November 17th, 2016 by Elma Jane
Payment Card Industry
What is PCI DSS (Payment Card Industry Data Security Standards)? A set of requirements, founded by Amex, Discover, JCB, MasterCard and Visa; to facilitate industry-wide adoption of consistent data security measures on a global basis. Best practices for enhancing payment account data security.
Why does my business need to be PCI Compliant? You help protect your business
by reducing the risk of a costly breach of your customers’ payment card data. Payment card brands (Amex, Discover, JCB, MasterCard and Visa) mandate that all businesses processing payment cards must be compliant.
Once my business validates PCI-DSS compliance, does that prevent a security breach from happening? No. It helps prevent security breaches and loss of cardholder data but do not provide a guarantee to your business. Also, similar to the regularly required updates to anti-virus and firewall software; data security is also continually subject to new threats.
What happens to my business if I am not PCI Compliant? If you do not comply with the security requirements contained within PCI-DSS as mandated by the payment card networks; you put your organization at risk of a payment card compromise.
In the event that your business is compromised, you may also be subject to additional fines, fees, and assessments by the card brands. You may also lose your credit card acceptance privileges.
What am I required to do to validate PCI compliance? The minimum requirement for PCI Level 4 business is to complete a PCI-DSS Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing status.
Posted in Best Practices for Merchants, Payment Card Industry PCI Security Tagged with: card, credit card, customers, data, payment, PCI, Security
September 21st, 2016 by Elma Jane
PCI compliance applies to any company, organization or merchant of any size or transaction volume that either accepts, stores or transmits cardholder data.
Any merchant accepting payments directly from the customer via credit or debit card must be Compliant. The merchant themselves are therefore responsible for becoming Compliant, as the deadline for the merchant becomes overdue.
Understanding and knowing the details of Payment Card Industry Compliance can help you better prepare your business. Because failing and waiting to become compliant or ignoring them, could end up being an expensive mistake.
The VISA regulations have to adhere to the PCI standard forms as part of the operating regulations. The regulations signed when you open an account at the bank. The rules under which merchants are allowed to operate merchant accounts.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: American Express, cardholder, compliance, credit, customer, data, debit card, Discover, jcb, MasterCard, merchant, Payment Card Industry, payments, PCI, transaction, visa
September 15th, 2016 by Elma Jane
Storing credit card data for recurring billing are discouraged.
But many feels storing is necessary in order to facilitate recurring payments.
Using a third party vault provider to store credit card data for recurring billing is the best way.
It helps reduce or eliminate the need for electronically stored cardholder data while still maintaining current business processes.
For recurring billing a token can be use, by utilizing a vault. The risk is removed from your possession.
Modern payment gateways allow card tokenization.
Any business that storing data needs to review and follow PCI DSS requirement in order for the electronic storage of cardholder data to be PCI compliant.
On the primary account number, an appropriate encryption will be applied. In this situation, the numbers in the electronic file should be encrypted either at the column level, file level or disk level.
Posted in Best Practices for Merchants, Credit Card Security Tagged with: billing, cardholder, credit card, data, payment gateways, payments, PCI, recurring, token, tokenization
August 9th, 2016 by Elma Jane
Businesses are discouraged from storing credit card data, but many feel the practice is necessary in order to facilitate recurring payments. Merchants that need to store credit card data are doing it for recurring billing.
Using a third party vault provider is the best way to store credit card data for recurring billing, it helps reduce or eliminate the need for electronically stored cardholder data while still maintaining current business processes. The risk of storing card data is removed from your possession and you are given back a token that can be used for the purpose of recurring billing, by utilizing a vault. Modern payment gateways allow card tokenization.
Any business that storing data via hard copy needs to review and follow PCI DSS requirement in order for the electronic storage of cardholder data to be PCI compliant. Appropriate encryption must be applied to the PAN (primary account number). In this situation, the numbers in the electronic file should be encrypted either at the column level, file level or disk level.
Posted in Best Practices for Merchants, Payment Card Industry PCI Security, Travel Agency Agents Tagged with: cardholder, credit card, data, merchants, payment gateways, payments, PCI, provider, tokenization
June 28th, 2016 by Elma Jane
Financial Cost – on average, it costs a small business between $36,0000 and $50,000 in the event of a data breach. From PCI examination to liability costs and POS upgrades. The many costs of a data breach add up.
Notification Cost – if your business falls victim to a data breach, it is your moral and sometimes legal (depending on the state in which your business operates) obligation to notify your customers of the breach.
Reputation Cost – data breach lessens your credibility and trust with your customers. This can have a long-term affect on your business.
Time Cost – as a small business owner, your focus is on the daily operations of your business. In the event of a data breach, your focus will be shifted entirely to clearing up the issue.
The cost of a data breach is more than financial and can often have a lasting negative impact on your business.
The quickest and easiest way to protect your business is to prevent fraud from happening. At National Transaction, we give importance to your security. For your electronic payments needs give us a call at 888-996-2273.
Posted in Best Practices for Merchants Tagged with: customers, data breach, electronic payments, financial, fraud, PCI, POS, Security
June 23rd, 2016 by Elma Jane
Merchant Aggregators, Merchants of Records and Payment Service Provider what’s the difference?
Payment Service Provider – is a company, which provides payment gateway and related services (like antifraud tools) to merchants. PSP is a representative of one or several acquiring banks. The merchant signs an agreement with the acquiring bank and PSP. The acquiring bank provides a merchant account and secures settlements for merchant’s transactions directly to the merchant’s bank account. Payment Service Provider secures delivery of the merchant’s transactions to the acquiring bank and some related services like fraud scrubbing and recurring transactions. The merchant has an own merchant account with this model.
Merchant Aggregator – is a company, which uses one merchant account to process transactions from many merchants. Merchants don’t have any agreements with an acquiring bank, but with the merchant aggregator. You get quick setup and get shut down quickly. Most aggregators are hard to get hold of, they don’t have human customer support. The problem with this model is, it’s not intended as a long-term, scalable solution to accepting payments and they can freeze your account or hold your money if anything unusual happens.
Merchants of Records – are a merchant, who use services of payment service provider (PSP) or merchant aggregators to accept payments on their websites for goods or services they sell. Merchant of record role requires an array of administrative responsibilities, such as managing a merchant account with a payment processor, paying associated credit card fees for the transactions, other responsibilities like complying with PCI DSS.
Posted in Best Practices for Merchants, Travel Agency Agents Tagged with: bank account, credit card, customer, merchant, payment gateway, payment processor, Payment Service Provider, PCI, transactions
November 3rd, 2015 by Elma Jane
While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.
Does EMV override PCI?
The answer is NO, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.
- EMV is counterfeit card fraud protection – it makes it more difficult to make use of stolen card data.
- EMV is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines.
- EMV only works for card present transactions.
If your business accepts credit or debit cards in a physical store or other face-to-face setting, you will need to implement the EMV technology and PCI standards. If you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used, should it be stolen.
Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security Tagged with: card data, card fraud, card present, counterfeit card, credit, data security, debit card, EMV, emv technology, fraud, p2pe, PAN, PCI, PCI Compliance, point-to-point encryption, Primary Account Number, terminals, tokens
October 9th, 2015 by Elma Jane
Credit card fraud is much more difficult to prevent in a card-not-present transaction. In a face-to-face setting the merchant can inspect the card to ensure that it is valid and can verify that the cardholder is an authorized user on the account. None of these actions can be performed when the payment is submitted online or accepted by phone. As we moved in adopting EMV Technology, majority of fraud is going to migrate away from counterfeit and stolen cards towards the card-not-present transaction as happened in other countries.
A combination of best practices and fraud prevention tools can provide card-not-present merchants with strong fraud prevention capabilities.
Steps to avoid fraud and protect your business for a card-not-present transaction:
- Email Verification: Send a message to the email address provided by the customer requesting that the customer verify the email address is correct, you can ensure that the email is associated with the other information provided.
- Maintain PCI compliance:All merchants accepting card payments are now required to be compliant with the requirements of the PCI DSS (Payment Card Industry Data Standard) which sets the rules for data security management, policies, procedures, network architecture, software design and other protective measures.
- Security Code Verification. Requesting the three digit security code on the back of a credit card. Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, and the 4-digit numbers located on the front of American Express (CID) cards. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction.
- Use an Address Verification Service (AVS): Enables you to compare the billing address provided by your customer with the billing address on the card issuer’s file before processing a transaction. AVS is good protection against card information obtained through means like phishing and malware because fraudster might not know the billing address.
- Use 3D Secure Service: MasterCard and Verified by Visa enable cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs. The liability of any fraudulent charges through the 3D service is picked up by the issuer, not the merchant.
- Verify the phone number and transaction information.Prior to shipping your products, call the phone number provided by the customer and verify the transaction information. Criminals may be unable to verify such information, because in their haste to max out the credit line before the fraud is discovered, they often order at random and do not keep records.
Posted in Best Practices for Merchants, e-commerce & m-commerce, Mail Order Telephone Order, Payment Card Industry PCI Security, Travel Agency Agents Tagged with: American Express, card-not-present, card-security, cardholder, cnp, credit card, Discover, EMV, MasterCard, merchant, Payment Card Industry, payments, PCI, visa
May 19th, 2015 by Elma Jane
We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization. How each will play a part in the next generation of securing payments, and how without properly working together they might just fall short.
Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.
Downside: For Independent Software Vendor (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.
It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.
Point to Point Encryption (P2PE) – Secures devices, apps and processes using encrypted data with cryptographic keys only known to the payment company or gateway from the earliest point of the transaction, from tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines.
How does a key get into card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared with device manufacturers securely, where output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE not only benefits the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created with cardholder data which is not encrypted.
Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.
TOKENIZATION – The best way to protect cardholder data when it’s stored is using tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.
Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: (POS) systems, account number, billing, card, card breaches, card reader, cardholder, cardholder data, chip, credit card, data, DSS, EMV, EuroPay, gateway, Independent Software Vendor, ISVs, MasterCard, merchants, p2pe, payment company, payment security, payments, PCI, PINpads, point-to-point encryption, POS devices, processors, Security, security standards council, token, tokenization, transaction, visa
All merchants that accepts, transmit or stores cardholder data are required to be PCI (Payment Card Industry) Compliant. Most believe that because they do not charge the credit cards themselves, they are exempt. Why all agencies are required to be complaint even when they don’t charge credit cards themselves, and some steps to ensure your agency is PCI compliant.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Travel agents accepting, storing and transmitting credit card information to suppliers, are required to be compliant too. Suppliers reinforce this through their travel agent guidelines/contracts. Travel Agency must adhere to the applicable credit card company’s procedures for credit card transactions.
Consequences of Not Being PCI Compliant
If an agency is not PCI compliant, the agency can lose the ability to process credit card payments with that supplier. Not being able to pay with client credit cards can be a serious roadblock for agencies, and an inconvenience for clients.
If you have a merchant account and are found to be out of compliance, you can be fined.
How to be PCI Compliant
Don’t store the CCV security code from the client’s credit card. The client does not have the authority to grant you permission to store their CCV code. The credit card company explicitly forbid storage of the CCV code.
Make sure you securely store any client information, including their credit card number and expiration date. If you use a CRM, ensure that you have a strong password. If your CRM database is stored on your computer hard drive, encrypt it (there is a great encryption software that is free of charge). If you have an IT resource, talk to them about installing a firewall on your network, installing anti-virus and anti-malware protection, and any other steps that you can take to secure your client data even further.
If you keep paper copies of client information, keep it in a locked filing cabinet or desk drawer. When you no longer need their credit card information, cross shred it.
Home based businesses are arguably the most vulnerable simply because they are usually not well protected, according to the PCI Compliance Guide. Having strong passwords, encryption, a firewall, anti-virus and anti-malware protection are all inexpensive steps that you can take to protect your business and your clients’ sensitive data.
If you receive a courtesy call reminding you about PCI Compliance, don’t ignore it.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Payment Card Industry PCI Security Tagged with: cardholder, cardholder data, cards, CCV, CCV code, credit, credit card company, credit card number, credit card payments, credit card transactions, credit cards, crm, CRM database, data, database, encryption software, merchant account, Merchant's, network, Payment Card Industry, PCI, security code, transactions, travel agents
