May 8th, 2014 by Elma Jane

The complexity derives from PCI's Data Security Standard (DSS), which includes up to 13 requirements specifying the framework for a secure payment environment for companies that process, store or transmit credit card transactions.

Make PCI DSS Assessment Easier  

Training and educating employees. Technical employees should obtain whatever certifications or training classes are necessary to operate and monitor the security controls in place. Non-technical employees must be trained in general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world provide no protection if employees do not know how to operate the tools securely. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.

For an organization to effectively manage its own risk, it must complete a detailed risk analysis of its own environment. The goal of the risk analysis is to identify the threats and vulnerabilities to the services the organization performs and the assets it holds. As part of the risk assessment, the organization should define its critical assets, including hardware, software and sensitive information, and then determine risk levels for those components. This in turn allows the organization to set priorities for reducing risk. It is important to note that risks should be prioritized first for systems that will be in scope for PCI DSS, and then for other company systems and networks.

Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.

Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.

This is also the time to schedule the required annual penetration testing. These tests are typically, though not necessarily, performed by third parties, and they can take some time to schedule, perform and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed, so the test should be scheduled now.

At this point the organization is ready for a full-scale PCI DSS assessment and can enter a maintenance mode in which periodic internal audits occur and regular committee meetings are held to perform risk assessments and to update policies, procedures and security controls as necessary in response to an ever-changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and the burden of the annual assessments is eased.

A Payment Card Industry (PCI) compliance assessment is a major task for an organization of any size, but you can make it easier.


Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

October 11th, 2013 by Elma Jane

In the realm of credit card processing, a Mail Order/Telephone Order (MOTO) merchant is defined as a merchant who manually keys in over 50% of their transactions, and an Internet merchant is one who accepts transactions over the Internet via an e-commerce store with an online gateway, or who submits transactions manually through a virtual terminal.

Qualified Transaction Conditions (For MOTO/Internet merchants the Mid-Qualified Rate is essentially the Qualified rate, as these merchants never swipe a credit card through a terminal.)

One electronic authorization request is made per transaction, and the transaction date is equal to the shipping date. The authorization response data must also be included in the settled transaction.
Additional data (sales tax and customer code) is required in the settled transaction on all commercial (business) cards at non-Travel & Entertainment (T&E) locations.
The authorization request message must include Address Verification Service (AVS), which verifies the street address and the zip code of the cardholder. NOTE: This only happens if your software is set up to do it, or, if you are using a terminal, if you capture the AVS information at the time of keying in your transaction.
The settled transaction amount must equal the authorized amount.
The settled transaction must include the business's customer service telephone number, order number, and total authorized amount.
The transaction is electronically deposited (batch transmitted) on, or 1 day after, the authorization date.
The transaction/shipping date must be within 7 calendar days of the authorization date.

Non-Qualified Transaction Conditions
One or more of the Qualified or Partially Qualified conditions were not met.
Commercial Card without the additional data.
The transaction was not electronically authorized or the authorization response data was not included in the settled transaction.
The transaction was electronically deposited (batch transmitted) more than 1 day after the transaction/shipping/authorization date.
A Visa Infinite card was accepted.
Commercial Card Additional Data

MasterCard

Corporate Data Rate II (Purchasing cards): Sales Tax and Customer Code (supplied by cardholder at point of sale)
Corporate Data Rate II (Business and Corporate cards): Sales Tax
International Corporate Purchasing Data Rate II: Sales Tax and Customer Code (supplied by cardholder at point of sale)

The following information must also be provided: Merchant’s Federal Tax ID; Merchant Incorporation Status; and Owner’s full name if the merchant is a sole proprietor.

Visa

Purchasing cards: Sales Tax and Customer Code (supplied by cardholder at point of sale)
Corporate and Business cards: Sales Tax
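The Qualified and Non-Qualified conditions above, together with the commercial card additional data rules, can be checked mechanically against a settlement record before a batch is transmitted. The following is an added example, not code from the original post or from any processor; the record layout, field names and sample transactions are constructed assumptions, and the deposit window is measured from the authorization date as the Qualified list states. Because MOTO/Internet merchants have no separate mid-qualified tier, the checker reports only "qualified" or "non-qualified", with the list of conditions that failed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


# Hypothetical settlement record (constructed for this example); the field
# names are assumptions, not a real gateway's schema.
@dataclass
class Transaction:
    card_brand: str                    # "visa" or "mastercard"
    card_type: str                     # consumer | purchasing | corporate | business | infinite
    electronically_authorized: bool
    auth_response_in_settlement: bool  # authorization response data carried into settlement
    avs_requested: bool                # AVS data sent in the authorization request
    authorized_cents: int
    settled_cents: int
    customer_service_phone: Optional[str]
    order_number: Optional[str]
    auth_date: date
    ship_date: date                    # transaction date == shipping date for MOTO/Internet
    deposit_date: date                 # batch transmission date
    sales_tax_cents: Optional[int] = None
    customer_code: Optional[str] = None
    te_location: bool = False          # Travel & Entertainment merchant location


COMMERCIAL_TYPES = {"purchasing", "corporate", "business"}


def commercial_data_missing(tx: Transaction) -> list[str]:
    """Additional data the post requires on commercial cards at non-T&E locations:
    sales tax on all commercial cards, plus a customer code on purchasing cards."""
    if tx.card_type not in COMMERCIAL_TYPES or tx.te_location:
        return []
    missing = []
    if tx.sales_tax_cents is None:
        missing.append("sales_tax")
    if tx.card_type == "purchasing" and not tx.customer_code:
        missing.append("customer_code")
    return missing


def qualification_failures(tx: Transaction) -> list[str]:
    """Return every listed condition the transaction fails; an empty list means
    the transaction meets the Qualified conditions."""
    failures = []
    if tx.card_brand == "visa" and tx.card_type == "infinite":
        failures.append("Visa Infinite card accepted")
    if not tx.electronically_authorized:
        failures.append("transaction not electronically authorized")
    if not tx.auth_response_in_settlement:
        failures.append("authorization response data missing from settled transaction")
    if not tx.avs_requested:
        failures.append("AVS not included in authorization request")
    if tx.settled_cents != tx.authorized_cents:
        failures.append("settled amount differs from authorized amount")
    if not tx.customer_service_phone:
        failures.append("customer service telephone number missing")
    if not tx.order_number:
        failures.append("order number missing")
    # Shipping (transaction) date: within 7 calendar days of authorization.
    if not 0 <= (tx.ship_date - tx.auth_date).days <= 7:
        failures.append("shipping date not within 7 calendar days of authorization")
    # Batch deposit: on, or 1 day after, the authorization date.
    if not 0 <= (tx.deposit_date - tx.auth_date).days <= 1:
        failures.append("deposited more than 1 day after authorization")
    for name in commercial_data_missing(tx):
        failures.append(f"commercial card missing additional data: {name}")
    return failures


def classify(tx: Transaction) -> str:
    return "qualified" if not qualification_failures(tx) else "non-qualified"


def _base(**overrides) -> Transaction:
    """Constructed sample: a clean consumer-card sale that meets every condition."""
    fields = dict(
        card_brand="visa", card_type="consumer",
        electronically_authorized=True, auth_response_in_settlement=True,
        avs_requested=True, authorized_cents=4999, settled_cents=4999,
        customer_service_phone="555-0100", order_number="WEB-1001",
        auth_date=date(2013, 10, 1), ship_date=date(2013, 10, 2),
        deposit_date=date(2013, 10, 2),
    )
    fields.update(overrides)
    return Transaction(**fields)


# Constructed sample records covering a clean sale and three common misses.
SAMPLE_TRANSACTIONS = {
    "clean_consumer": _base(),
    "purchasing_no_code": _base(card_brand="mastercard", card_type="purchasing",
                                sales_tax_cents=400),
    "late_deposit": _base(deposit_date=date(2013, 10, 4)),
    "amount_mismatch_no_avs": _base(settled_cents=5299, avs_requested=False),
}

if __name__ == "__main__":
    for name, tx in SAMPLE_TRANSACTIONS.items():
        print(f"{name}: {classify(tx)} {qualification_failures(tx)}")
```

Running the block prints one line per sample with its classification and the failed conditions; in a real batch job the same check would run over every record before transmission so that a missing customer code or a late deposit is caught while the merchant can still correct it rather than after the downgrade appears on the statement.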

Posted in Credit Card Processing, E-commerce & M-commerce, Electronic Payments, Internet Payment Gateway, Mail Order Telephone Order