May 8th, 2015 by Admin

 

 

 

 

 

 

 

 

 

All merchants that accepts, transmit or stores cardholder data are required to be PCI (Payment Card Industry) Compliant. Most believe that because they do not charge the credit cards themselves, they are exempt. Why all agencies are required to be complaint even when they don’t charge credit cards themselves, and some steps to ensure your agency is PCI compliant.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Travel agents accepting, storing and transmitting credit card information to suppliers, are required to be compliant too. Suppliers reinforce this through their travel agent guidelines/contracts. Travel Agency must adhere to the applicable credit card company’s procedures for credit card transactions.

Consequences of Not Being PCI Compliant

If an agency is not PCI compliant, the agency can lose the ability to process credit card payments with that supplier. Not being able to pay with client credit cards can be a serious roadblock for agencies, and an inconvenience for clients.

If you have a merchant account and are found to be out of compliance, you can be fined.

How to be PCI Compliant

Don’t store the CCV security code from the client’s credit card. The client does not have the authority to grant you permission to store their CCV code. The credit card company explicitly forbid storage of the CCV code.

Make sure you securely store any client information, including their credit card number and expiration date. If you use a CRM, ensure that you have a strong password. If your CRM database is stored on your computer hard drive, encrypt it (there is a great encryption software that is free of charge). If you have an IT resource, talk to them about installing a firewall on your network, installing anti-virus and anti-malware protection, and any other steps that you can take to secure your client data even further.

If you keep paper copies of client information, keep it in a locked filing cabinet or desk drawer. When you no longer need their credit card information, cross shred it.

Home based businesses are arguably the most vulnerable simply because they are usually not well protected, according to the PCI Compliance Guide. Having strong passwords, encryption, a firewall, anti-virus and anti-malware protection are all inexpensive steps that you can take to protect your business and your clients’ sensitive data.

If you receive a courtesy call reminding you about PCI Compliance, don’t ignore it.

 

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , , , , , , , ,

April 21st, 2015 by Elma Jane

An advanced strain of malware called “Punkey,” is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.

Researchers from Security vendor Trustwave discovered the new strain. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.

 

 

Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.

If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server, revealed by Trustwave’s SpiderLabs research center. Punkey operates like a typical Botnet.

The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.

The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.

A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP security patches. However, even Punkey is not attacking Windows due to any vulnerability in the systems, so even merchants with newer versions of Windows are at risk.

Punkey just runs like any Windows binary would. Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.

Many retailers use remote desktop support software, which fraudsters take advantage of, they steal a password and install malware like a technician would install any software.

While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices.

Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary. Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , ,

September 24th, 2014 by Elma Jane

The CVV Number (Card Verification Value) on your credit card or debit card is a 3 digit number on VISA, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4 digit numeric code.

The codes have different names:

American Express – CID or unique card code.

Debit Card – CSC or card security code.

Discover  – card identification number (CID)

Master Card – card validation code (CVC2)

Visa  – card verification value (CVV2) 

CVV numbers are NOT your card’s secret PIN (Personal Identification Number).

You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)

Types of security codes:

CVC1 or CVV1, is encoded on track-2 of the magnetic stripe  of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.

The most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.

Contactless card and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

Code Location:

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

American Express cards have a four-digit code printed on the front side of the card above the number.

MasterCard, Visa, Diners Club,  Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.

New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.

Benefits when it comes to security:

As a security measure, merchants who require the CVV2 for card not present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual Terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits card holder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card not present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card not present  purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 18th, 2014 by Elma Jane

Americans love gift cards, but many of those pieces of plastic go partially or entirely unused. Some are lost or forgotten. Others simply are ignored once the balance drops to a few dollars or less.

A gift card’s unused value…known in industry parlance as spillage or breakage…long has meant big profits for the gift card industry .

But the Credit Card Accountability, Responsibility and Disclosure Act of 2009, better known simply as the Credit CARD Act, tightened rules on retailers, making it more difficult for stores to cancel unused cards or charge inactivity fees. That prevents retailers from quickly cashing in on breakage.

In addition, savvy consumers are catching on and appear to be finding ways to avoid losing breakage while getting the most out of their gift cards.

According to the most recent figures, about 1 percent of the total value of gift cards was predicted to go unused in 2013. That’s down from a record high of 10 percent in 2007. Some of the reduction in breakage is a result of growing cardholder realization that even though there’s only $2.12 on gift card, they got to find a way to use it.

However, even with the decline in breakage, around $1 billion worth of gift cards will be lost to fees and expiration dates or misplaced, shoved in a drawer or otherwise neglected this year. That’s a huge amount of money that consumers will not be able to use toward a new shirt, stuffed animal or bicycle.

Retailers love when people use gift cards because studies show that most customers spend more in the store than the card is worth. Breakage makes gift cards even more profitable: An estimated $127 billion in gift cards will be sold in 2014, even a small percentage of unused cards boost a company’s bottom line.

Those profits make it feasible for retailers to make some consumer-friendly moves, such as selling gift cards at a discount. However, most of the money goes toward other endeavors.

Wal-Mart may have a billion dollars (in unused gift cards) sitting there. Wal-Mart could go out and build 30 new superstores without borrowing a penny. They know those gift cards will come in eventually, but for now, they have the use of that money.

Ways to make sure you’re not ‘breakage’
The longer you let a card sit untapped, the less likely you are to use it. Here are eight ways to make sure your gift cards are not lost to breakage:

Give again. Instead of letting that last two bucks on a card go to waste, use it to make a donation. Stockpile cards and combine them into higher-value gift cards that are donated to the needy.

A Gift Card Giver founder, got the idea when he asked a group of acquaintances how many had unused gift cards sitting in their wallets. They literally started pulling out gift cards from their wallets, everyone had one.

The Gift Card Giver founder offered to redistribute the unused cards to the needy and a new nonprofit was born.

Give low-end cards as gifts. To make sure your gift card doesn’t languish in someone else’s wallet, consider purchasing cards at Walgreens and Wendy’s instead of Nordstrom and Saks. Practical gift cards, such as those for fast-food chains and discount retailers are used faster than cards to fine dining establishments and pricey department stores.

Corral your cards. Make sure you can quickly locate your cards by storing them all in the same place.

If you have too many cards to tuck into your wallet, stowing them in a durable plastic envelope. Or upgrade to a Card Cubby (about $24), which includes alphabetized tabs and is tiny enough to keep in a purse.

Plan your shopping ahead of time. Set up your e-mail program to send you a monthly reminder to use your gift cards. Think in terms of the week or month ahead, when will you be near the store? What items do you need there? Is there a gift you need for someone else? You are more likely to use the card if you know what you want ahead of time and can get in and out quickly.

Rethink general-purpose gift cards. Gift cards from credit card companies can be used anywhere you can use a credit card. But these cards also come with drawbacks.

Use-anywhere cards, known as open-loop cards  are more likely to come with startup fees and monthly inactivity fees that chip away at your balance. Many of these gift cards also include a valid through or good through date stamped on the front. Your card’s underlying value will not expire after that date, but you will have to call customer service for a replacement card, and that raises the risk that you will simply toss the card and your remaining balance.

Read the fine print. The CARD Act  prohibits gift card inactivity fees for the first year, and requires that gift cards cannot expire within five  years of when activated. State lawsmay extend additional gift card protections. That gives you a big, but not permanent cushion of time to use the cards.

Trade or sell your cards. If you get a card you know you will not use, a Hot Topic gift card, for instance, when you are more of an L.L.Bean type, use one of the many card-swapping and card-selling sites to get what you really want.

That is because with a Wendy’s and a Walgreens on practically every corner, such lower-end cards simply are more convenient to use. They also offer more value for your card. If you give a Wal-Mart gift card to your mailman, there are plenty of things to use it on.

Posted in Best Practices for Merchants, Gift & Loyalty Card Processing Tagged with: , , , , , , , , , , , , , , , , , , , ,

September 16th, 2014 by Elma Jane

Card-not-present merchants are battling increasingly frequent friendly fraud. That type of fraud..The I don’t recognize or I didn’t do it dispute. This occurs when a cardholder makes a purchase, receives the goods or services and initiates a chargeback on the order claiming he or she did not authorize the transaction.

This problem can potentially cripple merchants because of the legitimate nature of the transactions, making it difficult to prove the cardholder is being dishonest. The issuer typically sides with the cardholder, leaving merchants with the cost of goods or services rendered as well as chargeback fees and the time and resources wasted on fighting the chargeback.

Visa recently changed the rules and expanded the scope of what is considered compelling evidence for disputing and representing chargeback for this reason code. The changes included allowing additional types of evidence, added chargeback reason codes and a requirement that issuers attempt to contact the cardholder when a merchant provides compelling evidence.

The changes give acquirers and merchants additional opportunities to resolve disputes. They also mean that cardholders have a better chance to resolve a dispute with the information provided by the merchant. Finally, they provide issuers with clarity on when a dispute should go to pre-arbitration as opposed to arbitration.

Visa has also made other changes to ease the burden on merchants, including allowing merchants to provide compelling evidence to support the position that the charge was not fraudulent, and requiring issuers to a pre-arbitration notice before proceeding to arbitration, which reduces the risk to the merchant when representing fraud reason codes.

The new “Compelling Evidence” rule change does not remedy chargebacks but brings important changes for both issuers and merchants. Merchants can provide information in an attempt to prove the cardholder received goods or services, or participated in or benefited from the transaction. Issuers must initiate pre-arbitration before filing for arbitration. That gives merchants an opportunity to accept liability before incurring arbitration costs, and Visa will be using information from compelling evidence disputes to revise policies and improve the chargeback process

Visa made those changes to reduce the required documentation and streamline the dispute resolution process. While the changes benefit merchants, acquirers and issuers, merchants in particular will benefit with the retrieval request elimination, a simplified dispute resolution process, and reduced time, resources and costs related to the back-office and fraud management. The flexibility in the new rules and the elimination of chargebacks from cards that were electronically read and followed correct acceptance procedures will simplify the process and reduce costs.

Sometimes, an efficient process for total chargeback management requires expertise or in-depth intelligence that may not be available in-house. The rules surrounding chargeback dispute resolution are numerous and ever-changing, and many merchants simply do not have the staffing to keep up in a cost-effective and efficient way. Chargebacks are a way of life for CNP merchants; however, by working with a respected third-party vendor, they can maximize their options without breaking the bank.

Reason Code 83 (Fraud Card-Not-Present) occurs when an issuer receives a complaint from the cardholder related to a CNP transaction. The cardholder claims he or she did not authorize the transaction or that the order was charged to a fictitious account number without approval.

The newest changes to Reason Code 83, a chargeback management protocol, offer merchants a streamlined approach to fighting chargebacks and will ultimately reduce back-office handling and fraud management costs. Independent sales organizations and sales agents who understand chargeback reason codes and their effect on chargeback rates can teach merchants how to prevent chargebacks before they become an issue and successfully represent those that they can’t prevent.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 5th, 2014 by Elma Jane

Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third- party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.

Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.

Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship. 

Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.

Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program. 

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard.One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , , , , , , ,

August 8th, 2014 by Elma Jane

Visa Inc., the global leader in payments, is helping U.S. fuel retailers prevent credit and debit card fraud at the pump with intelligent analytics that identify higher-risk transactions that may be fraudulent. Visa Transaction Advisor uses sophisticated analytics based on the breadth and scale of VisaNet data to flag the riskiest transactions by working with fuel companies to understand their needs, creating a new service that builds on Visa’s predictive analytics capabilities, providing fuel merchants with more intelligence to prevent fraud and improve their bottom line. While global fraud rates across the Visa payment system remain near historic lows, less than 6 cents for every $100 transacted – fuel pumps can be targets for criminals because they are often self-service terminals. The new solution, Visa Transaction Advisor (VTA), enables merchants to use real-time authorization risk scores to identify transactions that could involve lost, stolen or counterfeit cards. A pilot test of the new service showed a 23 percent reduction in the rate of fraudulent transactions – all without costly infrastructure upgrades or disruption of the customer experience.

How It Works

After a cardholder inserts the card at the pump, Visa analyzes multiple data sets such as past transactions, whether the account has been involved in a data compromise and nearly 500 other pieces of data to create a risk score. This allows merchants to identify those transactions with a higher risk of fraud and perform further cardholder authentication before gas is pumped. The time and costs associated with resolving fraudulent transactions can be substantial for both merchants and financial institutions and inconvenient for cardholders, which is one of the reasons why fraud prevention is critical. Visa’s solution is easy to implement, using existing message fields and formats as well as pump software or hardware to ensure minimal impact to merchants and acquirers. Several fuel merchants who piloted the technology over the last several months noticed a decrease in fraud, without negatively impacting their consumers’ experience. VTA as a tool help mitigate fraudulent transactions. A 23 percent reduction in the rate of fraudulent chargebacks during a pilot program in Los Angeles. This was done with minimal impact to the customer experience, making secure payment at the pump as convenient as possible. Providing fuel to millions of customers each month through approximately 15,000 service stations in the United States, said US Credit Card Operations Manager, from Shell, considering new solutions and technology it has to have a clear business benefit, be customer-centric and easy to implement. With no infrastructure investment, testing VTA as part of proactive fraud prevention tool-set to better identify fraudulent card activity earlier in the transaction cycle, without inconveniencing customers.

Visa Transaction Advisor is available to merchants through participating U.S. acquirers. Visa has partnered with Vantiv and is also working with other acquirers to offer the service to its fuel clients. Ease of implementation is a critical requirement whenever talking about a new merchant service. Visa Transaction Advisor builds on existing payment infrastructure, is easy to implement and flexible enough to allow customization by merchants.

 

Posted in Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , ,

April 17th, 2014 by Elma Jane

Issuers participating in the MasterCard Rewards Platform can pursue greater engagement and value in their programs through a partnership MasterCard is announcing today with Points International Ltd. The companies say they struck the deal to take advantage of the popularity of travel and related experiences. Under the agreement, participating issuers can let their cardholders to exchange and trade earned airline miles, hotel points and loyalty currencies.

Travel happens to be one of the most popular redemption options for points on most programs today. So this is really about enabling consumers to get even more choice with regard to getting some redemption options.

Issuers individually will roll out the program later this year based on their own schedules. Any of the hundreds of banks that use the MasterCard Rewards Platform are eligible to participate. Participation is voluntary.

Enhanced flexibility in cardholder reward redemptions was a key driver behind the initiative, what this partnership allows to do is enable all customers that have points that they’ve gained from spending on their credit cards or debit cards to then exchange those points into a miles program or a hotel program that they tend to always have a lot of other points accumulated already.

Variable Exchange Rates

Cardholders will be provided with a conversation ratio applicable to the pair of rewards being exchanged. Ratios will differ by redemption transaction. Consumers also may choose to transfer small buckets of rewards points into one program and the rest in other programs. They can do transfers multiple times and across multiple rewards providers.

Posted in Best Practices for Merchants, Credit card Processing, Gift & Loyalty Card Processing, Travel Agency Agents Tagged with: , , , , , , , , , , , , , , , ,

December 5th, 2013 by Elma Jane

Recently, Consumer Reports reviewed 26 different prepaid cards and evaluated them based on different factors. The cards Consumer Reports considered to be the best scored well in each of these four factors:

  1. Clarity of Fees — How well the fees are disclosed.
  2. Convenience — Availability of in-network ATMs, bill pay features and how widely the card network brand is accepted.
  3. Safety — Whether funds are protected with FDIC deposit insurance.
  4. Value — How much they cost to use.

This is the first time Consumer Reports has evaluated and ranked prepaid cards, revealing a shift in the market for prepaid. As prepaid cards continue to grow in popularity, consumers are going to become savvier about which prepaid cards they purchase. Consider taking a closer look at this Consumer Report to determine how your financial institution’s (FI’s) prepaid offering measures up.

Highest ranked cards are those like the ATIRA suite of prepaid cards TMG’s clients issue. They have fewer fees and make it easier for consumers to avoid them, carry FDIC insurance for each cardholder, offer features comparable to traditional checking accounts and do a better job of disclosing fees.

Not surprisingly, the worst prepaid cards reviewed scored poorly in at least one, and sometimes several, of the above categories. All of the lowest ranked cards have high, unavoidable fees, including activation and monthly fees. Additionally, the lower scoring cards fail to make their fees clear and easy for consumers to access and understand.

Specifically, the report found some prepaid cards fail to provide clear explanations of how to use features such as electronic payments, text alerts and mobile remote deposit capture, and the fees that may be charged for them. Further, while all of the cards reviewed claim to offer some form of protection for consumers, the report found in these policies are often not clearly defined.

Consumer Reports also found it problematic that although issuers provide safeguards voluntarily, they can cancel them at any time. Additionally, according to the report, fee information is often hard to find and difficult to understand. The report states this problem is compounded by the lack of consistency  with fee names and descriptions” from card to card, making it challenging for consumers to compare fees and costs. Consumer Reports also found that prepaid cards offered by some of the big banks are not necessarily less expensive than other prepaid cards. Also, these big bank offerings may be less attractive to consumers because they often don’t provide the option of making both electronic payments and payment by paper check.

 

Posted in Credit card Processing, Financial Services Tagged with: , , , , , , , , , , , , , , , , , , ,

November 15th, 2013 by Elma Jane

November 7, 2013 –  Payment Card Industry (PCI) Council’s recent acceptance of the world’s first Point-To-Point Encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.

What is P2PE?

Point-To-Point Encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), it prevents clear-text information from residing on the payment environment. Encrypted card data is then transferred to, decrypted by, and processed through the solution provider processor who is the sole holder of the decryption key.

In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot. Many question the difference between P2PE and typical point of sale (POS) encryption.

The reason P2PE is arguably the most secure way to process is because merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.

Why use P2PE?

Basically, P2PE increases data security and has the ability to make a merchant’s job of reaching PCI compliance easier. The main point of using a P2PE-valiated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.

Are all P2PE solutions created equal?

Answer is no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.

To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a qualified P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities thorough the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure – a task which only a few companies in the world can do.

As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Merchant Services Account, Payment Card Industry PCI Security, Point of Sale, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,