July 14th, 2016 by Elma Jane
PCI Compliance applies to every merchant who accepts credit cards, large or small. Refusing or delaying becoming PCI Compliant can end up being a costly mistake.
If you accept any credit or debit card payment, you need to be PCI Compliant, no matter the volume.
PCI applies to any company, organization or merchant of any size or transaction volume that accepts, stores or transmits cardholder data. Any merchant accepting payments directly from the customer via credit or debit card must be PCI Compliant.
The merchants themselves are responsible for becoming PCI Compliant, as the deadline for merchants to become compliant is long overdue.
Understanding the details of PCI Compliance can help you better prepare your business. Delaying compliance, or ignoring the requirements altogether, could end up being an expensive mistake.
Visa's requirement that merchants adhere to the PCI standard forms part of the operating regulations, the agreement you sign when you open a merchant account at the bank, which sets out the rules under which merchants are allowed to operate merchant accounts.
February 29th, 2016 by Elma Jane
True Stories of our Customers in Action
Travel Agency ~ An independent travel firm had been using their bank as their credit card processor. When they learned that Virtuoso and NTC were going to team up, they jumped on the opportunity. Not only has NTC lowered their fees, but NTC has also streamlined their credit card processing: the manual type-in process has been replaced by an automated batch process, which saves time. This is a great new partnership for Virtuoso and its members.
Wholesale Hardware Industry ~ The owner had been turned down for a business loan by a traditional bank last year because of a bankruptcy a few years earlier. He had no option but to borrow using a Cash Advance, making daily payments at a very high interest rate. NTC was able to get him approved for a real business loan, with monthly payments at an annual rate.
Term loan amount: $85K – Line of credit: $75K
Another Travel Agency ~ NTC has great customer service; the support team will patiently guide you through PCI compliance. The payments specialist will check whether they can reduce your rates (which they did successfully!). They even follow up regularly with status updates. NTC is exemplary!
NTC has a lot to offer, from our e-Pay Service and other new programs for ISOs to options for your merchants. NTC, The Payments and Technology Expert! Visit us at www.nationaltransaction.com or call us at 888-996-2273.
November 3rd, 2015 by Elma Jane
While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.
Does EMV override PCI?
The answer is NO: EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.
- EMV is counterfeit card fraud protection – it makes it more difficult to make use of stolen card data.
- EMV is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines.
- EMV only works for card present transactions.
If your business accepts credit or debit cards in a physical store or other face-to-face setting, you will need to implement both EMV technology and the PCI standards. If you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used, should it be stolen.
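The tokenization step described above, as an added example that is not part of the original post or NTC's own code: a hypothetical in-memory token vault issues a random token after authorization, the order system keeps only the token and a masked PAN, and a small data-discovery check confirms that what downstream systems store carries no card number. The sample PAN is the well-known Visa test number (constructed input, not a real account), and the vault, role names and helper functions are assumptions made for the example; a production vault would encrypt PANs at rest and would itself remain inside PCI scope.

```python
import json
import re
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample PAN: the well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 13-19 digits and passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Hypothetical token vault: the one system that still holds PANs and therefore stays
    inside PCI scope. A real vault would encrypt PANs at rest (typically HSM-backed)."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Random letters only: the token cannot be derived from the PAN and never contains
        # a digit run that looks like a card number. Last four are kept for receipts.
        rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{rand}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the settlement path is ever allowed to see the PAN again (assumed role name).
        if caller_role != "settlement":
            raise PermissionError("detokenization restricted to the settlement service")
        return self._store[token]


def build_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the order system stores after authorization: token and masked PAN, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "masked_pan": mask_pan(pan), "amount_cents": amount_cents}


_DIGIT_RUN = re.compile(r"\d{13,19}")


def contains_pan(text: str) -> bool:
    """Cheap data-discovery check: any 13-19 digit run that passes Luhn is treated as a PAN."""
    return any(luhn_valid(m.group()) for m in _DIGIT_RUN.finditer(text))


def record_is_out_of_scope(record: dict) -> bool:
    """True if the serialized record (as it would sit in a database or log) carries no PAN."""
    return not contains_pan(json.dumps(record))


def can_detokenize(vault: TokenVault, token: str, role: str) -> bool:
    """Helper for callers that want a yes/no answer instead of an exception."""
    try:
        vault.detokenize(token, role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    record = build_order_record(vault, SAMPLE_PAN, 1999)
    print(record)                                   # token plus 411111******1111
    print("record out of scope:", record_is_out_of_scope(record))
    print("reporting may detokenize:", can_detokenize(vault, record["token"], "reporting"))
```

The point of the `contains_pan` scan is the same one an assessor makes when checking scope: if a leaked order record, log line or database dump yields no Luhn-valid digit run, the system that produced it never held cardholder data, and a stolen token is useless outside the vault.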
October 9th, 2015 by Elma Jane
To bring some order to PCI Compliance, Visa and MasterCard have defined four merchant levels, based on transaction volume, that determine the risk level of a merchant and what that merchant must do to validate compliance.
Merchant Level | Description | Validation Requirements
Level 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region. | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company; quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form.
Level 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels). | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form.
Level 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form.
Level 4 | Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually. | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by the acquirer.
August 16th, 2013 by Admin
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of electronic transaction security standards, published the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and transaction security as a shared responsibility with merchant account holders.
The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI credit card security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.
Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords, authorization, verification and authentication challenges; third party payment security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments.
“Today, most organizations have a good understanding of PCI DSS and its importance in securing credit card data during transactions, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and payment technology environments,” said Bob Russo, PCI SSC general manager. “The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”
Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS credit card compliance
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from Navigating PCI DSS Guide
- Increased flexibility and education around password strength and complexity
- New requirements for point-of-sale terminal security
- More robust requirements for penetration testing and validating segmentation
- Considerations for credit card data in memory
- Enhanced testing procedures to clarify the level of validation expected for each requirement
- Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling
Note that these updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.
The change highlights document, with tables outlining anticipated updates, is available on the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php
The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. To register, visit: https://www.pcisecuritystandards.org/training/webinars.php
“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, m-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.
PCI DSS and PA-DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but to ensure adequate time for the transition, version 2.0 will remain active until 31 December 2014.
For more information and to register for the 2013 Community Meetings, please visit: https://www.pcisecuritystandards.org/communitymeeting/2013/
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC