PCI DSS Compliance Blog

A dialogue with Apple co-founder Steve Wozniak kicked off the 2011 ETA Annual Meeting and Expo held this year in San Diego, Calif. May 10 - 12. Wozniak explained that payment processing at Apple is not a top priority and that Apple is waiting until they can do it right – “I think they'll hold off and not make any moves until they know they can do it right” (The Green Sheet). Wozniak also discussed the future of mobile payments, suggesting that "tap-and-go technology is so compelling that it will be in everyone's hands within just a few years" (The Green Sheet). He believes that Near Field Communications (NFC) technology will be the next big thing for mobile payments.

The conference also featured keynote speaker, former Sen. Christopher Dodd, D-Mass., co-author of the Consumer Protection Act of 2010 and the Dodd-Frank Wall Street Reform. Dodd touched upon the Durbin Amendment and the looming debit interchange regulation. Dodd went on to encourage ISOs, MLSs and their partners to reach out more to their local politicians to fight against further legislation. Dodd feels that it would be easier to contact them directly, saying “I can assure you that if you were to invite your member of Congress to come to your business to learn what you do and about your issues, you'd have a lot more luck than anyone standing in the halls of Congress trying to [lobby] staffers" (The Green Sheet). However painful, regulatory and PCI compliance issues are not going away. Critical security measures are put in place to protect consumers and stay current with technology. 

Mobile payments was the hot topic for this year’s meeting, since more and more people have smart phones and are using them to shop, therefore making mobile card acceptance, couponing and security high priorities for merchants. Visa took the opportunity at the expo to announce its mobile wallet plans that feature "a range of customized mobile payments services that address the specific requirements of geographic markets around the world" (Visa). People are excited for mobile wallet solutions and it came through at the show. 

ETA 2011 had a lot of hype around a new certification program was promoted. Visa’s new Certified Payments Professional program, which had officially launched in February 2011, is designed to be the industries first professional certification process for sales agents and others engaged in the distribution of electronic payment products and services.

ETA attendees noted that this year’s show seemed to be a bit quieter, with fewer people and less industry news as compared to past expos. However, ETA contacts say that attendance and exhibitor numbers had increased. Overall, attendees reported to be pleased with the quality of the interactions and networking opportunities.  

The Electronic Transactions Association is an international trade company that represents companies who offer electronic transaction processing products and services. The ETA encourages businesses to network within the electronic payments industry through education and advocacy. The three-day meeting and expo was open to international electronic payments professionals and business owners.

Millions of people have recently been affected by serious data breaches of major corporations and organizations such as the Texas Comptrollers Office, Sony, the New York Yankees, Michaels, and Fox Entertainment. These breaches of sensitive personal information reinforce the need for strict regulations and security measures to be implemented for businesses large and small. The PCI Standard Security Council was created to prevent these types of credit and debit card information security breach situations. However, with the recent news around these notable organizations experiencing data breaches, it becomes painfully clear that data breaches can happen to any business, large or small. And as a consumer, you should be conscious of where you offer your information, and be aware of the standards such as the PCI DSS and PA-DSS are being put into place to protect your valuable information and the associated headache that comes with having it stolen.

It is crucial for people to understand that data breaches can happen to any business or organization. If a Businesses or organization collects and stores sensitive information, they need to understand the PCI DSS to avoid data breaches and regulatory fines. The Texas Comptrollers Office discovered in March of 2011 that it had left personal records openly available on a publicly accessible server for over a year. These personal records included names, addresses, social security numbers, and in some cases, dates of birth and driver’s license numbers. This is the most extensive information breach in the history of Texas, affecting 3.5 million people. The Office of the Texas Comptroller is now facing a $3.5 billion lawsuit: $1,000 statutory penalty for each individual whose privacy was violated. (Dallas News)

Sony was the first high profile corporation to be recently hacked. From April 17 through April 19, hackers had access to around 100 million people’s names, addresses, birthdays, credit card numbers, and billing history through Sony servers. The data breach forced Sony to shut down their online gaming network for over a week. Sony later released a statement that they had no evidence that credit card numbers were stolen, but they could not rule it out. Currently, the data breach has cost Sony $171 million, but with all the pending lawsuits and regulatory fines, that figure will likely be much higher. (Reuters)

The New York Yankees suffered a data breach on April 25, 2011 when an employee accidentally emailed an Excel spread sheet of names, addresses, phone numbers, seat numbers and email addresses of 21,466 season ticket holders to 2,000 fans. The email was a newsletter that the Excel sheet was attached to. The Yankees sent out an apology letter and assured fans that birth dates, social security numbers, or financial data was not included in the exposed personal information. (NYYankees)

Michaels Stores, a retailer of arts and craft supplies, announced on May 4, 2011 that PIN pad tampering had occurred, compromising credit and debit card information of at least 80 stores across the U.S. Roughly 100 Michael customers reported having their bank accounts emptied. The hackers were able to get debit card and PIN numbers, draining bank accounts in a matter of minutes. Michaels has set up a help line for customers who have any questions or concerns: 1-800-642-4235. (Michaels)

On May 6, 2011 a hacker group named LulzSec breached Fox Entertainment’s servers, gaining access to names, emails, passwords, and phone numbers of nearly 400 employees and hundreds of thousands potential X-Factor contestants. The hackers released the personal information and encouraged people to “ravage” the list of emails and passwords, and taunt their Facebook, Myspace, Paypal, LinkedIn, and Twitter accounts. (MSNBC)

In addition, LulzSec was responsible for breaching Sony’s Greek unit, affecting 8,500 user accounts, as well as smaller incidents in Thailand and Indonesia on May 24, 2011. Sony spokesman Atsuo Omagari released a statement that Sony is not sure if the attacks are related; "We don't know whether the incidents in the three countries are linked to the attacks on the PlayStation. For now, we are still investigating each incident" (Fox Business).

Hackers are like Internet train robbers, and we are in the wild west of digital payments. Working together to shut out online bandits will make payment processing stronger and more secure for merchants and consumers. To help better understand your PCI compliance level or find answers to questions on PCI compliance, check out our PCI compliance guide or contact an Element Payment Services representative.      

Don’t for get to put it on your calendar! The 2011 PCI Security Standards Council North American Community Meeting is coming up on September 20-22, 2011 in Scottsdale, Arizona at the Westin Kierland Resort, Spa and Villas.

The PCI SSC annual community meeting is a great opportunity to get the latest news and updates on the card data security industry from the experts. Each meeting brings together global leaders from across the payment chain to share insight and feedback on their experiences in protecting payment card data. With the number of people implementing or helping implement the latest PCI DSS and PA-DSS mandates, the PCI community is an ideal forum to learn and share what has worked for you and to have your voice heard on what the PCI Council should consider in future revisions. 

Join leaders from across the security, payments, finance, retail and technology fields at this two-day meeting filled with networking opportunities and informative sessions led by PCI Council and industry experts.

Each of the meeting’s sessions provides extensive opportunities for questions and answers with representatives from each of the payment brands. This meeting also offers an exclusive opportunity for Participating Organizations (PO), Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), PIN Transaction Security (PTS) produce providers and Payment Application QSAs (PA QSAs), to come together and gain the latest insight into current and future Council programs and resources.

Also be sure to come see Element, as we will be in attendance as an exhibiting member company in the Vendor Showcase.

If you aren’t yet registered for this industry event, register now, to save your spot.

Advancing technology has turned our cell phones into more than just a wireless communication device. Now loaded with cameras, the Internet and endless amounts of applications, our smartphones have become more of a personal computer we can hold in the palm of our hand. But with these advancements come the accompanied risks. Especially when it comes to using a phone as a payment device; a use we have seen skyrocket with the advanced abilities of the phones.

There are rumors coming from the smartphone industry, that Apple, Google and other mobile device manufacturers are advancing the payment abilities of the phones, making them into virtual wallets. While this is a beneficial function for smartphone users from a convenience standpoint, it adds a new challenge to payment security. These advancing abilities to make mobile payments has peaked the interested of the PCI SSC, as they look to secure these mobile payment systems. An initial step, taken in March 2011 by the PCI SSC, was to delist several mobile payment applications that had previously been approved as PCI compliant. This move was decided to allow the council time to work on security standards specific to the changing mobile applications, to ensure the proper requirements were put in place in order for these applications to be deemed PCI compliant. The PCI council also announced that it would no longer approve any new mobile payment applications until a new, comprehensive set of standards are in place for securing mobile payment transactions.

The PCI Council, however, does plan to issue some guidance on PCI compliance for emerging technologies over the next several months, since there are few best practices in place to protect credit card data flowing in and out of a mobile environment. Merchants can also reference guidance documents to gain data on these best practices.

The formal guidelines are scheduled to be put in place with the release of PCI Version 3.0, but this won’t be until 2013, when the PCI SSC plans to update the PCI DSS 2.0. This update version will offer more guidance and reference to emerging technologies.

The current state of the mobile payment industry makes the mobile environment vulnerable, and a prime target for cybercriminals - at least for the time being. Whereas before mobile devices were a place where valuable data may be stored, it seems these devices are becoming a location where this type of data is almost guaranteed to be stored. Consumers should be aware of these risks when using mobile devices to store sensitive data to best protect themselves against security risks. Sites that want to accept mobile payments are also exposed to compliance risks until further notice.

While technology continues to advance and trend toward a mobile platform, the PCI SSC remains active to help companies and consumers secure and protect sensitive data. While we wait for these security requirements to be put in place, it is important for those using mobile platforms to take precaution when it comes to using or sharing sensitive card data. To learn more about what you can do to protect your valuable information, contact us today or download our PCI compliance guides.

Any business that continues to store, process or transmit credit card information is feeling the pressure to comply with the PCI DSS 2.0 changes, which will begin being in enforced on January 1, 2012. The Payment Card Industry Data Security Standard (PCI DSS) released its new version 2.0 guidelines in October of 2010 that offered updates to the earlier version of the guidelines, to help merchants create a more secure purchasing environment for consumers.

A major factor of PCI compliance depends on a company’s scope. The scope is determined by identifying the cardholder environment, including system components, processes and people involved with a credit card transaction. Determining the scope of a company is the first process in a PCI DSS assessment. Reducing your scope can help your company comply with the PCI DSS requirements.

There are two great solutions to help reduce your scope:

1. Point-to-Point Encryption:
Point-to-point encryption (P2PE) secures data in flight.  By converting the information to an unintelligible form, sensitive information is protected from the point of entry, while in transit, all the way to the payment processor.  It is important to focus on this area and make sure that the ownership, creation, maintenance, updates and destruction of keys used to support the encryption are well controlled. The PCI Security Standards Council (PCI SSC) has confirmed that P2PE is the technology that processors, software providers, and merchants should be moving toward. To learn more about P2PE, check our video library.

2. Tokenization:
Tokenization is a method for securing sensitive card data at rest by breaking up information and replacing the data with unique identification symbols. The token, not the actual credit card number, is then moved to a secure, PCI DSS storage facility. This technology heavily reduces the likelihood of an attack, though it does require an appropriate database, network, platform, and application security controls. However, when the responsibility to protect stored data, along with the risks of a security breach and resulting loss is transferred to a trusted partner, business liability is dramatically reduced for merchants and software providers alike.

Point-to-point encryption (also known as end-to-end encryption) and tokenization help to remove sensitive data from the payment environment, reduce the risk of credit card data breaches, and helps your company more easily achieve PCI DSS compliance.

There are great opportunities to reduce the scope of PCI compliance by taking advantage of these emerging technologies. Wherever your organization is along the PCI journey, Element Payment Services can help you along the way. For more information, view our tokenization white paper or contact us today to get started.

Data breaches continue to be a problem, and a costly one for many organizations. According to a report by Symantec Corp and the Ponemon Institute, the average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record in 2010. Both of these numbers are up in comparison to 2009, when the average cost per compromised record was $204. Regulators are working to crack down on non-compliant organizations, and are encouraging them to implement required data security controls. The alternative? Pay harsher fines.

There are a number of issues that companies face when trying to effectively and properly protect cardholder data. Malicious or criminal attacks are the most expensive and are on the rise. This study showed that 31 percent of all cases in 2010 involved a malicious or criminal act, which averaged a cost of $318 per record. However, even though criminal attacks are expensive, negligence remains the most common threat companies’ face. The number of breaches caused by negligence increased to 41 percent, showing the ongoing challenge of ensuring compliance of employees and partners with security policies.

Companies are putting a number of preventative measures in place, from training and awareness programs, to implementing encryption technologies. Employment training consists of educating employees on information protection policies and procedures, which then makes the employees accountable. Some of the other data protection processes being implemented include proactively encrypting laptops to minimize consequences of a lost device and integrating information protection practices into companies’ businesses processes. Also being done is the deployment of data loss prevention technologies, which assist companies with achieving compliance with industry standards, such as the PCI DSS. Achieving PCI compliance has become a greater focus during the past few years. Part of this increased focus is due to enforcement of these security standards, but the other piece is that these standards and technologies have proven effective against data theft and hackers.

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data information by driving education and awareness of the PCI DSS and PA-DSS, as well as through their efforts to gain adoption industry wide standards. Companies are now being held responsible for their own PCI compliance, and those not achieving compliance are receiving fines. As the report shows, these fines are increasing when data breaches occur.

As more companies work to implement card data security standards and are taking the necessary steps to achieve PCI compliance, the more these efforts will prove to be effective, limiting hackers’ access to card data.

Though the costs that companies are facing for data breaches continue to climb, the hope is that as the data security standards being enforced will encourage such companies to achieve PCI compliance and protect their customers’ valuable card data. The more companies that achieve compliance with the PCI DSS requirements, means there will be fewer targets available for hackers, which will help lead to the decrease in the number of data breaches industry wide.

For more information on Element’s PCI compliance solutions, view our PCI Compliance Guide or contact us.

As more companies work to achieve PCI compliance, questions are arising to gain understanding around what can, and cannot be stored. This type of question has often come up surrounding the handling of CVC and CVV2 card information from the back of credit and debit cards. The answer to this question is vital for companies, as it impacts their ability to achieve PCI compliance.

So, “can you store CVC/CVV2 post authorization and stay within the PCI DSS requirements?” The answer is “no.” According to the PCI DSS requirement 3.2, the storage of sensitive authentication data after authorization is strictly prohibited. Even if this data is encrypted, it is still not allowed. The requirement goes into more detail, stating that you should not store the card-verification code or value (the three or four digit codes on the back of the payment card), which is used to verify card-not-present transactions.

It should be clarified that the PCI DSS does allow the storage of this information up until authorization, however after that it must not be stored. According to Roger Nebel, an independent PCI DSS auditor, “This was done so that merchants who process in batch mode could hold on to the CVV until they process their batch and then get authorization which might take a day or two. After that it must not be stored. Thus once there is authorization, all the places the CVV had been stored, whether on paper or in a file, must be cleansed of the CVV. The service provider and the merchant must not keep it post-authorization. Paper copies need to be shredded, and any and all files, database records, etc., must be securely erased of the CVV.”

For more information on Element’s PCI compliance solutions, please view our PCI Compliance Guide or contact us.

Smart phones have become less of a novelty and more of a necessity during the past few years, as people demand to be connected and have access to information instantly. People are using mobile phones more than ever for a variety of purposes, from e-mail and phone calls to playing online games and getting live sports scores. And now, people are using their mobile phones to shop. In a recent report by ForeSee Results, 11 percent of web shoppers made a purchase from their phones during the holiday season, a notable increase from only 2 percent during the 2009 holiday season. With this increased volume in mobile shopping comes another area of opportunity for data thieves.

The potential card data security risks that many companies face from in-store or online purchases are still present when a mobile payment is processed - from first card swipe or data entry, until the payment is processed by the bank, the card data needs to be protected. The data security best practices that companies employ to adhere to the PCI DSS still apply in the mobile space, making a secure payment processing platform a vital component in proper protection against security breaches.

The Element Express Processing Platform provides e-commerce merchants, as well brick and mortar merchants, fully integrated payment processing that protects cardholder data from the moment the card data is input (or swiped) until that information reaches the processing bank. Element Express Processing Platform allows for a real-time authorization request from the issuing bank. The approval response is then returned to the recurring billing system to record the successful payment transaction, and neither the merchant nor the billing system requires access to the sensitive cardholder information. Additionally, Element Express exceeds PCI DSS requirements with end-to-end encryption of cardholder data and off-site storage of the sensitive information. This type of security allows those consumers that make purchases from their mobile phones to do so, while limiting the risks for card theft.

As mobile technology continues to become a popular outlet for shopping, the need for proper card data security also grows. E-commerce sites, mobile sites and brick and mortar stores are all targets for security breaches, but taking the proper steps to protect against theft will save consumers and merchants time and money.

2010 was a year of progress for the card data security industry, according to some new figures published by the Identity Theft Resource Center (ITRC). The number of records known to have been exposed in a security breach decreased significantly, from 223.1 million in 2009 to 16.2 million in 2010.

The recorded breaches of security varied in the data that was exposed, including credit and debit card information, which made up 26 percent of the breaches, as well as social security numbers, which made up 62 percent. There were also numerous ways that the information was accessed, including hacking into computer systems, which made up for 17.1 percent of the reported breaches, insider actions, accounting for 15.4 percent and accidental exposure, 10.7 percent. This information made available by the ITRC shows that our valuable, personal information can be at risk of theft through a variety of methods if we, or the companies we use, are not properly protect against it properly.

Linda Foley, the founder of ITRC, predicts that cybercrimes and insider data thefts will increase in the coming years, because “it’s the path of least resistance.”

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data information by driving education and awareness of the PCI DSS and PA-DSS, as well as through their efforts to implement the standards industry wide. The PCI SSC is holding companies responsible for their own PCI compliance, fining those that do not meet the requirements.

More and more companies are doing their part to take the necessary steps to achieve PCI compliance and by implementing technology solutions such as end-to-end encryption and tokenization, to protect their customers’ valuable information. These efforts by businesses play a role in limiting hackers’ access to card data.

A caveat in this report to point out, however, is that while the overall number of records exposed has dramatically decreased, the total number of security breaches increased from 498 to 662. This is an indication that now more than ever small to medium size businesses should have data security and PCI compliance at the top of their minds. Large corporations are certainly not the only targets of data thieves.

Companies that have chosen to remain non-compliant may become targets for cybercrimes and insider theft at an increasing rate, supporting Linda Foley’s prediction for the coming years. We’re looking forward to witnessing the increased uptake of the PCI DSS and PA-DSS in 2011. Continued awareness and education around PCI Compliance will make this an important year for the data security industry.

A new Self Assessment Questionnaire (SAQ) and Attestation of Compliance have been made available to merchants by the PCI Security Standards Council (PCI SSC). This new version, titled the SAQ C-VT, was developed for merchants that process cardholder data only through isolated virtual terminals on personal computers connected to the Internet. 

The SAQ C-VT is a trimmed down version of the SAQ C version 2.0. Rather than the SAQ C 2.0 80 requirements, the SAQ C-VT only has 51 requirements to meet to achieve compliance. In order for companies to reach PCI DSS compliance for this merchant environment, the merchant must complete the SAQ C-VT and Attestation of Compliance, then submit both items and any other requested documentation to their acquirer.

Merchants who complete the SAQ C-VT and the associated Attestation of Compliance must confirm that:

• The company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser.

• The company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.

• The company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.

• The company’s computer does not have software installed that causes cardholder data to be stored.

• The company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.

• The company does not receive or transmit cardholder data electronically through any channels.

• Your company retains only paper reports or paper copies of receipts. 

• Your company does not store cardholder data in electronic format.

From the PCI SSC:

A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Those merchants who operate browser-based terminals should welcome this new SAQ version as it offers a questionnaire that is designed for their low volume of credit card transactions.