PCI DSS Compliance Blog

Part 1 – PCI compliance FAQ’s one through four

1. To whom does PCI apply?
PCI compliance applies to any organization or merchant, regardless of the size or the number of transactions that are accepted, transmitted or stored. Essentially, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

2. Is PCI DSS compliance just an IT project?

The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a “project” with a beginning and end. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise can be more than just financial, as they can reputational as well, affecting the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment processing workflow. 

3. Myth: PCI DSS is unreasonable; it requires too much

Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option of using compensating controls to meet most of these PCI DSS requirements. The PCI DSS standard provides significant detail, which benefits merchants and processors. This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information

4. What is an easy step my business can take to achieve PCI Compliance?

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope. This means to eliminate cardholder data from the business unless it is absolutely required. The less sensitive cardholder data you have in your business the less you have to control and the easier achieving PCI compliance becomes.

In 2010 the PCI Security Standards Council released version 2.0 of the PCI DSS and PA-DSS, updating the standard to help merchants better protect sensitive cardholder information on their networks. Though the variations made to Version 2.0 weren’t substantial to the standard, the changes were hoped to have a major impact on the card data industry. The updated version of the standard was released in Fall of 2010, and became effective as of January 1, 2011. However, enforcement of the new requirements for validation against the updated versions of PCI DSS and PA-DSS are not going to begin to be enforced until January 1, 2012.

So the question is, come January 1, 2012, will you be ready?

The majority of changes made to version 2.0 were modifications to language, which clarified the meaning of the PCI requirements and making understanding and adoption easier on both merchants and software providers. The changes ultimately reinforced the need for thorough scoping prior to an assessment and promoted more effective log management. Other changes to the standard broadened validation requirements for the assessment of vulnerabilities in a merchant environment, giving merchants the ability to use industry best practices to prioritize these vulnerabilities.

PCI compliance has been a popular topic of conversation during 2011, but now is the time for businesses to make sure that they are ready to meet the PCI compliance requirements put in place. This past year has given merchants and software providers alike the opportunity to meet these new requirements, and achieve PCI compliance. Come the start of the year, it will become clear who is meeting the new requirements and who is not.

Download the PCI DSS Version 2.0 from the PCI SSC today and see if your business is ready. You can also contact Element to make sure that you are taking the proper steps to meet these new compliance requirements.

On June 30 of this summer, Visa made compliance statistics of merchants’ public, detailing PCI Compliance figures for those working to achieve Level 1, Level 2 and Level 3 compliance. On Monday, October 31, 2011, the card brand released the most recent compliance numbers. The released results were mixed, with a positive trend for Level 1 merchants, but with an overall decrease for Level 2 and Level 3 compliance. It should be noted that the card brand has continued its practice of not reporting compliance numbers for Level 4 compliance, rather just announcing for this reporting period that Level 4 compliance is “moderate.”

Each PCI Compliance level is determined by the number of transactions that a merchant processes each year, as well as whether the transactions occur online, in a brick and mortar location or a combination of both. For Level 1 merchants more than six million Visa transactions must be processed a year; Level 2 merchants process from one to six million transactions a year; Level 3 merchants handle 20,000 to one million online Visa transactions a year; and Level 4 merchants process less than a one million Visa transactions per year.

The statistics were positive for Level 1 merchants, as a 98 percent compliance rate was reported. This number was up from the 97 percent compliance rate that was announced earlier in June 2011. These numbers were based on 407 retailers, which was also an increase compared to earlier this year when only 377 retailers were included in the reporting.

The PCI compliance numbers for Level 2s and Level 3s weren’t quite as encouraging. Level 2 merchants dropped from 96 percent compliance down to 91 percent. There were more Level 2 merchants accounted for in this report, with 1,060 compared to 881 in the summer report, which may have attributed to the decline in this case. Level 3 merchants saw a decline from 60 percent to 57 percent from October 2011 to June 2011 respectively. The number of Level 3 merchants being reported is the largest of the three groups, with 3,049 merchants, up 25 from the last reporting period. Compared to the other PCI compliance levels, these numbers may be alarming, though Level 3 tend to be new entry merchants, starting with a relatively low level of PCI DSS compliance, attributing to these percentages.

As the card security industry continues to push the need to achieve PCI compliance, it is somewhat concerning that the numbers overall are in a decline, as it would be expected that numbers in any group would show steady signs of improvement. There are still details that Visa is not reporting on, which could allude to the compliance decrease, though many are left speculating what exact causes can be pointed to.

For more information on how you can help your business achieve you PCI Compliance Level download our PCI compliance guide.

Element Payment Services was recently selected by Lead411 as one of the fastest growing technology firms in 2011. Element joins a number of other great firms on to create this year’s Tech 200 list.

Being selected to the Tech 200 by Lead411 is always fiercely competitive, and 2011 was no different. The final 200 were selected and ranked based on the highest percentage of revenue growth from 2008 to 2010 compared to the other privately-held businesses that applied. But what makes 2011’s list different than year’s past, is that this list consists of only 200 companies, where in years past, the top 500 companies were selected.

In addition to looking at revenue growth, companies who took part in the Tech 200 application process were also asked to answer a survey about their marketing spend, ROI and overall outlook for the future. Their answers are indicative of the community at large, if not the greater business climate.

More than half of the applicants no longer use traditional advertising - print ads and direct marketing - which speaks volumes about where marketing is headed. The largest number put money into trade shows as a marketing tool (25%). There were also a number of these successful startups that got that way without taking on investors. Also a full 60.2% of applicants have never received funding for their businesses, and 84% consider themselves profitable.

And as far as the future looks, 71.5% of the companies on the Tech 200 think the future is going to get better soon.

It is an honor for Element Payment Services to be selected to this competitive list, joining many other great technology companies. Being on this list is a product of the work and commitment that Element and its employees have put toward their mission to help merchants and software providers ease PCI compliance with fully integrated payment processing solutions.

Find Element and the rest of the companies on the Tech 200 list here.

Inc., the premier magazine for entrepreneurs and business owners, released its 2011 list of the 5000 fastest-growing private companies in America. Included on the list is Element Payment Services.

For more than 30 years, Inc.’s list of the fastest-growing companies list has served as evidence of the significant accomplishments of enterprises. Being listed among these companies is a testament to the creativity, resilience and tenacity of America’s top entrepreneurs.

Element Payment Services has become an industry-leading provider of PCI compliant payment processing solutions. And now Element joins a prestigious pedigree of companies who have made Inc.’s list before, including Intuit, Zappos, Under Armour, Microsoft, Jamba Juice, Timberland, Clif Bar, Patagonia, Oracle, Zipcar and more.

“On behalf of Element, it is truly an honor to be recognized by Inc. as one of the fastest-growing companies in 2011,” said Sean Kramer, CEO and President, Element Payment Services. “This is a testament to hard-working people at Element who have helped this company achieve what it has since its inception. We are excited for the years to come.”

Element Payment Services provides fully integrated solutions to merchants through partnerships with leading independent software vendors (ISVs). Element’s approach to payment processing is built on a simple idea – remove the value and accessibility of cardholder data to eliminate the risk. In fast, Element's innovative technology, Hosted Payments, was the first payment processing solution on the market to take software providers out of scope for PA-DSS/PCI DSS compliance requirements.

On August 1, 2011, Element’s Element Express Processing Platform solution was selected by Business Solutions magazine as one of 2011’s Best Channel Products. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) participating in Business Solutions' annual survey ranked the Element Express Processing Platform as a leading payment processing technology, making it one of only three solutions in this category. Being honored with the 2011 Best Channel Products award makes this the fourth consecutive award for Element Payment Services from Business Solutions magazine since the survey debuted in January 2010. Element’s past awards include Best Channel Vendor in 2010 and 2011, and the Best Channel Product in 2010 and now in 2011.

The Element Express Processing Platform is a purpose-built payment engine, architected for an evolving industry with a Service Oriented Architecture (SOA). Using Element’s Web services or XML interface, ISVs can easily integrate software applications with Express, incorporating its robust suite of PCI compliant technologies, which include point-to-point encryption (P2PE) and tokenization.  ISVs and merchants have long relied on Express to deliver innovation, reliability and simplified payment processing.

 
Business Solutions magazine partnered with Penn State University to conduct and analyze the survey of its subscribers. As part of the Web-based survey, VARs/ISVs were asked to rate a product’s richness of features/functionality, product reliability/durability, ease of integration, ease of upgrading and the VAR’s/ISV’s ability to service. The 2011 Best Channel Products recognition was given only to the top few vendors who scored highest in the product categories. This is a new format from years past where many products were selected for each category, making this award even more competitive.

1,490 VARs/ISVs participated in the survey, casting a total of 11,711 votes, making it one of the largest surveys of its kind, especially at this level of detail.

Receiving its fourth straight award from Business Solutions magazine is representative of Element’s dedication and commitment to providing its software partners and their customers with solutions that help reduce risk, liability, and cost, while easing the burden of PCI compliance. 

Contact us today for more information on the Element Express Processing Platform solution and how Element can help your business. 

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments eliminates Integrated Software Vendor’s (ISVs) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method to Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, preserving the benefits associated with integrated payments. The process shifts the responsibility of handling sensitive cardholder data over to Element's PCI DSS compliant Express Processing Platform. By shifting the entry point and storage location of card sensitive data, ISVs also avoid the hassle of costs associated with compliance as well as compliance audits.

The PCI DSS apply specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are eliminated from PCI scope and compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but also through Hosted Payment's integration with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

Element Payment Services, the industry leader in PCI complaint payment processing, and ThoughtKey, the leading PCI-focused consulting firm, have teamed up to offer a new white paper entitled "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit". The document is aimed at helping merchants understand and address the hurdles of achieving and maintaining PCI compliance. Authored by ThoughtKey, this white paper details the benefits and pitfalls of relying solely on payment network segmentation as opposed to the robust option of P2PE plus tokenization in a highly secured host environment.

The issues present today are a result of merchants pulling double duty attempting to protect cardholder data while also defending their environments from cyber threats. Despite best efforts, a study done by The Ponemon Institute this year - in which 581 US Technology Security professionals were surveyed - reports that 90% of businesses fell victim to cyber security breaches at least once in the past 12 months; 41% of these incidents cost businesses $500,000+ to handle!

The "P2PE: Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" white paper provides a simple and effective answer to these problems. The document details how Element TransForm™ P2PE suite effectively removes sensitive cardholder data from a merchant’s environment, thereby eliminating the target on the merchant’s proverbial back. The Element TransForm™ P2PE suite secures payments simply by ensuring that cardholder data is protected through P2PE from the initial point of entry and while in transit to the payment processor.

“We are excited to share this white paper with the payment processing industry and merchant community, as it offers great detail to a complete and secure solution,” said Sean Kramer, president and CEO of Element Payment Services. “At Element, we make it our number one priority to help customers protect their businesses while providing the innovative payments technologies needed to manage operations. Our comprehensive PCI compliant solutions make this possible.”

For more information about "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" download our white paper or contact us today.

After months of collaboration and effort the PCI Security Standards Council’s Virtualization Special Interest Group (SIG), which is made up of more than 30 participating organizations in conjunction with the PCI Council, announced the release of the PCI DSS Virtualization Guidelines Information Supplement. The PCI DSS Virtualization Guidelines Information Supplement provides guidelines to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.

Virtualization technology has been a key area of interest for organizations considering its implementation in their cardholder data environments and assessors who evaluate the virtualized environments as part of a PCI DSS assessment. However, while virtualization technology has numerous benefits, it also has its share of new and unique risks to be considered. This is where the Virtualization SIG comes in, as it was created to help clarify the virtualization elements of the PCI DSS.

The developed virtualization guidelines become a great resource of better understanding where PCI DSS requirements and virtualization meet, as well as the various aspects that must be considered during implementation in the cardholder data environment. These guidelines do not replace the requirements of the PCI DSS, but rather offers clarity for how these requirements fit into virtualized environments. This is important, as each company uses virtualized environments differently, but the best practices offered in the PCI DSS virtualization guidelines will help identify the ways the security of your cardholder environment could be impacted.  

There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. For more information on how the PCI DSS can be incorporated into your company’s virtualized environment, contact Element Payment Services today.

Are you trying to better wrap your head around PCI compliance and understand how it affects you and your company? The PCI Security Standards Council (PCI SSC) is offering PCI Awareness Training for all individuals. Whether you are looking for a self-paced course, or if you are in need of face-to-face interaction, the PCI SSC wants to help you understand the guidelines around PCI compliance, and help you work toward adopting version 2.0 of the PCI security standards.

The PCI Awareness Training is offered as a one-day, instructor led course, or also as a four-hour online course, depending on what option works best for you and your employees. The course offers an opportunity for companies to provide PCI training across multiple functional areas to ensure a universal understanding of PCI compliance. The course is designed to help answer questions and improve understanding around PCI security standards, and the adoption of version 2.0. Some specific topics covered include:

• What is PCI and what does it mean to a company that must meet compliance with the PCI Data Security Standard?

• Roles and responsibilities of the key players in the compliance process.
• How the credit card brands differ in their requirements for PCI reporting and validation.
• Overview of the infrastructure used by organizations to accept payment cards and communicate with the verification and payment facilities.
• Real world examples of PCI challenges and successes.

 Whether you choose to take the course online, or the face-to-face with an instructor option, you will come away with the knowledge needed to help you and your company better meet the PCI DSS and PA-DSS requirements, in order to achieve PCI compliance.

The instructor course is available for $995, while the online training is $495 per person (discounts available for larger numbers registered employees). For more information, take a look at the PCI Awareness Training course information. You will also be able to find dates for the instructor led courses, as well as more information on the online options (The next scheduled instructor led training is on August 24, 2011 in Boston, Mass.).