Element Payment Services

12/28/2011

Part 2 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips five through eight

5. I heard that PCI DSS is too hard

Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without a large security or IT department. However, the PCI DSS standard mostly calls for good, basic security practices. Even if there was no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect their customers’ sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security and PCI DSS compliance.

When people say PCI DSS is too hard, in many cases the complaints are in fact about cost. However, the business risks and ultimate costs of non-compliance, including fines, legal fees, and especially lost business, can vastly outweigh any PCI DSS implementation costs. Implementing PCI DSS should be part of a sound, basic security strategy. This holiday season, ensure that your business meets the PCI DSS compliance standard by making compliance part of your ongoing business plan and budget.

6. What are the penalties for noncompliance with the PCI Requirements?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. This PCI compliance fine can then be passed on downstream until it eventually hits the merchant. The acquiring bank may then also either terminate the merchant relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic, especially to a small business. This holiday season, make sure you are familiar with your merchant account agreement, which should outline your exposure.

7. If I’m running a business from my home, am I a serious target for hackers?

Yes, home users are arguably the most vulnerable, as they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users and exploit their 'always on' broadband connections and typical home-use programs such as chat, Internet games and file sharing applications. This holiday season, make sure you identify and fix any security vulnerabilities on your desktop or laptop computers.

8. What information should I routinely check to spot a fraudulent card?

  • Check the Expiration Date: The card is valid through the last date of the month. Do not accept an expired card.
  • Check the Valid Date: Some cards will have this feature, in which the card is not valid until the date shown. Do not accept an invalid card.
  • Check the Four Digits: The first four digits of the embossed card number must match the four digits pre-printed above or below that number.

 

12/16/2011

12 Holiday PCI Compliance Tips Questions and Advice and Security Best Practices to Get You Ready for the New Year

Part 1 – PCI compliance FAQs one through four

1. To whom does PCI apply?
PCI compliance applies to any organization or merchant, regardless of the size or the number of transactions that are accepted, transmitted or stored. Essentially, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

2. Is PCI DSS compliance just an IT project?

The IT staff implements technical and operational aspects of PCI-related systems, but compliance with the payment brands’ programs is much more than a “project” with a beginning and end. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise can be more than just financial, as they can be reputational as well, affecting the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment processing workflow.

3. Myth: PCI DSS is unreasonable; it requires too much

Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option of using compensating controls to meet most of these PCI DSS requirements. The PCI DSS standard provides significant detail, which benefits merchants and processors. This scope and flexibility lead some to view PCI DSS as an effective standard for securing all sensitive information.

4. What is an easy step my business can take to achieve PCI Compliance?

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope. This means to eliminate cardholder data from the business unless it is absolutely required. The less sensitive cardholder data you have in your business the less you have to control and the easier achieving PCI compliance becomes.

 

11/30/2011

PCI DSS Version 2.0 to be Enforced Soon – Are you ready?

In 2010 the PCI Security Standards Council released version 2.0 of the PCI DSS and PA-DSS, updating the standard to help merchants better protect sensitive cardholder information on their networks. Though the changes made in Version 2.0 weren’t substantial to the standard, they were hoped to have a major impact on the card data industry. The updated version of the standard was released in Fall of 2010, and became effective as of January 1, 2011. However, enforcement of the new requirements for validation against the updated versions of PCI DSS and PA-DSS will not begin until January 1, 2012.

So the question is, come January 1, 2012, will you be ready?

The majority of changes made to version 2.0 were modifications to language, which clarified the meaning of the PCI requirements and made understanding and adoption easier for both merchants and software providers. The changes ultimately reinforced the need for thorough scoping prior to an assessment and promoted more effective log management. Other changes to the standard broadened validation requirements for the assessment of vulnerabilities in a merchant environment, giving merchants the ability to use industry best practices to prioritize these vulnerabilities.

PCI compliance has been a popular topic of conversation during 2011, but now is the time for businesses to make sure that they are ready to meet the PCI compliance requirements put in place. This past year has given merchants and software providers alike the opportunity to meet these new requirements, and achieve PCI compliance. Come the start of the year, it will become clear who is meeting the new requirements and who is not.

Download the PCI DSS Version 2.0 from the PCI SSC today and see if your business is ready. You can also contact Element to make sure that you are taking the proper steps to meet these new compliance requirements.

 

11/08/2011

Visa Releases PCI Compliance Level Stats – Results are Up and Down

On June 30 of this summer, Visa made merchants’ compliance statistics public, detailing PCI compliance figures for those working to achieve Level 1, Level 2 and Level 3 compliance. On Monday, October 31, 2011, the card brand released the most recent compliance numbers. The released results were mixed, with a positive trend for Level 1 merchants, but with an overall decrease for Level 2 and Level 3 compliance. It should be noted that the card brand has continued its practice of not reporting compliance numbers for Level 4 compliance, instead just announcing for this reporting period that Level 4 compliance is “moderate.”

Each PCI Compliance level is determined by the number of transactions that a merchant processes each year, as well as whether the transactions occur online, in a brick and mortar location or a combination of both. Level 1 merchants process more than six million Visa transactions a year; Level 2 merchants process from one to six million transactions a year; Level 3 merchants handle 20,000 to one million online Visa transactions a year; and Level 4 merchants process fewer than one million Visa transactions per year.

The statistics were positive for Level 1 merchants, as a 98 percent compliance rate was reported. This number was up from the 97 percent compliance rate that was announced earlier in June 2011. These numbers were based on 407 retailers, which was also an increase compared to earlier this year when only 377 retailers were included in the reporting.

The PCI compliance numbers for Level 2s and Level 3s weren’t quite as encouraging. Level 2 merchants dropped from 96 percent compliance down to 91 percent. There were more Level 2 merchants accounted for in this report, with 1,060 compared to 881 in the summer report, which may have contributed to the decline in this case. Level 3 merchants saw a decline from 60 percent to 57 percent from October 2011 to June 2011 respectively. The number of Level 3 merchants being reported is the largest of the three groups, with 3,049 merchants, up 25 from the last reporting period. Compared to the other PCI compliance levels, these numbers may be alarming, though Level 3 merchants tend to be new-entry merchants, starting with a relatively low level of PCI DSS compliance, which contributes to these percentages.

As the card security industry continues to push the need to achieve PCI compliance, it is somewhat concerning that the numbers overall are in decline, as it would be expected that numbers in any group would show steady signs of improvement. There are still details that Visa is not reporting on, which could help explain the compliance decrease, though many are left speculating about what the exact causes are.

For more information on how you can help your business achieve your PCI Compliance Level, download our PCI compliance guide.

11/01/2011

Element Selected to be Listed in the 2011 Tech 200 by Lead411

Element Payment Services was recently selected by Lead411 as one of the fastest growing technology firms in 2011. Element joins a number of other great firms to make up this year’s Tech 200 list.

Being selected to the Tech 200 by Lead411 is always fiercely competitive, and 2011 was no different. The final 200 were selected and ranked based on the highest percentage of revenue growth from 2008 to 2010 compared to the other privately-held businesses that applied. But what makes 2011’s list different from years past is that this list consists of only 200 companies, whereas in years past the top 500 companies were selected.

In addition to looking at revenue growth, companies who took part in the Tech 200 application process were also asked to answer a survey about their marketing spend, ROI and overall outlook for the future. Their answers are indicative of the community at large, if not the greater business climate.

More than half of the applicants no longer use traditional advertising - print ads and direct marketing - which speaks volumes about where marketing is headed. The largest number put money into trade shows as a marketing tool (25%). There were also a number of these successful startups that got that way without taking on investors. Also a full 60.2% of applicants have never received funding for their businesses, and 84% consider themselves profitable.

And as far as the future looks, 71.5% of the companies on the Tech 200 think the future is going to get better soon.

It is an honor for Element Payment Services to be selected to this competitive list, joining many other great technology companies. Being on this list is a product of the work and commitment that Element and its employees have put toward their mission to help merchants and software providers ease PCI compliance with fully integrated payment processing solutions.

Find Element and the rest of the companies on the Tech 200 list here.

 

08/29/2011

Inc. Magazine Recognizes Element Payment Services as one of the Fastest Growing Companies in 2011

Inc., the premier magazine for entrepreneurs and business owners, released its 2011 list of the 5000 fastest-growing private companies in America. Included on the list is Element Payment Services.

For more than 30 years, Inc.’s list of the fastest-growing companies has served as evidence of the significant accomplishments of enterprises. Being listed among these companies is a testament to the creativity, resilience and tenacity of America’s top entrepreneurs.

Element Payment Services has become an industry-leading provider of PCI compliant payment processing solutions. And now Element joins a prestigious pedigree of companies who have made Inc.’s list before, including Intuit, Zappos, Under Armour, Microsoft, Jamba Juice, Timberland, Clif Bar, Patagonia, Oracle, Zipcar and more.

“On behalf of Element, it is truly an honor to be recognized by Inc. as one of the fastest-growing companies in 2011,” said Sean Kramer, CEO and President, Element Payment Services. “This is a testament to hard-working people at Element who have helped this company achieve what it has since its inception. We are excited for the years to come.”

Element Payment Services provides fully integrated solutions to merchants through partnerships with leading independent software vendors (ISVs). Element’s approach to payment processing is built on a simple idea – remove the value and accessibility of cardholder data to eliminate the risk. In fact, Element's innovative technology, Hosted Payments, was the first payment processing solution on the market to take software providers out of scope for PA-DSS/PCI DSS compliance requirements.

 

08/01/2011

The Element Express Processing Platform Recognized as a 2011 Best Channel Product By Business Solutions Magazine

On August 1, 2011, Element’s Element Express Processing Platform solution was selected by Business Solutions magazine as one of 2011’s Best Channel Products. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) participating in Business Solutions' annual survey ranked the Element Express Processing Platform as a leading payment processing technology, making it one of only three solutions in this category. Being honored with the 2011 Best Channel Products award makes this the fourth consecutive award for Element Payment Services from Business Solutions magazine since the survey debuted in January 2010. Element’s past awards include Best Channel Vendor in 2010 and 2011, and the Best Channel Product in 2010 and now in 2011.


The Element Express Processing Platform is a purpose-built payment engine, architected for an evolving industry with a Service Oriented Architecture (SOA). Using Element’s Web services or XML interface, ISVs can easily integrate software applications with Express, incorporating its robust suite of PCI compliant technologies, which include point-to-point encryption (P2PE) and tokenization.  ISVs and merchants have long relied on Express to deliver innovation, reliability and simplified payment processing.

 
Business Solutions magazine partnered with Penn State University to conduct and analyze the survey of its subscribers. As part of the Web-based survey, VARs/ISVs were asked to rate a product’s richness of features/functionality, product reliability/durability, ease of integration, ease of upgrading and the VAR’s/ISV’s ability to service. The 2011 Best Channel Products recognition was given only to the top few vendors who scored highest in the product categories. This is a new format from years past where many products were selected for each category, making this award even more competitive.


1,490 VARs/ISVs participated in the survey, casting a total of 11,711 votes, making it one of the largest surveys of its kind, especially at this level of detail.

Receiving its fourth straight award from Business Solutions magazine is representative of Element’s dedication and commitment to providing its software partners and their customers with solutions that help reduce risk, liability, and cost, while easing the burden of PCI compliance. 

Contact us today for more information on the Element Express Processing Platform solution and how Element can help your business. 

07/19/2011

Element’s Hosted Payments: Taking ISVs out of PCI Scope

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments eliminates Independent Software Vendors’ (ISVs) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method to Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, while preserving the benefits associated with integrated payments. The process shifts the responsibility of handling sensitive cardholder data over to Element's PCI DSS compliant Express Processing Platform. By shifting the entry point and storage location of sensitive card data, ISVs also avoid the hassle and costs associated with compliance as well as compliance audits.

The PCI DSS applies specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are eliminated from PCI scope and compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but through the integration of Hosted Payments with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

07/14/2011

Reduce, Protect, Preserve: Point-to-Point Encryption

Element Payment Services, the industry leader in PCI compliant payment processing, and ThoughtKey, the leading PCI-focused consulting firm, have teamed up to offer a new white paper entitled "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit". The document is aimed at helping merchants understand and address the hurdles of achieving and maintaining PCI compliance. Authored by ThoughtKey, this white paper details the benefits and pitfalls of relying solely on payment network segmentation as opposed to the robust option of P2PE plus tokenization in a highly secured host environment.

The issues present today are a result of merchants pulling double duty attempting to protect cardholder data while also defending their environments from cyber threats. Despite best efforts, a study done by The Ponemon Institute this year - in which 581 US Technology Security professionals were surveyed - reports that 90% of businesses fell victim to cyber security breaches at least once in the past 12 months; 41% of these incidents cost businesses $500,000+ to handle!

The "P2PE: Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" white paper provides a simple and effective answer to these problems. The document details how Element TransForm™ P2PE suite effectively removes sensitive cardholder data from a merchant’s environment, thereby eliminating the target on the merchant’s proverbial back. The Element TransForm™ P2PE suite secures payments simply by ensuring that cardholder data is protected through P2PE from the initial point of entry and while in transit to the payment processor.

“We are excited to share this white paper with the payment processing industry and merchant community, as it offers great detail to a complete and secure solution,” said Sean Kramer, president and CEO of Element Payment Services. “At Element, we make it our number one priority to help customers protect their businesses while providing the innovative payments technologies needed to manage operations. Our comprehensive PCI compliant solutions make this possible.”

For more information about "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" download our white paper or contact us today.

06/16/2011

PCI Security Standards Council Releases the PCI DSS Virtualization Guidelines

After months of collaboration and effort, the PCI Security Standards Council’s Virtualization Special Interest Group (SIG), which is made up of more than 30 participating organizations in conjunction with the PCI Council, announced the release of the PCI DSS Virtualization Guidelines Information Supplement. The PCI DSS Virtualization Guidelines Information Supplement provides guidelines to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.

Virtualization technology has been a key area of interest for organizations considering its implementation in their cardholder data environments and assessors who evaluate the virtualized environments as part of a PCI DSS assessment. However, while virtualization technology has numerous benefits, it also has its share of new and unique risks to be considered. This is where the Virtualization SIG comes in, as it was created to help clarify the virtualization elements of the PCI DSS.

The virtualization guidelines are a great resource for better understanding where PCI DSS requirements and virtualization meet, as well as the various aspects that must be considered during implementation in the cardholder data environment. These guidelines do not replace the requirements of the PCI DSS, but rather offer clarity on how these requirements fit into virtualized environments. This is important, as each company uses virtualized environments differently, but the best practices offered in the PCI DSS virtualization guidelines will help identify the ways the security of your cardholder environment could be impacted.

There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. For more information on how the PCI DSS can be incorporated into your company’s virtualized environment, contact Element Payment Services today.
