PA-DSS

01/10/2012

Part 3 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips nine through twelve

9. What are some signs of suspicious behavior that may indicate fraud during card present transactions?

  • The customer appears nervous or overly talkative
  • The customer questions the sales clerk about the floor limit, and then makes several separate purchases that approach, but do not exceed the floor limit
  • The card is produced from a pocket, not a wallet
  • The customer signs the sales draft in a deliberate or unnatural manner

10. Educate your Employees on PCI Compliance

There is a wealth of educational materials and seminars dedicated to PCI compliance available. However, for some, successfully digesting and understanding all of that information, not to mention your company’s own general security processes, can be difficult. Therefore, educating your employees is an important step toward improving the payment processing security of your company and your customers. Continued education helps ensure that all employees are up to date on the latest changes in the security standards and on the steps they are expected to follow.

11. Secure your Paper Trail to Avoid Theft

Believe it or not, dumpster diving for discarded receipts or documents that contain credit card information is something that still happens. There are several steps that can be taken to help keep your business and your customers from being victimized by this practice. It is always a best practice to ensure that none of your receipts carry a complete credit card number. This helps ensure that if a receipt is lost, thrown away or stolen, the card number on the account is not at risk.

12. What’s the big hurry for becoming PCI compliant?

It is important for companies to achieve PCI compliance on a number of levels. For starters, becoming PCI compliant will help protect your customers’ valuable card data from theft. Ensuring your customers’ safety can help build trust and the confidence of your customers, and also help them avoid the hassle they could face by having their card data compromised.

But, the risks don't end there. Companies that don’t meet the PCI Compliance requirements could also face compromise fines and fraud costs. Ultimately, merchants should view PCI DSS compliance as an insurance policy, protecting them from the financial costs of failing to secure card data. This can be an advantage for companies; working towards compliance will help them improve their processes and operate more securely.

It is also important to note that starting January 1, 2012, PCI DSS Version 2.0 will be enforced. While the changes to the standard weren’t major, they are expected to have a substantial impact on the card data industry.

01/02/2012

Element is Named the Best Channel Vendor by Business Solutions Magazine for the Third Year in a Row

2010, 2011 and now 2012. For the third year in a row, Element Payment Services has been selected by Business Solutions magazine as one of the Best Channel Vendors. Value Added Resellers (VARs) and Independent Software Providers (ISVs) who participated in the Business Solutions annual survey ranked Element as a top payment processor for its innovative and reliable technologies, and its service and support.

Being honored for this award actually marks the fifth award in a row for Element Payment Services from Business Solutions magazine. In addition to the Best Channel Vendors, Element has also received the Best Channel Product 2010 and 2011 awards.

Receiving the Best Channel Vendor award is a direct product of Element and the dedicated team, working to achieve their mission to reduce the burden of PA-DSS and PCI DSS compliance requirements for their software providers and customers, while providing the best possible service. Element works to develop and provide technologies that enable its partners to stay ahead of the payment industry’s security requirements and offer best-in-class solutions to their customers.

Business Solutions magazine partnered with Penn State University to conduct the survey and analyze the results. The web-based survey of nearly 4,300 of the most active VAR subscribers drew nearly 11,000 votes, continuing the tradition of this being one of the largest surveys of its kind, across categories that included service/support, features, innovation and reliability. Once the votes were analyzed and compiled, the top vendors were named the 2012 Best Channel Vendors. Of all vendors included, only the top five percent were honored with this award, making this an exclusive list of winners, of which Element is one.

Element Payment Services is recognized for its 2012 Best Channel Vendor award in the January 2012 issue of Business Solutions Magazine, as well as on the BSMinfo.com Best Channel Vendors Feature page, year-round.

For more information on Element and their award winning payment processing solutions, contact us today.

12/28/2011

Part 2 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips five through eight

5. I heard that PCI DSS is too hard

Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without a large security or IT department. However, the PCI DSS standard mostly calls for good, basic security practices. Even if there was no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect their customers’ sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security and PCI DSS compliance.

When people say PCI DSS is too hard, in many cases the complaints are in fact about cost. However, the business risks and ultimate costs of non-compliance, including fines, legal fees and especially lost business, can vastly outweigh any PCI DSS implementation costs. Implementing PCI DSS should be part of a sound, basic security strategy. This holiday season, ensure that your business meets the PCI DSS compliance standard by making compliance part of your ongoing business plan and budget.

6. What are the penalties for noncompliance with the PCI requirements?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. This PCI compliance fine can then be passed on downstream until it eventually hits the merchant. The acquiring bank may then also either terminate the merchant relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic, especially to a small business. This holiday season, make sure you are familiar with your merchant account agreement, which should outline your exposure.

7. If I’m running a business from my home, am I a serious target for hackers?

Yes, home users are arguably the most vulnerable, as they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users and exploit their 'always on' broadband connections and typical home-use programs such as chat, Internet games and file sharing applications. This holiday season, make sure you identify and fix any security vulnerabilities on your desktop or laptop computers.

8. What information should I routinely check to spot a fraudulent card?

  • Check the Expiration Date: The card is valid through the last day of the month shown. Do not accept an expired card.
  • Check the Valid Date: Some cards have this feature, in which the card is not valid until the date shown. Do not accept a card that is not yet valid.
  • Check the Four Digits: The first four digits of the embossed card number must match the four digits pre-printed above or below that number.


12/16/2011

12 Holiday PCI Compliance Tips Questions and Advice and Security Best Practices to Get You Ready for the New Year

Part 1 – PCI compliance FAQs one through four

1. To whom does PCI apply?

PCI compliance applies to any organization or merchant, regardless of the size or the number of transactions that are accepted, transmitted or stored. Essentially, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

2. Is PCI DSS compliance just an IT project?

The IT staff implements the technical and operational aspects of PCI-related systems, but compliance with the payment brands’ programs is much more than a “project” with a beginning and an end. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise can be more than just financial; they can be reputational as well, affecting the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment processing workflow.

3. Myth: PCI DSS is unreasonable; it requires too much

Most aspects of the PCI DSS are already common security best practices. The standard also permits the use of compensating controls to meet most of the PCI DSS requirements. The PCI DSS standard provides significant detail, which benefits merchants and processors. This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.

4. What is an easy step my business can take to achieve PCI Compliance?

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope. This means eliminating cardholder data from the business unless it is absolutely required. The less sensitive cardholder data you have in your business, the less you have to control and the easier achieving PCI compliance becomes.


11/15/2011

11 Terms Everyone in the Payment Card Industry Must Know

No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, this doesn’t mean that everyone knows exactly what the words or letters mean. While learning all of these terms won’t necessarily make you a payment card industry expert, they can help you familiarize yourself with the field, so you can better understand what is being discussed and how it may impact you and your business.

Here are 11 payment card industry terms that everyone should know:

1. Acquirer: An acquirer is an organization licensed as a member of Visa/MasterCard as an affiliated bank or bank/processor alliance that is in the business of processing credit card transactions for businesses (acceptors) and is always acquiring new merchants.

2. Encryption: This is the process of converting information into an unintelligible form using a specific cryptographic key. Encryption protects valuable card data against unauthorized disclosure from the moment it is encrypted until it is decrypted. This helps make the card information essentially useless to anyone who intercepts it while in transit.

3. Interchange Fee: This is a fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction.

4. Merchant Identification Number (MID): This number is generated by a processor/acquirer and is specific to each individual merchant location. This number helps to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, end-of-month processing fees, and more.

5. Payment Application Data Security Standards (PA-DSS): This standard, formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the PCI SSC, which was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data.

6. PCI: This is the acronym for the Payment Card Industry.

7. Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS is an information security standard for organizations that handle cardholder information for the major debit, credit and point of service cards. The PCI DSS standard includes requirements for security management, policies and procedures.

8. PCI Compliance: PCI Compliance refers to the industry-mandated security standards (PCI DSS and PA-DSS) that apply to all businesses that handle, process or store credit or debit cards. Businesses must meet the requirements set out in the standards in order to be deemed PCI compliant.

9. PCI Compliance Level: All merchants fall under four categories of PCI compliance (Level 1, Level 2, Level 3 and Level 4), depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Each merchant must meet the compliance requirements for their PCI compliance level.

10. Point-to-point Encryption: Point-to-point encryption (P2PE) ensures cardholder data is protected from the card swipe all the way through to the processing banks. The valuable cardholder data is encrypted before the electronic payment transaction is performed, making it useless to a potential thief.

11. Point of Sale (POS): A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder's signature is obtained as a safeguard for the transaction. This is the most secure form of credit card commerce.

To learn more about PCI Compliance, the payment security industry and how it can affect your business, contact Element Payment Services today.


07/19/2011

Element’s Hosted Payments: Taking ISVs out of PCI Scope

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments removes Integrated Software Vendors’ (ISVs’) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method for Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, while preserving the benefits associated with integrated payments. The process shifts the responsibility for handling sensitive cardholder data over to Element's PCI DSS compliant Express Processing Platform. By shifting the entry point and storage location of sensitive card data, ISVs also avoid the hassle and costs associated with compliance, as well as compliance audits.

The PCI DSS applies specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are removed from PCI scope and compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but also through Hosted Payment's integration with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

05/10/2011

Save The Date for The 2011 PCI SSC North American Community Meeting

Don’t forget to put it on your calendar! The 2011 PCI Security Standards Council North American Community Meeting is coming up on September 20-22, 2011 in Scottsdale, Arizona at the Westin Kierland Resort, Spa and Villas.

The PCI SSC annual community meeting is a great opportunity to get the latest news and updates on the card data security industry from the experts. Each meeting brings together global leaders from across the payment chain to share insight and feedback on their experiences in protecting payment card data. With so many people implementing or helping to implement the latest PCI DSS and PA-DSS mandates, the PCI community meeting is an ideal forum to learn and share what has worked for you and to have your voice heard on what the PCI Council should consider in future revisions.

Join leaders from across the security, payments, finance, retail and technology fields at this two-day meeting filled with networking opportunities and informative sessions led by PCI Council and industry experts.

Each of the meeting’s sessions provides extensive opportunities for questions and answers with representatives from each of the payment brands. This meeting also offers an exclusive opportunity for Participating Organizations (POs), Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), PIN Transaction Security (PTS) product providers and Payment Application QSAs (PA-QSAs) to come together and gain the latest insight into current and future Council programs and resources.

Also be sure to come see Element, as we will be in attendance as an exhibiting member company in the Vendor Showcase.

If you aren’t yet registered for this industry event, register now to save your spot.

04/14/2011

No Sign of Data Breach Costs Leveling Off According to Reports

Data breaches continue to be a problem, and a costly one for many organizations. According to a report by Symantec Corp and the Ponemon Institute, the average organizational cost of a data breach increased to $7.2 million, and breaches cost companies an average of $214 per compromised record in 2010. Both of these numbers are up compared to 2009, when the average cost per compromised record was $204. Regulators are working to crack down on non-compliant organizations and are encouraging them to implement the required data security controls. The alternative? Pay harsher fines.

There are a number of issues that companies face when trying to effectively and properly protect cardholder data. Malicious or criminal attacks are the most expensive and are on the rise. The study showed that 31 percent of all cases in 2010 involved a malicious or criminal act, at an average cost of $318 per record. However, even though criminal attacks are expensive, negligence remains the most common threat companies face. The share of breaches caused by negligence increased to 41 percent, showing the ongoing challenge of ensuring that employees and partners comply with security policies.

Companies are putting a number of preventative measures in place, from training and awareness programs to encryption technologies. Employee training consists of educating employees on information protection policies and procedures, which then makes the employees accountable. Other data protection processes being implemented include proactively encrypting laptops to minimize the consequences of a lost device and integrating information protection practices into companies’ business processes. Companies are also deploying data loss prevention technologies, which help them achieve compliance with industry standards such as the PCI DSS. Achieving PCI compliance has become a greater focus during the past few years. Part of this increased focus is due to enforcement of these security standards, but the other part is that these standards and technologies have proven effective against data theft and hackers.

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data by driving education and awareness of the PCI DSS and PA-DSS, as well as through its efforts to gain industry-wide adoption of the standards. Companies are now being held responsible for their own PCI compliance, and those not achieving compliance are receiving fines. As the report shows, these fines are increasing when data breaches occur.

As more companies implement the card data security standards and take the necessary steps to achieve PCI compliance, these efforts will increasingly prove effective at limiting hackers’ access to card data.

Though the costs that companies face for data breaches continue to climb, the hope is that enforcement of the data security standards will encourage companies to achieve PCI compliance and protect their customers’ valuable card data. The more companies that achieve compliance with the PCI DSS requirements, the fewer targets will be available to hackers, which will help decrease the number of data breaches industry wide.

For more information on Element’s PCI compliance solutions, view our PCI Compliance Guide or contact us.

01/04/2011

How Do you Think PCI DSS and PA-DSS Version 2.0 Will Impact Merchants and Software Vendors in 2011?

With the start of 2011 comes the start of the transition to version 2.0 of the PCI DSS and PA-DSS. As of January 1, 2011, the updated versions of the standards became effective. Companies have until December 31, 2011 to meet the requirements for validation against the updated versions of PCI DSS and PA-DSS, though the PCI SSC encourages them to update as soon as possible. From January 1, 2012, all assessments must be under version 2.0.

Version 2.0 does not introduce any new major requirements. The majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants. Key revisions serve to reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides; promote more effective log management in securing cardholder data; allow organizations to adopt a risk-based approach to assessing and prioritizing vulnerabilities that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts.

As the industry transitions toward version 2.0 of both the PCI DSS and PA-DSS, we wanted to ask how you think these updated versions of the standards will impact merchants and software vendors. Will we see changes in the industry? Who will see the biggest impact?

Tell us what you think by commenting below, and you’ll be eligible to receive a copy of PCI DSS: A Pocket Guide.


12/21/2010

All I want for Christmas is to be PCI Compliant

The countdown continues, as January 1, 2011 quickly approaches. This is when version 2.0 of the PCI DSS and PA-DSS become effective, though validation against the previous version of the standard (1.2.1) is allowed until December 31, 2011. Companies have been taking the proper steps to become PCI compliant as the date nears, because the transition to version 2.0 will be a point of emphasis for 2011. Even though validation against the previous version of the standard will be allowed until December 31, 2011, the PCI SSC encourages organizations to transition to the updated version as soon as possible. From January 1, 2012 on, all assessments must be under the version 2.0 standards.

Though the holiday season is a time to celebrate and spend time with loved ones, it is also a busy time of the year for merchants. Billions of dollars are spent as shoppers gather gifts and other holiday items in stores or online. Though this type of spending is great for businesses, it is also a very attractive target for attackers looking to steal valuable card data. Do you know if your company is safe? With potentially thousands of credit cards at risk, knowing you are protected is important.

Surely you are aware of the industry standard for credit card compliance that the PCI Security Standards Council put forth. Companies that have not met PCI compliance requirements have already faced fines or worse, the loss of the ability to process credit cards. These penalties can be devastating to companies.

Make sure your company is PCI compliant for the holidays. This can be the difference between a holiday season of cheer and one of security challenges. If you have any questions about what your company needs to do as the deadline for version 2.0 nears, or just want to make sure that your credit card data is protected, please feel free to contact us.
