Payment Processing


Visa Releases PCI Compliance Level Stats – Results are Up and Down

New_visa_big_logoOn June 30 of this summer, Visa made compliance statistics of merchants’ public, detailing PCI Compliance figures for those working to achieve Level 1, Level 2 and Level 3 compliance. On Monday, October 31, 2011, the card brand released the most recent compliance numbers. The released results were mixed, with a positive trend for Level 1 merchants, but with an overall decrease for Level 2 and Level 3 compliance. It should be noted that the card brand has continued its practice of not reporting compliance numbers for Level 4 compliance, rather just announcing for this reporting period that Level 4 compliance is “moderate.”

Each PCI Compliance level is determined by the number of transactions that a merchant processes each year, as well as whether the transactions occur online, in a brick and mortar location or a combination of both. For Level 1 merchants more than six million Visa transactions must be processed a year; Level 2 merchants process from one to six million transactions a year; Level 3 merchants handle 20,000 to one million online Visa transactions a year; and Level 4 merchants process less than a one million Visa transactions per year.

The statistics were positive for Level 1 merchants, as a 98 percent compliance rate was reported. This number was up from the 97 percent compliance rate that was announced earlier in June 2011. These numbers were based on 407 retailers, which was also an increase compared to earlier this year when only 377 retailers were included in the reporting.

The PCI compliance numbers for Level 2s and Level 3s weren’t quite as encouraging. Level 2 merchants dropped from 96 percent compliance down to 91 percent. There were more Level 2 merchants accounted for in this report, with 1,060 compared to 881 in the summer report, which may have attributed to the decline in this case. Level 3 merchants saw a decline from 60 percent to 57 percent from October 2011 to June 2011 respectively. The number of Level 3 merchants being reported is the largest of the three groups, with 3,049 merchants, up 25 from the last reporting period. Compared to the other PCI compliance levels, these numbers may be alarming, though Level 3 tend to be new entry merchants, starting with a relatively low level of PCI DSS compliance, attributing to these percentages.

As the card security industry continues to push the need to achieve PCI compliance, it is somewhat concerning that the numbers overall are in a decline, as it would be expected that numbers in any group would show steady signs of improvement. There are still details that Visa is not reporting on, which could allude to the compliance decrease, though many are left speculating what exact causes can be pointed to.

For more information on how you can help your business achieve you PCI Compliance Level download our PCI compliance guide.


What do you Really Know About Tokenization? Released Tokenization Guidelines Help Explain.

PCI-SSC-LogoAt times, there can be confusion in the industry surrounding tokenization, a process designed by technology providers, as a means to secure cardholder data while providing merchants with the functionality needed to run their businesses. Last week, the PCI SSC tried to clarify any questions surrounding this technology with the scheduled release of the PCI Data Security Standard (PCI DSS) tokenization guideline. The guidelines are designed to provide merchants with a better understanding of how they can incorporate tokenization into their card payment security strategy, as well as how their efforts relate to, and impact compliance with the PCI DSS.

At its simplest level, tokenization technology replaces a primary account number at the point of sale with a surrogate value called a “token” to improve data security. Subsequently, if tokenization is used properly, a merchant would not need to retain the primary account number in the payments system used at the business once the transaction is processed. This results in a minimized amount of data a business would need to keep on hand, ultimately bolstering the security of credit card transactions, while limiting the cost and complexity of meeting compliance requirements at the same time.

Unlike several of the other well-known technologies in the industry, tokenization does not have standards. So while the technology provides a great level of value, some merchants still need help knowing the best practices on how to incorporate tokenization so it works most optimally for their business and their customers. It is important to understand that tokenization is not an alternative to the standards, as merchants still have to comply with the PCI DSS.

The tokenization guidelines released by the PCI SSC should help merchants understand the options surrounding the technology, and how it fits their business’ needs. These guidelines will also benefit tokenization service providers and assessors, clarifying how the technology can limit or eliminate scope by transferring the responsibility of storing sensitive cardholder data away from the merchant to a payments technology provider. This is especially valuable as it also simplifies the PCI DSS assessment process by limiting the number of requirements applicable to the merchants’ environment. 

To learn more about this technology, download our tokenization white paper or contact Element today.


The Element Express Processing Platform Recognized as a 2011 Best Channel Product By Business Solutions Magazine

BCP_2011_logo_tile On August 1, 2011, Element’s Element Express Processing Platform solution was selected by Business Solutions magazine as one of 2011’s Best Channel Products. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) participating in Business Solutions' annual survey ranked the Element Express Processing Platform as a leading payment processing technology, making it one of only three solutions in this category. Being honored with the 2011 Best Channel Products award makes this the fourth consecutive award for Element Payment Services from Business Solutions magazine since the survey debuted in January 2010. Element’s past awards include Best Channel Vendor in 2010 and 2011, and the Best Channel Product in 2010 and now in 2011.

The Element Express Processing Platform is a purpose-built payment engine, architected for an evolving industry with a Service Oriented Architecture (SOA). Using Element’s Web services or XML interface, ISVs can easily integrate software applications with Express, incorporating its robust suite of PCI compliant technologies, which include point-to-point encryption (P2PE) and tokenization.  ISVs and merchants have long relied on Express to deliver innovation, reliability and simplified payment processing.

Business Solutions magazine partnered with Penn State University to conduct and analyze the survey of its subscribers. As part of the Web-based survey, VARs/ISVs were asked to rate a product’s richness of features/functionality, product reliability/durability, ease of integration, ease of upgrading and the VAR’s/ISV’s ability to service. The 2011 Best Channel Products recognition was given only to the top few vendors who scored highest in the product categories. This is a new format from years past where many products were selected for each category, making this award even more competitive.

1,490 VARs/ISVs participated in the survey, casting a total of 11,711 votes, making it one of the largest surveys of its kind, especially at this level of detail.

Receiving its fourth straight award from Business Solutions magazine is representative of Element’s dedication and commitment to providing its software partners and their customers with solutions that help reduce risk, liability, and cost, while easing the burden of PCI compliance. 

Contact us today for more information on the Element Express Processing Platform solution and how Element can help your business. 


Fed Announces Final Durbin Amendment Rule – TSG Analysis

Durbin-amendment-rulling The Federal Reserve announced their final ruling on debit card interchange fees and routing. The finalized rules affect all banks issuing debit cards, pre-paid cards, and payment card networks, as well as merchants who process debit and prepaid card transactions. However, small issuers (banks and networks under $10 billion in assets), government programs and gift cards are exempt form the ruling.

Throughout the years merchants have become increasingly restless over the rising debit card transaction fees and regulations. According to the 2009 Nilson Report, $1.21 trillion in purchases were paid for by debit cards and processed through Visa and MasterCard networks, which generated $19.7 billion in fees paid to debit card issuing banks by merchants. The Durbin Amendment fought to cap these fees and regulate the control that banks and networks have over debit card transactions. 

The Durbin Amendment is a component of the Dodd-Frank Wall Street Reform and Protection Act sponsored by Senator Richard Durbin (D-Ill.). The Amendment was successfully passed to cap debit card fees for merchants. This victory for merchants offers some relief from high fees and creates a competitive market, allowing merchants to shop around for lower transaction prices.

The final ruling on debit interchanges implements a base fee cap of $.21 with an allowance of $.05 to account for fraud protection costs. An additional proposed rule is in discussion that allows banks to charge an additional $.01 per transaction if they meet specific fraud prevention standards.

The final limitations on payment card networks included:

  • Disallowing issuers or payment card networks the ability to restrict merchants to route debit transactions over any other network that processes such transactions.
  • Networks are not allowed to prohibit setting defaults for PINs or signatures.

In addition, networks cannot prevent merchants from offering payment by cash incentives, and networks cannot prevent merchants from imposing a $10 transaction minimum or prevent merchants from setting maximum transaction amount limits. (TSG Takeaways)

These debit interchange rules and limitations on payment card networks go into effect October 1, 2011. The official document can be found on the website.

Element Payment Services is a supportive resource for your payment processing questions. For help understanding how the Durbin Amendment affects your business, contact Element today. 


Highlights from the 2011 Electronic Transactions Association (ETA) Annual Meeting and Expo

A dialogue with Apple co-founder Steve Wozniak kicked off the 2011 ETA Annual Meeting and Expo held this year in San Diego, Calif. May 10 - 12. Wozniak explained that payment processing at Apple is not a top priority and that Apple is waiting until they can do it right – “I think they'll hold off and not make any moves until they know they can do it right” (The Green Sheet). Wozniak also discussed the future of mobile payments, suggesting that "tap-and-go technology is so compelling that it will be in everyone's hands within just a few years" (The Green Sheet). He believes that Near Field Communications (NFC) technology will be the next big thing for mobile payments.

The conference also featured keynote speaker, former Sen. Christopher Dodd, D-Mass., co-author of the Consumer Protection Act of 2010 and the Dodd-Frank Wall Street Reform. Dodd touched upon the Durbin Amendment and the looming debit interchange regulation. Dodd went on to encourage ISOs, MLSs and their partners to reach out more to their local politicians to fight against further legislation. Dodd feels that it would be easier to contact them directly, saying “I can assure you that if you were to invite your member of Congress to come to your business to learn what you do and about your issues, you'd have a lot more luck than anyone standing in the halls of Congress trying to [lobby] staffers" (The Green Sheet). However painful, regulatory and PCI compliance issues are not going away. Critical security measures are put in place to protect consumers and stay current with technology. 

Mobile payments was the hot topic for this year’s meeting, since more and more people have smart phones and are using them to shop, therefore making mobile card acceptance, couponing and security high priorities for merchants. Visa took the opportunity at the expo to announce its mobile wallet plans that feature "a range of customized mobile payments services that address the specific requirements of geographic markets around the world" (Visa). People are excited for mobile wallet solutions and it came through at the show. 

ETA 2011 had a lot of hype around a new certification program was promoted. Visa’s new Certified Payments Professional program, which had officially launched in February 2011, is designed to be the industries first professional certification process for sales agents and others engaged in the distribution of electronic payment products and services.

ETA attendees noted that this year’s show seemed to be a bit quieter, with fewer people and less industry news as compared to past expos. However, ETA contacts say that attendance and exhibitor numbers had increased. Overall, attendees reported to be pleased with the quality of the interactions and networking opportunities.  

The Electronic Transactions Association is an international trade company that represents companies who offer electronic transaction processing products and services. The ETA encourages businesses to network within the electronic payments industry through education and advocacy. The three-day meeting and expo was open to international electronic payments professionals and business owners.


CardSense™ PCI DSS Compliant Payment Technology

The release of CardSense™ has the industry buzzing about the new PCI Compliant technology that helps merchants and providers reduce credit card processing risk and fees. CardSense allows merchants to identify a customer’s card type before processing the transaction, resulting in risk mitigation, lower transaction fees, and secure handling at the point of sale.

Businesses, large and small, in industries, including lodging, rental car, retail and healthcare, can greatly benefit from pre-authorization identification of card types. CardSense™ easily provides this service without complicating or jeopardizing PCI compliance requirements. “CardSense allows customers to make informed decisions about how they accept payments,” said Sean Kramer, president and CEO at Element Payment Services. “As a result, customers will be able to more effectively manage processing expenses, which will improve overall operational costs.”

Earlier this year, Bluebird Auto Rental Systems (BARS), a leading provider of enterprise management software for the auto rental industry, effortlessly integrated CardSense™ into their RentWorks application. “CardSense was an anxiously awaited addition to RentWorks, and customer adoption of the technology has exceeded our expectations,” says Angela Margolit, president at BARS.


CardSense™ works by evaluating Bank Identification Numbers (BINs), a set of numbers that are issued by the credit card companies to identify the financial institution. BINs are a part of every MasterCard and Visa card number as well as account numbers to identify the type of card, i.e. credit card ranges and PIN-debit card ranges. Visa and MasterCard make these ranges available to member financial institutions in the form of BIN range tables. CardSense™ is a hosted, server-based, BIN management service allowing merchants to differentiate between credit, PIN-debit, prepaid, and FSA/HSA cards.

Adding CardSense™ to your suite of processing technologies is easy. After Independent Software Vendor’s (ISVs) business management software is incorporated with Element’s Express Processing Platform to support CardSense™, merchants simply swipe or manually run a customer transaction as usual. The business management software then allows the merchant to decide how to process the transaction: as a PIN debit, prepaid debit or a healthcare card.

CardSense™ does not require additional hardware to utilize and is designed to be fully integrated into any point-of-sale (POS) system. To get started with CardSense™, email or call an Element Payment Services customer service representative at 1.866.435.3636.


Save The Date for The 2011 PCI SSC North American Community Meeting

PCI-security-standards-meeting Don’t for get to put it on your calendar! The 2011 PCI Security Standards Council North American Community Meeting is coming up on September 20-22, 2011 in Scottsdale, Arizona at the Westin Kierland Resort, Spa and Villas.

The PCI SSC annual community meeting is a great opportunity to get the latest news and updates on the card data security industry from the experts. Each meeting brings together global leaders from across the payment chain to share insight and feedback on their experiences in protecting payment card data. With the number of people implementing or helping implement the latest PCI DSS and PA-DSS mandates, the PCI community is an ideal forum to learn and share what has worked for you and to have your voice heard on what the PCI Council should consider in future revisions. 

Join leaders from across the security, payments, finance, retail and technology fields at this two-day meeting filled with networking opportunities and informative sessions led by PCI Council and industry experts.

Each of the meeting’s sessions provides extensive opportunities for questions and answers with representatives from each of the payment brands. This meeting also offers an exclusive opportunity for Participating Organizations (PO), Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), PIN Transaction Security (PTS) produce providers and Payment Application QSAs (PA QSAs), to come together and gain the latest insight into current and future Council programs and resources.

Also be sure to come see Element, as we will be in attendance as an exhibiting member company in the Vendor Showcase.

If you aren’t yet registered for this industry event, register now, to save your spot.


PCI Compliance Going Mobile? May Need to Wait Until 2013 for an Update

PCI-compliant-mobile-phones Advancing technology has turned our cell phones into more than just a wireless communication device. Now loaded with cameras, the Internet and endless amounts of applications, our smartphones have become more of a personal computer we can hold in the palm of our hand. But with these advancements come the accompanied risks. Especially when it comes to using a phone as a payment device; a use we have seen skyrocket with the advanced abilities of the phones.

There are rumors coming from the smartphone industry, that Apple, Google and other mobile device manufacturers are advancing the payment abilities of the phones, making them into virtual wallets. While this is a beneficial function for smartphone users from a convenience standpoint, it adds a new challenge to payment security. These advancing abilities to make mobile payments has peaked the interested of the PCI SSC, as they look to secure these mobile payment systems. An initial step, taken in March 2011 by the PCI SSC, was to delist several mobile payment applications that had previously been approved as PCI compliant. This move was decided to allow the council time to work on security standards specific to the changing mobile applications, to ensure the proper requirements were put in place in order for these applications to be deemed PCI compliant. The PCI council also announced that it would no longer approve any new mobile payment applications until a new, comprehensive set of standards are in place for securing mobile payment transactions.

The PCI Council, however, does plan to issue some guidance on PCI compliance for emerging technologies over the next several months, since there are few best practices in place to protect credit card data flowing in and out of a mobile environment. Merchants can also reference guidance documents to gain data on these best practices.

The formal guidelines are scheduled to be put in place with the release of PCI Version 3.0, but this won’t be until 2013, when the PCI SSC plans to update the PCI DSS 2.0. This update version will offer more guidance and reference to emerging technologies.

The current state of the mobile payment industry makes the mobile environment vulnerable, and a prime target for cybercriminals - at least for the time being. Whereas before mobile devices were a place where valuable data may be stored, it seems these devices are becoming a location where this type of data is almost guaranteed to be stored. Consumers should be aware of these risks when using mobile devices to store sensitive data to best protect themselves against security risks. Sites that want to accept mobile payments are also exposed to compliance risks until further notice.

While technology continues to advance and trend toward a mobile platform, the PCI SSC remains active to help companies and consumers secure and protect sensitive data. While we wait for these security requirements to be put in place, it is important for those using mobile platforms to take precaution when it comes to using or sharing sensitive card data. To learn more about what you can do to protect your valuable information, contact us today or download our PCI compliance guides.


New SAQ C-VT for Merchants Using Web-Based Virtual Terminals

Computer-credit-card A new Self Assessment Questionnaire (SAQ) and Attestation of Compliance have been made available to merchants by the PCI Security Standards Council (PCI SSC). This new version, titled the SAQ C-VT, was developed for merchants that process cardholder data only through isolated virtual terminals on personal computers connected to the Internet. 

The SAQ C-VT is a trimmed down version of the SAQ C version 2.0. Rather than the SAQ C 2.0 80 requirements, the SAQ C-VT only has 51 requirements to meet to achieve compliance. In order for companies to reach PCI DSS compliance for this merchant environment, the merchant must complete the SAQ C-VT and Attestation of Compliance, then submit both items and any other requested documentation to their acquirer.

Merchants who complete the SAQ C-VT and the associated Attestation of Compliance must confirm that:

  • The company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser.
  • The company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
  • The company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.
  • The company’s computer does not have software installed that causes cardholder data to be stored.
  • The company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.
  • The company does not receive or transmit cardholder data electronically through any channels.
  • Your company retains only paper reports or paper copies of receipts. 
  • Your company does not store cardholder data in electronic format.


From the PCI SSC:

A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.


Those merchants who operate browser-based terminals should welcome this new SAQ version as it offers a questionnaire that is designed for their low volume of credit card transactions. 



End-to-End Encryption - More than Meets the Eye

We’ve been getting Credit Card Encryptionthis question a lot lately and thought posting a short explanation on our blog would be helpful to clear up the confusion around this subject.  

 Q: Why is it necessary to get a new encrypted card reader when I change payment processors?  

A: End to end encryption, defined by the author as encryption from card swipe to processor, is increasingly one of the leading methods of securing customer credit and debit cardholder data. So if you are a savvy retailer, you have likely installed an encrypted POS card reader. But end to end encryption is not just about a piece of hardware: there’s more than what meets the eye.  

How does encryption work you ask? State of the art encrypted magnetic card readers scan and encrypt cardholder information at first card swipe, prior to performing an electronic payment transaction. These sophisticated devices securely encrypt cardholder data for transport over a network rendering it unreadable and as a result valueless to data thieves who frequently attempt to intercept the data while it is in transit to the processor. 

Each encrypted card reader is injected with an encryption key, unique to the processor, to allow for the decryption of the data once securely transmitted to the processor. Since these keys are unique and cannot be shared amongst processors, merchants are required to get new hardware when switching processing providers in order to continue to process transactions using end to end encryption. 

According to the PCI Security Standards Council’s (PCI SSC) FAQ 10359, the encrypted cardholder data being transmitted is NOT equivalent to the original cardholder data in any way if the “entity (in this case the merchant) that possesses the encrypted cardholder data does not have the means to decrypt it.” And as long as the merchant doesn’t hold the encryption keys, the data may be considered out of scope of PCI DSS compliance requirements. Utilizing end-to-end encryption is one way a merchant can achieve scope reduction and simplify the process of complying with the PCI DSS. Check out our blog article to learn about an additional method of scope reduction.  

Additionally, the PCI SSC has weighed in on the importance of key management:

Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data. The DSS has specific encryption key management controls (DSS 3.5 and 3.6), however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may grant them access to Keys… Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS.

Hope that helps clear things up. Let us know if you have any other follow up questions regarding this topic!

Search Blog

Your email address:

Bookmark and Share


About PCI DSS Compliance Blog

Email Us

PCI Compliance Resources

Industry News on Twitter

Visit Element on