PCI Compliance

01/26/2012

Durbin Amendment Updates – How has the Industry Responded?

The Federal Reserve issued its final rulings on the controversial Durbin Amendment in June 2011, capping processing fees on debit and credit card transactions. The impacts of the amendment are now being seen and felt by banks and merchants, and even down to consumers.

The Durbin Amendment was meant to protect merchants and consumers; in practice, however, the amendment is protecting the banks, resulting in increased costs for merchants and consumers.

The intention of the reform was to regulate the processing fees paid by merchants, but some merchants have actually seen increases in their debit card transaction fees. Most notable was Redbox, a DVD rental vendor that completes transactions only through debit and credit cards, which had to raise its rental price 20%, from $1.00 to $1.20, to compensate for the added fees. Chief Executive Paul Davis was quoted as saying that the price increase stems from operational costs, mainly debit-card interchange fees.

Concurrently, the banks now report collecting less money through processing fees, which has led them to end debit card rewards programs and add fees to checking accounts, ultimately costing consumers more to bank with them.

The domino effect of the Durbin Amendment continues to roll along and, unfortunately, the amendment continues to stir up questions and concern as consumers and banks go head-to-head. In November 2011 consumers fought the banks over proposed monthly debit card fees and ultimately won: banks decided not to institute monthly fees for the use of debit cards.

Consumers, merchants and banks will continue to encounter the waves from the Durbin Amendment tsunami, working toward a reasonable solution. Only time will tell.

 

Future implications of the Durbin Amendment

April 1st, 2012 – Two-network minimum requirement for issuers goes into effect.

April 1st, 2013 – Two-network minimum requirement for prepaid debit and benefit cards goes into effect.

The requirement for issuers to partner with two networks creates a two-tier pricing system that some networks may have difficulty navigating. A network can no longer partner only with Visa, which has agreed to honor the cap exemptions; it must choose a second vendor, and there is no guarantee of protection.

The Durbin Amendment has created questions and concerns throughout the industry, with business owners wondering what impact the Amendment will have on their business. Payment processing technology is key to keeping up with the ever-changing industry. Let the experts at Element Payment Services make sure you are ahead of the curve and help you better understand the Durbin Amendment and its potential impact by contacting us today.

 

Infographic Provided By: http://www.nerdwallet.com/infographics/durbin-timeline

01/10/2012

Part 3 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips nine through twelve

9. What are some signs of suspicious behavior that may indicate fraud during card present transactions?

  • The customer appears nervous or overly talkative
  • The customer questions the sales clerk about the floor limit, and then makes several separate purchases that approach, but do not exceed, the floor limit
  • The card is produced from a pocket, not a wallet
  • The customer signs the sales draft in a deliberate or unnatural manner

10. Educate your Employees on PCI Compliance

There is a wealth of educational materials and seminars dedicated to PCI compliance. For some, however, successfully digesting and understanding all of that information, not to mention your company’s own general security processes, can be difficult. Educating your employees is therefore an important step toward improving the payment processing security of your company and your customers. Continued education helps ensure that all employees are up to date on the latest changes in the security standards and the steps they require.

11. Secure your Paper Trail to Avoid Theft

Believe it or not, dumpster diving for discarded receipts or documents that contain credit card information still happens. There are several steps you can take to keep your business and customers from being victimized by this practice. It is always a best practice to ensure that no receipt carries a complete credit card number. That way, if a receipt is lost, thrown away or stolen, the card number on the account is not at risk.

12. What’s the big hurry for becoming PCI compliant?

It is important for companies to achieve PCI compliance on a number of levels. For starters, becoming PCI compliant helps protect your customers’ valuable card data from theft. Ensuring your customers’ safety helps build their trust and confidence, and spares them the hassle they would face if their card data were compromised.

But the risks don’t end there. Companies that don’t meet the PCI compliance requirements could also face fines and fraud costs in the event of a compromise. Ultimately, merchants should view PCI DSS compliance as an insurance policy, protecting them from the financial costs of failing to secure card data. This can be an advantage for companies: working toward compliance helps them improve their processes and operate more securely.

It is also important to note that starting January 1, 2012, PCI DSS Version 2.0 will be enforced. While the changes to the standard weren’t major, they are hoped to have a substantial impact on the card data industry.

01/02/2012

Element is Named the Best Channel Vendor by Business Solutions Magazine for the Third Year in a Row

2010, 2011 and now 2012. For the third year in a row, Element Payment Services has been selected by Business Solutions magazine as one of the Best Channel Vendors. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) who participated in Business Solutions' annual survey ranked Element as a top payment processor for its innovative and reliable technologies and its service and support.

This honor marks the fifth award in a row for Element Payment Services from Business Solutions magazine. In addition to the Best Channel Vendor awards, Element has also received the Best Channel Product award in 2010 and 2011.

Receiving the Best Channel Vendor award is a direct product of Element and its dedicated team working toward their mission: to reduce the burden of PA-DSS and PCI DSS compliance requirements for their software providers and customers while providing the best possible service. Element works to develop and provide technologies that enable its partners to stay ahead of the payment industry’s security requirements and offer best-in-class solutions to their customers.

Business Solutions magazine partnered with Penn State University to conduct the survey and analyze the results. The web-based survey of nearly 4,300 of the most active VAR subscribers drew nearly 11,000 votes across categories that included service/support, features, innovation and reliability, continuing its tradition as one of the largest surveys of its kind. Once the votes were analyzed and compiled, the top vendors were named the 2012 Best Channel Vendors. Of all vendors included, only the top five percent were honored with this award, making this an exclusive list of winners, of which Element is one.

Element Payment Services is recognized for its 2012 Best Channel Vendor award in the January 2012 issue of Business Solutions Magazine, as well as on the BSMinfo.com Best Channel Vendors Feature page, year-round.

For more information on Element and its award-winning payment processing solutions, contact us today.

12/28/2011

Part 2 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips five through eight

5. I heard that PCI DSS is too hard

Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without a large security or IT department. However, the PCI DSS standard mostly calls for good, basic security practices. Even if there were no requirement for PCI compliance, the security best practices contained in the standard are steps that every business would want to take anyway to protect its customers’ sensitive data and its continuity of operations. There are many products and services available to help meet the requirements for security and PCI DSS compliance.

When people say PCI DSS is too hard, in many cases the complaint is really about cost. However, the business risks and ultimate costs of non-compliance, including fines, legal fees and especially lost business, can vastly outweigh any PCI DSS implementation costs. Implementing PCI DSS should be part of a sound, basic security strategy. This holiday season, ensure that your business meets the PCI DSS standard by making compliance part of your ongoing business plan and budget.

6. What are the penalties for noncompliance with the PCI requirements?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. This fine can then be passed downstream until it eventually hits the merchant. The acquiring bank may also terminate the merchant relationship or increase transaction fees. Penalties are not openly discussed or widely publicized, but they can be catastrophic, especially for a small business. This holiday season, make sure you are familiar with your merchant account agreement, which should outline your exposure.

7. If I’m running a business from my home, am I a serious target for hackers?

Yes. Home users are arguably the most vulnerable, as they are usually not well protected. Following a 'path of least resistance' model, intruders often zero in on home users and exploit their 'always on' broadband connections and typical home programs such as chat, Internet games and file sharing applications. This holiday season, make sure you identify and fix any security vulnerabilities on your desktop and laptop computers.

8. What information should I routinely check to spot a fraudulent card?

  • Check the Expiration Date: The card is valid through the last day of the month shown. Do not accept an expired card.
  • Check the Valid Date: Some cards have this feature, in which the card is not valid until the date shown. Do not accept a card that is not yet valid.
  • Check the Four Digits: The first four digits of the embossed card number must match the four digits pre-printed above or below that number.

 

12/16/2011

12 Holiday PCI Compliance Tips Questions and Advice and Security Best Practices to Get You Ready for the New Year

Part 1 – PCI compliance FAQs one through four

1. To whom does PCI apply?

PCI compliance applies to any organization or merchant, regardless of size or the number of transactions it accepts, transmits or stores. Essentially, if any customer of that organization ever pays the merchant directly using a credit or debit card, then the PCI DSS requirements apply.

2. Is PCI DSS compliance just an IT project?

The IT staff implements the technical and operational aspects of PCI-related systems, but compliance with the payment brands’ programs is much more than a “project” with a beginning and an end. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of a compromise can be more than financial; they can be reputational as well, affecting the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment processing workflow.

3. Myth: PCI DSS is unreasonable; it requires too much

Most aspects of the PCI DSS are already common security best practice. The standard also permits the use of compensating controls to meet most of its requirements. The PCI DSS provides significant detail, which benefits merchants and processors. This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.

4. What is an easy step my business can take to achieve PCI Compliance?

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope. This means eliminating cardholder data from the business unless it is absolutely required. The less sensitive cardholder data you hold, the less you have to control, and the easier achieving PCI compliance becomes.

 

11/30/2011

PCI DSS Version 2.0 to be Enforced Soon – Are you ready?

In 2010 the PCI Security Standards Council released version 2.0 of the PCI DSS and PA-DSS, updating the standards to help merchants better protect sensitive cardholder information on their networks. Though the changes made in Version 2.0 were not substantial, they were hoped to have a major impact on the card data industry. The updated standards were released in the fall of 2010 and became effective on January 1, 2011; however, validation against the updated versions of PCI DSS and PA-DSS will not be enforced until January 1, 2012.

So the question is, come January 1, 2012, will you be ready?

The majority of the changes made in version 2.0 were modifications to language that clarified the meaning of the PCI requirements, making understanding and adoption easier for both merchants and software providers. The changes ultimately reinforced the need for thorough scoping prior to an assessment and promoted more effective log management. Other changes broadened the validation requirements for assessing vulnerabilities in a merchant environment, giving merchants the ability to use industry best practices to rank those vulnerabilities by risk.

PCI compliance has been a popular topic of conversation during 2011, but now is the time for businesses to make sure they are ready to meet the PCI compliance requirements that have been put in place. This past year has given merchants and software providers alike the opportunity to meet these new requirements and achieve PCI compliance. Come the start of the year, it will become clear who is meeting the new requirements and who is not.

Download the PCI DSS Version 2.0 from the PCI SSC today and see if your business is ready. You can also contact Element to make sure that you are taking the proper steps to meet these new compliance requirements.

 

11/15/2011

11 Terms Everyone in the Payment Card Industry Must Know

No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, that doesn’t mean everyone knows exactly what the words or letters mean. While learning these terms won’t necessarily make you a payment card industry expert, they can help you better understand what is being discussed and how it may impact you and your business.

Here are 11 payment card industry terms that everyone should know:

1. Acquirer: An acquirer is an organization licensed as a member of Visa/MasterCard, as an affiliated bank or a bank/processor alliance, that is in the business of processing credit card transactions for businesses (acceptors) and is continually acquiring new merchants.

2. Encryption: This is the process of converting information into an unintelligible form using a specific cryptographic key. Encryption protects valuable card data against unauthorized disclosure from the moment it is encrypted until it is decrypted. This makes the card information essentially useless to anyone who intercepts it while in transit.

3. Interchange Fee: This is a fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction.

4. Merchant Identification Number (MID): This number is generated by a processor/acquirer and is specific to each individual merchant location. This number helps to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, end-of-month processing fees, and more.

5. Payment Application Data Security Standards (PA-DSS): This standard, formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the PCI SSC, which was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data.

6. PCI: This is the acronym for the Payment Card Industry.

7. Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS is an information security standard for organizations that handle cardholder information for the major debit, credit and point of service cards. The PCI DSS standard includes requirements for security management, policies and procedures.

8. PCI Compliance: PCI Compliance refers to the industry-mandated security standards (PCI DSS and PA-DSS) that apply to all businesses that handle, process or store credit or debit card data. Businesses must meet the requirements of the standards in order to be deemed PCI compliant.

9. PCI Compliance Level: All merchants fall under four categories of PCI compliance (Level 1, Level 2, Level 3 and Level 4), depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Each merchant must meet the compliance requirements for their PCI compliance level.

10. Point-to-point Encryption: Point-to-point encryption (P2PE) ensures cardholder data is protected from the card swipe all the way through to the processing banks. The cardholder data is encrypted before the electronic payment transaction is performed, making it useless to a potential thief.

11. Point of Sale (POS): A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder's signature is obtained as a safeguard for the transaction. This is the most secure form of credit card commerce.

To learn more about PCI compliance, the payment security industry and how it can affect your business, contact Element Payment Services today.

 

11/08/2011

Visa Releases PCI Compliance Level Stats – Results are Up and Down

On June 30 of this summer, Visa made merchants’ compliance statistics public, detailing PCI compliance figures for those working to achieve Level 1, Level 2 and Level 3 compliance. On Monday, October 31, 2011, the card brand released its most recent compliance numbers. The results were mixed, with a positive trend for Level 1 merchants but an overall decrease for Level 2 and Level 3 compliance. It should be noted that the card brand has continued its practice of not reporting compliance numbers for Level 4, announcing only that Level 4 compliance for this reporting period is “moderate.”

Each PCI compliance level is determined by the number of transactions a merchant processes each year, as well as whether the transactions occur online, in a brick and mortar location or a combination of both. Level 1 merchants process more than six million Visa transactions a year; Level 2 merchants process one to six million transactions a year; Level 3 merchants handle 20,000 to one million online Visa transactions a year; and Level 4 merchants process fewer than one million Visa transactions per year.

The statistics were positive for Level 1 merchants, with a 98 percent compliance rate reported, up from the 97 percent compliance rate announced in June 2011. These numbers were based on 407 retailers, an increase from the 377 retailers included earlier this year.

The PCI compliance numbers for Level 2 and Level 3 merchants weren’t quite as encouraging. Level 2 merchants dropped from 96 percent compliance to 91 percent. More Level 2 merchants were counted in this report, 1,060 compared to 881 in the summer report, which may have contributed to the decline. Level 3 merchants declined from 60 percent in June 2011 to 57 percent in October 2011. The number of Level 3 merchants reported is the largest of the three groups, at 3,049, up 25 from the last reporting period. Compared to the other PCI compliance levels these numbers may be alarming, though Level 3 merchants tend to be new entrants who start from a relatively low level of PCI DSS compliance, which contributes to these percentages.

As the card security industry continues to push the need to achieve PCI compliance, it is somewhat concerning that the numbers overall are in decline, as one would expect every group to show steady signs of improvement. There are still details that Visa is not reporting which could explain the decrease, so many are left speculating about the exact causes.

For more information on how you can help your business achieve its PCI compliance level, download our PCI compliance guide.

11/01/2011

Element Selected to be Listed in the 2011 Tech 200 by Lead411

Element Payment Services was recently selected by Lead411 as one of the fastest growing technology firms of 2011. Element joins a number of other great firms on this year’s Tech 200 list.

Selection to the Tech 200 by Lead411 is always fiercely competitive, and 2011 was no different. The final 200 were selected and ranked by the highest percentage of revenue growth from 2008 to 2010 among the privately-held businesses that applied. What makes 2011’s list different from years past is that it consists of only 200 companies, whereas in previous years the top 500 companies were selected.

In addition to looking at revenue growth, companies who took part in the Tech 200 application process were also asked to answer a survey about their marketing spend, ROI and overall outlook for the future. Their answers are indicative of the community at large, if not the greater business climate.

More than half of the applicants no longer use traditional advertising (print ads and direct marketing), which speaks volumes about where marketing is headed. The largest share put money into trade shows as a marketing tool (25%). A number of these successful startups also got where they are without taking on investors: a full 60.2% of applicants have never received funding for their businesses, and 84% consider themselves profitable.

As for the future, 71.5% of the companies on the Tech 200 think things are going to get better soon.

It is an honor for Element Payment Services to be selected for this competitive list, joining many other great technology companies. Being on this list is a product of the work and commitment that Element and its employees have put toward their mission: to help merchants and software providers ease PCI compliance with fully integrated payment processing solutions.

Find Element and the rest of the companies on the Tech 200 list here.

 

09/05/2011

Data Breaches May Cost Companies More Than They Realize

Companies large and small can face severe, business-threatening costs and fees from a data breach. The U.S. National Archives & Records Administration reports that 50 percent of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately (pcicompliance.org). This statistic may seem alarming if one believes that data breaches are one-dimensional, affecting only a single aspect of a business. Unfortunately, that is not reality. A data breach, whether malicious or unintentional, can spread its fury across the board.

Dr. Larry Ponemon of the Ponemon Institute, an independent research firm on privacy, data protection and information security policy, explains the magnitude of a data breach: “It’s not only direct costs of a data breach, such as notification and legal defense costs, that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn.” Many CEOs and business owners are unaware of the ultimate costs of a security breach until it’s too late.

The Ponemon Institute released its sixth annual study on data breach costs in the U.S. and reported that the average cost of a data breach to companies has risen to $214 per compromised record, compared to $204 in 2009, while the average overall organizational cost increased to $7.2 million. The study also points out that the need to respond quickly to a data breach drives costs up: “We’ve seen companies that quickly respond to data breaches pay more than companies that take longer.” Unavoidably, companies feel pressure to act quickly because of regulations like HIPAA, the HITECH Act and state data breach notification laws that require breaches to be announced within a certain amount of time. (Ponemon Institute)

2010 saw an increase in malicious attacks, which accounted for about 31 percent of the data breaches studied, up from 24 percent in 2009 and 12 percent in 2008. Malicious attacks range from data-stealing malware to social engineering and can originate from within an organization or from an external source. They can be more costly because of the attacker’s intent: attackers are usually out to monetize the breach and profit from it. These attacks are usually harder to detect, the investigation is more intensive, and they are usually harder to contain and correct.

The high-profile data breaches exposed in the past few years have helped bring attention to the seriousness of data security. Companies are investing more in security by following PCI compliance guides and increasing their resources for prevention and detection. Consequently, breaches due to system failures, lost or stolen devices and third-party mistakes have decreased.

Ensuring data security is the only way to avoid data breaches and the costly fees associated with them. Many resources are available to help companies choose the best PCI compliant payment solution for their business.

Contact Element today for more information on data security and PCI compliance.

 
