PCI DSS

11/08/2011

Visa Releases PCI Compliance Level Stats – Results are Up and Down

On June 30 of this summer, Visa made merchants’ compliance statistics public, detailing PCI compliance figures for those working to achieve Level 1, Level 2 and Level 3 compliance. On Monday, October 31, 2011, the card brand released the most recent compliance numbers. The results were mixed, with a positive trend for Level 1 merchants but an overall decrease for Level 2 and Level 3 compliance. It should be noted that the card brand has continued its practice of not reporting compliance numbers for Level 4, instead announcing only that Level 4 compliance for this reporting period is “moderate.”

Each PCI compliance level is determined by the number of Visa transactions a merchant processes each year, as well as whether the transactions occur online, in a brick-and-mortar location, or a combination of both. Level 1 merchants process more than six million Visa transactions a year; Level 2 merchants process from one to six million transactions a year; Level 3 merchants handle 20,000 to one million online Visa transactions a year; and Level 4 merchants process fewer than one million Visa transactions per year.

The statistics were positive for Level 1 merchants, as a 98 percent compliance rate was reported. This number was up from the 97 percent compliance rate that was announced earlier in June 2011. These numbers were based on 407 retailers, which was also an increase compared to earlier this year when only 377 retailers were included in the reporting.

The PCI compliance numbers for Level 2 and Level 3 merchants weren’t quite as encouraging. Level 2 merchants dropped from 96 percent compliance down to 91 percent. More Level 2 merchants were accounted for in this report, 1,060 compared to 881 in the summer report, which may have contributed to the decline. Level 3 merchants saw a decline from 60 percent in June 2011 to 57 percent in October 2011. The number of Level 3 merchants being reported is the largest of the three groups, at 3,049 merchants, up 25 from the last reporting period. Compared to the other PCI compliance levels these numbers may look alarming, though Level 3 merchants tend to be new entrants starting from a relatively low level of PCI DSS compliance, which contributes to these percentages.

As the card security industry continues to push the need to achieve PCI compliance, it is somewhat concerning that the numbers overall are in decline, since one would expect every group to show steady signs of improvement. There are still details that Visa is not reporting which could explain the compliance decrease, so many are left speculating about the exact causes.

For more information on how you can help your business achieve your PCI compliance level, download our PCI compliance guide.

11/01/2011

Element Selected to be Listed in the 2011 Tech 200 by Lead411

Element Payment Services was recently selected by Lead411 as one of the fastest growing technology firms in 2011. Element joins a number of other great firms on this year’s Tech 200 list.

Being selected to the Tech 200 by Lead411 is always fiercely competitive, and 2011 was no different. The final 200 were selected and ranked based on the highest percentage of revenue growth from 2008 to 2010 compared to the other privately held businesses that applied. What makes 2011’s list different from years past is that it consists of only 200 companies, whereas in previous years the top 500 companies were selected.

In addition to looking at revenue growth, companies who took part in the Tech 200 application process were also asked to answer a survey about their marketing spend, ROI and overall outlook for the future. Their answers are indicative of the community at large, if not the greater business climate.

More than half of the applicants no longer use traditional advertising - print ads and direct marketing - which speaks volumes about where marketing is headed. The largest number put money into trade shows as a marketing tool (25%). There were also a number of these successful startups that got that way without taking on investors. Also a full 60.2% of applicants have never received funding for their businesses, and 84% consider themselves profitable.

And as far as the future looks, 71.5% of the companies on the Tech 200 think the future is going to get better soon.

It is an honor for Element Payment Services to be selected to this competitive list, joining many other great technology companies. Being on this list is a product of the work and commitment that Element and its employees have put toward their mission to help merchants and software providers ease PCI compliance with fully integrated payment processing solutions.

Find Element and the rest of the companies on the Tech 200 list here.


08/17/2011

What do you Really Know About Tokenization? Released Tokenization Guidelines Help Explain.

At times there can be confusion in the industry surrounding tokenization, a process designed by technology providers as a means to secure cardholder data while providing merchants with the functionality needed to run their businesses. Last week, the PCI SSC sought to clarify questions surrounding this technology with the scheduled release of the PCI Data Security Standard (PCI DSS) tokenization guidelines. The guidelines are designed to give merchants a better understanding of how they can incorporate tokenization into their card payment security strategy, as well as how those efforts relate to, and impact, compliance with the PCI DSS.

At its simplest level, tokenization technology replaces a primary account number at the point of sale with a surrogate value called a “token” to improve data security. Subsequently, if tokenization is used properly, a merchant would not need to retain the primary account number in the payments system used at the business once the transaction is processed. This results in a minimized amount of data a business would need to keep on hand, ultimately bolstering the security of credit card transactions, while limiting the cost and complexity of meeting compliance requirements at the same time.

Unlike several of the other well-known technologies in the industry, tokenization does not have standards. So while the technology provides a great deal of value, some merchants still need help with best practices for incorporating tokenization so that it works best for their business and their customers. It is important to understand that tokenization is not an alternative to the standards: merchants still have to comply with the PCI DSS.

The tokenization guidelines released by the PCI SSC should help merchants understand the options surrounding the technology, and how it fits their business’ needs. These guidelines will also benefit tokenization service providers and assessors, clarifying how the technology can limit or eliminate scope by transferring the responsibility of storing sensitive cardholder data away from the merchant to a payments technology provider. This is especially valuable as it also simplifies the PCI DSS assessment process by limiting the number of requirements applicable to the merchants’ environment. 
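To make the mechanism described above concrete, here is an added illustration (written for this page, not code from Element or the PCI SSC) of the split between a provider-side token vault and the merchant's own records. The vault class, its settlement-only detokenize role, and the `merchant_record` layout are all assumptions made for the example; the card number used is the well-known constructed test value 4111 1111 1111 1111.

```python
import hashlib
import hmac
import json
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault rejects obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault: the only component that ever holds the PAN.

    Tokens are random, so they carry no information about the PAN. A keyed-hash
    index lets the vault hand back the same token for a returning card, so the
    merchant can recognise repeat customers without ever seeing the number.
    """

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)        # HMAC key, never leaves the vault
        self._token_to_pan: dict[str, str] = {}
        self._fingerprint_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._fingerprint_to_token.get(fingerprint)
        if token is None:
            token = "tok_" + secrets.token_hex(16)       # random surrogate value
            self._token_to_pan[token] = pan
            self._fingerprint_to_token[fingerprint] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the provider's settlement path may recover the PAN (assumed role name)."""
        if caller_role != "settlement":
            raise PermissionError("caller is not authorised to detokenize")
        return self._token_to_pan[token]


def merchant_record(pan: str, vault: TokenVault) -> dict:
    """What the merchant's system keeps after the transaction: the token plus the
    first six / last four digits allowed for display; the full PAN is never stored."""
    token = vault.tokenize(pan)
    return {"token": token, "first6": pan[:6], "last4": pan[-4:]}


def retains_pan(record: dict, pan: str) -> bool:
    """Audit helper: does a stored record contain the full PAN anywhere?"""
    return pan in json.dumps(record)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"      # constructed test number
    rec = merchant_record(test_pan, vault)
    print(rec, "retains PAN:", retains_pan(rec, test_pan))
    print("settlement recovers:", vault.detokenize(rec["token"], "settlement"))
```

The point the guidelines make about scope follows directly from the data layout: an assessor reviewing the merchant's record store finds only tokens and truncated digits, while the PAN, the index key and the detokenize path live entirely with the provider.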

To learn more about this technology, download our tokenization white paper or contact Element today.

07/19/2011

Element’s Hosted Payments: Taking ISVs out of PCI Scope

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments removes Integrated Software Vendors’ (ISVs’) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method for Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, while preserving the benefits associated with integrated payments. The process shifts the responsibility for handling sensitive cardholder data to Element's PCI DSS compliant Express Processing Platform. By shifting the entry point and storage location of sensitive card data, ISVs also avoid the hassle and costs associated with compliance and compliance audits.

The PCI DSS applies specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are removed from PCI scope and its compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but also through Hosted Payment's integration with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

06/16/2011

PCI Security Standards Council Releases the PCI DSS Virtualization Guidelines

After months of collaboration and effort, the PCI Security Standards Council’s Virtualization Special Interest Group (SIG), made up of more than 30 participating organizations working with the PCI Council, announced the release of the PCI DSS Virtualization Guidelines Information Supplement. The supplement provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with the PCI DSS.

Virtualization technology has been a key area of interest for organizations considering its implementation in their cardholder data environments and assessors who evaluate the virtualized environments as part of a PCI DSS assessment. However, while virtualization technology has numerous benefits, it also has its share of new and unique risks to be considered. This is where the Virtualization SIG comes in, as it was created to help clarify the virtualization elements of the PCI DSS.

The virtualization guidelines are a great resource for better understanding where PCI DSS requirements and virtualization meet, as well as the various aspects that must be considered when implementing virtualization in the cardholder data environment. These guidelines do not replace the requirements of the PCI DSS; rather, they offer clarity on how those requirements apply in virtualized environments. This is important, as each company uses virtualization differently, and the best practices offered in the guidelines will help identify the ways the security of your cardholder environment could be impacted.

There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. For more information on how the PCI DSS can be incorporated into your company’s virtualized environment, contact Element Payment Services today.

06/09/2011

PCI Awareness Training: Getting a Better Understanding of PCI Compliance

Are you trying to wrap your head around PCI compliance and understand how it affects you and your company? The PCI Security Standards Council (PCI SSC) is offering PCI Awareness Training for all individuals. Whether you are looking for a self-paced course or need face-to-face interaction, the PCI SSC wants to help you understand the guidelines around PCI compliance and work toward adopting version 2.0 of the PCI security standards.

The PCI Awareness Training is offered as a one-day, instructor led course, or also as a four-hour online course, depending on what option works best for you and your employees. The course offers an opportunity for companies to provide PCI training across multiple functional areas to ensure a universal understanding of PCI compliance. The course is designed to help answer questions and improve understanding around PCI security standards, and the adoption of version 2.0. Some specific topics covered include:

  • What is PCI and what does it mean to a company that must meet compliance with the PCI Data Security Standard?
  • Roles and responsibilities of the key players in the compliance process.
  • How the credit card brands differ in their requirements for PCI reporting and validation.
  • Overview of the infrastructure used by organizations to accept payment cards and communicate with the verification and payment facilities.
  • Real world examples of PCI challenges and successes.

Whether you choose the online course or the face-to-face option with an instructor, you will come away with the knowledge needed to help you and your company better meet the PCI DSS and PA-DSS requirements and achieve PCI compliance.

The instructor-led course is available for $995, while the online training is $495 per person (discounts are available for larger numbers of registered employees). For more information, take a look at the PCI Awareness Training course information. There you will also find dates for the instructor-led courses and more information on the online options (the next scheduled instructor-led training is on August 24, 2011 in Boston, Mass.).


06/07/2011

Highlights from the 2011 Electronic Transactions Association (ETA) Annual Meeting and Expo

A dialogue with Apple co-founder Steve Wozniak kicked off the 2011 ETA Annual Meeting and Expo held this year in San Diego, Calif. May 10 - 12. Wozniak explained that payment processing at Apple is not a top priority and that Apple is waiting until they can do it right – “I think they'll hold off and not make any moves until they know they can do it right” (The Green Sheet). Wozniak also discussed the future of mobile payments, suggesting that "tap-and-go technology is so compelling that it will be in everyone's hands within just a few years" (The Green Sheet). He believes that Near Field Communications (NFC) technology will be the next big thing for mobile payments.

The conference also featured keynote speaker, former Sen. Christopher Dodd, D-Mass., co-author of the Consumer Protection Act of 2010 and the Dodd-Frank Wall Street Reform. Dodd touched upon the Durbin Amendment and the looming debit interchange regulation. Dodd went on to encourage ISOs, MLSs and their partners to reach out more to their local politicians to fight against further legislation. Dodd feels that it would be easier to contact them directly, saying “I can assure you that if you were to invite your member of Congress to come to your business to learn what you do and about your issues, you'd have a lot more luck than anyone standing in the halls of Congress trying to [lobby] staffers" (The Green Sheet). However painful, regulatory and PCI compliance issues are not going away. Critical security measures are put in place to protect consumers and stay current with technology. 

Mobile payments was the hot topic for this year’s meeting, since more and more people have smart phones and are using them to shop, therefore making mobile card acceptance, couponing and security high priorities for merchants. Visa took the opportunity at the expo to announce its mobile wallet plans that feature "a range of customized mobile payments services that address the specific requirements of geographic markets around the world" (Visa). People are excited for mobile wallet solutions and it came through at the show. 

ETA 2011 also had a lot of hype around a newly promoted certification program. Visa’s new Certified Payments Professional program, which officially launched in February 2011, is designed to be the industry’s first professional certification process for sales agents and others engaged in the distribution of electronic payment products and services.

ETA attendees noted that this year’s show seemed to be a bit quieter, with fewer people and less industry news as compared to past expos. However, ETA contacts say that attendance and exhibitor numbers had increased. Overall, attendees reported to be pleased with the quality of the interactions and networking opportunities.  

The Electronic Transactions Association is an international trade company that represents companies who offer electronic transaction processing products and services. The ETA encourages businesses to network within the electronic payments industry through education and advocacy. The three-day meeting and expo was open to international electronic payments professionals and business owners.

05/10/2011

Save The Date for The 2011 PCI SSC North American Community Meeting

Don’t forget to put it on your calendar! The 2011 PCI Security Standards Council North American Community Meeting is coming up on September 20-22, 2011 in Scottsdale, Arizona at the Westin Kierland Resort, Spa and Villas.

The PCI SSC annual community meeting is a great opportunity to get the latest news and updates on the card data security industry from the experts. Each meeting brings together global leaders from across the payment chain to share insight and feedback on their experiences in protecting payment card data. With the number of people implementing or helping implement the latest PCI DSS and PA-DSS mandates, the PCI community is an ideal forum to learn and share what has worked for you and to have your voice heard on what the PCI Council should consider in future revisions. 

Join leaders from across the security, payments, finance, retail and technology fields at this two-day meeting filled with networking opportunities and informative sessions led by PCI Council and industry experts.

Each of the meeting’s sessions provides extensive opportunities for questions and answers with representatives from each of the payment brands. The meeting also offers an exclusive opportunity for Participating Organizations (POs), Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), PIN Transaction Security (PTS) product providers and Payment Application QSAs (PA-QSAs) to come together and gain the latest insight into current and future Council programs and resources.

Also be sure to come see Element, as we will be in attendance as an exhibiting member company in the Vendor Showcase.

If you aren’t yet registered for this industry event, register now, to save your spot.

04/14/2011

No Sign of Data Breach Costs Leveling Off According to Reports

Data breaches continue to be a problem, and a costly one, for many organizations. According to a report by Symantec Corp. and the Ponemon Institute, the average organizational cost of a data breach increased to $7.2 million in 2010, and breaches cost companies an average of $214 per compromised record. Both of these numbers are up compared to 2009, when the average cost per compromised record was $204. Regulators are working to crack down on non-compliant organizations and are encouraging them to implement the required data security controls. The alternative? Pay harsher fines.

There are a number of issues companies face when trying to effectively and properly protect cardholder data. Malicious or criminal attacks are the most expensive and are on the rise. The study showed that 31 percent of all cases in 2010 involved a malicious or criminal act, at an average cost of $318 per record. However, even though criminal attacks are expensive, negligence remains the most common threat companies face. The share of breaches caused by negligence increased to 41 percent, showing the ongoing challenge of ensuring that employees and partners comply with security policies.

Companies are putting a number of preventative measures in place, from training and awareness programs to encryption technologies. Employee training consists of educating employees on information protection policies and procedures, which in turn makes employees accountable. Other data protection processes being implemented include proactively encrypting laptops to minimize the consequences of a lost device and integrating information protection practices into companies’ business processes. Companies are also deploying data loss prevention technologies, which assist with achieving compliance with industry standards such as the PCI DSS. Achieving PCI compliance has become a greater focus over the past few years. Part of this increased focus is due to enforcement of the security standards, but the other part is that these standards and technologies have proven effective against data theft and hackers.

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data by driving education and awareness of the PCI DSS and PA-DSS, as well as through its efforts to gain adoption of industry-wide standards. Companies are now being held responsible for their own PCI compliance, and those not achieving compliance are receiving fines. As the report shows, these fines are increasing when data breaches occur.

As more companies work to implement card data security standards and take the necessary steps to achieve PCI compliance, these efforts will increasingly prove effective at limiting hackers’ access to card data.

Though the costs companies face for data breaches continue to climb, the hope is that the data security standards being enforced will encourage companies to achieve PCI compliance and protect their customers’ valuable card data. The more companies achieve compliance with the PCI DSS requirements, the fewer targets will be available to hackers, which should help decrease the number of data breaches industry-wide.

For more information on Element’s PCI compliance solutions, view our PCI Compliance Guide or contact us.

03/25/2011

Collecting and Storing AVS, While Staying Within the PCI DSS Requirements

The Address Verification System (AVS) is another system used to verify the identity and validity of the person claiming to own the credit card. This security measure can be checked in addition to the CVC/CVV2 card information we discussed in last week’s blog article.

On all manually entered/card-not-present transactions, merchants are encouraged to collect the AVS information in order to achieve the best processing rate. If AVS information is not provided, the issuing bank may downgrade the transaction, requiring the merchant to pay a higher interchange rate. This is in contrast to the security code (CVV2/CVC2) information, which has no impact on interchange fees.

For merchants using business management software applications with integrated processing modules, the software application will prompt for AVS information such as billing address and ZIP code. This information is verified against the cardholder information on record at the issuing bank. There are three potential outcomes of the verification: a match, a partial match or no match. A “no match” is a strong indicator of credit card fraud. Based on this result, it is up to the merchant to decide whether to accept or reject the transaction or request additional identity verification.

Merchants can still stay within the requirements of the PCI DSS while storing AVS information. This information is not considered sensitive cardholder information; therefore storage is not prohibited by the PCI DSS.
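The following is an added example (not code from Element or the PCI DSS) of the three AVS outcomes, a merchant-side policy applied to them, and what a merchant may persist afterwards. The issuer-side comparison is a simplified simulation written for this page: real issuers return brand-specific response codes that the gateway maps to match, partial match or no match, and here only the numeric part of the street line and the five-digit ZIP are compared. The policy table, the record layout and all addresses and numbers are constructed for the example.

```python
import re

MATCH, PARTIAL, NO_MATCH = "MATCH", "PARTIAL", "NO_MATCH"


def _street_digits(address: str) -> str:
    """Numeric portion of the address; AVS compares digits, not spelling."""
    return "".join(re.findall(r"\d", address))


def _zip5(postal: str) -> str:
    """First five digits, so '85254-1234' and '85254' compare equal."""
    return re.sub(r"\D", "", postal)[:5]


def issuer_avs_response(sub_addr: str, sub_zip: str, file_addr: str, file_zip: str) -> str:
    """Simulated issuer-side comparison of the submitted billing data against the
    address on file (hypothetical simplification of what the issuer does)."""
    sub_digits = _street_digits(sub_addr)
    street_ok = bool(sub_digits) and sub_digits == _street_digits(file_addr)
    zip_ok = bool(_zip5(sub_zip)) and _zip5(sub_zip) == _zip5(file_zip)
    if street_ok and zip_ok:
        return MATCH
    if street_ok or zip_ok:
        return PARTIAL
    return NO_MATCH


# Constructed merchant policy: the merchant, not the issuer, decides what each
# outcome means for the transaction.
DEFAULT_POLICY = {
    MATCH: "accept",
    PARTIAL: "request_additional_verification",
    NO_MATCH: "reject",
}


def merchant_decision(avs_result: str, policy: dict = DEFAULT_POLICY) -> str:
    """Apply the merchant's policy to the issuer's AVS response."""
    return policy[avs_result]


def post_authorization_record(token: str, last4: str, billing_addr: str,
                              billing_zip: str, avs_result: str, cvv2: str = "") -> dict:
    """Record the merchant may keep after authorization.

    AVS data (address, ZIP and result) is not sensitive authentication data, so
    it can be stored for dispute handling. The security code (CVV2/CVC2) is
    sensitive authentication data: it is accepted here only because the call
    site mirrors the authorization request, and it is never written out.
    """
    return {
        "token": token,            # surrogate for the card number, not the PAN
        "last4": last4,
        "billing_addr": billing_addr,
        "billing_zip": billing_zip,
        "avs_result": avs_result,
    }


if __name__ == "__main__":
    result = issuer_avs_response("123 Main St Apt 4B", "85254",
                                 "123 Main Street Apt. 4B", "85254-1234")
    print(result, "->", merchant_decision(result))
    print(post_authorization_record("tok_example", "1111", "123 Main St Apt 4B",
                                    "85254", result, cvv2="987"))
```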

For more information on how to meet PCI DSS requirements, please take a look at our PCI Compliance Guide.
