An Overview of Risk Profiling

Another notable aspect of the “PCI DSS Risk Assessment Guidelines,” released in November 2012 by the PCI Security Standards Council, is its exploration of “risk profiling.”  This is an important concept, as it gives merchants a solid framework from which to go about assessing the security risks of their systems and services.  Risk profiling refers to the comprehensive assessment of all company assets involved with processing or storing cardholder data.  The exact procedure for doing this is up to the judgment of each organization, but the PCI SSC suggests including the following four aspects:

  • Assets – Companies should enumerate any and all systems and components associated with cardholder data.  This stage involves classifying the type (e.g., hardware) and relative value of each asset.
  • Threat – Each asset should be analyzed for the kinds of threats to which it is susceptible.  For example, an off-line computer may be immune to remote hacking attempts but still vulnerable to insider (e.g., employee) attacks.  The company should also estimate the probability of each threat variety.
  • Vulnerability – The company should create a description of each vulnerability and its relative level.  This can possibly include a description of the threats that may exploit each vulnerability.
  • Risk score – Each asset is rated according to its value, threat likelihood, and vulnerability level.
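
The four aspects above can be combined into a small risk register. The following is an added worked example, not code from the PCI SSC guidelines or from Element: the 1-to-5 scales, the multiplicative score (value x threat likelihood x vulnerability level) and the sample assets, including the off-line computer that is immune to remote attack but exposed to insiders, are all constructed assumptions, since the guidelines leave the exact procedure to each organization.

```python
"""Risk-profiling worked example (added illustration, not from the PCI SSC guidelines).
Assets, threats and scores are constructed sample data; the 1-5 scales and the
multiplicative score are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    vulnerability: int    # 1 (well mitigated) .. 5 (exposed), assumed scale


@dataclass
class Asset:
    name: str
    kind: str             # classification, e.g. "hardware", "software", "physical"
    value: int            # 1 (low) .. 5 (critical): relative value to the business
    threats: List[Threat] = field(default_factory=list)


def threat_score(asset: Asset, threat: Threat) -> int:
    """Score for one asset/threat pair: value x likelihood x vulnerability (1..125)."""
    return asset.value * threat.likelihood * threat.vulnerability


def asset_risk(asset: Asset) -> int:
    """Overall score for an asset: its worst threat. Max rather than sum, so a single
    serious threat is not hidden behind many trivial ones (or vice versa)."""
    return max((threat_score(asset, t) for t in asset.threats), default=0)


def risk_register(assets: List[Asset]) -> List[Tuple[str, int]]:
    """(asset name, score) pairs, highest risk first: the list that drives remediation."""
    return sorted(((a.name, asset_risk(a)) for a in assets), key=lambda p: (-p[1], p[0]))


# Constructed sample inventory of assets that touch cardholder data.
SAMPLE_ASSETS = [
    Asset("web-payment-server", "hardware", 5, [
        Threat("remote exploitation of exposed service", likelihood=4, vulnerability=3),
        Threat("insider misuse", likelihood=2, vulnerability=2),
    ]),
    # Off-line back-office PC: no network path for a remote attacker, but insiders reach it.
    Asset("offline-backoffice-pc", "hardware", 3, [
        Threat("remote exploitation of exposed service", likelihood=1, vulnerability=1),
        Threat("insider misuse", likelihood=3, vulnerability=4),
    ]),
    Asset("receipt-archive-cabinet", "physical", 2, [
        Threat("theft of discarded paper", likelihood=3, vulnerability=2),
    ]),
]

if __name__ == "__main__":
    for name, score in risk_register(SAMPLE_ASSETS):
        print(f"{score:4d}  {name}")
```

The scoring scale and the choice of "worst threat" over "sum of threats" are policy decisions; what matters for the assessment is that the same rule is applied to every asset so the ranking is comparable across the inventory.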


The PCI SSC Releases Risk Assessment Guidelines

Individuals who consult the PCI Data Security Standards (PCI DSS) occasionally find themselves frustrated by an apparent lack of clarity or adequate explanation of certain sections.   For its part, the PCI Security Standards Council has always been open to suggestions on improving or expanding the areas of the Standards perceived to be unsatisfactory in their current form.  Some of these suggestions will be implemented in the next version of the PCI DSS (due in October 2013).  In the meantime, the Council has just issued an information supplement to augment our understanding of one particularly troublesome section of the Standards.  “PCI DSS Risk Assessment Guidelines” covers Requirement 12.1.2, which requires merchants involved with processing cardholder data to execute “an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.”  The new document includes suggestions on creating a comprehensive risk management strategy, assembling a risk assessment team, identifying the various kinds of security threats, and more.  You can find the Guidelines on the PCI SSC’s official website.


How to Prepare for a PCI DSS Assessment

To remain PCI compliant, businesses must consent to annual assessments to ensure that their payment processing systems follow PCI Data Security Standard regulations.  For many merchants, particularly small-volume ones, this involves simply filling out the relevant version of the Self Assessment Questionnaire (SAQ) and putting it in the mail.  But some businesses will find themselves hosting a visit from a Qualified Security Assessor (QSA), an individual trained to perform on-site inspections.  How should you prepare for this inspection?

  1. Prepare Your Documentation – You should collect all paperwork that may be pertinent to the inspection, such as PCI DSS letters and your security policies.
  2. Arrange for Participation of Important Personnel – Ensure that key staff members and personnel are available to the QSA during the visit; these could include IT employees, project managers, and persons in the legal department.
  3. Define the Payment Card Processing Environment – You should write down (or collect already prepared paperwork containing this information) a description of how and where payment cards are processed within the company.  This information should include the systems and devices that store sensitive data.


Future Changes to the PCI DSS?

Due to rapid technological advances and ongoing fluctuations in the economy, security standards for payment card processing continue to evolve.  Fortunately, the Payment Card Industry Security Standards Council (PCI SSC) has managed so far to keep pace with all these shifts in the field, continually updating PCI standards to ensure optimal protection of sensitive customer data.  In fact, the Council plans to release version 3.0 of the PCI DSS in October 2013; in anticipation of this, the PCI SSC recently solicited feedback from a variety of payment card industry professionals—such as financial institutions, merchants, and assessors (e.g., QSAs)—regarding aspects of the existing standards in need of updating.  The most common complaints about the PCI DSS focused on the following sections (in descending order of unpopularity):
  • Requirement 11.2 – This currently calls for users to use “internal and external network vulnerability scans at least quarterly and after any significant change in the network.”  Responders advised listing tools for achieving this, as well as defining “significant change” in more detail.
  • Scope of Assessment – Responders advised including more detailed guidance about network segmentation and determining PCI DSS scope.
  • Requirement 12.8 – “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.”  Responders asked for further clarification of this.  
  • The Self Assessment Questionnaire (SAQ) – Some responders complained that the requirements are too complicated; others claimed they’re too vague.   



Anti-Virus Software and PCI Compliance

Merchants who set up business on the Internet learn quickly that the Web holds a variety of dangers—hackers, Trojans, viruses, and much more.  For this reason, the Payment Card Industry Data Security Standard (PCI DSS) calls for Internet-based merchants to “use and regularly update anti-virus software or programs” (Requirement 5).  While it’s true that most businesses need no external encouragement to employ anti-virus software, not all of these merchants use the software in a manner fully compliant with PCI standards.  What are these standards?

How to Use Anti-Virus Software Properly

According to the PCI DSS, anti-virus software must remain activated on all systems used by the business, including servers.  Furthermore, this software has to be capable of detecting and eliminating all known types of malware, as well as providing protection against future infections.  Automatic updates must be enabled in order to keep the software as current as possible, and regular scans should be performed.  There is an additional requirement that many merchants overlook:  The anti-virus software should produce regular audit logs and—in compliance with PCI DSS Requirement 10.7—these have to be preserved for at least one year, with the last three months’ worth kept immediately accessible.  If these requirements seem forbidding, there’s no need for concern—Element Payment Services has a variety of programs available to make PCI compliance a snap.
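
The retention rule above (one year kept, the most recent three months immediately accessible) is easy to state and easy to drift out of. The following is an added example, not Element’s or the PCI SSC’s code: it tiers a constructed inventory of anti-virus log files by age and flags the two failure modes a reviewer looks for, a recent log already moved to slow archive storage and a log inside the one-year window that is missing. The day counts for “three months” and “one year”, the file names and the dates are assumptions.

```python
"""Audit-log retention check (added illustration, not Element's or the PCI SSC's code).
ONLINE_DAYS / RETAIN_DAYS approximate the 'three months' and 'one year' figures;
the file inventory below is constructed sample data."""
from datetime import date
from typing import Dict, List, Tuple

ONLINE_DAYS = 90      # assumption: "three months" immediately accessible
RETAIN_DAYS = 365     # assumption: "one year" minimum retention


def classify(log_date: date, today: date) -> str:
    """Tier a log by age: 'online' (must be immediately accessible), 'archive'
    (must still be retained, slower storage acceptable) or 'eligible-for-disposal'."""
    age = (today - log_date).days
    if age < 0:
        raise ValueError("log dated in the future")
    if age <= ONLINE_DAYS:
        return "online"
    if age <= RETAIN_DAYS:
        return "archive"
    return "eligible-for-disposal"


def retention_report(inventory: Dict[str, Tuple[date, str]], today: date):
    """inventory maps filename -> (log date, where it currently is: 'online',
    'archive' or 'missing'). Returns the required tier per file plus findings."""
    tiers: Dict[str, str] = {}
    findings: List[str] = []
    for name, (log_date, location) in inventory.items():
        tier = classify(log_date, today)
        tiers[name] = tier
        if tier == "online" and location != "online":
            findings.append(f"{name}: within last {ONLINE_DAYS} days but not immediately accessible")
        if location == "missing" and tier != "eligible-for-disposal":
            findings.append(f"{name}: required by retention policy but not found")
    return tiers, findings


# Constructed sample inventory; 'today' is pinned so the run is repeatable.
TODAY = date(2013, 3, 1)
SAMPLE_INVENTORY = {
    "av-2013-02.log": (date(2013, 2, 1), "online"),      # 28 days old
    "av-2012-11.log": (date(2012, 11, 1), "online"),     # 120 days old: may be archived, online is fine
    "av-2012-12.log": (date(2012, 12, 15), "archive"),   # 76 days old: must be online -> finding
    "av-2012-06.log": (date(2012, 6, 1), "missing"),     # 273 days old: still required -> finding
    "av-2011-12.log": (date(2011, 12, 1), "archive"),    # 456 days old: past minimum retention
}

if __name__ == "__main__":
    tiers, findings = retention_report(SAMPLE_INVENTORY, TODAY)
    for name, tier in tiers.items():
        print(f"{tier:22s} {name}")
    for f in findings:
        print("FINDING:", f)
```

A log that is older than three months but still held online produces no finding: the requirement sets a floor on accessibility, not a ceiling, so keeping more online than required is a cost question rather than a compliance one.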


Part 3 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips nine through twelve

9. What are some signs of suspicious behavior that may indicate fraud during card present transactions?

  • The customer appears nervous or overly talkative
  • The customer questions the sales clerk about the floor limit, and then makes several separate purchases that approach, but do not exceed the floor limit
  • The card is produced from a pocket, not a wallet
  • The customer signs the sales draft in a deliberate or unnatural manner

10. Educate your Employees on PCI Compliance

There is a wealth of educational materials and seminars dedicated to PCI compliance available. However, for some, the ability to successfully digest and understand all of that information, not to mention your company’s own general security processes, can be difficult to achieve. Therefore, educating your employees can be an important step to improving the payment processing security of your company and your customers. Continued education helps ensure that all employees are up to date on the latest changes in security standards and the necessary steps.

11. Secure your Paper Trail to Avoid Theft

Believe it or not, dumpster diving for discarded receipts or documents that contain credit card information is something that still happens. There are several steps that can be taken to help protect your business or customers from being victimized by this practice. It is always a best practice to ensure that none of the receipts have a complete credit card number on them. This helps ensure that if a receipt is lost, thrown away or stolen, the card number on the account is not at risk.

12. What’s the big hurry for becoming PCI compliant?

It is important for companies to achieve PCI compliance on a number of levels. For starters, becoming PCI compliant will help protect your customers’ valuable card data from theft. Ensuring your customers’ safety can help build trust and the confidence of your customers, and also help them avoid the hassle they could face by having their card data compromised.

But, the risks don't end there. Companies that don’t meet the PCI Compliance requirements could also face compromise fines and fraud costs. Ultimately, merchants should view PCI DSS compliance as an insurance policy, protecting them from the financial costs of failing to secure card data. This can be an advantage for companies; working towards compliance will help them improve their processes and operate more securely.

It is also important to note that starting January 1, 2012, PCI DSS Version 2.0 will be enforced. While the changes to the standard weren’t major, they are hoped to have substantial impact on the card data industry.


Element is Named the Best Channel Vendor by Business Solutions Magazine for the Third Year in a Row

2010, 2011 and now 2012. For the third year in a row, Element Payment Services has been selected by Business Solutions magazine as one of the Best Channel Vendors. Value Added Resellers (VARs) and Independent Software Providers (ISVs) who participated in the Business Solutions' annual survey ranked Element as a top payment processor for its innovative and reliable technologies, and service and support.

Being honored for this award actually marks the fifth award in a row for Element Payment Services from Business Solutions magazine. In addition to the Best Channel Vendors, Element has also received the Best Channel Product 2010 and 2011 awards.

Receiving the Best Channel Vendor award is a direct product of Element and the dedicated team, working to achieve their mission to reduce the burden of PA-DSS and PCI DSS compliance requirements for their software providers and customers, while providing the best possible service. Element works to develop and provide technologies that enable its partners to stay ahead of the payment industry’s security requirements and offer best-in-class solutions to their customers.

Business Solutions magazine partnered with Penn State University to conduct the survey and analyze the results. The web-based survey of nearly 4,300 of the most active VAR subscribers drew nearly 11,000 votes, continuing the tradition of this being one of the largest surveys of its kind, across categories that included service/support, features, innovation and reliability. Once the votes were analyzed and compiled, the top vendors were awarded as the 2012 Best Channel Vendors. Of all vendors that are included, only the top five percent of selected vendors were honored with this award, making this an exclusive list of winners, of which Element is included.

Element Payment Services is recognized for its 2012 Best Channel Vendor award in the January 2012 issue of Business Solutions Magazine, as well as on the BSMinfo.com Best Channel Vendors Feature page, year-round.

For more information on Element and their award winning payment processing solutions, contact us today.


Part 2 - 12 Holiday PCI Compliance Tips, Questions and Advice and Security Best Practices to Get You Ready for the New Year

PCI compliance tips five through eight

5. I heard that PCI DSS is too hard

Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without a large security or IT department. However, the PCI DSS standard mostly calls for good, basic security practices. Even if there were no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect their customers’ sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security and PCI DSS compliance.

When people say PCI DSS is too hard, in many cases the complaints are in fact about cost. However, the business risks and ultimate costs of non-compliance, including fines, legal fees, and especially lost business, can vastly outweigh any PCI DSS implementation costs. Implementing PCI DSS should be part of a sound, basic security strategy. This holiday season, ensure that your business meets the PCI DSS Compliance standard by making achieving compliance part of your ongoing business plan and budget.

6. What are the penalties for noncompliance of the PCI Requirements?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. This PCI compliance fine can then be passed on downstream until it eventually hits the merchant. The acquiring bank may then also either terminate the merchant relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic, especially to a small business. This holiday season, make sure you are familiar with your merchant account agreement, which should outline your exposure.

7. If I’m running a business from my home, am I a serious target for hackers?

Yes, home users are arguably the most vulnerable, as they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero-in on home users and will often exploit their 'always on' broadband connections and typical home use programs such as chat, Internet games and file sharing applications. This holiday season make sure you identify and fix any security vulnerabilities on your desktop or laptop computers.

8. What information should I routinely check to spot a fraudulent card?

  • Check the Expiration Date: The card is valid through the last date of the month. Do not accept an expired card.
  • Check the Valid Date: Some cards will have this feature, in which the card is not valid until the date shown. Do not accept an invalid card.
  • Check the Four Digits: The first four digits of the embossed card number must match the four digits pre-printed above or below that number.
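
The three checks in tip 8, together with the receipt rule from tip 11 (no complete card number on a receipt), as an added example that is not Element’s code: the expiry check treats the card as valid through the last day of the printed month, the valid-from check rejects a card before the first day of its printed month, and the digit check compares the embossed number against the pre-printed four. The masking format (last four digits visible) and the sample card numbers are constructed assumptions.

```python
"""Card-present acceptance checks and receipt masking (added illustration, not
Element's code). Card numbers below are constructed test values; the 'show last
four digits' receipt format is an assumption."""
import calendar
from datetime import date
from typing import List, Optional, Tuple


def last_day_of_month(year: int, month: int) -> date:
    return date(year, month, calendar.monthrange(year, month)[1])


def check_card(embossed_pan: str, printed_four: str, expires: Tuple[int, int],
               today: date, valid_from: Optional[Tuple[int, int]] = None) -> List[str]:
    """Return the reasons to decline; an empty list means the card passes the checks.
    expires and valid_from are (year, month) exactly as printed on the card."""
    problems = []
    # Expiration: the card is valid through the last day of the printed month.
    if today > last_day_of_month(*expires):
        problems.append("card has expired")
    # Valid-from date (present on some cards only): not valid before that month starts.
    if valid_from is not None and today < date(valid_from[0], valid_from[1], 1):
        problems.append("card is not yet valid")
    # The first four embossed digits must match the four pre-printed near the number.
    digits = embossed_pan.replace(" ", "")
    if digits[:4] != printed_four:
        problems.append("embossed digits do not match pre-printed digits")
    return problems


def mask_pan_for_receipt(pan: str) -> str:
    """Render a PAN for printing on a receipt with only the last four digits visible
    (assumed format), so a lost or discarded receipt does not expose the full number."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    today = date(2012, 12, 20)
    card = "4111 1111 1111 1111"          # constructed test number
    print(check_card(card, "4111", (2012, 12), today))      # [] -> accept
    print(check_card(card, "4111", (2012, 11), today))      # expired
    print(check_card(card, "4112", (2013, 1), today, valid_from=(2013, 1)))
    print(mask_pan_for_receipt(card))
```

Returning a list of reasons rather than a single boolean matters at the till: a clerk who sees both "not yet valid" and "digits do not match" has a stronger signal than either check alone, and the same list can be logged for later review without recording the full card number.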



12 Holiday PCI Compliance Tips Questions and Advice and Security Best Practices to Get You Ready for the New Year

Part 1 – PCI compliance FAQ’s one through four

1. To whom does PCI apply?

PCI compliance applies to any organization or merchant, regardless of the size or the number of transactions that are accepted, transmitted or stored. Essentially, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

2. Is PCI DSS compliance just an IT project?

The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a “project” with a beginning and end. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise can be more than just financial, as they can be reputational as well, affecting the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment processing workflow.

3. Myth: PCI DSS is unreasonable; it requires too much

Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option of using compensating controls to meet most of these PCI DSS requirements. The PCI DSS standard provides significant detail, which benefits merchants and processors. This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.

4. What is an easy step my business can take to achieve PCI Compliance?

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope. This means to eliminate cardholder data from the business unless it is absolutely required. The less sensitive cardholder data you have in your business the less you have to control and the easier achieving PCI compliance becomes.



11 Terms Everyone in the Payment Card Industry Must Know

No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, this doesn’t mean that everyone knows exactly what the words or letters mean. While learning all of these terms won’t necessarily make you a payment card industry expert, they can help you familiarize yourself, so you can better understand what is being discussed and how it may impact you and your business.

Here are 11 payment card industry terms that everyone should know:

1. Acquirer: An acquirer is an organization licensed as a member of Visa/MasterCard as an affiliated bank or bank/processor alliance that is in the business of processing credit card transactions for businesses (acceptors) and is always acquiring new merchants.

2. Encryption: This is the process of converting information into an unintelligible form using a specific cryptographic key. Encryption protects valuable card data against unauthorized disclosure from the moment it is encrypted until it is decrypted. This helps to make the card information essentially useless to those who attempt to intercept the card data while in transit.

3. Interchange Fee: This is a fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction.

4. Merchant Identification Number (MID): This number is generated by a processor/acquirer and is specific to each individual merchant location. This number helps to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, end-of-month processing fees, and more.

5. Payment Application Data Security Standards (PA-DSS): This standard, formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the PCI SSC, which was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data.

6. PCI: This is the acronym for the Payment Card Industry.

7. Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS is an information security standard for organizations that handle cardholder information for the major debit, credit and point of service cards. The PCI DSS standard includes requirements for security management, policies and procedures.

8. PCI Compliance: PCI Compliance refers to the industry-mandated security standards (PCI DSS and PA-DSS) that apply to all businesses that handle, process or store credit or debit cards. Businesses must meet the set requirements of the standards in order to be deemed PCI compliant.

9. PCI Compliance Level: All merchants fall under four categories of PCI compliance (Level 1, Level 2, Level 3 and Level 4), depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Each merchant must meet the compliance requirements for their PCI compliance level.

10. Point-to-point Encryption: Point-to-point encryption (P2PE) ensures cardholder data is protected from card swipe all the way through to the processing banks. The valuable cardholder data is encrypted prior to performing an electronic payment transaction, making it useless to a potential thief.

11. Point of Sale (POS): A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder's signature is obtained as insurance against the transaction. This is the most secure form of credit card commerce.

To learn more about PCI Compliance, the payment security industry and how it can affect your business, contact Element Payment Services today.

