point-to-point encryption

11/15/2011

11 Terms Everyone in the Payment Card Industry Must Know

No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, this doesn’t mean that everyone knows exactly what the words or letters mean. While learning all of these terms won’t necessarily make you a payment card industry expert, they can help you familiarize yourself, so you can better understand what is being discussed and how it may impact you and your business.

Here are 11 payment card industry terms that everyone should know:

1. Acquirer: An acquirer is an organization licensed as a member of Visa/MasterCard as an affiliated bank or bank/processor alliance that is in the business of processing credit card transactions for businesses (acceptors) and is always acquiring new merchants.

2. Encryption: This is the process of converting information into a form that is unintelligible except to holders of a specific cryptographic key. Encryption protects card data against unauthorized disclosure from the point of encryption until decryption. This helps to make the card information essentially useless to those who attempt to intercept the card data while in transit.

3. Interchange Fee: This is a fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction.

4. Merchant Identification Number (MID): This number is generated by a processor/acquirer and is specific to each individual merchant location. This number helps to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, end-of-month processing fees, and more.

5. Payment Application Data Security Standards (PA-DSS): This standard, formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the PCI SSC, which was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data.

6. PCI: This is the acronym for the Payment Card Industry.

7. Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS is an information security standard for organizations that handle cardholder information for the major debit, credit and point of service cards. The PCI DSS standard includes requirements for security management, policies and procedures.

8. PCI Compliance: PCI Compliance refers to the industry-mandated security standards (PCI DSS and PA-DSS) that apply to all businesses that handle, process or store credit or debit cards. Businesses must meet the set requirements of the standards in order to be deemed PCI compliant.

9. PCI Compliance Level: All merchants fall under four categories of PCI compliance (Level 1, Level 2, Level 3 and Level 4), depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Each merchant must meet the compliance requirements for their PCI compliance level.

10. Point-to-point Encryption: Point-to-point encryption (P2PE) ensures cardholder data is protected from card swipe all the way through to the processing banks. The valuable cardholder data is encrypted prior to performing an electronic payment transaction, making it useless to potential theft.

11. Point of Sale (POS): A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder's signature is obtained as insurance against the transaction. This is the most secure form of credit card commerce.

To learn more about PCI Compliance, the payment security industry and how it can affect your business, contact Element Payment Services today.

 

10/13/2011

Guidance On Point-to-Point Encryption is Now Available – But Still More to Come

Point-to-point encryption (P2PE) starts with the encryption of cardholder data at the point-of-entry immediately as the customer’s card is swiped or hand-keyed, which is the first “point.” The second “point” is a third-party service provider and often the merchant’s card processor, which manages both encryption and key management. When P2PE is properly implemented, nearly all of a merchant’s system can be considered out of PCI DSS scope.


On September 15, 2011, the P2PE guidelines were made available by the PCI SSC. While the P2PE guidance document was released, similar to the Tokenization guidelines released earlier this year, the PCI SSC wants merchants to know that these guidelines are merely the first set of validation requirements with more to come. There are still key aspects of the guidelines yet to be released, but the Council has indicated that these should be available in six to eight months. The next round of validation requirements will give merchants additional valuable information. Some information that we may expect to see includes a new testing process for P2PE devices, which will be defined by PIN Transaction Security labs. Also, we should plan on seeing a list of validated applications to help become PCI compliant. This is expected to be made available to merchants once testing is done to approve these applications.


Point-to-point encryption vendors and manufacturers’ devices will be submitted to the labs, in order to be included on the list of devices. Once the labs approve a P2PE device, there will be a level of assurance to merchants, that this device will better protect cardholder data.


Though the first round of point-to-point encryption guidelines is available, merchants, vendors and QSAs alike are now waiting to see what is next to come from the PCI SSC on P2PE implementation guidelines, to help reduce PCI scope and achieve PCI compliance.


Contact Element today to learn more about P2PE or ask any questions. We will help get you started! 

 

 

 

08/01/2011

The Element Express Processing Platform Recognized as a 2011 Best Channel Product By Business Solutions Magazine

On August 1, 2011, Element’s Element Express Processing Platform solution was selected by Business Solutions magazine as one of 2011’s Best Channel Products. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) participating in Business Solutions' annual survey ranked the Element Express Processing Platform as a leading payment processing technology, making it one of only three solutions in this category. Being honored with the 2011 Best Channel Products award makes this the fourth consecutive award for Element Payment Services from Business Solutions magazine since the survey debuted in January 2010. Element’s past awards include Best Channel Vendor in 2010 and 2011, and the Best Channel Product in 2010 and now in 2011.


The Element Express Processing Platform is a purpose-built payment engine, architected for an evolving industry with a Service Oriented Architecture (SOA). Using Element’s Web services or XML interface, ISVs can easily integrate software applications with Express, incorporating its robust suite of PCI compliant technologies, which include point-to-point encryption (P2PE) and tokenization.  ISVs and merchants have long relied on Express to deliver innovation, reliability and simplified payment processing.

 
Business Solutions magazine partnered with Penn State University to conduct and analyze the survey of its subscribers. As part of the Web-based survey, VARs/ISVs were asked to rate a product’s richness of features/functionality, product reliability/durability, ease of integration, ease of upgrading and the VAR’s/ISV’s ability to service. The 2011 Best Channel Products recognition was given only to the top few vendors who scored highest in the product categories. This is a new format from years past where many products were selected for each category, making this award even more competitive.


1,490 VARs/ISVs participated in the survey, casting a total of 11,711 votes, making it one of the largest surveys of its kind, especially at this level of detail.

Receiving its fourth straight award from Business Solutions magazine is representative of Element’s dedication and commitment to providing its software partners and their customers with solutions that help reduce risk, liability, and cost, while easing the burden of PCI compliance. 

Contact us today for more information on the Element Express Processing Platform solution and how Element can help your business. 

07/14/2011

Reduce, Protect, Preserve: Point-to-Point Encryption

Element Payment Services, the industry leader in PCI compliant payment processing, and ThoughtKey, the leading PCI-focused consulting firm, have teamed up to offer a new white paper entitled "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit". The document is aimed at helping merchants understand and address the hurdles of achieving and maintaining PCI compliance. Authored by ThoughtKey, this white paper details the benefits and pitfalls of relying solely on payment network segmentation as opposed to the robust option of P2PE plus tokenization in a highly secured host environment.

The issues present today are a result of merchants pulling double duty attempting to protect cardholder data while also defending their environments from cyber threats. Despite best efforts, a study done by The Ponemon Institute this year - in which 581 US Technology Security professionals were surveyed - reports that 90% of businesses fell victim to cyber security breaches at least once in the past 12 months; 41% of these incidents cost businesses $500,000+ to handle!

The "P2PE: Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" white paper provides a simple and effective answer to these problems. The document details how Element TransForm™ P2PE suite effectively removes sensitive cardholder data from a merchant’s environment, thereby eliminating the target on the merchant’s proverbial back. The Element TransForm™ P2PE suite secures payments simply by ensuring that cardholder data is protected through P2PE from the initial point of entry and while in transit to the payment processor.

“We are excited to share this white paper with the payment processing industry and merchant community, as it offers great detail to a complete and secure solution,” said Sean Kramer, president and CEO of Element Payment Services. “At Element, we make it our number one priority to help customers protect their businesses while providing the innovative payments technologies needed to manage operations. Our comprehensive PCI compliant solutions make this possible.”

For more information about "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" download our white paper or contact us today.

11/03/2010

Point-to-Point Encryption – Sound Familiar?


We have highlighted a number of technologies in this blog that help achieve PCI compliance. The latest technology that should be in your IT security team’s bag of tricks is point-to-point encryption (P2PE). 

This new technology may sound strangely familiar. And it should. Does end-to-end encryption ring a bell? In early October 2010, the PCI Security Standards Council announced a new moniker for end-to-end encryption, switching the language to point-to-point encryption, with the hope of offering guidance with the new name to clarify this technology. 

The new point-to-point encryption naming concept also came with a new roadmap designed for merchants, acquirers, processors, vendors and QSAs. The new roadmap offers guidance on what businesses should look for when purchasing encryption technology to protect credit cardholder data as it is authorized and transported into a database. (However, P2PE is not designed to address card data storage. For those merchants that require storing sensitive data, tokenization is a good solution, where card data is returned in the form of tokens rather than the actual data.) 

P2PE, properly implemented, should reduce a merchant’s PCI scope. Once the card is swiped, the data is encrypted, and remains so until it reaches its destination. Decryption is not possible between the point of encryption and the final destination because only the P2PE provider is able to decrypt the data. This makes the P2PE technology ideal for those retailers that have no need to retain card data.
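One way to check the scope-reduction claim above from the merchant side, as an added example (not code from Element or the PCI SSC): scan merchant-side logs for cleartext card numbers, which should never appear once data is encrypted at the swipe. The log lines, field names and function names are constructed for illustration, and the card numbers are standard test numbers.

```python
import re

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log lines (hypothetical format, test card numbers only).
SAMPLE_LOG = [
    "POS01 auth request enc_block=Q2hhbmdlTWU6Y29uc3RydWN0ZWQ= masked=411111******1111",
    "POS02 DEBUG track2=;4111111111111111=1512101000?",
    "WEB01 order 1234567890123456 shipped",
    "POS03 manual entry card 5500-0000-0000-0004 keyed",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(line):
    """Return masked forms of every Luhn-valid PAN candidate in one line."""
    hits = []
    for match in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):  # filters order ids and other long numbers
            # Report first six and last four only, so the report itself
            # does not become a new store of cardholder data.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan(lines):
    """Map 1-based line number -> masked PANs found on that line."""
    return {n: hits for n, line in enumerate(lines, 1)
            if (hits := find_cleartext_pans(line))}


if __name__ == "__main__":
    for lineno, pans in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: cleartext PAN(s) {pans}")
```

Lines 2 and 4 are flagged: a debug dump of track data and a hand-keyed number both put cleartext card data back into the merchant environment, while the encrypted block and the Luhn-invalid order number pass.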

A follow-up paper on point-to-point encryption from the PCI SSC is scheduled for 2011, which will expand upon their P2PE recommendations. 

 
