Technology

01/26/2012

Durbin Amendment Updates – How has the Industry Responded?

The Federal Reserve made final rulings on the controversial Durbin Amendment back in June of 2011 that capped processing fees on debit and credit card transactions. The impacts of the amendment are now being seen and felt by banks and merchants, and even down to consumers.

The Durbin Amendment fought to protect merchants and consumers; however, the amendment is actually protecting the banks, resulting in increased costs for merchants and consumers. 

The intention of the reform was to regulate the processing fees paid by merchants, but some merchants have actually seen increases in their debit card transaction fees. Most notable was Redbox, a DVD rental vendor that only completes transactions by debit and credit card, which had to raise its rental price 20%, from $1.00 to $1.20, to compensate for the added fees. Chief Executive Paul Davis was quoted as saying that the price increase stems from operational costs, mainly debit card interchange fees.

Concurrently, the banks now report a decrease in the money they collect through processing fees, which has led them to end debit card rewards programs and add fees to checking accounts, ultimately costing consumers more to bank with them.

The domino effect of the Durbin Amendment continues to roll along and, unfortunately, the amendment continues to stir up questions and concern as consumers and banks go head-to-head. In November of 2011 consumers fought banks over the proposed monthly debit card fees and ultimately won; banks decided not to institute monthly fees for the use of debit cards.

Consumers, merchants and banks will continue to encounter the waves from the Durbin Amendment tsunami, working toward a reasonable solution. Only time will tell.


Future implications of the Durbin Amendment

April 1st, 2012 – Two-network minimum requirement for issuers goes into effect.

April 1st, 2013 – Two-network minimum requirement for prepaid debit and benefit cards goes into effect.

The requirement for issuers to partner with two networks creates a two-tier pricing system that some issuers may have difficulty navigating. An issuer can no longer partner only with Visa, which has agreed to honor the cap exemptions. It must choose a second network, and there is no guarantee of protection there.

The Durbin Amendment has created questions and concerns throughout the industry, with business owners wondering the impact the Amendment has on their business. Payment processing technology is key to businesses keeping up with the ever-changing industry. Let the experts at Element Payment Services make sure you are ahead of the curve, and help you better understand the Durbin Amendment and its potential impact, by contacting us today.


Infographic Provided By: http://www.nerdwallet.com/infographics/durbin-timeline

08/17/2011

What do you Really Know About Tokenization? Released Tokenization Guidelines Help Explain.

At times, there can be confusion in the industry surrounding tokenization, a process designed by technology providers as a means to secure cardholder data while providing merchants with the functionality needed to run their businesses. Last week, the PCI SSC tried to clarify questions surrounding this technology with the scheduled release of the PCI Data Security Standard (PCI DSS) tokenization guideline. The guidelines are designed to give merchants a better understanding of how they can incorporate tokenization into their card payment security strategy, as well as how those efforts relate to, and affect compliance with, the PCI DSS.

At its simplest level, tokenization technology replaces a primary account number at the point of sale with a surrogate value called a “token” to improve data security. Subsequently, if tokenization is used properly, a merchant would not need to retain the primary account number in the payments system used at the business once the transaction is processed. This results in a minimized amount of data a business would need to keep on hand, ultimately bolstering the security of credit card transactions, while limiting the cost and complexity of meeting compliance requirements at the same time.

Unlike several of the other well-known technologies in the industry, tokenization does not have standards. So while the technology provides a great level of value, some merchants still need help knowing the best practices on how to incorporate tokenization so it works most optimally for their business and their customers. It is important to understand that tokenization is not an alternative to the standards, as merchants still have to comply with the PCI DSS.

The tokenization guidelines released by the PCI SSC should help merchants understand the options surrounding the technology, and how it fits their business’ needs. These guidelines will also benefit tokenization service providers and assessors, clarifying how the technology can limit or eliminate scope by transferring the responsibility of storing sensitive cardholder data away from the merchant to a payments technology provider. This is especially valuable as it also simplifies the PCI DSS assessment process by limiting the number of requirements applicable to the merchants’ environment. 

To learn more about this technology, download our tokenization white paper or contact Element today.

08/01/2011

The Element Express Processing Platform Recognized as a 2011 Best Channel Product By Business Solutions Magazine

On August 1, 2011, Element’s Element Express Processing Platform solution was selected by Business Solutions magazine as one of 2011’s Best Channel Products. Value Added Resellers (VARs) and Independent Software Vendors (ISVs) participating in Business Solutions' annual survey ranked the Element Express Processing Platform as a leading payment processing technology, making it one of only three solutions in this category. Being honored with the 2011 Best Channel Products award makes this the fourth consecutive award for Element Payment Services from Business Solutions magazine since the survey debuted in January 2010. Element’s past awards include Best Channel Vendor in 2010 and 2011, and Best Channel Product in 2010 and now in 2011.


The Element Express Processing Platform is a purpose-built payment engine, architected for an evolving industry with a Service Oriented Architecture (SOA). Using Element’s Web services or XML interface, ISVs can easily integrate software applications with Express, incorporating its robust suite of PCI compliant technologies, which include point-to-point encryption (P2PE) and tokenization.  ISVs and merchants have long relied on Express to deliver innovation, reliability and simplified payment processing.

Business Solutions magazine partnered with Penn State University to conduct and analyze the survey of its subscribers. As part of the Web-based survey, VARs/ISVs were asked to rate a product’s richness of features/functionality, product reliability/durability, ease of integration, ease of upgrading and the VAR’s/ISV’s ability to service. The 2011 Best Channel Products recognition was given only to the top few vendors who scored highest in the product categories. This is a new format from years past where many products were selected for each category, making this award even more competitive.


1,490 VARs/ISVs participated in the survey, casting a total of 11,711 votes, making it one of the largest surveys of its kind, especially at this level of detail.

Receiving its fourth straight award from Business Solutions magazine is representative of Element’s dedication and commitment to providing its software partners and their customers with solutions that help reduce risk, liability, and cost, while easing the burden of PCI compliance. 

Contact us today for more information on the Element Express Processing Platform solution and how Element can help your business. 

07/19/2011

Element’s Hosted Payments: Taking ISVs out of PCI Scope

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments removes Independent Software Vendors’ (ISVs’) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method for Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, while preserving the benefits associated with integrated payments. The process shifts the responsibility for handling sensitive cardholder data to Element's PCI DSS compliant Express Processing Platform. By moving the entry point and storage location of sensitive card data, ISVs also avoid the hassle and cost of compliance and compliance audits.

The PCI DSS applies specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are removed from PCI scope and its compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but through Hosted Payments' integration with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

07/14/2011

Reduce, Protect, Preserve: Point-to-Point Encryption

Element Payment Services, the industry leader in PCI compliant payment processing, and ThoughtKey, the leading PCI-focused consulting firm, have teamed up to offer a new white paper entitled "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit". The document is aimed at helping merchants understand and address the hurdles of achieving and maintaining PCI compliance. Authored by ThoughtKey, this white paper details the benefits and pitfalls of relying solely on payment network segmentation, as opposed to the more robust option of P2PE plus tokenization in a highly secured host environment.

The issues present today are a result of merchants pulling double duty attempting to protect cardholder data while also defending their environments from cyber threats. Despite best efforts, a study done by The Ponemon Institute this year - in which 581 US Technology Security professionals were surveyed - reports that 90% of businesses fell victim to cyber security breaches at least once in the past 12 months; 41% of these incidents cost businesses $500,000+ to handle!

The "P2PE: Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" white paper provides a simple and effective answer to these problems. The document details how Element TransForm™ P2PE suite effectively removes sensitive cardholder data from a merchant’s environment, thereby eliminating the target on the merchant’s proverbial back. The Element TransForm™ P2PE suite secures payments simply by ensuring that cardholder data is protected through P2PE from the initial point of entry and while in transit to the payment processor.

“We are excited to share this white paper with the payment processing industry and merchant community, as it offers great detail to a complete and secure solution,” said Sean Kramer, president and CEO of Element Payment Services. “At Element, we make it our number one priority to help customers protect their businesses while providing the innovative payments technologies needed to manage operations. Our comprehensive PCI compliant solutions make this possible.”

For more information about "Point-to-Point Encryption (P2PE): Reduce PCI Scope, Protect Cardholder Data and Preserve Profit" download our white paper or contact us today.

06/07/2011

Highlights from the 2011 Electronic Transactions Association (ETA) Annual Meeting and Expo

A dialogue with Apple co-founder Steve Wozniak kicked off the 2011 ETA Annual Meeting and Expo held this year in San Diego, Calif. May 10 - 12. Wozniak explained that payment processing at Apple is not a top priority and that Apple is waiting until they can do it right – “I think they'll hold off and not make any moves until they know they can do it right” (The Green Sheet). Wozniak also discussed the future of mobile payments, suggesting that "tap-and-go technology is so compelling that it will be in everyone's hands within just a few years" (The Green Sheet). He believes that Near Field Communications (NFC) technology will be the next big thing for mobile payments.

The conference also featured keynote speaker former Sen. Christopher Dodd, D-Mass., co-author of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. Dodd touched upon the Durbin Amendment and the looming debit interchange regulation. Dodd went on to encourage ISOs, MLSs and their partners to reach out more to their local politicians to fight against further legislation. Dodd feels that it would be easier to contact them directly, saying “I can assure you that if you were to invite your member of Congress to come to your business to learn what you do and about your issues, you'd have a lot more luck than anyone standing in the halls of Congress trying to [lobby] staffers" (The Green Sheet). However painful, regulatory and PCI compliance issues are not going away. Critical security measures are put in place to protect consumers and stay current with technology.

Mobile payments were the hot topic of this year’s meeting: more and more people have smart phones and are using them to shop, making mobile card acceptance, couponing and security high priorities for merchants. Visa took the opportunity at the expo to announce its mobile wallet plans, which feature "a range of customized mobile payments services that address the specific requirements of geographic markets around the world" (Visa). The excitement for mobile wallet solutions came through clearly at the show.

ETA 2011 also had a lot of hype around a newly promoted certification program. Visa’s new Certified Payments Professional program, which officially launched in February 2011, is designed to be the industry's first professional certification process for sales agents and others engaged in the distribution of electronic payment products and services.

ETA attendees noted that this year’s show seemed to be a bit quieter, with fewer people and less industry news as compared to past expos. However, ETA contacts say that attendance and exhibitor numbers had increased. Overall, attendees reported to be pleased with the quality of the interactions and networking opportunities.  

The Electronic Transactions Association is an international trade association that represents companies offering electronic transaction processing products and services. The ETA encourages businesses to network within the electronic payments industry through education and advocacy. The three-day meeting and expo was open to international electronic payments professionals and business owners.

03/22/2010

PCI Compliance Thought Leader Q&A: Dr. Anton Chuvakin

This month we’ve interviewed PCI Compliance Thought Leader Dr. Anton Chuvakin, a recognized security expert in the field of log management and PCI DSS compliance. He is the author of two books and a contributor to several others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management. His blog, Security Warrior, is one of the more popular in the industry.

In conjunction with this interview, we are giving away one copy of Anton’s latest book on PCI Compliance. In order for your name to be entered into the contest, begin following us on Twitter (if you are not already!) and tweet out the following:

Read @elementps interview with Anton Chuvakin and enter to win PCI compliance book: http://bit.ly/a9hv3q

The contest ends this Friday, March 26 at 5:00 pm EST.

PCI DSS Compliance Blog: You recently launched a new security consulting practice.  What are your offerings as a consultant?

Anton Chuvakin: Indeed, I have switched from being employed by the security vendor to being an independent consultant.  Given my expertise in log management and SIEM, as well as PCI DSS, this is where I focus my efforts.  For example, in one recent project I helped at Fortune 1000 company with their log management and log review implementation for PCI compliance.  I have developed operational procedures and daily tasks they’d need to follow in order to review in scope and application logs for PCI DSS, security as well as other issues.  Another set of projects I have completed involved helping security vendors with their PCI DSS focused products and services.  So far, I had a good balance of exciting enterprise and vendor projects. You can see a complete list of my services as well as examples of recent projects on my consulting site.

What are the areas of greatest confusion for your clients?

If I have to name one issue it would be “What to log for PCI DSS compliance?” We all know that security and compliance concerns can rarely be reduced to simple questions like this, but many people are still looking for a simple checklist on what to log, what to review, what to configure, and other such things.  For example, one of the famous confusions is a reference to ”system-level objects” in PCI DSS Requirement 10.2.7.  I’ve yet to meet a person who knows what exactly that means, thus the issue of logging granularity is left to interpretation by curious and other experts.

One could call you a logging evangelist…in fact, you were the Chief Logging Evangelist for LogLogic at one point.  Why is logging important for PCI compliance?

As I mentioned in a recent presentation, logging is a key IT accountability mechanism.  And accountability is a key feature of all regulatory compliance mandates, frameworks, logs and other governance documents.  Without accountability, compliance is pointless or – which is worse! - turns into an exercise of “who can lie better?”

Thus, on a high level, the value of logging is obvious.  As it happens in many cases, the devil is in the details: tying system configurations and application settings to such high level and worthwhile goals is not trivial and has been the focus of some of my recent consulting projects.

Is it realistic for small businesses to monitor their logs? If so, what processes do you recommend they implement?

The simple answer is “yes” – if you operate Internet connected computers that are involved with payment processing or other critical business tasks, you have to monitor your logs.  But before that, you have to actually have logs.  For many businesses, an essential steppingstone to log monitoring is actually log collection and retention.  This will allow them to investigate (or hire somebody to investigate) a security incident and then adjust the controls to prevent the recurrence.  Yes, it is reactive and not proactive, but let’s be realistic here: few organizations today are proactive about security.  Being reactive – but reacting better and faster, based on solid information in the logs – is a more useful goal.

On a more practical level, there are plenty of free or low cost tools to deal with logs. I list some of them here.

A second edition of a book you co-authored - PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance - was recently released.  Who would benefit from picking up your book?

As we say in the preface, “this book is for the Information Technology (IT) managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size business that doesn’t have an IT department to delegate to. The book is also for large organization whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.”

To put it simply, the book is for everybody in the PCI ecosystem: merchants, service providers, vendors, consultants, etc.  While most of the content is useful for those actually implementing PCI DSS controls, a few of the chapters will be enlightening even to their bosses and likely even their bosses’ bosses.

Without giving too much away, what are one or two points that emerge from the book that you think every business should know about PCI compliance?

I would like to make two points here and still risk oversimplifying an incredibly complex issue of payment security.

The first is: don’t think of protecting the data first, think of eliminating the data first.  Building a business process that does not touch sensitive card data is actually simpler than protecting said data (by the way, nowhere in that sentence it says that it is simple – just simpler).

The second point is somewhat different for larger and smaller companies.  If you are large and have to do an onsite assessment by a QSA, then don’t fear the assessor! We even have a chapter with that name: “Don’t Fear the Assessor.” You are much more likely to be successful if you treat his visit as a valuable service and not as intrusion.  If you’re small and have to self-assess, the lesson is similar: PCI is actually useful for you.  We should have written a chapter called “PCI DSS is good for you”, but we haven’t – this information on the benefits of PCI DSS is all of the book.

You are very active on social media platforms like Twitter and deli.icio.us and blog regularly.  What are your favorite resources for PCI compliance information on the web? 

To be honest, I try to follow way too many of them.  Here are some examples: Storefrontbacktalk, Treasury Institute, Merchant Account Blog, etc. Sorry if I forgot to mention somebody!

My co-author Branden Williams’s blog deserves a special mention, because it is awesome.

Where do you see the PCI compliance industry in five years?

To be honest, I don’t want to see a “PCI compliance industry” at all: not now, not in a year, not in five years.  Admittedly, there is a cottage industry of people profiting off PCI compliance, but I would not want to call it the “PCI compliance industry.”

On the other hand, the secure payments industry will hopefully make a few significant leaps and bounds in five years.  I hope to see almost total elimination of merchant side payment card data storage, I hope to see the mag stripe finally bite the dust (won’t happen, I know), and I hope to see truly merchant-to-issuer encryption (it used to be called “end to end encryption”) which not only limits but prevents the exposure of all entities to cardholder data.  Also, I hope to see a way to do secure micro payments – something that has not yet materialized at all.

Do you think that end-to-end encryption and tokenization technologies will play a significant role? 

Personally, I'd take tokenization over E3/E2EE any day now. Philosophically, "kill the data" approach just beats the "protect the data" approach with the way people approach security today. It is just harder to screw up if there is no data to protect.  Still, I see them both facing increased use since in some cases you just have to use one and not the other (or both).

Read our previous PCI Compliance Thought Leader Q&A with Rick Dakin, President of Coalfire and don't forget to enter the contest to win Anton Chuvakin's book!

11/17/2009

Tokenization PCI Compliance


In recent months, as the PCI Security Standards Council has continued to weigh the merits of what they have deemed “emerging technologies,” two terms have been highlighted most frequently. 

The first is end to end encryption, which we’ve written at length about here and here.  The other is tokenization.  As we mentioned in a recent post, these two solutions have quickly become the favorites among all other emerging technologies.

Tokenization is an attempt to mitigate the risks inherent in storing credit card data.  In the same way that end to end encryption helps to protect data in transit, tokenization helps to protect data at rest.  With data in transit increasingly targeted by hackers (and making big headlines), it is easy to overlook the fact that data at rest can be equally prone to theft.

As a process, tokenization replaces credit card data with a unique "token" that acts as a reference pointer to that credit card data.  Using this logic, a credit card transaction sends this reference pointer token along the payment chain.  At the processing end of the payment chain, the token is verified and the transaction processed, all without having exposed any sensitive cardholder data to the various networks along the payment chain.  And because tokens are produced for accounts, rather than for specific transactions, stored tokens can be effectively used for scheduled automatic payments as well.

Because the merchant uses a “token,” rather than real credit card data, and relies on the payment processor to assign that token (and to transmit and/or store card data), merchants relying on tokenization decrease their “scope” relative to PCI compliance, transferring the onus of the most critical aspects of PCI compliance to the payment processor.     

Tokenization eliminates the need for actual credit card data to be stored or transmitted by the merchant and, in many cases, allows for an easier PCI SAQ process.  And with some payment solutions offering both tokenization and end to end encryption, the result is an integrated solution that protects data both in transit and at rest.  
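The flow described above, and in the PCI SSC guideline post earlier on this page, as an added example that is not code from the original posts or from Element: a processor-side vault issues one random token per account, the merchant stores and sends only the token, and only the processor can resolve it back to the card number. The class names, the in-memory vault standing in for an HSM-backed store, and the token format (16 digits, last four preserved, deliberately Luhn-invalid) are assumptions of this example.

```python
"""Account-level tokenization, simulated in memory.

The processor's vault swaps a PAN for a random surrogate token; the merchant
keeps and sends only the token; only the processor resolves it back to the
PAN. One token per PAN (not per transaction) makes the stored token reusable
for scheduled, recurring charges. All components here are constructed stand-ins.
"""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: real PANs pass it, our tokens deliberately fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault (in-memory stand-in for an HSM-backed database).

    Tokens are random, so nothing about the PAN can be recovered from a token
    without this vault. The vault is the only component that ever sees a PAN.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_by_pan_idx: dict[str, str] = {}   # HMAC(PAN) -> token
        self._pan_by_token: dict[str, str] = {}       # token -> PAN

    def _pan_index(self, pan: str) -> str:
        # Keyed hash so the lookup index does not itself hold PANs in clear.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Format-preserving: 16 digits, last four kept so receipts can show
        # "ending in 1111". The token is forced to FAIL the Luhn check so it can
        # never be mistaken for, or accidentally processed as, a real PAN.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the account-level token for this PAN, issuing one if it is new."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._pan_index(pan)
        if idx not in self._token_by_pan_idx:
            token = self._new_token(pan)
            self._token_by_pan_idx[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan_idx[idx]

    def detokenize(self, token: str) -> str:
        """Resolve a token to its PAN; only the processor may call this."""
        return self._pan_by_token[token]   # KeyError for unknown or forged tokens


@dataclass
class Processor:
    vault: TokenVault

    def store_card(self, pan: str) -> str:
        return self.vault.tokenize(pan)   # PAN enters the vault and nowhere else

    def authorize(self, token: str, amount_cents: int) -> dict:
        pan = self.vault.detokenize(token)
        # The real PAN would go on to the card network from here; the merchant
        # never held it. Return only what the merchant needs for its records.
        return {"approved": amount_cents > 0, "last4": pan[-4:], "amount": amount_cents}


@dataclass
class Merchant:
    """Merchant system that stores tokens only; no PAN ever persists here."""
    processor: Processor
    cards_on_file: dict[str, str] = field(default_factory=dict)  # customer -> token

    def enroll(self, customer_id: str, pan: str) -> str:
        token = self.processor.store_card(pan)   # PAN handed off and discarded
        self.cards_on_file[customer_id] = token
        return token

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        # Recurring charge: the stored token is reused, the PAN is never re-entered.
        return self.processor.authorize(self.cards_on_file[customer_id], amount_cents)

    def stores_pan(self, pan: str) -> bool:
        return pan in self.cards_on_file.values()


def demo() -> tuple[Merchant, str, dict, dict]:
    # Constructed input: a well-known Luhn-valid test number, not a real card.
    pan = "4111111111111111"
    merchant = Merchant(Processor(TokenVault(index_key=secrets.token_bytes(32))))
    token = merchant.enroll("cust-42", pan)
    first = merchant.charge("cust-42", 1999)
    second = merchant.charge("cust-42", 1999)    # scheduled renewal reuses the token
    return merchant, token, first, second
```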

Related Posts and Pages:

End-to-End Encryption Emerges a Winner from PCI SSC Meeting

Credit Card Tokenization

10/08/2009

End to End Encryption Emerges a Winner from the PCI SSC Meeting

At the PCI Security Standards Council community meeting last week in Las Vegas, end-to-end encryption came out at the top of the list of payment card industry “emerging technologies.”

PricewaterhouseCoopers presented findings of an independent study (which the PCI Security Standards Council enlisted them to do) that examined twelve technologies on the market that potentially could help merchants satisfy PCI compliance mandates like PCI DSS and PA-DSS.  After initial research, the study narrowed its focus to end-to-end encryption, tokenization, virtual terminals and magnetic stripe imaging. 

While it may yet be too early to declare end to end encryption (E2EE) the clear leader among these emerging technologies, as Dan Kaplan from SC Magazine wrote:

Based on their findings, PwC determined that end-to-end encryption, which encrypts data from point-of-sale at the merchant across the processor's network, may have the most success at reducing PCI compliance scope for merchants.

While most people tend to associate credit card data theft occurring when that data is stored but not sufficiently protected, the hackers at the front of the data security battle are increasingly intercepting data while it is being sent across networks, relying on packet sniffing malware and SQL injection attacks to breach networks large and small.

Most of the emerging technologies PwC researched seek to address the vulnerability of such data in transit.  End to end encryption helps protect data in transit by ensuring that cardholder data is fully encrypted, across all networks, from card swipe through bank processing.  PCI Requirement 4, the current PCI requirement that relates to data encryption, mandates that merchants and software vendors “encrypt transmission of cardholder data across open, public networks.”  Clearly, though, data is at risk across all networks, as the most recent breaches have proven.

Since current PCI standards were crafted prior to this trend of shifted risk, PCI requirements could very well change as a result of the current review.

Related Posts and Pages:

Tokenization and PCI Compliance

06/22/2009

Penetration Testing and PCI Compliance

One area where merchants and software providers struggle with PCI compliance relates to PCI DSS Requirement 11.  Here’s a breakdown of the requirement.

PCI DSS Requirement 11 is comprised of seven sub-requirements and 14 testing procedures.  It mandates that any business handling credit cards “regularly test security systems and processes,” a requirement that is intended to secure the network environment in which most merchants and software providers operate.

Some of the sub-requirements contained within PCI DSS Requirement 11 require validation by a Payment Card Industry Security Standards Council Approved Scanning Vendor (ASV).  Others, like sub-requirement 11.3, require no validation by an ASV or Qualified Security Assessor (QSA).  Sub-requirement 11.3 can be met using a “qualified internal resource,” leaving merchants and software vendors free to go it alone.

A closer look at PCI DSS Requirement 11.3 reveals that it requires businesses:

“Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”

Such penetration testing, also referred to as ethical hacking (or in some cases white hat hacking) is a PCI DSS requirement mandated by sub-requirement 11.3 (and clarified by PCI SSC in supplemental information). 

The reality is that many small businesses do not have a “qualified internal resource.”  Among merchants especially, many businesses end up paying an external third party to perform penetration tests.

As with any security standard, of course, performing more diligence than the minimum requirements is generally the best way to stay digitally secure.  This is why we perform multiple penetration tests on our entire network every year, instead of merely the one required by PCI DSS.

Related Element Payment Services Pages:

PCI DSS Requirements
PCI DSS Compliance Level
