No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, this doesn’t mean…
Version 2.0 of the PCI DSS and PA-DSS was released in 2010, updating the payment processing security standards that were in place. It should be noted that the changes made in Version 2.0 were minor, but the hope is that they will have a major impact. Though the new version became effective as of January 1, 2011, the new requirements will not actually be enforced until January 1, 2012.
The changes mainly consisted of modifications to language, clarifying the meaning of the PCI DSS requirements and making understanding and adoption easier for both merchants and software providers. While the changes were made to make the compliance process easier, the question is whether merchants and software providers have taken the steps to become compliant.
PCI compliance was a hot topic in 2011. This past year has given merchants and software providers alike the opportunity to meet these new requirements, and achieve PCI compliance. Come 2012, it will become clear who is meeting the new requirements and who is not.
2010 was a year of progress for the card data security industry, according to new figures published by the Identity Theft Resource Center (ITRC). The number of records known to have been exposed in a security breach decreased significantly, from 223.1 million in 2009 to 16.2 million in 2010. The recorded security breaches varied in the data that was exposed: credit and debit card information made up 26 percent of the breaches, and social security numbers made up 62 percent. The information was also accessed in numerous ways, including hacking into computer systems, which accounted for 17.1 percent of the reported breaches, insider actions, accounting for 15.4 percent, and accidental exposure, 10.7 percent.

This information made available by the ITRC shows that our valuable personal information can be at risk of theft through a variety of methods if we, or the companies we use, do not properly protect against it. Linda Foley, the founder of ITRC, predicts that cybercrimes and insider data thefts will increase in the coming years, because “it’s the path of least resistance.”

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data by driving education and awareness of the PCI DSS and PA-DSS, as well as through its efforts to implement the standards industry wide. The PCI SSC is holding companies responsible for their own PCI compliance, fining those that do not meet the requirements. More and more companies are doing their part by taking the necessary steps to achieve PCI compliance and by implementing technology solutions such as end-to-end encryption and tokenization to protect their customers’ valuable information. These efforts by businesses play a role in limiting hackers’ access to card data.
A caveat in this report to point out, however, is that while the overall number of records exposed has dramatically decreased, the total number of security breaches increased from 498 to 662. This is an indication that now more than ever, small- to medium-sized businesses should have data security and PCI compliance at the top of their minds. Large corporations are certainly not the only targets of data thieves. Companies that have chosen to remain non-compliant may become targets for cybercrime and insider theft at an increasing rate, supporting Linda Foley’s prediction for the coming years. We’re looking forward to witnessing the increased uptake of the PCI DSS and PA-DSS in 2011. Continued awareness and education around PCI compliance will make this an important year for the data security industry.
PCI DSS compliance is of increasing concern to many merchants. Whether you are a traditional “brick and mortar” merchant, an online merchant, or some combination of the two, understanding which PCI compliance level applies to your business is the first step in ensuring that your PCI compliance audits will be as simple as possible.
Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has its own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands: Visa, MasterCard, American Express, Discover and JCB International.
There is a PCI Compliance guide available to help you and your company achieve compliance.
With the start of 2011, so comes the start of the transition to version 2.0 of the PCI DSS and PA-DSS. As of January 1, 2011, the updated versions of the standards became effective. Companies have…
A new Self Assessment Questionnaire (SAQ) and Attestation of Compliance have been made available to merchants by the PCI Security Standards Council (PCI SSC). This new version, titled the SAQ C-VT, was developed for merchants that process cardholder data only through isolated virtual terminals on personal computers connected to the Internet. The SAQ C-VT is a trimmed-down version of the SAQ C version 2.0: rather than the 80 requirements of the SAQ C 2.0, the SAQ C-VT has only 51 requirements to meet to achieve compliance. In order for companies to reach PCI DSS compliance for this merchant environment, the merchant must complete the SAQ C-VT and Attestation of Compliance, then submit both items and any other requested documentation to their acquirer. Merchants who complete the SAQ C-VT and the associated Attestation of Compliance must confirm that:

From the PCI SSC: A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Merchants who operate browser-based terminals should welcome this new SAQ version, as it offers a questionnaire designed for their low volume of credit card transactions.
The countdown continues, as January 1, 2011 quickly approaches. This is when version 2.0 of the PCI DSS and PA-DSS becomes effective, though validation against the previous version of the standard (1.2.1) is allowed until December 31, 2011. Companies have been taking the proper steps to become PCI compliant as the date nears, because the transition to version 2.0 will be a point of emphasis for 2011. Even though validation against the previous version of the standard will be allowed until December 31, 2011, the PCI SSC encourages organizations to transition to the updated version as soon as possible. From January 1, 2012 on, all assessments must be performed against the version 2.0 standards.

Though the holiday season is a time to celebrate and spend time with loved ones, it is also a busy time of year for merchants. Billions of dollars are spent as shoppers gather gifts and other holiday items in stores or online. Though this type of spending is great for businesses, it is also a very attractive target for attackers seeking to steal valuable card data. Do you know if your company is safe? With potentially thousands of credit cards at risk, knowing you are protected is important. Surely you are aware of the industry standard for credit card compliance that the PCI Security Standards Council put forth. Companies that have not met PCI compliance requirements have already been faced with fines or, worse, the loss of the ability to process credit cards. These penalties can be potentially devastating to companies. Make sure your company is PCI compliant for the holidays. This can be the difference between a holiday season of cheer and one of security challenges.
There’s been talk of PCI non-compliance fines since the standards were launched by the PCI Security Standards Council (PCI SSC) in 2006. We’ve seen companies suffering from a breach, like TJX Corporation in 2007, pay out bucketloads of money in fines, lawsuits and replacement credit cards. The cost of the TJX breach has been estimated in excess of $1 billion. But for years now, fines for non-compliance – as long as you don’t suffer a breach – have seemed to be a relatively faraway threat. That reality is quickly changing.

The industry has seen a growing number of PCI non-compliance fines appearing on merchants’ monthly bills from their acquirers. The fees vary depending on the volume of transactions. The average monthly PCI non-compliance fee we’ve seen falls between $20 and $25. We’ve also seen a whopping $1,000 monthly non-compliance surcharge. Ouch. Payment brands have the ability to fine acquiring banks up to $100,000 per month for non-compliance violations. These fees are then passed down by the banks to non-compliant merchants.

The potential costs associated with PCI non-compliance don’t just end with fines, credit card replacement and audit fees: costs can also come in the form of loss of business and revenue, brand damage, increased transaction rates or banks terminating their relationship with a merchant. Such penalties can be catastrophic to a small business. Complying with the requirements of the PCI DSS can be a daunting task, both in terms of the time and the money to invest, especially for smaller companies. However, the costs associated with potential fines and business loss are beginning to exponentially outweigh those of implementing the PCI DSS.