PCI Compliance

11 Terms Everyone in the Payment Card Industry Must Know

Thu, 17 Nov 2011 12:33:03 -0500

11 Terms Everyone in the Payment Card Industry Must Know :

No matter how familiar you are with the payment card industry, you have undoubtedly heard a variety of terms and acronyms thrown around. And though the terms are used frequently, this doesn’t mean…

Are you PCI Compliant - Version 2.0 is Right Around the Corner

Wed, 16 Nov 2011 19:58:52 -0500

Version 2.0 of the PCI DSS and PA-DSS was released in 2010, updating the payment processing security standards that were in place. It should be noted that the variations made to Version 2.0 were minor but the hope is that the changes would have a major impact. Though the new version become effective as of January 1, 2011 the actual enforcement of the new requirements are not going to begin to be enforced until January 1, 2012.

The changes mainly consisted of modifications to language, clarifying the meaning of the PCI DSS requirements and making understanding and adoption easier on both merchants and software providers. While the changes were made to make the compliance process easier, the question is have merchants and software providers taken the steps to become compliant?

PCI compliance was a hot topic in 2011. This past year has given merchants and software providers alike the opportunity to meet these new requirements, and achieve PCI compliance. Come 2012, it will become clear who is meeting the new requirements and who is not.

Security Breaches Down in 2010 - Trend for 2011?

Wed, 19 Jan 2011 18:27:00 -0500

2010 was a year of progress for the card data security industry, according to some new figures published by the Identity Theft Resource Center (ITRC). The number of records known to have been exposed in a security breach decreased significantly, from 223.1 million in 2009 to 16.2 million in 2010.

The recorded breaches of security varied in the data that was exposed, including credit and debit card information, which made up 26 percent of the breaches, as well as social security numbers, which made up 62 percent. There were also numerous ways that the information was accessed, including hacking into computer systems, which made up for 17.1 percent of the reported breaches, insider actions, accounting for 15.4 percent and accidental exposure, 10.7 percent. This information made available by the ITRC shows that our valuable, personal information can be at risk of theft through a variety of methods if we, or the companies we use, are not properly protect against it properly.

Linda Foley, the founder of ITRC, predicts that cybercrimes and insider data thefts will increase in the coming years, because “it’s the path of least resistance.”

The PCI Security Standards Council (PCI SSC) has been working to limit hackers’ access to valuable card data information by driving education and awareness of the PCI DSS and PA-DSS, as well as through their efforts to implement the standards industry wide. The PCI SSC is holding companies responsible for their own PCI compliance, fining those that do not meet the requirements.

More and more companies are doing their part to take the necessary steps to achieve PCI compliance and by implementing technology solutions such as end-to-end encryption and tokenization, to protect their customers’ valuable information. These efforts by businesses play a role in limiting hackers’ access to card data.

A caveat in this report to point out, however, is that while the overall number of records exposed has dramatically decreased, the total number of security breaches increased from 498 to 662. This is an indication that now more than ever small to medium size businesses should have data security and PCI compliance at the top of their minds. Large corporations are certainly not the only targets of data thieves.

Companies that have chosen to remain non-compliant may become targets for cybercrimes and insider theft at an increasing rate, supporting Linda Foley’s prediction for the coming years. We’re looking forward to witnessing the increased uptake of the PCI DSS and PA-DSS in 2011. Continued awareness and education around PCI Compliance will make this an important year for the data security industry.

Time to be PCI Compliant

Thu, 13 Jan 2011 13:11:02 -0500

PCI DSS compliance is of increasing concern to many merchants. Whether you are a traditional “brick and mortar” merchant, an online merchant, or some combination of the two, understanding which PCI compliance level applies to your business is the first step in assuring that your PCI compliance audits will be as simple as possible.

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands - Visa, MasterCard, American Express, Discover and JCB International.

There is a PCI Compliance guide available to help you and your company achieve compliance.

How Do you Think PCI DSS and PA-DSS Version 2.0 Will Impact Merchants and Software Vendors in 2011?

Tue, 04 Jan 2011 10:53:42 -0500

How Do you Think PCI DSS and PA-DSS Version 2.0 Will Impact Merchants and Software Vendors in 2011?:

With the start of 2011, so comes the start of the transition to version 2.0 of the PCI DSS and PA-DSS. As of January 1, 2011, the updated versions of the standards became effective. Companies have…

New SAQ C-VT for Merchants Using Web-Based Virtual Terminals

Wed, 29 Dec 2010 07:16:22 -0500

New SAQ C-VT for Merchants Using Web-Based Virtual Terminals :

Merchants Using Web-Based Virtual Terminals Consider SAQ C-VT

Tue, 28 Dec 2010 13:11:17 -0500

A new Self Assessment Questionnaire (SAQ) and Attestation of Compliance have been made available to merchants by the PCI Security Standards Council (PCI SSC). This new version, titled the SAQ C-VT, was developed for merchants that process cardholder data only through isolated virtual terminals on personal computers connected to the Internet.

The SAQ C-VT is a trimmed down version of the SAQ C version 2.0. Rather than the SAQ C 2.0 80 requirements, the SAQ C-VT only has 51 requirements to meet to achieve compliance. In order for companies to reach PCI DSS compliance for this merchant environment, the merchant must complete the SAQ C-VT and Attestation of Compliance, then submit both items and any other requested documentation to their acquirer.

Merchants who complete the SAQ C-VT and the associated Attestation of Compliance must confirm that:

The company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser.

The company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.

The company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.

The company’s computer does not have software installed that causes cardholder data to be stored.

The company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.

The company does not receive or transmit cardholder data electronically through any channels.

Your company retains only paper reports or paper copies of receipts.

Your company does not store cardholder data in electronic format.

From the PCI SSC:

A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Those merchants who operate browser-based terminals should welcome this new SAQ version as it offers a questionnaire that is designed for their low volume of credit card transactions.

All I want for Christmas is to be PCI Compliant

Tue, 21 Dec 2010 14:28:54 -0500

All I want for Christmas is to be PCI Compliant :

The countdown continues, as January 1, 2011 quickly approaches. This is when version 2.0 of the PCI DSS and PA-DSS become effective, though validation against the previous version of the standard…

PCI Compliance for Christmas?

Tue, 21 Dec 2010 14:23:21 -0500

The countdown continues, as January 1, 2011 quickly approaches. This is when version 2.0 of the PCI DSS and PA-DSS become effective, though validation against the previous version of the standard (1.2.1) is allowed until December 31, 2011. Companies have been taking the proper steps to become PCI compliant as the date nears, because the transition to version 2.0 will be a point of emphasis for 2011. Even though validation against the previous version of the standard will be allowed until December 31, 2011, the PCI SSC encourages organizations to transition to the updated version as soon as possible. From January 1, 2012 on, all assessments must be under the version 2.0 standards.

Though the holiday season is a time to celebrate and spend time with loved ones, it is also a busy time of the year for merchants. Billions of dollars are spent as shoppers gather gifts and other holiday items in stores or online. Though this type of spending is great for businesses, it’s also a very attractive target for attackers to steal valuable card data. Do you know if your company is safe? With potentially thousands of credit cards at risk, knowing you are protected is important.

Surely you are aware of the industry standard for credit card compliance that the PCI Security Standards Council put forth. Companies who have not met PCI compliance requirements have already been faced with fines or worse, the loss of the ability to process credit cards. These penalties can be potentially devastating to companies.

Make sure your company is PCI compliant for the holidays. This can be the difference between a holiday season of cheer and one of security challenges.

PCI Fines Can Effect You and Your Business

Wed, 15 Dec 2010 19:06:24 -0500

There’s been talk of non-PCI compliant fines since the standards were launched by the PCI Security Standards Council (PCI SSC) in 2006. We’ve seen companies suffering from a breach, like TJX Corporation in 2007, pay out bucket loads of money in fines, law suits and replacement credit cards. The cost of the TXJ breach has been estimated in excess of $1 billion. But for years now, fines for non-compliance – as long as you don’t suffer a breach – have seemed to be a relatively faraway threat.

That reality is quickly changing. The industry has seen a growing number of non compliant PCI fines appearing on merchants’ monthly bills from their acquirers. The fees vary depending on the volume of transactions. The average monthly non-PCI compliance fee we’ve seen falls between $20 - $25. We’ve seen a whopping $1,000 non-compliant monthly surcharge. Ouch.

Payment brands have the ability to fine acquiring banks up to $100,000 per month for non-compliance violations. These fees are then passed down by banks to non-compliant merchants. The potential costs associated with non-PCI compliance don’t just end with fines, credit card replacement and audit fees: costs can also come in the form of loss of business and revenue, brand damage, increased transaction rates or banks terminating their relationship with a merchant. Such penalties can be catastrophic to a small business.

Complying with the requirements of the PCI DSS can be a daunting task both in terms of time and money to invest, especially for smaller companies. However, the costs associated with potential fines, business loss, and beginning to exponentially outweigh that of implementing PCI DSS.

PCI Fines in Effect

Tue, 14 Dec 2010 13:04:27 -0500

PCI Fines in Effect :

Not PCI compliant? Better get going…companies are paying monthly non-PCI compliant fines. There’s been talk of non-PCI compliant fines since the standards were launched by the PCI Security Standards…

Are you PCI Compliant?

Thu, 09 Dec 2010 16:52:56 -0500

According to a survey recently unveiled by the Ponemon Institute, a new factor is driving adoption of encryption technologies by merchants. For the first time in the six years of the U.S. Enterprise Encryption Trends survey, more businesses emphasized the meeting of PCI DSS requirements as a factor for adopting encryption technology. Previously the primary motivation to adopt data security technologies was to protect against security breaches.

In the past year, PCI compliance requirements have matured. Visa’s fifth PA-DSS security deadline passed in July, driving software vendors to comply with PA-DSS deadlines at an increased rate. This fall, Version 2.0 of the PCI DSS and PA-DSS were revealed by the Payment Card Industry Security Standards Council (PCI SSC). Penalties have begun to be doled out by acquiring banks and credit card companies on merchants not complying with the PCI DSS.

In order to protect themselves from card data theft and achieve compliance, businesses are looking to available technologies that will help them satisfy the compliance requirements of the industry. One technology that has received growing attention is encryption. End-to-end encryption (E2EE), or point-to-point encryption as the PCI SSC dubs it, protects the sensitive cardholder data from card swipe until the payment processor.

The Element Express Processing Platform uses the most advanced encryption technology to secure cardholder data. The Processing Platform ensures that sensitive cardholder information is not vulnerable to theft throughout the transaction process. Element’s technology also moves sensitive data to off-site storage through the use of tokenization technology, making it one of the most secure products on the market.

Results of the Ponemon Institute demonstrate the growing awareness of the PCI DSS requirements, as well as the increasing effectiveness to drive the uptake of advanced technology to protect cardholder data.

Make Sure You’re Included in the PA-DSS List

Tue, 23 Nov 2010 09:46:17 -0500

Make Sure You’re Included in the PA-DSS List:

When it comes to PA-DSS, software vendors should first determine which PCI compliance requirements they must meet. Distributed Independent Software Vendors (ISVs) need to achieve PA-DSS compliance,…

PA-DSS Audit: What does it entail?

Tue, 16 Nov 2010 15:38:22 -0500

PA-DSS Audit: What does it entail? :

If you’re a software vendor or payment applications developer and you know you need to be PA-DSS compliant, a PA-DSS Audit is a crucial part of the process to get on the list of compliant…

What is PCI?

Mon, 15 Nov 2010 19:53:30 -0500

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

The group that oversees many of the decisions and standard development is the Payment Card Industry Security Standards Council (PCI SSC), which was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. If any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Figure out which PCI DSS Level you're on

Tue, 09 Nov 2010 15:14:28 -0500

Merchants fall under four categories of PCI compliance Level, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Remember: all merchants that process credit cards―whether small or large―must be PCI compliant.

Here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands - Visa, MasterCard, American Express, Discover and JCB International.

To give you a general idea of how to determine your PCI compliance level, here are Visa’s PCI compliance level definitions:

PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

If you have further questions, or would like to know more about Element’s PCI Compliance solutions, view our PCI Compliance Guide or contact us. Our PCI compliance experts are standing by.

Point-to-Point Encryption – Sound Familiar?

Wed, 03 Nov 2010 21:05:59 -0400

Point-to-Point Encryption – Sound Familiar? :

We have highlighted a number of technologies in this blog that help achieve PCI compliance. The latest technology that should be in your IT security team’s bag of tricks is point-to-point encryption…

Wonder How Element's Payment Account Secure Storage Technology Works?

Fri, 22 Oct 2010 15:20:10 -0400

PASS is designed to allow merchants and payments service providers alike the ability to easily comply with PCI DSS with very little effort of financial impact.

Payment Account Secure Storage (PASS) technology has two major objectives: 1. Aid merchants and services providers with PCI Compliance. 2. Minimize the impact on existing payment processing systems.

The next piece is becoming PCI Compliance and understanding how PASS works. The PASS follows five simple steps:

1. Collect Cardholder Data

2. Securely Transmit Cardholder Data

3. Receive GUID Reference Pointer for Cardholder Data

4. Store GUID Reference Pointer In Place of Cardholder Data

5. Use GUID Reference Pointer for Future Payment Transactions

PASS dramatically reduces the complexity and expense related to PCI compliance. At the same time, PASS reduces the financial risk associated with storing sensitive cardholder data simply by removing the need to store the data all together. By not sotring sensitive cardholder data, merchants and service providers can save a substantial amount of time and money; likewise they can reduce an enormous financial risk.

New PCI Compliance Report Released – Who meets the Standard?

Wed, 13 Oct 2010 00:57:09 -0400

New PCI Compliance Report Released – Who meets the Standard?:

Last week, Verizon released a first-of-its-kind Payment Card Industry Compliance Report. The report, conducted by a team of PCI Qualified Security Assessors (QSAs), focuses on the state of compliance…

Want a better understanding of PA DSS?

Tue, 05 Oct 2010 12:42:00 -0400

According to the PCI Security Standards Council, “the PA DSS [scope] applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.” Additionally, “PA DSS does apply to payment applications provided in modules, which typically includes a ‘baseline’ module and other modules specific to customer types or functions … If other modules also perform payment functions; PA DSS applies to those modules as well.” Therefore, the scope of PA DSS, as defined by the PCI Security Standards Council, includes not only stand alone payment applications; but also applications that integrate to payment applications if they perform payment functions.

Learn more from the Element Payment Services Whitepapers.