May 18, 2012

PCI – If you Accept Credit Cards

PCI is a requirement imposed by the payment card companies through their agreements with merchants and banks; it is not a government regulation. The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder account data and so prevent the fraud that follows card or identity theft.

All organizations that process payment cards (Visa, MasterCard, American Express, etc.) have to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was developed by the payment card brands, and compliance is essential if a merchant wishes to continue processing payment card transactions. This includes merchants that only use paper-based processing, merchants that outsource their credit card processing, and merchants that process credit cards in-house. The PCI DSS has approximately 194 controls in 12 sections (the 12 requirements), and the 12 sections are grouped into 6 objectives.

The 6 objectives are:

  • build and maintain a secure network,
  • protect cardholder data,
  • maintain a vulnerability management program,
  • implement strong access control measures,
  • regularly monitor and test networks,
  • maintain an information security policy.

Your merchant (acquiring) bank will inform you of your merchant level and of the process for submitting evidence of compliance. Each bank's process differs slightly, and most are focusing first on high-volume merchants and working their way down to the lowest-volume merchants. Even if your bank has not yet requested compliance data, it is wise to make sure your company is following the standard, so that you fall under the "safe harbor" for liability described below.

The first step in complying with the PCI DSS is filling out a Self-Assessment Questionnaire (SAQ). In February 2008 the PCI Council announced different validation types for merchants, depending on the risk of the processing environment: merchants who outsource all card processing attest to 11 questions, while merchants who process transactions in-house on custom applications attest to all 226 questions. Separately, each merchant is placed in a level based on the number of transactions processed. The level determines what evidence of compliance must be prepared and whether it must be submitted to the merchant's acquiring bank (also called the merchant bank or acquirer). Merchants with a low number of transactions need only complete the SAQ and keep the documentation in-house. Merchants in the middle levels must submit the SAQ and evidence of external scans to their acquiring bank. At the highest level, merchants must have external scans and a full independent PCI audit by a Qualified Security Assessor (QSA).

Merchant levels are determined by the annual number of transactions, not their dollar value. If you process fewer than 20,000 e-commerce transactions a year, or fewer than 1 million card transactions a year overall, you are in Level 4, the least restrictive. Level 4 requires a PCI compliance self-assessment and quarterly network vulnerability scans.

Self Assessment Questionnaires
Since most acquirers (merchant banks) require Self-Assessment Questionnaires from merchants at levels 2, 3 and 4, it is important to know which version of the SAQ your business needs to complete:

  • SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. This never applies to face-to-face merchants.
  • SAQ B: Imprint-only merchants with no electronic cardholder data storage, or stand-alone dial-up terminal merchants with no electronic cardholder data storage.
  • SAQ C: Merchants with payment application systems connected to the Internet and no electronic cardholder data storage.
  • SAQ D: All other merchants (not covered by SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ.

Quarterly Network Scans
To demonstrate compliance with the PCI DSS, merchants and service providers may be required to have periodic PCI security scans conducted, as defined by each payment card company. The PCI DSS requires every merchant with externally facing IP addresses to have its external network scanned. Acquirers (merchant banks) require quarterly submission of scan reports from Level 1, 2 and 3 merchants and may require them from Level 4 merchants. The scans are automated, non-intrusive vulnerability scans run over the Internet by a PCI Approved Scanning Vendor (ASV); they evaluate every Internet-facing host in your perimeter, not only web servers, for known vulnerabilities without attempting to exploit them.

“PCI Security Scans may apply to all merchants and service providers with Internet-facing IP addresses. Even if an entity does not offer Internet-based transactions, other services may make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company’s network. Such seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and potentially expose cardholder data if not properly controlled.” - PCI DSS Security Scanning Procedures v 1.1

Additional Standards
The Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) standard support the PCI DSS and address the security of the applications and hardware used to process payment card transactions.

"PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS." - Payment Card Industry Security Standards Council

"The PCI PED security alignment initiative is aimed at ensuring that the cardholder's PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device. The objective of the requirements is the provision of a single, consistent, and stringent standard for all PIN acceptance devices worldwide." - Payment Card Industry Security Standards Council

These supporting standards are aimed at the vendors who create the applications and hardware devices used in processing payment cards. Merchants should be aware of them and purchase only applications and devices that have been validated against them; merchants were required to be using only compliant applications and hardware by July 2010.
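The SAQ criteria above hinge on "no electronic cardholder data storage", and PA-DSS forbids storing full track data, CVV2 and PINs. The script below is an added example, not from the original page and not a PCI SSC or Torian Group tool, of the kind of check a merchant can run over its own logs, exports or database dumps to find such data before an assessor or a forensic investigator does. The log lines are constructed for the example and use the card brands' published test numbers; the track layouts follow ISO/IEC 7813, and the CVV2 keyword pattern is an assumed heuristic, since a bare three-digit value cannot be recognised on its own.

```python
"""Find card data that PCI DSS and PA-DSS forbid storing (clear-text PAN,
full track 1 / track 2 data, CVV2) in text such as application logs.

Added example, not from the original page. SAMPLE_LOG is constructed;
the regexes are simplified heuristics, not a certified discovery tool.
"""
import re
from typing import List, Tuple

# A PAN is 13-19 digits, possibly grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# CVV2 next to a field name (assumed heuristic: a bare 3-4 digit value is unremarkable).
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed log lines using the card brands' published test numbers.
SAMPLE_LOG = """\
2012-05-18 10:01:02 order=1234567890123456 status=approved
2012-05-18 10:01:03 DEBUG card=4111 1111 1111 1111 exp=1512 cvv2=123
2012-05-18 10:01:04 swipe raw=%B5555555555554444^DOE/JANE^15121011000000000?
2012-05-18 10:01:05 swipe raw=;378282246310005=15121011234500000?
2012-05-18 10:01:06 ref=4111111111111112 (not a card: fails Luhn)
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes; filters out order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, masked detail) for each finding, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        track_spans = []
        for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            for m in rx.finditer(line):
                track_spans.append(m.span())
                findings.append((lineno, kind, mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            # Digits inside already-reported track data are not reported twice.
            if any(start <= m.start() < end for start, end in track_spans):
                continue
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, "PAN", mask_pan(digits)))
        if CVV2_RE.search(line):
            findings.append((lineno, "CVV2", "***"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {detail}")
```

Run it against real files with `scan_text(open(path).read())`. Hits are reported masked (first six and last four digits), so the report itself does not become another copy of stored PANs. A Luhn-valid 13-19 digit number is still only a candidate (the order number on the first sample line is dropped by Luhn, but a different one might pass by chance), so confirm hits by hand; any confirmed track data or CVV2 in storage is a finding to remediate, not merely to document.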

Safe Harbor
Safe harbor is the outcome of the PCI validation process: it protects a merchant from fines and compliance exposure in the event of a data compromise. After a breach, the card brands will have a forensic investigation performed to determine whether the organization was PCI DSS compliant at the time of the breach. If the organization is found to have been out of compliance at that time, it may be liable for the full cost of the breach, including the cost of the forensics, the losses of cardholders, the banks and the card brands and, in some states, fines. In addition, the organization will be moved to the highest merchant level, will have to meet the most stringent evidence requirements, and will see its card processing fees increase. To obtain safe harbor status a merchant must maintain full compliance at all times, including at the time of the breach, as demonstrated by the forensic investigation.

Notes:
  1. For a merchant to be considered compliant, any service providers that store, process or transmit cardholder account data on its behalf must also be compliant.
  2. Submitting compliance validation documentation alone does not give a merchant safe harbor status.

 

Torian Group, Inc. Phone: (559) 733-1940  Fax: (559) 733-8209  Contact us