Payment Card Industry Security Standards

In recent years, a series of new rules and regulations regarding consumer safety and identity theft have been enacted by both the government and the Payment Card Industry (PCI). The new standards from PCI, the Data Security Standards (DSS), establish protocols for protection of cardholder data, while the government has passed the Fair and Accurate Credit Transaction Act (FACTA) mandating how card numbers and expiration dates must appear on receipts.

Bottom line – you must be compliant. It’s the law. If you aren’t compliant, you are leaving yourself open to fines and lawsuits and potential closure of your business.

What Are We Doing For You?

We’ve taken proactive steps to make sure you have the tools you need to be compliant. We work with many PCI Companies to help keep your data safe. Some of our partners are Trustwave, Control Scan and Coalfire.

The Basics of PCI Compliance and Validation Regulations

The payment card industry compliance and validation regulations apply to financial institutions, Internet vendors and retail merchants. The rules spell out what security measures must be taken to protect the private information of employers and employees during any transactions occurring with the use of a credit/debit card. They also require certain auditing procedures. The Payment Card Industry Data Security Standard (PCI DSS) is used by all card brands to assure the security of the data gathered while an employee is making a transaction at a bank or participating vendor.


PCI Chart

Additionally, there are four merchant categories:

  1. Merchants with more than 6,000,000 transactions per year. Level 1 also includes any merchant whose security has been violated and data compromised, and any merchant that another card brand has classified as Level 1.
  2. Merchants with 150,000 to 6,000,000 transactions per year.
  3. Merchants with 20,000 to 150,000 transactions per year.
  4. Merchants with fewer than 20,000 transactions per year.

PCI Compliance Validation

Credit card companies validate that vendors are abiding by the PCI Compliance regulations. The volume of transactions and the risk determined by the credit card company together determine the validation level for the merchants and institutions accepting credit/debit and paycards. Along with requiring participating businesses to complete a self-assessment questionnaire, MasterCard and Visa perform the following actions to validate a participating business’s security:

  1. An on-site visit, and
  2. A network scan performed by an authorized PCI Compliance scanning vendor.

For additional information regarding PCI security, please visit the PCI Security Standards Council.

Best Practices

Simply Credit Card Processing is committed to helping you protect your customers’ cardholder data.
A data compromise can negatively impact both your bottom line and your company’s reputation.
To reduce your vulnerability, we suggest you review and implement the following data security best practices.

Recommended Best Practices:
Consumer trust in the security of sensitive information is more critical than ever. When customers hand you their payment card or provide you with their account information, they expect you to safeguard that data. Keeping that trust is essential to fraud reduction and customer service.

  1. Ensure all printed copies containing full cardholder account number (paper receipts, orders, invoices, etc.) are physically secured.
  2. Destroy any physical or electronic records containing full cardholder account numbers once they are no longer needed for business purposes. Take the necessary steps to destroy them responsibly, preferably by shredding.
  3. Don’t store any cardholder data that is not needed to run your business. We offer solutions for using alternative data, rather than the full cardholder account number to respond to chargebacks and other customer inquiries. Contact us for more information.
  4. Know who has access to your business computers, including any vendors who may need to connect to it remotely for maintenance purposes. If you use vendors that have access to your customers’ data, make sure they are protecting that information.
  5. If you use a computer at your business to handle cardholder data or facilitate payment card transactions, make sure you have an anti-virus program installed and that it is updated regularly. If possible, do not use that computer for any function that is not business-related, including web surfing or accessing web-based email accounts.

If your company uses a standalone, dial-up terminal:
Program the terminal(s) to show only the last four digits of the account number and to hide the expiration date. We can assist you with this.
Ensure both the customer receipt and your merchant receipt do not include the full account number or expiration date.
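As an added illustration of the receipt truncation described above (this is example code, not software from Simply Credit Card Processing or any terminal vendor), the helper below masks card numbers to their last four digits, hides expiration dates, and gives a merchant a way to check stored receipt text for account numbers that were never truncated. The regular expressions, the Luhn filter and the sample receipt are assumptions constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits (assumed pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration date printed after a label such as "EXP", "EXP:" or "Exp Date".
EXP_RE = re.compile(
    r"(?P<label>\bEXP(?:IRES|IRY|IRATION)?\.?\s*(?:DATE)?\s*:?\s*)(?P<date>\d{2}/\d{2,4})",
    re.IGNORECASE,
)

# Constructed sample receipt; the card number is a well-known test value.
SAMPLE = """SIMPLY STORE #42 (constructed sample receipt)
ORDER 123456789012345
VISA 4111 1111 1111 1111
EXP 12/25
TOTAL $19.99
"""


def luhn_ok(digits):
    """Luhn mod-10 check used to tell card numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked_pans(text):
    """Defender-side check: every Luhn-valid account number still readable in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_receipt(text):
    """Keep only the last four PAN digits and replace the expiry with **/**."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PAN_RE.sub(mask_pan, text)
    return EXP_RE.sub(lambda m: m.group("label") + "**/**", text)
```

Running `find_unmasked_pans` over receipt files that have already been masked should return an empty list; any hit is a receipt that still exposes a full account number.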

If your company uses an IP-based terminal, wireless terminal or payment application connected via the Internet:
Have an Approved Scan Vendor perform network vulnerability scans on your Internet connection at least every three months. We can recommend several companies.
Make sure your Internet connection has a firewall installed. This firewall must be properly configured so that it does not allow any unauthorized computer access or traffic.

Using Third-Party Vendors for Payment Applications

Recent compromises have shown that payment software applications are sometimes at fault for data breaches and require extra scrutiny, even those applications that are compliant with the Payment Application Data Security Standard (PA-DSS).