FEATURED ARTICLE
Understanding Payment Card Industry Compliance
The Payment Card Industry (PCI) consists of the five major credit card brands: Visa, MasterCard, American Express, Discover Card and JCB International. The purpose of the PCI Data Security Standard (PCI DSS) is to help a business or organization assure its customers that their card account data and transaction information is protected from hackers and other malicious intrusion. It was created in response to the large number of data breaches in recent years at organizations such as TJX, Bank of America and Citigroup. While attention focuses on large companies, the majority of breaches occur at small businesses. PCI DSS has validation requirements, and to understand which ones apply, a business must first know its merchant level. Merchants fall into the four levels listed below.
The current Visa and MasterCard merchant levels:
- Level 1 – More than 6 million transactions annually across all channels, including eCommerce, plus any merchant that has experienced a breach
- Level 2 – 1 million to 6 million transactions per year
- Level 3 – 20,000 to 1 million eCommerce transactions per year
- Level 4 – Fewer than 20,000 eCommerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year
The current Visa and MasterCard validation requirements are as follows:
- Level 1 – Annual onsite assessment by a Qualified Security Assessor (QSA), or by the merchant's internal audit function if the report is signed by an officer of the company, plus a quarterly network security scan by an Approved Scanning Vendor (ASV)
- Level 2 – Annual completion of the PCI DSS Self-Assessment Questionnaire, plus a quarterly network security scan by an Approved Scanning Vendor (ASV)
- Level 3 – Annual completion of the PCI DSS Self-Assessment Questionnaire, plus a quarterly network security scan by an Approved Scanning Vendor (ASV)
- Level 4 – Annual completion of the PCI DSS Self-Assessment Questionnaire, a quarterly network security scan by an Approved Scanning Vendor (ASV), and submission of a summary of the PCI compliance plan. If a breach is reported or discovered, Visa reserves the right to move a Level 4 merchant to Level 1, in which case the merchant must meet the Level 1 validation requirements.
If a merchant's security is breached, the repercussions can include fines of up to $500,000 per incident, remediation costs estimated at $90 to $302 per record, customer lawsuits, and damage to the company's reputation and brand.
There are two types of risk when dealing with data breaches: the internal risk of an employee gaining access to information they should not have, and the external risk of a hacker. Like water, a hacker follows the path of least resistance, and most small businesses have neither the technical expertise nor the IT staff to properly secure cardholder data. Cardholder data such as the account number, cardholder name, expiration date and service code may be stored, but it must be protected; the account number in particular must be rendered unreadable wherever it is stored. Sensitive authentication data, meaning the full magnetic stripe contents (track data), the CVV (Card Verification Value) and PIN data, may not be stored after authorization, even in encrypted form. Merchants storing this information are not PCI DSS compliant and may be penalized with fines and remediation costs.
Merchants can be proactive by ensuring that prohibited information is purged as soon as authorization completes, including from logs, debug files and backups, where it often lingers unnoticed. If a business needs to store the name, card number and expiration date, that data must be secured, either on the merchant's own systems or with a remote provider. Merchants can take the following steps on their own, following PCI DSS guidelines, to close security gaps:
- Install and maintain a firewall configuration to protect data
- Use and regularly update anti-virus software
- Assign a unique ID to each person with computer access
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Change user passwords every 90 days
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
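As an added example (not part of this newsletter, and not code from NTC Texas or Elavon), the following Python script shows the two checks the paragraphs above call for: building the only record a merchant may keep once authorization is complete, with the full track data, CVV2 and PIN block discarded and the account number masked, and scanning stored text such as log lines for leftover sensitive authentication data. The track layouts follow the ISO 7813 magnetic stripe format; the card number 4111111111111111 is a commonly used test number rather than a real account, and the cardholder name, field labels and log lines are constructed for this example. The scanner is a heuristic and should be run over every place data lands (logs, crash dumps, backups), not only the transaction database.

```python
"""Retain only permitted cardholder data after authorization, and scan stored
text for sensitive authentication data (SAD) that should have been purged.
Added example; not the newsletter's or any processor's own code."""
import re
from dataclasses import dataclass

# Track 1 (ISO 7813): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
# A 3-4 digit value stored under a card-verification-code label (labels are assumed).
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# A 16-hex-digit PIN block stored under a "pin" label (label is assumed).
PIN_BLOCK_RE = re.compile(r"\bpin(?:_block)?\s*[=:]\s*[0-9A-F]{16}\b", re.IGNORECASE)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; used to reject values that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable for storage: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StoredCardRecord:
    """The four cardholder data elements that may be retained (PAN masked)."""
    masked_pan: str
    cardholder_name: str
    expiry_yymm: str
    service_code: str


def retain_after_authorization(auth_message: dict) -> StoredCardRecord:
    """Extract the permitted fields from a raw authorization message and drop the rest.
    The discretionary data (which carries CVV1/PVV), any CVV2 and any PIN block
    present in the message are never copied into the returned record."""
    t1 = TRACK1_RE.search(auth_message.get("track1", ""))
    t2 = TRACK2_RE.search(auth_message.get("track2", ""))
    src = t2 or t1
    if src is None:
        raise ValueError("no parseable track data in authorization message")
    if not luhn_valid(src["pan"]):
        raise ValueError("PAN fails Luhn check")
    name = t1["name"].strip() if t1 else auth_message.get("cardholder_name", "")
    return StoredCardRecord(mask_pan(src["pan"]), name, src["exp"], src["svc"])


def find_sensitive_auth_data(text: str) -> list[str]:
    """Return the kinds of prohibited authentication data found in a stored string."""
    findings = []
    if TRACK1_RE.search(text):
        findings.append("track1")
    if TRACK2_RE.search(text):
        findings.append("track2")
    if CVV_FIELD_RE.search(text):
        findings.append("cvv")
    if PIN_BLOCK_RE.search(text):
        findings.append("pin_block")
    return findings


# Constructed sample input: what a terminal might hand to the authorization host.
SAMPLE_AUTH_MESSAGE = {
    "track1": "%B4111111111111111^DOE/JANE^27121010000000000?",
    "track2": ";4111111111111111=27121015432112345?",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
}

# Constructed log lines: the first leaks track 2 and CVV2, the second is clean.
SAMPLE_LOG_LINES = [
    "2024-05-01T12:00:00Z auth ok pan=411111******1111 cvv2=123 track2=;4111111111111111=27121015432112345?",
    "2024-05-01T12:00:01Z auth ok pan=411111******1111 exp=2712 svc=101",
]


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line numbers (1-based) to the SAD types found on them; clean lines are omitted."""
    return {n: f for n, line in enumerate(lines, 1) if (f := find_sensitive_auth_data(line))}


if __name__ == "__main__":
    print(retain_after_authorization(SAMPLE_AUTH_MESSAGE))
    print(scan_log(SAMPLE_LOG_LINES))
```

Run it as a script to see the retained record and the scan report for the constructed log. The retained record deliberately has no field for CVV2, the PIN block or the discretionary data, so there is no code path that can persist them; purging is enforced by the data model rather than by remembering to delete fields later.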
PRODUCT SPOTLIGHT
IP Terminals – Dual Service for IP & Dial Up
With IP Terminals, merchants can process transactions in 3-5 seconds over their existing Internet connection, eliminating the cost of a dedicated phone line. Dial backup ensures that you can still process transactions if your Internet connection is unavailable. The high-speed communications module supports DSL, cable and other IP-based connections. IP Terminals meet the latest security standards in the industry. They are extremely fast terminals that support a full range of payment types, including credit, debit, gift cards and Dynamic Currency Conversion, through one easy-to-use solution.
DID YOU KNOW?
- Card Security Code (CSC), sometimes called Card Verification Value (CVV), Card Verification Value Code (CVVC), Card Verification Code (CVC), or Verification Code (V-Code or V Code) is a security feature designed to increase protection against credit card fraud.
- CVC1 or CVV1 is encoded on the magnetic stripe of the card and is used for card-present transactions.
- CVV2 or CVC2 – This CSC (also known as a CCID or Credit Card ID) is the code printed on the card and is used for "card not present" transactions occurring over the Internet, by mail, fax or over the phone.
- Many card issuers will decline a transaction if the CVV2 or CVC2 is not provided.
- CVV2 is often confused with the Address Verification Service (AVS), which can be used to qualify for lower processing rates.
ABOUT NTC TEXAS
As an Elavon Payment Partner, NTC Texas gives your business all the transactional capabilities of the processing network rated #1 by MasterCard for reliability and availability. Whatever size your business is now, together we can make it grow.
- Healthcare Providers
- Retailers
- Web Developers
- eCommerce/eBusiness
- Legal
- Assisted Living & Nursing Homes
- Day Care Centers
- Salons/Spas
- Restaurants
- Entertainment
- Travel & Lodging
- Not-for-profit
- Business-to-Business
- Government & Utility
CONTACT US
NTC Texas
106 Decker Court, Suite 260
Las Colinas, Texas 75062
Email: Info@NTCTexas.com
Web: www.ntctexas.com
Tel: 972.406.8111
Toll Free: 877.877.6511
Fax: 972.406.8611
What Type of Credit Information Should Be Stored?

Data element               Storage Permitted   Protection Required
Cardholder Data
  Account Number           Y                   Y
  Cardholder Name          Y                   Y
  Expiration Date          Y                   Y
  Service Code             Y                   Y
Authentication Data
  Magnetic Stripe          N                   N/A
  CVV                      N                   N/A
  PIN Data                 N                   N/A
TECH TIP
AVS – Address Verification Service
The Address Verification Service (AVS) lets the merchant submit details about the customer, such as the billing street address and ZIP code, so the card issuer can check them against the address it has on file. This makes the transaction more secure and lets it qualify for lower rates. AVS is not something that can be purchased; it is part of the processing network. Merchants accepting online, phone or mail transactions should always use AVS. By using it, a merchant protects both the customer and the business from fraudulent charges. AVS verifies whether the address provided by the cardholder matches the billing address, but it compares only the numeric portions (the street number and ZIP code), so a match is not proof that the person placing the order holds the card; it should be combined with the CVV2 check. AVS also keeps a transaction from downgrading to a Non-qualified transaction, which is billed at a higher rate.