What You NEED To Know About PCI Merchant Edition It’s universally feared and largely misunderstood. It’s hard to interpret and easy to overlook. It’s PCI Compliance. And it’s critical that every merchant who processes credit cards understand exactly what it means, what it mandates, and what a merchant’s responsibility is to ensure they meet the requirements. The purpose of this piece is to define PCI Compliance - in easy-to-understand language - and to explain exactly what you need to know to ensure your business is safe and within compliance guidelines.
What is “PCI”? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
Who needs to be concerned about the PCI DSS? PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
How do I know if I am PCI Compliant? Most merchants do not understand what PCI compliance means, nor do they fully understand the potential consequences of non-compliance. If you are in the dark about PCI compliance, you are not alone. A study published by VISA in February 2008 found that less than 5% of all Level 4 merchants (less than 1,000,000 transactions annually) were PCI-compliant.
The 12 Best Practice PCI DSS Requirements
1. Install and maintain a firewall to protect cardholder data
2. Don’t use default passwords or security defaults
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Use and update anti-virus software
6. Develop and maintain secure systems
7. Restrict access to cardholder data (business “need to know”)
8. Assign unique IDs for computer access
9. Restrict physical access to cardholder data
10. Track and monitor access to the network and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
If you perform any of the following, you are not PCI-compliant:
• You use a debit card PIN entry device that has not been approved by the PCI Security Standards Council. PIN entry devices that were purchased prior to December 31, 2007 are typically not approved.
• You use a credit card terminal that runs a non-PCI compliant internal software application.
• You use a credit card terminal that prints the customer's full credit card number on the sales receipt.
Brought to you by
How do I know if I am PCI Compliant? (continued) If you perform any of the following, you are not PCI-compliant:
• You store non-encrypted, electronic credit card data (common issue with credit card processing software purchased prior to 2006).
• You use software that touches credit card data that has not been PA-DSS-validated.
• You physically store imprints of credit cards in a non-secure location.
• You allow unlimited employee access to paper and/or electronically stored credit card data.
What is the significance of July 1, 2010? July 1 has been a mandated date for several years, requiring: 1) That all merchants, if using payment application software, must be using PA-DSS Validated software. 2) That all merchants, if using PINPad Debit, must use Triple DES encrypted PINPads. An important note of clarification: July 1 has nothing to do with a merchant’s requirement to “be PCI Compliant”; this mandate has existed for many years.
If you are currently using a PINpad that looks like this (P/N P003-160-02): check the label for a part number. If the label reads P/N P003-160-02, your device needs to be replaced with part number P/N P003-180-02. You need to upgrade to a PCI-Compliant PIN entry device such as the VeriFone 1000SE, P/N P003-180-02.
If you are currently using any of these non-compliant legacy SigCap devices:
You need to upgrade to a PCI-compliant PIN Entry device, such as the Verifone MX-850
Helpful Websites You Can Visit to Get More Information
The Data Security Standard can be found on the PCI Security Standards Council's Website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
You can also get more information about risk management on VISA’s Website: http://usa.visa.com/merchants/risk_management/index.html
To get information and downloads associated with the PCI DSS and MasterCard Site Data Protection Program, you can visit MasterCard’s resource site at http://www.mastercard.com/us/merchant/security/sdp_program.html
Additional information is available to merchants, including links to the Self-Assessment Questionnaire (SAQ). For more information, please visit VISA’s Cardholder Information Security Program page at http://usa.visa.com/merchants/risk_management/cisp_merchants.html
How are merchants classified and what are SAQ requirements?
Level / Tier 1: Merchants processing over 6 million transactions annually. Validation: • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) • Quarterly network scan by Approved Scan Vendor (“ASV”) • Attestation of Compliance Form
Level / Tier 2: Merchants processing 1 million to 6 million transactions annually. Validation: • Annual Self-Assessment Questionnaire (“SAQ”) • Quarterly network scan by ASV • Attestation of Compliance Form
Level / Tier 3: Merchants processing 20,000 to 1 million e-commerce transactions annually. Validation: • Annual SAQ • Quarterly network scan by ASV • Attestation of Compliance Form
Level / Tier 4: Merchants processing less than 20,000 e-commerce transactions annually and all other merchants processing up to 1 million transactions annually. Validation: • Annual SAQ recommended • Quarterly network scan by ASV if applicable • Compliance validation requirements set by acquirer
There are five SAQ Validation categories, shown briefly in the table below. Use the table to gauge which SAQ applies to your organization. Page 2 of this document provides a link to more information on the SAQs.
SAQ Validation Type 1 (SAQ V1.2: A): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ Validation Type 2 (SAQ V1.2: B): Imprint-only merchants with no electronic cardholder data storage.
SAQ Validation Type 3 (SAQ V1.2: B): Stand-alone terminal merchants, no electronic cardholder data storage.
SAQ Validation Type 4 (SAQ V1.2: C): Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
SAQ Validation Type 5 (SAQ V1.2: D): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
How X-Charge Helps Shoulder the Burden of PCI Compliance Accelerated Payment Technologies, developers of X-Charge, are committed to educating merchants about their PCI compliance responsibilities. Yet, there are many advantages to utilizing X-Charge as it relates to PCI. First of all, X-Charge has been a PA-DSS validated application since 2006. This can be validated by visiting this page: https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html?mn=C If you are a current X-Charge user, we urge you to immediately upgrade to the latest version, as X-Charge version 7.1.3 provides additional benefits that are critical to maintaining a secure processing environment. X-Charge users are not required to provide certifications proving PCI compliance and merchants processing with X-Charge 7.1.3 or XWEB qualify for SAQ C, which is a much shorter version and easier to complete. To upgrade to version 7.1.3, click “Help” within X-Charge, then click “About X-Charge” and then “Check for upgrade.” Additionally, Accelerated will soon offer a compliance assistance program to X-Charge users, including monthly IP scans to check a merchant’s system for vulnerabilities, an online SAQ process, a security policy template, toll-free support and more. This program is designed to greatly reduce the time and resources you need to spend to comply with Payment Card Industry Data Security Standards. For more information on X-Charge, visit www.acceleratedpay.com.
CREATING FEAR, UNCERTAINTY AND DOUBT Recently, you may have noticed that some payment solution providers have decided to go to market with messages intended to create fear, uncertainty and doubt regarding PCI compliance. As a sales tactic, some payment providers have suggested to a prospective merchant that their current payment application is not PCI compliant. In other cases, unseemly organizations have even called merchants suggesting they are calling on behalf of VISA and MasterCard to verify a merchant’s compliance standing. These tactics are intended to prey on a merchant’s concern over PCI compliance and are misleading, unprofessional and certainly, unethical.
If you are engaged by a payments provider that uses these or other types of scare tactics in order to sell you their payment solution, may we suggest, “buyer beware.” Do not be fooled by a salesperson suggesting that because you have chosen an integrated payment solution that you are at additional risk; this is simply untrue. In fact, many of the PCI compliance requirements are identical regardless of how you process a payment – as an integrated payment solution or through a stand-alone terminal. PCI compliance is required regardless of how you process a transaction, which technology solution you use or who you choose as a payment provider.
X-CHARGE: YOUR SECURITY SOLUTIONS PARTNER At Accelerated Payment Technologies, we take PCI compliance seriously, and helping our merchants achieve compliance is our #1 priority. It is unfair to expect merchants to navigate the complicated landscape of PCI compliance alone, and we take our responsibility as your solution provider and security partner seriously. We also believe it is our role to inform, educate and offer solutions that make the compliance process a less daunting task for our merchants. Accelerated has taken a leadership role in the integrated payments industry and actively participates in key organizations such as the PCI Security Standards Council whose mission is the ongoing development, enhancement, dissemination and implementation of security standards for cardholder data protection. We continue to leverage our extensive in-house expertise to shoulder the burden of compliance for our merchants.
HOW WE MINIMIZE THE PCI COMPLIANCE BURDEN Our X-Charge and X-Web solutions are designed to inherently minimize the time, costs and complexity of meeting PCI compliance requirements.
X-Charge has been on VISA's List of PABP Validated Payment Applications and PCI Security Standards Council's List of Validated Payment Applications since 2006. X-Charge has a history of maintaining the highest level of compliance. We continue to go above and beyond PCI requirements to ensure our merchants benefit from a secure payment processing application. X-Charge not only exceeds the minimum requirements, but continues to implement cutting-edge security best practices. Within the PCI Security Council’s web site, you may view a list of PA-DSS validated solutions including the X-Charge application at https://www.pcisecuritystandards.org/security_standards/vpa/ To locate X-Charge on the PCI Security Standards web site, click on “C” under the Filter Payment Applications by Company Name section. X-Charge is registered as the payment processing application for CAM Commerce Solutions.
X-Web Gateway (Transaction Transport Technologies):
Our processing platforms are built on security and redundancy. Our data centers have been independently certified to be PCI compliant, adhering to Visa’s CISP and MasterCard’s SDP. Redundant processor connections and redundant data centers offer the highest reliability for our merchants. Additionally, our processing platform has been PCI DSS Compliant since 2003, and has delivered 100% uptime since 2006.
BETTER SECURITY SERVICE THROUGH TRUSTED PARTNER
Accelerated has recently entered into a partnership with a leading provider of compliance assessment tools and services. Through this partnership merchants have access to an online wizard which serves as a guide for completing a Self-Assessment Questionnaire (SAQ). The SAQ is the method used for small and mid-sized merchants to demonstrate their PCI compliance. Our partnership allows X-Charge to offer you a powerful and yet, uncomplicated tool at a tremendous value.
For more information, contact Accelerated at 800.637.8268
We would like to thank our merchants and partners who have shared with us their experiences receiving misinformation in the marketplace. In an effort to educate and inform all of our merchants, the following is a summary of some of those “myths” which we have debunked for you. We hope this is helpful insight and we welcome your feedback. And as always, we want to thank you for your continued business.
Myth: You must pay a Qualified Security Assessor to complete the SAQ (D) annually.
Truth: All but the largest merchants, known as Level 1 merchants, are eligible to complete a Self Assessment Questionnaire without engaging a Qualified Security Assessor and without an on-site audit. The Self Assessment Questionnaire (SAQ) is designed to be completed by the merchant, not a Qualified Security Assessor (QSA). QSAs are engaged primarily by Level 1 merchants. A Level 1 merchant is defined as a merchant which performs more than 6 million credit card transactions per year.
Myth: You must hire an independent, outside Approved Scanning Vendor to repeatedly scan your system four times a year.
Truth: Level 4 merchants (those processing less than 1 million annual credit card transactions) are recommended to undergo a quarterly network scan if they are using Internet-enabled computers for credit card processing. Although the scans are recommended and are not mandatory, X-Charge has included quarterly scans in our new compliance offering through our security vendor for those merchants interested in this service.
Myth: Your Qualified Security Assessor must prepare a Report on Compliance.
Truth: Only Level 1 merchants must engage a Qualified Security Assessor (QSA) and submit a Report on Compliance, also known as a Report on Validation. Small merchants only need to complete a Self Assessment Questionnaire (SAQ). X-Charge’s security vendor partnership provides you with an online SAQ wizard that makes completing the SAQ a quick and easy process.
Myth: Even after completing a scan four times a year, you remain liable for any fines, penalties or legal fees that may result from a security breach.
Truth: There is no “magic bullet” which will completely eliminate a merchant’s potential liability in the event of a breach. Liability is part and parcel of the card association agreements, and exists regardless of the payment processor, application or technology you choose. X-Charge not only exceeds the minimum PCI requirements, but continues to implement cutting-edge security best practices. We are committed to providing you with the education, guidance and support to confidently address PCI compliance mandates and give you peace of mind.