Merchant Services Providers and merchants have been hearing about PCI Compliance for the past few years. Sometimes there is a lack of understanding about what is needed to become PCI compliant. We come across information online or by word of mouth, and it may not always be correct. Some say it’s better to be safe than sorry, so make sure to do your research.
Some online merchants think that if they select a PCI compliant gateway and shopping cart they are automatically PCI compliant. It is important that online merchants remember that physical location security and written policy are part of the process as well. Merchants are required to submit a SAQ (Self Assessment Questionnaire) to their acquirer once a year, but just submitting the SAQ may not be enough. It is also important that employees undergo training on security policies. Businesses must have ongoing assessment and remediation.
Merchants may think that PCI compliance is only for large businesses and may be too expensive for the average small retailer; however, fines from noncompliance are much greater. Businesses will not only face audit fees but also have to consider a loss of reputation. Even if you are a smaller business, you are still required to be PCI compliant regardless of the volume your business does.
Continue reading "What Does PCI Really Mean to the Average Business Owner?"
WEP (Wired Equivalent Privacy) is a protocol used to secure wireless networks. Many major retailers, such as TJ Maxx, use WEP and have recently been hacked into. Many weaknesses have been identified in WEP, and it is known to be easily broken.
In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:
- Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
- Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks as of March 31, 2009.
- Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.
Converting to WPA should be a fairly easy process. Most technical websites show that all wireless equipment manufactured since late 2003 comes standard with WPA (Wi-Fi Protected Access). WPA should not be confused with the similarly named WAP (Wireless Application Protocol), which is an open standard for application layer network communications in a wireless environment, mainly used to enable mobile phones.
Continue reading "Is Your Company’s Wi-Fi Network Secure?"
Although Red Flag Rules were created to protect against identity theft, are some types of businesses more affected than others? In previous blogs I wrote about how merchants are not getting a fair shake when it comes to these rules, and many lawsuits have been filed against merchants. Different industries face government fines, and they say some of the rules are difficult to follow.
For example, car dealerships fear they will not be able to comply. Since car dealers extend auto financing, they are considered creditors. Dealerships argue that it is very difficult to detect suspicious or unusual activity, and most of their staff are not trained to look for such activity. According to Andrew Koblenz, the National Automobile Dealers Association’s general counsel, “We want to fight identity theft, and dealers have a tremendous self-interest in not selling a car to an identity thief, but the real world impact is that it would burden dealers.” Auto dealers speculate it could add as much as five hours to the loan application process.
The healthcare industry also falls into the category of creditor. If a hospital offers payment plans so patients can pay in installments, the hospital is considered a creditor as well. Non-profit organizations and government entities that defer payment for goods or services are also considered creditors. For the healthcare industry, the Federal Trade Commission is responsible for interpreting and enforcing the Red Flag Rules.
Continue reading "The Red Flag Deadline is Approaching"
In previous posts I’ve talked about identity theft and ways to prevent fraud, but are our banks doing enough to protect their customers? Recently thousands of consumers’ personal information was stolen from Wells Fargo. MicroBilt, the self-proclaimed “single source industry leader in risk management information,” notified Wells Fargo of the breach, which was caused by a stolen employee code. Wells Fargo declined to comment on what alerted MicroBilt. So how did Wells Fargo make this up to their customers? They offered them a one-year free subscription to their identity theft protection service. I feel this service should already be free and mandatory for all customers and not only for those who may have had their identity stolen.
In similar news, thieves made off with ATM PIN codes and account numbers from Citibank ATMs. Does this mean that Citibank ATM PIN numbers were not encrypted as they were supposed to be? The bank has about 5,700 ATMs, owned and operated by Cardtronics Inc. and Fiserv Inc., inside 7-Eleven stores across the United States. How were these hackers able to access the system? Citibank has refused to comment, much like Wells Fargo.
Continue reading "Do the Big Banks Do Enough To Keep Identity Safe?"
In today’s economy, more and more people are turning to credit cards. With this new onslaught of credit card users comes a greater possibility of fraud. The payment card industry has made great progress in compliance and security. Visa and MasterCard are actively creating technology and guidelines to protect consumers and merchants alike.
Visa and MasterCard have developed ways to improve the security of online transactions. Verified By Visa and SecureCode allow the cardholder and card issuer to authenticate each other. This is done by exchanging digital secure certificates. Cardholders can be assured that they are dealing with a real merchant, and conversely the merchant receives proof of a real cardholder. A digitally signed record of the transaction is created. Most issuing banks encourage cardholders to sign up for these programs, and many online merchants give consumers the opportunity to sign up before they proceed with payment.
Continue reading "New Innovations Are Keeping Credit Card Information Secure"
For years the government has taken a laissez-faire approach to interchange rates, but recently the U.S. House Judiciary Committee has begun heavily campaigning to control them. Proposed legislation (HR 5546, The Credit Card Fair Fee Act) would require Visa and MasterCard to negotiate interchange fees directly with merchants. This would put a stop to a credit card processing company’s ability to set non-negotiable fees. If the merchant and the credit card company are not able to come to terms, they would have to submit their final offers to binding arbitration by a three-judge panel.
If this new bill is passed by Congress, it could potentially create more of a mess and ultimately higher costs. I am sure there are millions of businesses in the U.S. alone, and if it passes, Visa and MasterCard are going to be getting a lot of calls from people looking to negotiate their fees. This means they will have to hire more staff to take the calls, and possibly even create systems to track all the various negotiated rates. So will this bill help the situation, or only put a band-aid on what merchants believe to be an issue? Fees collected generally go to rewards programs, credit losses, and operating costs.
There are a total of 23 bills regulating the card processing industry; some of the key ones are as follows:
Continue reading "Should The Government Be Involved In Interchange Legislation?"
Many merchants ask me this question and want to know how it will affect their business. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major credit card companies to enhance credit card data security. These requirements only apply to e-commerce merchants or merchants that are using an online payment gateway. In recent years there have been many card industry security breaches. It became apparent that there needed to be specific guidelines for all merchant services providers that store cardholder data and all merchants that pass data through their terminal.
According to the bank card associations, as of October 2008 any merchant that applies for a new merchant ID from any credit card processing company must be PCI DSS compliant. In some cases this may mean the merchant will have to download a new application into their terminal. By October 2009, all merchants must be PCI DSS compliant.
If you are using a POS terminal at a retail location, you are still passing data through the system. The application running on your terminal must be an up-to-date version. Most card processors will call you to do a download or an upgrade, as they did when truncation laws were put into effect. If you have not received a call yet, be proactive and call your card processor to get compliant.
Continue reading "What is PCI DSS?"
Even if you’ve never been on the dreaded Terminated Merchant File (also known as MATCH) list, you need to take measures to ensure that you don’t end up on it.
How? For starters, rethink whom you do business with. Signing up with the wrong processor greatly increases your chance of landing on the MATCH file, especially for incidental reasons like fee discrepancies.
Continue reading "How to Stay Off the MATCH File"
We’re here to help marketing and finance executives solve the biggest problems in their commerce model and understand best practices associated with fraud management, customer retention and attrition. TM&S can help you build online revenue with our on-demand billing solution designed for recurring and real-time transactions. Manage fraud and minimize chargebacks with the highest levels of compliance and flexibility.