
Tag Archive for the 'compliance' Tag

Merchants: Are Your Vendors PCI Compliant?

July 12, 2010 Posted by Michael Brooks in Payment Industry

Visa, which has always been the strictest association regarding PCI compliance, data security, and cardholder protection, has set the pace again. Merchants who accept multiple card types are required to follow the strictest card operating guidelines, which usually come from Visa. It issued a series of mandates requiring its acquirers to ensure that their U.S. merchants, VNPs, and agents use only PA-DSS compliant payment applications and that PIN pads connected to Visa’s network use Triple DES (the triple Data Encryption Standard). The final mandate in this series went into effect on July 1.

PCI Compliance – Why Merchants Need To Take It Seriously – Part II

March 31, 2010 Posted by Michael Brooks in Industry Compliance

In Part I, I discussed the importance of PCI compliance, the consequences of non-compliance, and the effect of account termination on a merchant. Part II discusses the basics of PCI compliance responsibility and how merchants can avoid fines and account termination.

PCI Compliance – Why Merchants Need To Take It Seriously – Part I

March 22, 2010 Posted by Michael Brooks in Industry Compliance

Having a merchant account comes with responsibility. While a merchant may be concerned with revenue and how to grow its business, Payment Card Industry (PCI) compliance should be at the top of the list as well. The main purpose of PCI compliance is data security, which applies to any party involved in processing credit card transactions. Not following the rules – or practicing risky activities – can result in card association fines and can also put a merchant account in jeopardy of being terminated – not to mention the data breaches that may occur. A merchant account termination can be detrimental to any business accepting credit cards – especially one that operates purely online.

The Payment Card Industry Security Standard Dozen

February 10, 2009 Posted by Michael Brooks in Industry Compliance

The Payment Card Industry Security Standards Council continually releases new versions of PCI DSS. The most recent is version 1.2, which has 12 requirements for enhancing payment account security. These requirements address a broad range of data security concerns, from software design to policies and procedures. Version 1.2 is not intended to change the existing DSS, but only to provide added security at a time when many feel it is most needed.

There are two notable changes. One requires that off-site data storage locations be visited and validated as compliant with PCI DSS. The other imposes a sunset date on the use of Wired Equivalent Privacy (WEP). For those of us who don’t speak techie, WEP is an encryption scheme intended to protect data as it travels across wireless networks. In previous posts, I have talked about WEP having to be upgraded to Wi-Fi Protected Access (WPA) by June 30, 2010.

Here are the 12 core requirements as outlined by the card associations:


Red Flag Compliance Deadline Extended

The Federal Trade Commission announced that “creditors” will not have to worry about fines associated with non-compliance with the Red Flag Rules until May 1, 2009. A creditor is defined as any entity that extends, renews, or continues credit, and any entity that regularly arranges for the extension, renewal, or continuation of credit. For example, mortgage brokers, utility companies, and automobile dealers are classified as creditors.

The decision to extend is said to be largely due to complaints from creditors that they were unaware of the new regulation; some say they only found out after the deadline had passed. According to the official press release, this deadline applies only to organizations that fall under the jurisdiction of the Federal Trade Commission rather than another regulatory agency. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that helps detect identity theft, hopefully before any damage is done. Where identity theft is not detected in advance, the regulation calls for the financial institution or creditor to reduce the risk to the consumer and the organization.


How Do Business Owners Keep Up With New Compliance Rules Each Year?

January 19, 2009 Posted by Michael Brooks in Industry Compliance

Business owners already have a lot to worry about with changing tax laws and employee wage laws; now they have to add Payment Card Industry Data Security Standard (PCI DSS) compliance to the mix. PCI compliance has evolved with each passing year, and business owners face new rules, restrictions, and deadlines every year. Some feel that compliance is expensive or too hard to achieve, but achieving PCI compliance does not have to be difficult.

PCI Compliance is a key element in protecting card holder data. So how can your business stay compliant without breaking the bank?


What Does PCI Really Mean to the Average Business Owner?

December 4, 2008 Posted by Michael Brooks in Industry Compliance

Merchant services providers and merchants have been hearing about PCI compliance for the past few years, yet there is often a lack of understanding about what is needed to become PCI compliant. Information we come across online or by word of mouth is not always correct. It is better to be safe than sorry, so make sure to do your research.

Some online merchants think that selecting a PCI-compliant gateway and shopping cart automatically makes them PCI compliant. Online merchants need to remember that physical location security and written policy are part of the process as well. Merchants are required to submit a Self-Assessment Questionnaire (SAQ) to their acquirer once a year, but simply submitting the SAQ may not be enough. Employees must also be trained on security policies, and businesses must have ongoing assessment and remediation.

Merchants may think that PCI compliance is for large businesses and too expensive for the average small retailer; however, the fines for non-compliance are much greater. A breached business will not only face audit fees but also a loss of reputation. Even a smaller business is required to be PCI compliant, regardless of its transaction volume.


Is Your Company’s Wi-Fi Network Secure?

October 23, 2008 Posted by Michael Brooks in Industry Compliance

WEP (Wired Equivalent Privacy) is an algorithm used to secure wireless networks. Several major retailers that relied on WEP, TJ Maxx among them, have recently been breached. Many weaknesses have been identified in WEP, and it is known to be easily broken.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

  • Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
  • Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks as of March 31, 2009.
  • Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Converting to WPA should be a fairly easy process. Most technical websites indicate that all wireless equipment manufactured since late 2003 comes standard with WPA (Wi-Fi Protected Access) support. WPA should not be confused with WAP (Wireless Application Protocol), an open standard for application-layer network communications in a wireless environment that is mainly used by mobile phones.


What is PCI DSS?

September 5, 2008 Posted by Michael Brooks in Card Associations, Industry Compliance

Many merchants ask me this question and want to know how it will affect their business. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major credit card companies to enhance credit card data security. These requirements apply to any merchant that stores, processes, or transmits cardholder data, not only to e-commerce merchants or merchants using an online payment gateway. In recent years there have been many card industry security breaches, and it became apparent that specific guidelines were needed for all merchant services providers that store cardholder data and all merchants that pass data through their terminals.

According to the bank card associations, as of October 2008 any merchant that applies for a new merchant ID from any credit card processing company must be PCI DSS compliant. In some cases this means the merchant will have to download a new application to their terminal. By October 2009, all merchants must be PCI DSS compliant.

If you are using a POS terminal at a retail location, you are still passing card data through the system, so the application running on your terminal must be an up-to-date version. Most card processors will call you to perform a download or upgrade, much as they did when truncation laws took effect. If you have not received a call yet, be proactive and call your card processor to get compliant.
