Archive for the ‘PCI Compliance’ Category

Accepting Credit Cards Safely and Securely

Thursday, March 31st, 2011

These days, hardly anyone carries around a wad of cash. In the old days, before the era of plastic credit cards, folks who wanted to drop a large amount of money at once, for instance to reserve a hotel room or go out to an expensive dinner, were required to carry a large number of paper bills on them. Times have changed and it seems that cash might become a thing of the past. It’s much bulkier than a credit card, and once you lose it, it’s gone for good.

Credit cards, on the other hand, are light and easy to use. If you lose one and someone makes unauthorized purchases on it, you’ll be reimbursed. If you were carrying cash and your wallet was stolen, you’d never get that money back. More and more, people seem to be choosing credit cards as their preferred method of payment. Because of this, more and more businesses are choosing to work with merchant services providers that allow them to process credit cards safely and securely.

These days, accepting credit cards and other forms of non-cash payment (such as online transactions) is a necessity for any business to survive. In such an oversaturated market, your business has to do anything and everything to keep its customers around – and this means processing credit cards in a way that’s simple.

Unfortunately for most businesses, processing credit cards costs a fee – so it’s in the interest of your business to ensure that this fee is as low as possible. A low fee means that your business gets to keep more of its hard-earned dollar. Of course, the secure processing benefits of credit cards don’t just stop at the lowest rate. The more forms of payment you accept, the more customers you’ll garner.

Stay a step ahead of the competition by offering all forms of payment under the sun. This means your business should offer everything from advanced payment processing solutions, including credit cards, debit cards and checks, to pre-paid gift card and loyalty card processing, as well as electronic balance transfers and everything in between.

Whether you’re a new business that is hoping to start off on the right foot by providing great payment processing services, or you’re an already successful business looking to take things to the next level, partnering with a good merchant service provider can help ensure that your business is able to process credit cards safely and securely.

Good merchant providers will offer processing for all major payment brands (VISA, MasterCard, etc.), real-time processing and fast authorizations, so you won’t have to worry about those customers that stand there waiting for their transaction to go through, while simultaneously tapping their fingers in anger and sighing loudly. A quality provider will also offer access to customer support from a highly experienced team twenty-four hours a day, seven days a week, as well as next-day access to funds, solutions that are customized to your specific industry and business, and PCI-compliant equipment that promises to offer the most secure transactions. In short, you’ll find everything you need to process your customers’ credit cards safely and securely.

Still wavering on the line? Consider this: many merchant service providers offer the great perk of free equipment! That’s right – all that payment processing equipment you were worried about purchasing, from space-saving countertop terminals that allow your customers to sign easily, to tiny PIN pads and check readers. They’ll provide you with all of it, so that your customers don’t have to wait for you to make an old-fashioned iron-down copy of their credit card, or have their check photocopied, or sign for a transaction that, with a PIN pad, could easily have been a debit transaction.

In this trying economy, the key to staying in business is keeping your customers happy – and nothing could make them happier than the knowledge that they’re in good hands when they’re in your store. Money is tight these days for everyone and, therefore, a safe and secure payment processing system ensures that nothing will go wrong. Customers like to feel safe at their favorite places to shop, whether it’s the small boutique that carries the underground clothing designers they can never find at the department store, or the cooking supply shop that has their favorite truffle oil, or the restaurant that serves the best Caesar salad around.

Keep your customers coming back with a safe and secure payment system, and you’ll be sure to keep your business booming, even when times are tough and the economy is sluggish. With a low rate guarantee, a full range of processing options, and great service and support, a merchant service provider is about as good as it gets when it comes to safe and secure payment.

VeriFone calls Square’s Credit Card Reader Unsafe and Reckless (Video)

Wednesday, March 30th, 2011

VeriFone has published An Open Letter to the Industry and Consumers, bringing to the forefront the issue of mobile credit card processing security.

At issue is the ability for criminals to use unencrypted card readers to steal full mag-stripe data, which can then be used to make fraudulent purchases. Fraudulent card use is a problem for all merchants (and in particular card-not-present e-commerce merchants), who shoulder the losses.

Square has made headlines shipping hundreds of thousands of free dongles (Square card readers that plug into the iPhone headphone jack for swiping cards). In its announcement, VeriFone demonstrates how promulgating cheap readers enables criminals, while making the point that the payments industry needs to take card data security seriously.

The competing VeriFone iPhone card reader by comparison features end-to-end security using VeriShield Protect to encrypt card data during the card swipe process, so no sensitive data ever reaches the PAYware Mobile iPhone payment app.

VeriFone makes the case that “Consumer trust is what’s really at stake.”  And VeriFone is right in that it is the payment industry’s responsibility to ensure this.  Consumers can’t be asked to determine what swipe device is secure.

The letter, video and details of this call to action can be found at a new site launched today: http://sq-skim.com/.

PCI Compliance: The Digital Dozen

Saturday, October 9th, 2010

The current version of the standard (1.2) specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives.”

The control objectives and their requirements are:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Visa revokes PCI approval from some pads after breach

Tuesday, July 20th, 2010

In a move that seems to reflect a very different PCI approach coming from Visa, the world’s largest card brand has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach.

What makes this move especially interesting is how it undercuts two strongly held Visa positions, both in terms of publishing the names of vendors whose products are engaged in PCI naughtiness and in its position that no PCI-compliant retailer has ever been breached.

Behind all of this commotion are an increasing number of physical attacks against PEDs, sort of “cloners gone wild.” Many of the compromised units are older (a Visa memo said “many are more than 10 years old and were never evaluated by an independent lab or approved by Visa or PCI”), but some were in a Visa pre-PCI phase and some – and here’s where things get interesting – had actually been PCI approved.

Visa also pointed out that the attacks are quite fast, even with the PCI-compliant pads: “Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute.”

Visa’s memo unmasked the latest naughty devices. In the “untested” category were four VeriFone units (PINpad 101, 201 and 2000 plus the Everest model P003-3xx), two Hypercom units (S7S and S8) and an Ingenico model (eN-Crypt 2400, also known as the C2000 Protégé). In addition, Ingenico had one pre-PCI unit (Ingenico: eN-Crypt 2100). The breached PCI-approved units were both from Ingenico: the i3070MP01 and the i3070EP01.

“As a precaution (and to prevent further deployments), the PCI SSC, in coordination with Ingenico, revoked the approval of these devices,” said the Visa memo, which also repeated anti-skimming advice, including several points that should be followed quite strictly. “Validating the identity of repair technicians. Authorized and validated repair technicians should be escorted and monitored. Periodically weighing the equipment and comparing it to vendors’ specification weight to identify the insertion of bugging devices. Many of these vulnerabilities can be addressed if terminals are deployed with a terminal authentication system. In this case, the host system continuously verifies the PED’s internal serial number and confirms that terminals are online and operating correctly. If a terminal is ever replaced with an unauthorized device (or is unplugged, as would be necessary to execute this attack), the host system would immediately be alerted to tampering.”
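The terminal authentication scheme the memo describes, written out as a host-side monitor in Python: each lane's PED is enrolled with its serial number and vendor weight, periodic reports are checked against the enrolled serial, lanes that stop reporting or reconnect after a gap are flagged, and a physical weigh-in is compared against specification. This is an added example, not Visa's or any vendor's code; the lane names, serials, weights and the 60-second threshold are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Terminal:
    lane: str
    serial: str            # internal serial number enrolled at deployment
    spec_weight_g: float   # vendor's specified weight for the physical check
    last_seen: Optional[float] = None

@dataclass
class TerminalMonitor:
    offline_after_s: float = 60.0   # the memo notes swaps took under a minute (constructed threshold)
    weight_tolerance_g: float = 5.0
    terminals: Dict[str, Terminal] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def enroll(self, lane: str, serial: str, spec_weight_g: float) -> None:
        self.terminals[lane] = Terminal(lane, serial, spec_weight_g)

    def heartbeat(self, lane: str, serial: str, now: float) -> Optional[str]:
        """Check one periodic report from a PED; return an alert or None if consistent."""
        t = self.terminals.get(lane)
        if t is None:
            return self._alert(f"{lane}: report from unenrolled lane (serial {serial})")
        if serial != t.serial:
            # A substituted device reports a different serial; do not update last_seen.
            return self._alert(f"{lane}: serial {serial} != enrolled {t.serial}; possible swap")
        gap = None if t.last_seen is None else now - t.last_seen
        t.last_seen = now
        if gap is not None and gap > self.offline_after_s:
            # Long enough to unplug and re-plug a unit between two reports.
            return self._alert(f"{lane}: reconnected after {gap:.0f}s offline; inspect for tampering")
        return None

    def sweep(self, now: float) -> List[str]:
        """Periodic check for terminals that have stopped reporting (unplugged)."""
        return [self._alert(f"{t.lane}: no report for {now - t.last_seen:.0f}s")
                for t in self.terminals.values()
                if t.last_seen is not None and now - t.last_seen > self.offline_after_s]

    def weigh(self, lane: str, measured_g: float) -> Optional[str]:
        t = self.terminals[lane]
        if abs(measured_g - t.spec_weight_g) > self.weight_tolerance_g:
            return self._alert(f"{lane}: weight {measured_g:.0f}g vs spec {t.spec_weight_g:.0f}g; possible inserted hardware")
        return None

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg
```

In practice the report interval must be shorter than the swap time the memo cites, otherwise a sub-minute replacement falls between two reports and only the serial check catches it.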

But unlike a related story earlier this month about Visa’s list of software applications that store prohibited data, this memo was not confidential. It was made public. With the software document, Visa strongly argued against the information being shared with retailers publicly. But this PED list was disclosed voluntarily by Visa. Why the change in attitude? Is telling retailers there are security problems in their environment now considered a good thing?

Perhaps even more intriguing is what this disclosure will do to Visa’s oft-stated position that no PCI-compliant retailer has ever been breached. One of the key elements to being a PCI-compliant chain is housing only PCI-compliant equipment. Will Visa and PCI be issuing a blanket get-out-of-PCI-jail-free card for any merchants who were breached because they relied on a PCI-sanctioned device?

And what’s behind that compliance revocation? Was the device tested improperly? It seems unlikely that no one would have thought to test a PED for a physical skimming attack, which has been a thief favorite for far more than a decade. Did the test not factor in the latest attack’s methodology?

This time, we have to applaud Visa. Its latest memo gets it right on just about every count. It’s public; it explicitly discloses the names and models of the breached devices; it includes concrete advice on preventing this type of attack; and it encourages retailers to quickly move to machines still on the compliant list. The only thing it doesn’t say is that Visa will have a chain’s back if those PCI-approved devices later get breached.

Millions of online stores have missed the July 1st, PCI, Phase 5 deadline

Thursday, July 1st, 2010

Millions of online stores have missed the July 1st Payment Card Industry (PCI) Phase 5 deadline, putting their business, their customers, and possibly their home and future on the line. At last count, only a handful of the nearly 500 e-commerce shopping cart products will meet the deadline. In this article, I’ll cover the background and then explain the PCI deadline, who it affects, the risks of non-compliance, and, if you’re at risk, what to do if you cannot upgrade to a certified product now.

In 2005, Visa put forth a set of guidelines, Payment Application Best Practices (PABP), for anyone involved in the chain of a VISA transaction, on the internet or off. During the early phases, only large merchants were ‘put to the screws’ with costly validations by independent certification agencies, now known as Qualified Security Assessors (QSAs) – the ‘CSI’ forensic labs of our technology field. Small to medium businesses (SMBs), and their suppliers in the VISA chain, simply had to ‘self certify’ that they were following the rules, until now…

Five years have passed, and now we’re into the final phase of VISA’s ‘Compliance Mandates’ and still the majority of SMBs appear to be unaware, unconcerned, or simply believe the rules won’t apply to them. We’ve heard it all: “We’re using a custom ecommerce solution so we’re not required to be certified”, “we don’t store credit card numbers in our database”, “we’re using a ‘PCI compliant solution’”, or “we do less than a million a year in sales, so the rules don’t apply to us”. Or do they?

If you accept credit card transactions directly on your website, where the payment form or checkout page asking for the credit card data is hosted on your domain then you should keep reading. However, if you are only using a certified offsite payment solution such as PayPal Express, Google Checkout or similar systems, where the customer is directed to another site to make a payment, then fortunately, the rules don’t apply to you.

You might be a little concerned right now, and you should be. As of July 1st, everyone in the chain of a VISA transaction must be using systems and applications certified compliant by a QSA. Just like the big boys, you can no longer simply claim you’re ‘compliant’ – and if you don’t follow the rules, you won’t get protection when you have a breach. Just as Visa protects its cardholders from fraudulent transactions if they follow the rules, Visa may protect you, as a merchant, from the expenses of a breach if you follow the rules. Since these breaches are so very costly, expect Visa to be carefully watching the ‘naughty and nice’ list.

Any breach is almost certainly equal to a death sentence for any unprotected SMB.

Even if you don’t have a breach, come October the 12-month deadline on Phase 4 looms, when VNPs and agents must decertify all vulnerable payment applications. This really means that, quietly in the background, merchant account providers and payment gateways are compiling a list of ‘vulnerable payment applications’ which they must decertify within 12 months of identification. The products most at risk of decertification are high-profile open source products, which have most certainly been identified by multiple VNPs and agents by now.

Revolution Payment Systems has partnered with TrustWave to establish procedures to protect your business and your customers from theft, fraud, and other security risks from the compromise of card data. TrustWave will help you comply with PCI.