Our PCI Compliance and Security partner ControlScan plans to integrate the SAQ P2PE-HW into our merchant portal by the end of the quarter, as it’s expected that P2PE certified solutions will be listed on the PCI SSC website later this year. We will alert our merchants as soon as the SAQ P2PE-HW is available.

The PCI SSC Releases its P2PE SAQ
In May the PCI Security Standards Council (SSC) published a fact sheet to offer guidance for merchants evaluating technology to accept payments using a smartphone or iPad/tablet. The fact sheet explains how a point-to-point encryption (P2PE) solution can be leveraged to secure mobile payments.

As a next step in its P2PE program, the SSC has released a P2PE Self-Assessment Questionnaire (SAQ). The new, reduced SAQ (SAQ P2PE-HW) is similar to SAQ B and contains 18 questions.

The PCI SSC website does not currently list validated P2PE solutions; however, the SSC plans to release the necessary documents for reporting and validation "in the coming weeks." Once this occurs, P2PE assessors, solution providers and application vendors can complete their assessments and submit their reports and validation documentation for acceptance and listing.

As the P2PE validation process progresses, merchants meeting the following criteria should use the SAQ P2PE-HW:

  • Merchants processing cardholder data via hardware terminals included in a validated and PCI SSC-listed P2PE solution;
  • Merchants who do not have access to clear-text account data on any computer system, and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution; and
  • Merchants who are brick-and-mortar (card-present) and/or mail-order/telephone-order (card-not-present) merchants. For example, a MOTO merchant could be eligible for SAQ P2PE-HW if they receive cardholder data on paper or over a telephone and key it directly into a P2PE-validated hardware device. Note that SAQ P2PE-HW would never apply to e-commerce merchants.

The merchants cited above would validate compliance by completing SAQ P2PE-HW and the associated Attestation of Compliance (AoC), confirming that:

  • Their business does not store, process or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks or audio recordings) outside of the hardware payment terminal used as part of a validated PCI P2PE solution;
  • Their business has confirmed that the implemented PCI P2PE solution is listed on the PCI SSC's List of Validated P2PE Solutions;
  • Their business does not store any cardholder data in electronic format, including no legacy storage of cardholder data from prior payment devices or systems; and
  • Their business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
  

Special PCI Alert

Posted on July 24, 2010 04:18 by Ty Hardison

A Special PCI DSS (Payment Card Industry Data Security Standards) Alert for Vantage clients.

This week the number of reported solicitations by phone and fax to our merchant community, especially medical, dental and veterinary practices, has spiked.

The common scare tactic involves being subject to fines if immediate action is not taken. Merchants are told that they have no option but to follow the instructions provided, which typically involves providing contact information, setting an appointment, or paying a fee.

Many of the tactics used will try to make it sound as if the caller is acting on behalf of your service provider. Please be aware that these solicitations are NOT endorsed by Vantage. We do NOT release any information to any third party.

The PCI scare game has also become the “lead story” for the acquisition of merchant accounts by many sales organizations. And PCI fees have also become a popular revenue source for these same sales groups.

While it’s important to recognize the above solicitation tactics, it is in every merchant’s best interest to understand and comply with the basic tenets of PCI to protect your business. While all the payment technology Vantage recommends for payment processing is PCI compliant, only you can ensure that your procedures and policies on how your employees handle card data are enforced at your business. If you have card data in a file drawer or stored on your PC, or if you have other software or systems in place that touch card data besides the actual payment application (payment terminal, payment gateway, payment software), let’s make sure these are secure.

For years, we have communicated the importance of securely handling card data. A PCI statement message runs every month on your merchant statement and a host of PCI information can be found on the Vantage Card Services web site at: http://www.vantagecard.com/resources/PCI_Data_Security.html. And as you know, Vantage does not charge our clients monthly or annual PCI fees.

We have established a PCI hotline. Email your PCI questions to pci@vantagecard.com. In addition to replying to your question directly, we will also compile a FAQ on the Vantage web site as an additional reference tool.

As always, Thank You for entrusting your merchant services and payment processing to Vantage Card Services.

  

Merchants should be aware of the pending payment industry deadline of July 1, 2010 related to the Payment Application Data Security Standards (PA-DSS).

Effective July 1, 2010, acquirers must ensure that merchants only use PA-DSS compliant applications.

What does this mean to merchants? If you are using old payment devices or software, you may need to upgrade. Merchants using point of sale register systems should inquire with their point of sale vendor about their compliance status if they have not already done so. Merchants should also review the information posted on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/vpa/ or on the Visa website at http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp.

PA-DSS is part of the overall Payment Card Industry Data Security Standard (PCI DSS) to protect account data in payment transactions. Unfortunately, there are no single-step solutions for PCI DSS compliance, as security standards continually evolve based on industry feedback, real-world security incidents and new emerging payment technologies like unattended payment terminals and EMV chips.

The last revision of the data security standard was in October 2008. According to Bruce Rutherford, chairman of the PCI Security Standards Council, a new iteration of the DSS is coming this year.

  • Late April: New PIN transaction security (PTS) standard released (formerly PIN Entry Device (PED) Standard).
  • October 2010: Next iteration of both PCI DSS and PA DSS released to public.

While many merchants are not deemed high risk, all merchants should follow best practices for securing cardholder data. Remember: if you don’t need it, don’t store it.

Please visit http://www.vantagecard.com/resources/PCI_Data_Security.html for additional information on PCI and compliance.

  

POS PIN Entry Device Vulnerabilities

Posted on November 18, 2009 10:05 by Ty Hardison

Compromised point-of-sale (POS) PIN-entry devices (PEDs) equipped with tapping mechanisms designed to capture PIN and card data have recently been found in the U.S. marketplace. Visa has received an increasing number of reports regarding POS PED theft from merchant store locations. Evidence indicates the POS PEDs are being physically removed from their locations and replaced with modified devices designed to skim account and PIN data. Surveillance has shown that suspects in most of these cases were able to remove and install a POS PED in under one minute. This type of fraud typically occurs in merchant locations with “after-hours” operations where there is minimal customer traffic or employee supervision over cash registers.

Visa strongly recommends that merchants use heightened vigilance and maintain a secure store environment at all times, especially around cash registers and POS PEDs. Visa recommends merchants physically secure PEDs at all locations so PEDs cannot be easily modified or replaced.

Merchants should train their employees on the potential for PIN compromise and what action to take if a POS PED is stolen or missing, or there are noticeable signs of device-tampering. If POS PED tampering is suspected, merchants should immediately contact their merchant bank, Visa, and law enforcement.

  

Fed to consider National Data Breach Law

Posted on November 2, 2009 04:44 by Ty Hardison

According to a Bank Info Security article, House hearings may start later this year or in early 2010 to address the increasing problem of data breaches. According to the Identity Theft Resource Center report, 407 breaches and nearly 220.6 million records have been exposed so far in 2009.

The current climate favors more government regulation rather than less. The purpose of the hearings is to discuss the way data is retrieved, transmitted, intercepted and stored, and to see how government can regulate aspects of IT -- including companies involved in finance, health, welfare and safety.

However, before the federal government tries to regulate how the private sector handles and stores data, Congress should consider updating the 7-year-old Federal Information Security Management Act that regulates how the federal government secures its data and systems.

  

Update: March 2011

There are federal laws, various state laws and association rules which require merchants to truncate the cardholder copy of receipts. It is the merchant's responsibility to comply with applicable laws and regulations regarding truncation. Please check your POS and terminal receipts to ensure you are in compliance.

Seven (7) states have passed legislation that requires merchants to truncate both cardholder and merchant receipts. The states are:

  • New Mexico - as of 01/01/2004
  • Wisconsin - as of 08/01/2005
  • Colorado - as of 01/01/2006
  • Tennessee - as of 01/01/2007
  • California - as of 01/01/2009
  • Alaska - as of 07/01/2009
  • Nevada - as of 07/01/2009
  • Washington State - as of 07/26/2009

Additional states have legislation in progress which, if enacted in the near future, may also require merchants to truncate both cardholder and merchant receipts. Under the current legislation, merchants in the above states are required to truncate both the cardholder and merchant copy of the receipt by masking the card number and the expiration date as follows:

  • Card number truncation is defined as masking all but the last 4 digits of the card number by using * or X. (Example: XXXXXXXXXXXX1234 OR ************1234)
  • Expiration date truncation is defined as masking the expiration date by using * or X. (Example: XX/XX OR **/**)
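As an added example (not part of the original post), the truncation rule above written out as a small Python helper: it masks a card number and expiration date the way the post describes, and it scans receipt text for card numbers or expiration dates that a POS or terminal still prints in the clear. The receipt text is a constructed sample, and the Luhn check is an assumption of mine used only so that invoice or phone numbers are not reported as card numbers.

```python
import re

# Receipt truncation rule from the post: mask all but the last four digits of
# the card number and every digit of the expiration date, using X or *.
MASK_CHAR = "X"

# Constructed sample receipt from a terminal that was never set to truncate.
SAMPLE_RECEIPT = """SAMPLE MERCHANT
Date: 11/18/2009  Invoice: 1234567890123456
Card: 4111 1111 1111 1111  Exp: 12/15
Total: $42.00
"""

# Candidate card numbers (13-19 digits, optional space/dash separators) and
# MM/YY or MM/YYYY dates that are not part of a longer date like 11/18/2009.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_EXP_RE = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{2}|\d{4})(?![\d/])")

def luhn_ok(digits: str) -> bool:
    """Luhn check (assumed here) to tell a card number from an invoice number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(pan: str, mask: str = MASK_CHAR) -> str:
    """Keep only the last four digits; spaces and dashes are dropped."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card numbers are 13 to 19 digits")
    return mask * (len(digits) - 4) + digits[-4:]

def truncate_expiry(exp: str, mask: str = MASK_CHAR) -> str:
    """Mask every digit of the expiration date, keeping the separator (XX/XX)."""
    return re.sub(r"\d", mask, exp)

def find_untruncated(receipt_text: str) -> list[str]:
    """Report card numbers and expiration dates printed in the clear."""
    findings = []
    for m in _PAN_RE.finditer(receipt_text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings.append("card number: " + m.group(0))
    for m in _EXP_RE.finditer(receipt_text):
        findings.append("expiration date: " + m.group(0))
    return findings

def truncated_receipt(receipt_text: str) -> str:
    """Rewrite a receipt to meet the rule; non-card numbers are left alone."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    masked = _PAN_RE.sub(mask_pan, receipt_text)
    return _EXP_RE.sub(lambda m: truncate_expiry(m.group(0)), masked)
```

Running `find_untruncated` over a batch of receipt printouts is a quick way to confirm that every terminal and POS register in a store honors the rule; a compliant receipt produces an empty list.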

If you need help, contact us at 800-397-2380.

  

The PCI Compliance Fee Gouge

Posted on June 4, 2009 13:57 by Ty Hardison

Just like everything else, a lot has changed since our original post on this topic on June 4, 2009.

Today the card associations require that all merchants, regardless of size, validate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Compliance with PCI DSS has always been very important to protect your business. It’s only the validation requirements that have changed. The fees being charged for PCI Compliance are not uniform throughout the industry. Some merchant account providers charge monthly, some annually and some both and these fees can really start to add up.

Merchants need to be aware of how and when PCI fees are billed to avoid being gouged with excessive fees. Merchants should also know that they may choose to complete an SAQ on their own and can work with any PCI vendor they choose should a system scan be required. Merchants are not forced to pay for PCI services through their merchant account provider.

Vantage has partnered with ControlScan to help our clients meet PCI compliance at a very reasonable price. This is simply a well-researched and negotiated choice, but our clients can opt out of using the ControlScan service by providing a copy of their PCI validation documents.

It is also important to remember that there is a difference between security and compliance. While PCI compliance is a mandated point-in-time measurement of your security readiness, the underlying security requirements must be adhered to on a daily basis to protect your business.

In the event of a data compromise, merchants face significant fees and fines. The average breach cost for a Level 4 merchant is around $39,000 and PCI DSS validation does not affect your responsibilities associated with your merchant account in the event of a data compromise. You may want to contact your business insurance provider and ask them about a comprehensive data compromise rider to cover you in case of a breach.

For additional PCI DSS info visit: http://www.vantagecard.com/resources/PCI_Data_Security.html.


PCI 360 Education Program

Posted on June 2, 2009 08:51 by Ty Hardison

The MasterCard Academy of Risk Management has introduced a complimentary initiative to raise awareness and promote the adoption of PCI. The program provides a holistic and informative platform for participants to increase their understanding of PCI DSS through sessions led by payment industry and data security experts.

The PCI Merchant Education Program provides a complete view of the PCI DSS through a series of on-demand webinars designed for merchants. These events are designed to help you:

  • Gain the knowledge needed to become PCI compliant
  • Learn directly from industry security experts
  • View recorded webcasts on your own time
  • Take advantage of materials to educate your team and new employees  

The current course curriculum includes:

  • PCI Perspectives: A Payment Application Vendor
  • 2009 - An Update on the PCI Data Security Council
  • Data Storage 
  • PCI DSS Requirements Update - Version 1.2 
  • Maximize Internal Preparation for PCI DSS
  • Network Segmentation
  • Data Encryption: Understanding Encryption and PCI DSS
  • A Detailed Look at PCI DSS Requirements
  • A look into the new Self Assessment Questionnaire
  • A Merchant's Journey towards PCI Compliance
  • Understanding Account Data Compromise
  • Preparing for a Successful PCI Assessment, Lessons from the Field
  • Reducing Your Risk: A Look Into PCI Vulnerability Scanning

To register visit: http://www.iian.ibeam.com/events/mast001/24008/

For additional PCI DSS info visit: http://www.vantagecard.com/resources/PCI_Data_Security.html

  

Industry Watch: Terminal Retirements

Posted on April 29, 2009 11:56 by Ty Hardison

Vantage would like to take this opportunity to remind merchants of pertinent upcoming PCI DSS mandates and impacts:

  • Effective July 1, 2010, acquirers must ensure their merchants use only compliant applications.

This Payment Card Industry Data Security Standards (PCI DSS) compliance mandate is just around the corner and impacts the entire payment industry. As a result, terminal equipment vendors are discontinuing production of hardware and replacement parts. Payment applications previously supported are being fully retired.

Some merchants using late model terminals will need to upgrade within the next 14 months. We highly recommend that merchants avoid purchasing used or refurbished terminals. Also, please be aware of a rise in proprietary terminals in the market. Many merchants are unknowingly purchasing terminals that can only be used on a single network. Before you purchase a credit card terminal, please call us at 800-397-2380 with the make and model to ensure a sound investment.

Visa and MasterCard have also set a mandate effective July 1, 2010 to ensure that all installed Point of Sale terminal models have been approved and are using the most up to date encryption standards for processing PIN debit transactions. If you currently process PIN-based debit transactions, you may be operating a Point of Sale device that will need a software upgrade or device replacement in order to continue processing.

Vantage will work with you to upgrade your terminal or PIN pad with a new certified payment application. If your terminal hardware is too old to update to a secure, compliant payment application, Vantage offers a specially priced terminal upgrade package. Please call us at 800-397-2380 or email us at support@vantagecard.com.

  

PCI DSS Resource: Prioritized Approach

Posted on April 29, 2009 11:48 by Ty Hardison

The Payment Card Industry Security Standards Council (PCI SSC) has released a new resource for achieving PCI DSS compliance. This new resource is referred to as the Prioritized Approach, and it is intended to provide best practices that will help merchants identify and reduce risk to sensitive data.

The tool groups the requirements of PCI DSS v1.2 into six key milestones for merchants to consider in achieving their PCI DSS compliance. It also offers guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data.

Additional benefits of the Prioritized Approach are:

  • An increased awareness of cardholder data security
  • Assistance for businesses in identifying their highest-risk targets
  • The creation of a common language around PCI DSS implementation efforts
  • Enabling merchants to demonstrate progress on the compliance process

For additional information on Prioritized Approach, please visit:
http://www.vantagecard.com/resources/PCI_Data_Security.html