Cash is no longer king. It hasn’t been for several years. That little piece of plastic is in charge. Credit cards are often what your customers use to buy products. Technology has made it easier to use credit cards. People are more comfortable using credit cards online than ever before. But, unfortunately, technological improvements also make it easier for hackers to steal information. In response, the Payment Card Industry Data Security Standard (PCI DSS) was created, and it’s something you must be familiar with if you are not already. To make it easier, we’re going to refer to PCI DSS as simply PCI or PCI compliance throughout the rest of this story because most retailers refer to it as simply PCI.
PCI compliance is already required by credit card companies. However, you must have payment-compliant terminals by July 1. If you are not compliant, you could face fines. Amounts of such fines would vary. If you don’t meet compliance standards, there’s a good chance you will need to make a purchase or purchases to rectify the situation. However, there are so many retailers in the United States that it would be difficult—although certainly not impossible—to be fined for a failure to be PCI compliant unless you had a security breach.
The payment card industry was formed jointly by Visa, MasterCard, American Express and Discover to reduce dramatically the possibility of security breaches. To get the entire scoop, we spoke to Jason Wagner, senior national account manager for Omaha, Neb.-based First National Merchant Solutions, NAMM’s recommended vendor. One of the processor’s roles has been to work with vendors to make sure they are PCI compliant before the July 1 deadline.
Let’s start with the most important question. What is PCI compliance and why should you care about it? “The goal is to make sure merchants are not improperly storing any data so that, if there were a security breach, nobody’s card numbers would be compromised,” said Wagner.
First National Merchant Solutions currently is making sure merchants are in tune with the 12 PCI requirements. “The validation has to be completed by a qualified security assessor (QSA), though,” said Wagner. “So, at First National Merchant Solutions, we combined forces with a company named Trustwave, which is a certified QSA. First National Merchant Solutions makes sure merchants comply with PCI standards, but also provides ongoing training as requirements may change.”
For more on First National Merchant Solutions, visit www.fnms.com.
Wagner added there are four levels of PCI compliance: Levels 1 through 4. Level 1 merchants have more than 6 million credit card transactions per year. Level 2 merchants have between 1 million and 6 million credit card transactions per year. Level 3 refers to those with 20,000 to 1 million transactions, and Level 4 refers to those processing less than 1 million transactions or less than 20,000 e-commerce transactions per year.
Being PCI compliant is intended to ensure breaches cannot occur from either outside the business or from inside it, meaning your employees.
All four levels must become PCI compliant. To become PCI compliant, you must follow all of these 12 steps:
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
For more on this topic, visit www.visa.com/cisp.
We also looked into another aspect of PCI compliance: Merchant Link, which is involved in credit card tokenization. What is tokenization? Merchant Link’s Dan Lane and Tim Kinsella will fill us in. “Merchants have to trust vendors like Visa and MasterCard to make sure money gets into their accounts,” said Kinsella. “Many times, that works. But sometimes, it doesn’t. What do you do then? Merchant Link provides an answer. We offer a gateway between a store’s credit system and the banks to make sure transactions go to the right place and are tracked. It’s become much easier for bad guys to steal credit card data and turn it into money for themselves. As that risk accelerated, card associations created Payment Card Industry (PCI) compliance, which is a requirement to protect personal data. We saw an opportunity to create a technology to help merchants.”
“Credit card companies expect you, the merchant, to protect that data,” added Lane. “Our product is called tokenization. It does that for merchants. You know how difficult it is just to protect information on your home computer. It gets much more complex on the merchant level. It can be very challenging. Even for small merchants. Since broadband [Internet service] became widely available, bad guys immediately took advantage of that and hacked into merchant security systems more easily.”
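Tokenization, as Lane describes it, lets a merchant keep a surrogate value (a token) in its own systems while the real card number stays in a separate vault. The following is an added illustration of that general idea in Python; it is not Merchant Link’s product or code, and the in-memory vault, the token format and the Luhn-based scope check are assumptions made for the demonstration.

```python
import secrets

# Constructed demo of a tokenization vault. The primary account number (PAN)
# is only ever held inside the vault; the merchant's own records keep just
# the token. A real vault would sit behind a gateway and encrypt its storage
# with an HSM-backed key; the plain dict here stands in for that (assumption).


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; also rejects non-digit or short input."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Keep the last four digits so receipts and refunds still work; the
        # rest is random, so the token reveals nothing about the card number.
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault/gateway side calls this when sending to the bank.
        return self._by_token[token]


def merchant_record_is_out_of_scope(record: dict) -> bool:
    """True when no field in a merchant-side record looks like a stored PAN."""
    return not any(isinstance(v, str) and luhn_valid(v) for v in record.values())
```

Because the merchant only stores `tok_…` values, a dump of its order records contains nothing a thief could turn into money, which is the point Lane makes about protecting data.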
Merchant Link said the average cost of using its service is two to three cents per transaction. For more, visit www.merchantlink.com.