June 16 2010

Why PCI Compliance is so Important to Your Credit Card Processing


The most important reason the Payment Card Industry Data Security Standard is in place is to keep customers and businesses from being exposed to identity theft, and to deter computer “hackers” from breaking into your business systems or into your bank accounts. In this context a hacker is someone who performs a network intrusion, that is, gains unauthorized access to a computer network or payment system in order to obtain cardholder data illegally.

A related term is “data compromise”: a deliberate attack on communications or information-processing systems that exposes cardholder account information to third parties and places cardholders at risk of fraudulent use. Such an attack can be initiated by a disgruntled employee, a malicious competitor, or a misguided hacker, and it often results in damage or disruption to the entire payment system. Protect your cardholder customers as well as you can, as you would want to be protected if you were your own customer.

Merchants are required to protect credit card processing data. To do so, companies adopt the common industry security requirements known as the Payment Card Industry Data Security Standard (PCI DSS). One way this is accomplished is by partnering with security companies that can provide the data security and meet the mandatory industry requirements around protecting data throughout the payment transaction process.

There are twelve requirements to be met. They range from installing a firewall in front of the network that handles cardholder data, to encrypting all transmissions of cardholder data across open public networks, keeping antivirus software up to date, assigning a unique ID to each user, maintaining an information security policy, and regularly testing security systems and processes.

The PCI Security Standards Council, the independent body responsible for developing and maintaining the security standards for account data protection, has published the “Prioritized Approach”, which gives non-compliant merchants guidance on the order in which to tackle the requirements. This is a powerful and useful statement: it tells you as a merchant that there is help available to get your business where it needs to be, and it is there for the protection of your customers.

The size of your business and the number of transactions it processes each year determine which validation you are responsible for, whether that is a quarterly network vulnerability scan or an onsite assessment. Vulnerability scanning is important because you want your environment sealed off from anyone trying to break through your network; the sooner you find a weakness, the sooner you can close it. Your goal is to safeguard your customers' cardholder data, and by scanning on an ongoing basis you are also meeting the requirements for continued Payment Card Industry compliance.

To learn more about becoming PCI compliant for your online merchant account check out http://www.stradafee.com!  Make your credit card processing safe and secure for your clients.

January 12 2009

Safe and Secure Online Payments


Approximately 85% of online shoppers are concerned about their security, as well they should be. Credit card fraud and identity theft are at an all-time high following the explosion of credit card transactions made over the Internet. This is why it is extremely important for online retailers and businesses to gain the trust of customers and help them believe in the security of your eCommerce system. According to research by TNS, 65% of purchases are abandoned when the customer reaches the checkout area. This is largely due to doubt about the security of the credit card form, which can be reduced by making sure your website displays proper security measures.

Many eCommerce-savvy shoppers have learned to look for certain signs of security before entering their credit card information. The most typical are the “https” prefix and the padlock graphic the browser shows next to the website's URL, which together indicate that the connection to the site is encrypted with SSL. A separate sign is a site seal placed on the page by the certificate provider, such as the VeriSign Secured Seal; almost four out of five Americans recognize the VeriSign Secured Seal, making it an extremely effective security mark. Newer browsers can also detect extended-validation certificates and display the address bar in green. However, most people do not yet have this feature to help them along and are looking for the other signs.

Most reputable companies providing online transaction security use SSL. SSL, or Secure Sockets Layer, is the protocol that encrypts a customer's credit card information while it travels across the Internet. The SSL certificate the site presents has been issued by a certificate authority that verified the identity of the certificate's owner, so the customer can tell who is receiving the card data. SSL is the usual way of meeting the PCI DSS requirement to encrypt cardholder data sent across open, public networks, and using it on the checkout page shows customers your commitment to the level of security they will experience.

Using these online security measures not only provides protection, it also helps demonstrate the authenticity of your business. Some customers may still be wary of entering their credit card information online, but seeing such security measures may help them decide to complete the transaction over the phone, or to contact you for further information. Online retailers report an average increase in sales of around ten percent after adding some form of visible security to the payment pages of their website. This should be a sign to retailers that customers are really looking for assurance that their credit card information is safe. Earn the trust of online shoppers by providing the professional security people want.

Merchant accounts make it possible for businesses to provide credit card processing for card present and card-not-present transactions. For more information on credit card processing visit http://www.stradafee.com

November 13 2008

How to Become PCI Compliant


Before a merchant or acquirer considers PCI compliance, it is important to understand which entities it applies to. While it is very likely that PCI compliance will be mandatory for any given merchant or acquirer, it is only required if you receive, store, process or transmit the Primary Account Number (PAN), the main credit card number of the customer, which is between 13 and 19 digits long. In addition, a merchant or acquirer must remember that if a PAN is stored or processed, the rest of the cardholder data (cardholder name, expiry date, service code) must be protected as well, and sensitive authentication data such as the CVV/CVC must not be stored at all once the transaction has been authorized.

For a merchant to become PCI compliant, it first has to determine the merchant level that applies to it under the PCI guidelines, as each merchant level has different validation requirements. In addition, both VISA and MasterCard have their own compliance programs layered on top of the PCI DSS standard, which need to be adhered to. Discover and American Express follow the PCI DSS standard together with a ‘good practices’ handbook, with no specific additional requirements. In general, then, the process begins with the merchant or service provider determining its validation level, as each level involves different audit, questionnaire and network scan requirements.

It would seem obvious that Level 1 merchants would attract the most hacker activity, but it is actually Level 4, since these merchants tend to be smaller and, by VISA's estimates, make up around 99% of merchants by count. They are more prone to attack primarily because they are small and usually lack the technical infrastructure that the PCI DSS mandates. To that end, VISA requires that all Level 4 merchants submit a PCI compliance plan. In addition, a Level 4 merchant that uses a point-of-sale terminal must ensure that the payment application on it complies with VISA's Payment Application Best Practices (PABP) and that the PIN entry device meets the PIN security requirements.

Validation levels apply to service providers as well. Service provider levels are categorized differently by MasterCard and Visa, though in both cases the emphasis is on transaction volume. For instance, VISA defines a Level 2 service provider as one that is not in Level 1 and that transmits more than 100,000 transactions annually. MasterCard simply prescribes that service providers who transmit on behalf of Level 1 merchants are Level 1 service providers.


The merchant or service provider must build an infrastructure of firewalls, access control systems and data encryption that complies with the PCI DSS. Version 1.1 of the standard sets out the following twelve requirements for merchants:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

Once the technical infrastructure is in place, the merchant or service provider must engage an Approved Scanning Vendor (ASV) to run a quarterly external network scan. The scan checks, from the outside, that the Internet-facing systems are actually hardened and that the requirements above are not just placeholders in the self-assessment questionnaire required of Level 2, 3 and 4 merchants and service providers. Its purpose is to locate vulnerabilities that could lead to data breaches and to diagnose and recommend measures to fix them. The ASV's report lists the potential security holes and rates each vulnerability from 1 to 5 (here, unlike the merchant levels, 5 is the most severe). For a Level 1 merchant an onsite assessment is also mandated, to be conducted by a Qualified Security Assessor (QSA).

Finally, a self-assessment questionnaire in the prescribed format needs to be submitted to the acquiring bank by the merchant or service provider; it acts as a checklist to confirm that the 12 requirements outlined above have been addressed and met. Some experts believe that PCI compliance has less to do with network and information security than with compliance for its own sake. For one thing, a merchant only needs to be 100% compliant at the time of the review. This loophole can make a merchant lax throughout the year, fixing security holes only around the time of the review or audit. That won't solve any security crises, only make them worse.


For more information on how to become PCI compliant please visit http://www.stradafee.com!