Ensuring Cardholder Information is Secure

myposdepot.com - "THE BEST IN POS"

What is PCI Compliance and How Can It Affect Me?

The twentieth century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. The lack of security by merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.

It’s a serious problem – more than 510 million records with sensitive information have been breached since January 2005, according to PrivacyRights.org. As a merchant, you are at the center of payment card transactions so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.

Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers.

A survey of businesses in the U.S. reveals activities that may put cardholder data at risk.*

• 81% store payment card numbers
• 73% store payment card expiration dates
• 71% store payment card verification codes
• 57% store customer data from the payment card magnetic stripe
• 16% store other personal data

Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.

Payment Card Industry (PCI) Compliance is a complex system put in place by the five major swipe card brands/associations. These are: Visa, MasterCard, American Express, Discover, and JCB. A merchant who accepts one of these brands is subject to PCI Compliance. Any debit, credit, or pre-paid swipe card is subject to the PCI Compliance rules.

The rules for compliance deal with Data Security Standards (PCI DSS). The official site for the Security Standards Council (SSC) which oversees and enforces PCI compliance can be found here. The SSC mandates compliance standards to be in place prior to the transaction. Further compliance deadlines are set at various times. For most small to medium sized businesses, the deadline and enforcement will come from your merchant bank.

For PCI DSS, a merchant is any entity which accepts payments from one of the five brands. A merchant can also be a service provider if the merchant accepts cards for payments of goods or services on behalf of another entity. A service provider is subject to the same rules as a merchant.

Whether you use internet sales transactions or point of sale transactions, you must comply with PCI DSS. Use of even one swipe card in a merchant’s business in a calendar year, places the merchant under PCI DSS. For merchants, use includes: storage, transmission, or processing of cardholder data. The standards for compliance do vary for the number of transactions per year.

Merchants must complete a quarterly scan from a PCI SSC approved scanning vendor. Alpha Card Services is pleased to announce that upon launch of our new PCI Security website portal, where we will be able to help you evaluate and comply with requirements for PCI DSS. This website will also help you to validate your compliance and complete an Attestation of Compliance. Contact one of our helpful representatives to learn more.

The purpose of these standards is to protect cardholder account data, the account number printed on the card. Merchants and any other service provider involved in the transaction process must never store this sensitive data after the authorization. This includes sensitive data printed on the card, or stored on the magnetic strip or chip- and personal information entered by the cardholder. When merchants comply with PCI DSS, it ensures a number of things:

• The cardholders will use their cards knowing their information is secure. This helps you because when consumers know their information is secure, they will want to use their card to purchase your goods or services.
• The merchant will not be subject to fines or sanctions from the SSC.
• The banks the merchant uses will not be directly fined by the SSC (these fines generally are passed down the line until the merchant bears the cost)
• Merchants’ own storage and information is secure from malicious attacks, intrusions, or computer hackers.
• Many states require merchants who have been compromised to reveal the information to the public. Compliance prevents this embarrassment and potential loss of business.

How Do I know my Customers are Protected?

As a merchant you might wonder how you can comply with the standards and also ensure protection of your customer’s information. By utilizing our PCI Security website portal, and other safety measures, you can achieve maximum security of information.

First, Visa has promulgated a list of best practices for merchants. Although it is not all encompassing, it will help small to medium sized businesses protect themselves and their customers. Some of these practices include using a payment systems provider with a good reputation for updating his or her software for processing, not sharing access information for firewalls or secured networks, and not hiring cyber-criminals.

Second, one can avoid some common downfalls. Perhaps the most common is that small businesses with few transactions believe that an SSL Certificate is sufficient to ensure compliance. This is incorrect. Also, some small businesses that are run from homes are particularly targeted by hackers. This means that those who run small businesses should ensure they have a secure network and a good processing center.

Finally, merchants can ensure they have secure payment gateways. A payment gateway is the method through which a merchant is connected to the actual bank. Often these gateways are facilitated by processors, such as MyPOSDepot, and so finding a secure gateway is as simple as finding a good processor.

Dealing with PCI Compliance does not have to be a painful process, and is helpful to both you, the merchant, and to your customers. As we launch our brand new PCI Security portal, you can be assured that we will help you to comply with PCI DSS and that we will be using state-of-the-art software and security systems to ensure that our services to you will not be compromised. As small to medium sized businesses are the most vulnerable to hacking and are targeted by banks for compliance issues, any Level 4 merchant needs to make sure it has a good partner in swipe card processing. Contact one of our representatives for help today.

*Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)

Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

Follow MyPOSDepot & Receive Exclusive Offers!

Merchant Services & Credit Card Processing Solutions

Merchant Services & Credit Card Processing Solutions

MyPOSDepot is a bank direct payment processor. There’s no middleman to contend with. When you get your payment processing directly from the source you save!

The Impact of the Durbin Amendment on Everyday Merchants What is the Durbin Amendment?

The Durbin Amendment is an addendum to the Dodd-Frank Financial Reform and Consumer Protection Act. The Act has the overarching goal of consumer protection while promoting economic growth. The Durbin Amendment promotes these goals through capping the interchange fee for debit card transactions.

An interchange fee is the amount paid between merchants and banks to facilitate a consumer using a swipe card at the merchant’s business. This fee is used to cover administration and fraud prevention costs. The Durbin Amendment caps the interchange fee for debit cards at 21 cents plus 0.05% of the transaction. Merchants pay this fee for the privilege of having customers use their debit cards to pay for merchandise.

The electronic payments system is an economy in itself. This means that one factor cannot change without changing all other factors. There are consequences of changing the debit card fees, and some of these consequences will greatly affect the way you, the merchant, does business. These changes will span from debit cards, through gift cards, credit cards, and cash payments.

What merchants can profit from these changes?

The Durbin Amendment is promoted as being beneficial to merchants because it could lower the cost of doing business. The Durbin Amendment caps the debit card interchange fee so that the cost of having a customer pay for his or her purchase with a debit card is lower than the cost before the Amendment. This theoretically allows the merchant a higher profit margin.

For the savvy merchants, the Durbin Amendment allows them to lower prices and draw in new customers without changing their profit margins. If the debit card fee is set at a certain price then some merchants may be able to pass on savings to their consumers.

It falls upon each business owner to ensure he or she is saving money. These owners are calling providers to find out about changes in pricing methods resulting from the new Durbin Amendment. To try to take advantage of these new lower debit fees, merchants are out looking for new contracts with processing providers. For merchants, switching providers or shopping for new contracts can be the best way to profit from the fee restrictions.

What difficulties will arise from the Durbin Amendment that merchants should be aware of?

The Durbin Amendment has created new challenges for merchants. Merchants have previously always born the cost of consumers using debit or credit cards, through processing fees from the banks. With the new restrictions on fees for swipe cards, consumers are beginning to bear the costs of using a debit card to make purchases, through changes in their checking account fees.

The Durbin Amendment is only intended to change caps on debit card interchange fees, and not on credit card interchange fees. Because of this, banks are dis-incentivizing debit card use, and attempting to promote credit card use. So the lower debit card interchange fee may have less impact, because debit cards could have less use. Which means some merchants will be hard pressed to benefit from the Durbin Amendment.

The merchants who may face difficulties will include both large and small companies. Any company which processes transactions with a low dollar amount, such as coffee shops, small stores, cafes, and similar businesses, may find an increased cost, despite the debit card processing fee cap. Whether a large business or a small one, merchants with low ticket prices may find debit card usage has an increased cost of approximately eight cents per transaction.

Additionally, merchants may find they have more consumers avoiding using their debit cards to avoid potential bank fees. Merchants may see either a higher rate of alternative payments (credit card, cash, gift cards) or may see less purchasing occurring. You can read an impartial in-depth analysis of the challenges your company may face here.

Generally, merchants can be proactive to prevent losses and common pitfalls in the changing electronic payments market. To avoid selling less, merchants should make using any form of alternative payment easy for consumers. My POS Depot provides services to help you to use credit cards and gift cards to your advantage, and avoid losing sales.

How can My POS Depot Help the Merchant Benefit?

The Durbin Amendment is only just beginning to take effect. It has been in place for less than two months, and so opportunities to benefit from this change in legislation abound. Debit card usage is still on the rise and more and more small businesses are trying to maximize debit transactions.

Small businesses who want to benefit from the Durbin Amendment, and to lower costs can do so by finding business payment processors which will be able to explain how their pricing was adjusted to fit the Durbin Amendment. My POS Depot has changed their pricing system and representatives can help small businesses and merchants to understand and maximize the positive effects the Durbin Amendment could have on their business transaction processing.

http://www.myposdepot.com
Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

MPD Best Price Guarantee on Merchant Services Accounts!

MyPOSDepot.com is the leader in low cost merchant services equipment and credit card processing solutions. Our dedicated staff is knowledgeable on the industry and MPD will lower any merchants credit card processing cost by at least 25%! Contact our sales department at (866) 480-2433 or click the following link and one of our sales representatives will contact you within 24 business hours.

Grant Rowlands
National Account Executive

http://www.myposdepot.com
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

What is Tokenization?

Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a token.‖ De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.
Depending on the particular implementation of a tokenization solution, tokens used within merchant systems and applications may not need the same level of security protection associated with the use of PAN. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.
The following key principles relate to the use of tokenization and its relationship to PCI DSS:
Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s  validation efforts by reducing the number of system components for which PCI DSS requirements apply.
Verifying the effectiveness of a tokenization implementation is necessary and includes confirming that PAN is not retrievable from any system component removed from the scope of PCI DSS.
Tokenization systems and processes must be protected with strong security controls and monitoring to ensure the continued effectiveness of those controls.
Tokenization solutions can vary greatly across different implementations, including differences in deployment models, tokenization and de-tokenization methods, technologies, and processes. Merchants considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their particular implementation, including all interactions with payment card data and the particular tokenization systems and processes.
One of the primary goals of a tokenization solution should be to replace sensitive PAN values with non-sensitive token values. For a token to be considered non-sensitive, and thus not require any security or protection, the token must have no value to an attacker.
Tokens come in many sizes and formats. Examples of some common token formats are included in the following table.

Tokens can be generally identified as either single-use or multi-use. A single-use token is typically used to represent a specific, single transaction. A multi-use token represents a specific PAN, and may be used to track an individual PAN across multiple transactions. A multi-use token always maps a particular PAN value to the same token value within the tokenization system. Determining whether single-use or multi-use tokens, or a combination of both, are appropriate for a particular merchant environment will depend on the merchant’s specific business need for retaining tokens.
When evaluating a tokenization system, it is important to consider all elements of the overall tokenization solution. These include the technologies and mechanisms used to capture cardholder data and how a transaction progresses through the merchant environment, including transmission to the processor/acquirer. The tokenization solution should also address potential attack vectors against each component and provide the ability to confirm with confidence that associated risks are addressed.
The security and robustness of a particular tokenization system is reliant on many factors, including the configuration of the different components, the overall implementation, and the availability and functionality of security features for each solution.

Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

Follow MyPOSDepot & Receive Exclusive Offers!
        

What is interchange?

Grant @ myposdepot

Visa, MasterCard, and Discover do not issue any credit cards. Rather, they license their payment brands to Issuers and Acquirers. Issuing banks are the entities that provide the consumer, with the credit cards in their pocket. Acquirers are the entities that process the transactions. We are part of the acquiring side. As a registered Independent Sales Organization (ISO) of Visa and MasterCard, we pay them thousands of dollars a year for the privilege of using those brands.

Transaction Process

As shown in the Transaction Process above, Visa, MasterCard, and Discover do not approve transactions. The bank that issued your credit card approves the transaction. The issuing bank takes on the risk that the consumer will pay them back for the items they purchase. In turn, the issuing bank gets paid Interchange-not Visa and MasterCard

The cost of interchange depends on the card type that is presented. A check card, which is tied to your checking account, is a low risk, low cost interchange. If you don’t have money in your checking account, the transaction is declined.

Corporate, government and foreign credit cards are high risk. They have the highest interchange rates. You may ask why. Simply, if someone from a foreign country buys an item here but refuses to pay for it later, perhaps because of a dispute, it is very difficult, sometimes almost impossible to get that money back. Also, people in corporations and government make purchases that are not authorized by higher management. If they quit or are terminated, these entities will often dispute the charges as unauthorized. This makes these three card types high risk.

Grant Rowlands
National Account Executive
P: (866) 480-2433

Follow MyPOSDepot & Receive Exclusive Offers!

             

PCI compliance checklist-

Grant @ myposdepot

The issue of merchants becoming “PCI Compliant” has raised a lot of questions surrounding what a merchant must do to become compliant in the payment card industry.  Compliance rules and regulations have a lot to do with the type of business a merchant has and how they accept credit cards. Some of the benefits of following the standards set by PCI compliance include the following:

• Being compliant with the PCI DSS demonstrates that your customers’ private information is protected, so they can entrust their credit card payments to you without needing to worry about the security of their data.
• Compliance with PCI DSS enhances your business reputation and is held in high regard by banks and credit card companies — the very same corporations that help you do business and help you to gain customers trust.
• Following the PCI security standards helps you to demonstrate an ongoing commitment to enhance the shopping experience for your customers – and a genuine desire to protect their data by preventing security breaches.

The following 12 components form part of the PCI compliance checklist outlined by the PCI Security Standards Council. This checklist aims to establish and maintain a secure, impenetrable network focusing on security of payment brands users.

• Install and keep updated a firewall between the public network and the payment card data
• Change vendor-supplied passwords that come with network and payment processing equipment
• Protect any customer data stored for business purposes or regulatory purposes
• Encrypt all transmissions of customer data over any public network
• Maintain antivirus software in all of your computers
• Deploy only secure card processing applications and systems
• Limit access to the customer payment data to as few people as possible on the “need-to-know” basis within your business
• Use building entry authentication such as visitor and employees badges with identification to limit access to stored data
• Keep restricted physical access to business computers and customer data
• Regularly test security applications and any PCI security processes that you have in place
• Keep all employees informed about your information security policies

Generally, a merchant will implement what is necessary to ensure these requirements are adhered to. Evaluation of the PCI security processes and the compliance checklist will help to ensure that your business is providing a secure environment and protecting customer data efficiently.

Grant Rowlands
National Account Executive
P: (866) 480-2433

Follow MyPOSDepot & Receive Exclusive Offers!

             

http://www.myposdepot.com

Are digital receipts and mobile card processing the next evolution of commerce?

Grant @ MyPOSDepot

How often have you waited in line at the local home improvement store for the one clerk to checkout 20 patrons; often with tired, screaming children running through the aisles?  Perhaps you’ve enjoyed a long meal at a Zagat-rated restaurant, and you’ve been waiting for over a ½ hour for your server to process your check.  You know the story; its wait, wait, and wait some more!  Waiting is what we seem to do best these days.  If you’re like me, when you purchase a product or service, you want to get in and out of the retail environment as soon as possible, with no complications at the register.

Recently, an increasing number of retailers and restaurants are offering mobile credit card processing as a solution to alleviate these long checkout queues, as well as enjoy other benefits to the merchant and consumers.  In a nutshell, the merchant utilizes a placement reader or card swiper that attaches directly to a smartphone, such as the iPhone, Android or Blackberry.  A smartphone app downloaded by the merchant provides the technology for credit card processing, digital signatures and electronic receipt transmission to the customer.  The merchant swipes the customer’s card through the placement reader, the card transaction processes in the background, the customer signs the smartphone screen and a receipt is emailed to the customer’s email inbox.

Beyond the obvious convenience factor of reducing retail checkout queues and the efficiency of emailing a receipt directly to a customer email inbox, merchants are starting to tout the other benefits that accompany mobile credit card processing.  Merchants that are migrating towards paperless, digital receipts are finding that expensive to maintain receipt printers are no longer necessary.  This in turn reduces the merchant’s receipt paper and printer ink costs.  With a reduction of paper usage, merchants can now champion the environmentally friendly aspect of paperless receipts in their green marketing campaigns.  Customers also appreciate the green alternative to a crumbled receipt that often gets misplaced.

Cardholder security is a major concern for both merchants and customers alike.  Most mobile processing systems are equipped with rigorous encryption standards that meet or exceed conventional processing terminals.  For example, Alpha Card Service’s QwickPAY mobile processing device surpasses current PCI DSS standards by combining multi-layered MagneSafe™ security, in addition to encrypting card data from the point-of-swipe.  The QwickPAY service enables merchants to use their existing mobile devices to make secure, card present transactions anytime and anywhere, without the concerns of storing sensitive card data.

Smartphone with QwickPAY

QwickPAY digital receipt

For merchants, there are clear opportunities for direct marketing with obtaining the customer’s email address.  Special offers, coupons, newsletters and social media outreach are all possible with this direct relationship with the customer.  However, some privacy advocates have expressed concern that obtaining customer email accounts constitute an intrusion into personal information.  As electronic receipts have been optional for consumers thus far, most of these concerns are unfounded.

As a person who is frequently impatient with long lines and slow checkout staff, I fully embrace this transformation to digital receipts and mobile credit card processing.

Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

http://www.myposdepot.com

Follow MyPOSDepot & Receive Exclusive Offers!

             

The true cost of Credit Card Data Breaches

The true cost of Credit Card Data Breaches

The most recent study conducted by the Ponemon Institute on Data Breach in the United States indicates that the cost of credit card data breaches continues to rise.  Most merchants think Data Breach is a fee associated with the protection of the credit card processing company if a merchant has a breach of personal information.

A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media. Definition “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Dr. Ponemon draws out some highlights from the study, including:

·         Rapid response to data breaches costs more. This could be because customers are being notified when no risk is present – companies that use forensics to narrow the customers to those only at risk will lower costs

·         Malicious criminal attacks are causing more breaches (31% in 2010, up from 24% in 2009 and 12% in 2008)

·         Malicious attacks are the most expensive because they are harder to detect and remediate

·         Negligence is the leading cause of data breaches (41%)

In addition to the cost of data breach that can be measured financially there are also cost associated with the company’s reputation and consumer brand perceptions the measurable financial costs associated with a breach, there are inevitably costs associated with the impact on company trust when data breaches occur.  Some experts predict that consumers are becoming more immune to data breaches because large brands like Sony & Citi Group have been affected. Another study done by the Ponemon Institute disputes that assumption.  The study found that 63 percent of consumers were not satisfied with data breach notification and response methods.  Thirty one percent of consumers polled said they terminated their relationship with the organization.  Twenty-six percent said they took no action after being notified, while 57 percent said they lost trust and confidence in the organization that suffered the security breach.

The study supports the argument that consumers are not immune to data breach and it can have a lot more than a short term financial strain on the brand. Consumers are becoming more knowledgeable on data security and proactive with researching brands before they provide them with vital information.

Gartner Research predicts the following regarding the cost and security related to data breach and protection:

·         By 2012, 3% of enterprise customers’ desktops will be infected with financially targeted malware, leading to dramatic enterprise security upgrades.

·         By 2015, all G8 member nations will have created a linked network of “walled garden” domestic Internets.

·         Through 2015, mitigating data breaches will cost 10 times more than installing data protection mechanisms on mobile devices.

·         By 2015, 40% of the security controls used within enterprise data centers will be virtualized.

·         Through 2013, 80% of enterprises that adopt “bring your own PC to work” programs will see their botnet compromise rates increase by 100% or more.

Gartner Research did a case study on data breach specifically in the credit card industry and the cost is projected to increase.

·         In 2007 it was $197 per breached record;

·         In 2008 it was $202; in 2009 it was $204.

The cost per breached record in 2010 was $214, a significant increase over the $2 – $3 increase per record seen in each year past. With the information provided in these study’s and the major brands who have been effected by data compromise the future of data breach security will be very interesting and most likely expensive.

 

Grant @ myposdepot

Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368

  

Follow MyPOSDepot & Receive Exclusive Offers!

             

Who are the “players” in the credit card industry?

THE PLAYERS IN THE INDUSTRY

Cardholder (Consumer)

Holds MasterCard or Visa credit card issued by a bank with a line of credit

Card Issuer

(Financial Institution and/or Bank) Licensed member of MasterCard and/or Visa; in which, they issue bank credit cards to consumers and applicants. They receive interchange from every transaction (see interchange chart)

Merchant Acquirer

Solicits screens, accepts and sets up merchants with its bankcard program. It uses front-end networks to authorize credit card transactions and back back-end networks to settle the funds

Merchant

Any business entity that is approved to accept credit cards as a form of payment. If a merchant is approved to accept credit cards they must accept all credit cards, they can’t refuse to take a particular card. A merchant can’t “surcharge” a cardholder paying with a credit card. Also, a merchant can’t require a minimum purchase for accepting credit cards

Member Service Provider

Third party organizations approved and registered with Visa and MasterCard to offer processing Services; also known as Independent Sales Organizations (ISO’s). My POS Depot is a Member Service Provider.

MasterCard & Visa International

Worldwide payment service organization made up of Financial Institutions (banks). They manage the industry, monitor fraud, and set the rules and regulations. They also market their brand to the public

Merchant Level Sales Representative (MLSR)

They market the products and services from a Member Service Provider to merchants allowing the merchants to accept credit cards, debit cards, checks, EBT, gift & Loyalty cards, Cash advance, and ATM services.

http://www.myposdepot.com

 

grant @ myposdepot

growlands@myposdepot.com

http://www.myposdepot.com