Credit Card - Security

Card Associations

Over the last few years each of the card networks has brought forth its own security initiative: Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), American Express’ Data Security Operating Policies (DSOP) and Discover’s Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program, setting one standard for Merchants to comply with: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS focuses on six areas of operation:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

For most Merchants, certifying to the PCI DSS standard means completing a detailed self-assessment form and receiving quarterly network scans from an independent auditor. For larger Merchants (6 million transactions annually or above), the regulations require a detailed onsite assessment. Even Merchants who process fewer than 20,000 transactions annually are required to comply with the regulations, even though they are not currently required to be validated by the Card Associations. Certification and compliance guidelines for smaller Merchants are dictated by their Merchant Bank.

Regardless of your size, failure to comply can lead to steep financial and operational penalties. The first time any of your data is compromised, the Visa fine will be $50,000. For any subsequent breaches, the fine goes up exponentially. More importantly, Visa, MasterCard, Discover and the other Card Associations can, and in fact have, taken away a Merchant’s ability to accept credit cards.

To help our customers’ efforts to comply with PCI DSS, Shift4 has created a preferred relationship with SecurityMetrics. SecurityMetrics is a certified assessor for Visa, MasterCard, American Express and Discover Card, and your best source for accurate, in-depth and up-to-the-minute information on security. We chose them for their outstanding customer support and for the preferred, industry-leading discount pricing they are offering our customers. You may contact SecurityMetrics directly at (801) 705-5665 or visit them online at www.securitymetrics.com. Be sure to reference your Shift4 account to receive the discounted pricing.

These regulations have been around long enough that any organization you choose to do business with should be able to provide you proof of its PCI DSS certification. A less stringent set of certification requirements, called PABP, has also been created and is detailed below. For more information regarding PCI DSS you can read Visa's PCI information.

Payment Application Data Security Standard (PA-DSS)

The Payment Card Industry Security Standards Council™ (PCI SSC) introduced the PA-DSS in 2008. It has its roots in Visa’s Payment Application Best Practices (PABP), and is a comprehensive set of payment application security requirements. Vendors who develop and sell payment applications to Merchants must have their products PA-DSS validated by a Payment Application Qualified Security Assessor (PA-QSA). Merchants who purchase and properly implement PA-DSS validated payment applications as part of their overall data security program can be assured that prohibited cardholder data, such as full magnetic stripe data, sensitive authentication data and PIN block data, is not retained or stored after authorization.

It is important to note here that Merchants who are using payment applications that are not PA-DSS validated, or in some cases not PABP validated, will never be compliant with the PCI DSS. Furthermore, an improperly configured PA-DSS validated payment application may also render a Merchant non-compliant with the PCI DSS.

Shift4 Corporation and all of the payment card associations endorse the PA-DSS, which includes the following security requirements:

  • Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
  • Protect stored cardholder data
  • Provide secure authentication features
  • Log payment application activity
  • Regularly monitor and test networks
  • Develop secure payment applications
  • Protect wireless transmissions
  • Test payment applications to address vulnerabilities
  • Facilitate secure network implementation
  • Cardholder data must never be stored on a server connected to the Internet
  • Facilitate secure remote software updates
  • Facilitate secure remote access to payment application
  • Encrypt sensitive traffic over public networks
  • Encrypt all non-console administrative access
  • Maintain instructional documentation and training programs for customers, resellers and integrators

The complete PA-DSS along with a list of qualified PA-QSAs and PA-DSS validated payment applications can be found by visiting the following website: www.pcisecuritystandards.org
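As an added example (not Shift4’s or the PCI SSC’s code, and not part of the original page), here is how a payment application can meet the first two requirements in the list above in practice: drop sensitive authentication data as soon as authorization is complete, keep only a masked card number, and scrub anything that still looks like a full card number out of free-text fields and log lines. The field names (`pan`, `cvv2`, `track2`, `pin_block`) and the sample record are assumptions constructed for the example.

```python
import re
from typing import Any, Dict, List

# Sensitive authentication data (SAD): PA-DSS says it must never be
# retained after authorization. Field names are assumed, not Shift4's.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed authorization record as a terminal might hand it over.
SAMPLE_AUTH: Dict[str, Any] = {
    "merchant_id": "EXAMPLE-MID",          # placeholder, not a real id
    "pan": "4111 1111 1111 1111",          # well-known test card number
    "expiry": "12/30",
    "cvv2": "123",                         # SAD: must not survive
    "track2": "<constructed track 2 data>",
    "pin_block": "<constructed pin block>",
    "amount": "19.95",
    "auth_code": "A1B2C3",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid 13-19 digit card number."""
    return any(luhn_valid(re.sub(r"\D", "", m.group(0)))
               for m in PAN_RE.finditer(text))


def find_leaked_pan_fields(record: Dict[str, Any]) -> List[str]:
    """Names of string fields that still carry a full card number."""
    return [k for k, v in record.items()
            if isinstance(v, str) and contains_pan(v)]


def sanitize_post_auth(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the copy of an authorization record that may be persisted.

    Every SAD field is dropped and the PAN replaced by its masked form,
    so a database dump or backup never contains prohibited data. If a
    full PAN survives anywhere else (e.g. typed into a memo), fail closed.
    """
    kept = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    leaked = find_leaked_pan_fields(kept)
    if leaked:
        raise ValueError(f"full PAN still present in fields {leaked}")
    return kept


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN embedded in a free-text log line."""
    def _repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_repl, line)


if __name__ == "__main__":
    print(sanitize_post_auth(SAMPLE_AUTH))
    print(scrub_log_line("AUTH approved pan=4111 1111 1111 1111 amt=19.95"))
```

Masking to the first six and last four digits is the usual display form; the Luhn check keeps the log scrubber from masking unrelated long numbers such as order ids, while the post-authorization check fails closed if a full card number has crept into a note field, which is exactly the kind of accidental retention that makes an otherwise validated application non-compliant.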

Take Control
You need to be the criminal lurking around your own business. Look for the ways a thief could get access to sensitive information about your customers. When you are in other Merchants’ businesses, look around their operation and see what they are doing wrong with cardholder information. If you can see it happening there, does it happen in your business?

Set an employee policy outlining access to sensitive customer information. Make your employees read and acknowledge it on a regular basis. Limit access to cardholder information and maintain a log of each of your employees’ access to the information. This is very hard to do and enforce without an automated system and database that gives each of your employees their own login and security rights, limiting their access to sensitive credit card data.

Digital video cameras and network storage have made video surveillance simple and affordable. You should be recording your employees’ actions at the cash register and in areas where information is stored. You should have a written policy outlining this and have your employees read and acknowledge it.

Test your employees. Call your business from a phone number they won’t recognize and ask some simple questions to try and learn a bit about your business from the employee on the phone. Will they tell you what kind of equipment is being used? What bank is used? The phone number you call for support? These are all simple and common questions that a thief will use to start learning about your business to try and commit fraud.

Make sure that you are destroying all credit card information on a regular basis. Storing bags of receipts in your office only invites a thief to walk in and take the bag. Some businesses keep years’ worth of printed credit card receipts sitting in boxes in their backrooms where any employee could get to them, and it could be a very long time, if ever, before anyone knew they were missing.

If you are running a website, consider purchasing Web Liability Insurance and Web Outage Loss of Income Insurance; just as you insure your physical business, insuring your website is important. Do not store cardholder information on your Web Server, and do not e-mail cardholder information. Both are the easiest places for hackers to gain access, and therefore access to your customers’ information. Use an SSL certificate to provide Secure Sockets Layer encryption of customer information between your Web Server and your customer’s Web Browser. Any of your computers that have access to the Internet should be hidden behind a Firewall to prevent unauthorized access by thieves looking for an easy target.

Have a policy/plan drawn up that identifies all the steps and measures necessary should you become aware that a breach of your security has been committed. Check with the state your business is in and find out what its requirements are for such a breach. Each state has different laws identifying the Merchant’s responsibility.

Summary of Laws & Regulations
There are a variety of law enforcement agencies involved with enforcing the laws that focus on credit cards and transactions. Check your local, state and federal laws to find out which pertain to credit cards and Merchants; no state in the U.S. accepts ignorance of the law as a defense. A good collection of these laws can be found at the FTC's Credit Website. And while you’re looking, visit the Fair Credit Billing Act.

There are also a variety of laws that pertain to safeguarding customers’ sensitive (private) information: California Database Protection Act, Gramm-Leach-Bliley Act, FTC Security Regulations applying to GLB, FTC Financial Institutions and Customer Data, U.S. Department of Treasury: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The U.S. Secret Service has been the primary law enforcement agency for credit card crimes, handling all levels of criminal activity involving them.

Reporting to Law Enforcement
One of the reasons thieves do what they do is that they believe they will get away with it. This holds true for credit card fraud and theft as well. If you experience criminal behavior in your business, you need to report it. If you assume the next person will report it and you don’t need to, the thief could go on forever and never face the consequences of his/her actions.
Immediately after an incident, gather all of the information you have regarding it, then sit down and outline a summary of the actions and facts. This will help make sure that you don’t forget anything later on when you talk to Law Enforcement.

Contact an appropriate Law Enforcement Agency and let them know what happened and that you wish to file a report.
