Merchant Account Provider - Accept Credit Cards - Credit Card Processing

PCI DSS

Payment Card Industry Data Security
Data security issues continue to become more prevalent and capture news headlines. It is important that merchants implement proper safeguards to prevent fraud. The primary threat has to do with your POS system connected to the internet and your network environment.

The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the full contents of any magnetic stripe, CVV2 or PIN data. Storing this type of data violates PCI DSS and the card companies' operating regulations.

Restaurants are at high risk of being compromised. Approximately 62% of known compromises last year involved a restaurant, and nearly all compromises involved data that should not be stored by merchants. This is the largest percentage of incidents among merchant groups.

If your POS system is connected to the Internet, hackers can compromise computer networks within your location to steal cardholder data! Don't think it will not happen to you. Merchants just like you are getting compromised, and it is putting their businesses at risk. Please protect yourself, your business and your customers' data.

It is very important to secure any type of PC-based point-of-sale payment system used to accept credit and debit cards. Please act now to secure your system and comply with the Payment Card Industry Data Security Standard.

ALERT! The Financial Risk of a Breach
If full mag-stripe data is stored on your system's hard drive or in log files and this data is stolen from your system, criminals can manufacture counterfeit cards and use them at stores to buy electronics, jewelry, etc., and you are responsible for these fraudulent card sales performed at other stores! These compliance chargebacks can quickly add up to tens, even hundreds, of thousands of dollars. So until the card acceptance rules change (which Vantage is strongly lobbying for), your business is responsible not only for chargebacks on sales you make but also for chargebacks on fraudulent sales made at other merchants with card data stolen from your system!

A hacker can mine cardholder data from your system for days, weeks, or months, then wait a year or more before using the stolen data. Once the stolen cards are used, a sophisticated "Compromised Account Management System" will track them back to a common place of purchase. As the rules and regulations now stand, once your business has been identified as the compromised location, YOU are responsible for the costs of a POS forensics exam, remediation, mandated security monitoring, fines and chargebacks!

Resources
Vantage has launched a series of online security training courses. We strongly encourage you to use the information, tools and resources available. Education and due diligence are the keys to protecting your business.

PCI Compliance course brochure
Assess your Vulnerabilities course brochure

Review the following Reference Tools for security audit procedures, self-assessment questionnaires, a list of validated payment applications and more.

The best place to start is to check your POS software version number against the certified payment application list available at www.visa.com/pabp, where you will find a list of validated payment applications (make sure your POS is on the list) and best practices. We also recommend you review these PDF documents:

Visa Merchant Security Guide
Visa_Keep_Data_Security_on_the_menu
The Payment Card Industry (PCI) Data Security Standard

It is critical that you do not use payment applications known to retain prohibited data elements, and that you take corrective action to address any identified deficiencies, because these applications are at risk of being compromised.

Protect yourself: Payment Application Best Practices

  • Upgrade to a secure Payment Application immediately. For your records, get a certification letter from your POS vendor stating that your specific payment application version is PCI compliant.
  • In addition to upgrading your payment application, any old storage of prohibited data must be securely deleted from all systems, databases and log files.
  • Enforce network security on your POS. Insecure networks connected to the Internet are prime candidates for attacks.
  • Secure remote management applications like PCAnywhere. Turn on your remote management software ONLY when needed.
  • Don't store it if you don't need it, and avoid fines, lawsuits and bad press. If you do store it, take steps to protect your customers' data to meet data security compliance standards.
  • Skimming fraud can be addressed with new Pay at the Table solutions.
  • Process your card payments using a credit card terminal not tied to your POS.

The primary threat has to do with your POS system and network environment. You can upgrade your POS software version and firewall and then constantly monitor your IT network. But this is not your only option. An inexpensive alternative is to process your card payments using a credit card terminal not tied to your POS. Stand-alone credit card terminals are PCI compliant and are not at risk from a hacker. These units are small, with built-in thermal printers, and offer high-speed IP connections with dial backup. You can even tie multiple units together without a network for a single batch settlement. Separating the payment technology from the rest of your POS functionality offers a low-tech way of meeting pressing security concerns. All it takes is to reconcile the POS sales report with your card terminal's batch report, which, unlike IT, is a skill set that most of us have. By separating the payment component from your POS, you can avoid the threats from hackers compromising your POS network, as well as costly upgrades to your POS and the ongoing validation procedures and security scans needed to ensure your POS system, firewall and network are secure.

Important PCI Update
Effective January 1, 2008, Phase 1 of the Visa Payment Application Mandates stipulates that no merchant may be boarded that uses a payment application identified as storing vulnerable data. The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the full contents of any magnetic stripe, CVV2 or PIN data. Merchants are at high risk of being compromised if they use payment applications that store prohibited data or have security weaknesses.

Copyright © 1996-2010 Vantage Card Services, Inc. All Rights reserved. ISO/MSP of HSBC Bank USA, National Association, Buffalo NY