Payment Card Industry Data Security
This resource page is designed to provide important information regarding PCI's data security and compliance requirements.
Hackers Shift Attacks to Small Firms
Cyber Security Report Says Tough Times May Be Ahead for Small Businesses
The card associations require that all merchants validate PCI DSS compliance.
Note: SimpleGive clients please call 888-368-4483.
Use ControlScan to become PCI compliant
Vantage has selected ControlScan, an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council and a leading provider of security solutions, to provide personalized support that simplifies the PCI compliance process and helps you understand the security requirements. The ControlScan system wizard walks you through the Self-Assessment Questionnaire (SAQ), and a help desk is available where representatives can answer any questions you may have.
Every merchant is different, and some carry greater risk than others. For example, only merchants that process payments over the internet (rather than over dial-up connections) require an external vulnerability scan. As a market leader in PCI compliance, ControlScan will help your business achieve and maintain PCI compliance through the SAQ and quarterly external vulnerability scanning (Scan), both designed to uncover security gaps and recommend best practices to prevent data compromise. Additional tools include a Security Policy Builder and an internal Security Awareness training program.
- Go to www.controlscan.com/vantagecard
- Enter your merchant ID (878821000…) as your username
- Enter this generic one-time password: 'vantage123' (you will be required to change your password once logged in)
- Follow the wizard to complete your PCI validation and print your Compliance Certificate for display at your business.
If you need personal assistance, call ControlScan at 800-370-9180.
Merchants may choose to complete an SAQ on their own and can work with any PCI vendor they choose should a system scan be required. Vantage provides the ControlScan reference to help our clients meet PCI compliance at a reasonable price. Merchants can opt out of using the ControlScan service by providing a copy of their PCI validation certificate from an alternative vendor.
Please remember, there is a difference between security and compliance. While PCI compliance is a mandated point-in-time measurement of your security readiness, the underlying security requirements must be adhered to on a daily basis. In the event of a data compromise, merchants face significant fees and fines. The PCI DSS Validation does not affect your responsibilities associated with your merchant account in the event of a data compromise.
What is PCI?
PCI DSS is a data protection standard, and it spells out in detail how that protection should be implemented. This means PCI DSS is good not only for protecting payment card data but also for protecting your business and any personally identifiable information you hold about your customers and employees.
Specifically, the Payment Card Industry Data Security Standard (PCI DSS) prohibits storing sensitive authentication data after authorization: the full contents of any track from the magnetic stripe (or its chip equivalent), the card verification code (CVV2/CVC2/CID) and the PIN or PIN block. Storing this data, even in encrypted form, violates PCI DSS and the card companies' operating regulations. The standard also sets security requirements for transmitting cardholder data over open, public networks.
It is important that merchants implement proper safeguards to prevent fraud. The primary threat is a POS system connected to the internet through an insecure network environment. If your POS system is connected to the Internet, hackers can compromise the computer network at your location and steal cardholder data. Don't assume it will not happen to you: merchants just like you are being compromised, and it is putting their businesses at risk. Please protect yourself, your business and your customers' data.
Please act now to secure your system and comply with the Payment Card Industry Data Security Standard. Additional comprehensive information can be obtained at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml .
The Financial Risk of a Breach
If full magnetic-stripe data is stored on your system's hard drive or in log files and is stolen from your system, criminals can manufacture counterfeit cards and use them at other stores to buy electronics, jewelry and so on, and you are responsible for those fraudulent card sales performed at other stores! These compliance chargebacks can quickly add up to tens, even hundreds, of thousands of dollars. So until the card acceptance rules change (which Vantage is strongly lobbying for), your business is responsible not only for chargebacks on sales you make but also for chargebacks on fraudulent sales made at other merchants using card data stolen from your system!
A hacker can mine cardholder data from your system for days, weeks or months, then wait a year or more before using the stolen data. Once the stolen cards are used, the card brands' Compromised Account Management System (CAMS) traces them back to a common point of purchase. As the rules and regulations now stand, once your business has been identified as the compromised location, YOU are responsible for the costs of a POS forensic examination, remediation, mandated security monitoring, fines and chargebacks!
Good Advice: Contact your business insurance provider and ask them about a comprehensive data compromise rider to cover you in case of a breach.
Additional Resource Links
Review the following Reference Tools for security audit procedures, self-assessment questionnaires, a list of validated payment applications and more…
Visa's Payment Application Best Practices (PABP), the predecessor of the PCI Council's PA-DSS. A list of PABP-validated applications is available at www.visa.com/pabp. A list of PA-DSS validated applications is available at: www.pcisecuritystandards.org/security_standards/vpa/.
We also recommend you review these PDF documents:
PCI Quick Reference Guide
PCI DSS FAQs
Visa Merchant Security Guide
The Payment Card Industry (PCI) Data Security Standard
PCI Data Storage Do's & Don'ts at a Glance
It is critical that you do not use payment applications known to retain prohibited data elements, and that you take corrective action to address any identified deficiencies, because these applications are at high risk of being compromised.
Payment Application Best Practices
- Upgrade to a secure payment application immediately. Confirm with your POS vendor that your specific payment application version is PA-DSS validated.
- In addition to upgrading your payment application, any historical storage of prohibited data must be located and securely deleted from all systems, databases and log files.
- Enforce network security on your POS. Insecure networks connected to the internet are prime candidates for attack.
- Secure remote management applications such as pcAnywhere with strong, unique credentials, and turn on your remote management software ONLY when it is needed.
- Don't store it if you don't need it, and avoid fines, lawsuits and bad press. If you must store cardholder data, take the steps the data security standards require to protect it.
- Skimming fraud can be addressed with new Pay at the Table solutions.
- Process your card payments using a credit card terminal not tied to your POS.
- Invoice your clients using a branded Secure Checkout page.
- Use a tokenization solution for repeat and recurring transactions so that card data is held by the processor rather than on your systems, reducing your PCI scope.
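Before prohibited data can be "securely deleted from all systems, databases and log files" it has to be found, and POS debug logs are the usual place it hides. The scanner below is an added example written for this page, not a ControlScan, Vantage or PCI Council tool: it searches text for full track 1 and track 2 data, bare primary account numbers (validated with the Luhn check so that order numbers and timestamps are not reported) and labelled card-verification fields. The log lines in SAMPLE_LOG are constructed with well-known test card numbers; the format is an assumption, and any real log will need its own separators. Findings are reported with the PAN masked (first six and last four digits) so that the scan report does not itself become a new store of prohibited data.

```python
"""Scan POS logs or exports for prohibited cardholder data (added example).

Assumes plain-text input; SAMPLE_LOG is constructed and uses public test card
numbers. Findings never contain the full PAN or the verification value.
"""
import re
from pathlib import Path

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?\s]*\??")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?\s]*\??")
# Bare PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A verification value stored next to a label, e.g. cvv2=123 (the value itself is never reported).
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, as permitted for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, source: str = "<text>"):
    """Return a list of (source, line_no, kind, detail) for each prohibited element found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        track_spans = []
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                track_spans.append(m.span())
                findings.append((source, line_no, kind, mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in track_spans):
                continue             # already reported as part of a track
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((source, line_no, "pan", mask(digits)))
        for m in CVV_RE.finditer(line):
            findings.append((source, line_no, "cvv", m.group(1).lower()))
    return findings


def scan_file(path):
    """Scan one file on disk (bytes that do not decode are replaced, not skipped)."""
    p = Path(path)
    return scan_text(p.read_text(errors="replace"), str(p))


# Constructed sample: one clean line, two lines with full track data, one keyed
# entry that logged the PAN and CVV2, and an order number that is not a card.
SAMPLE_LOG = """\
2019-03-04 10:22:01 POS1 auth ok txn=1000231 amount=42.17 card=411111******1111
2019-03-04 10:22:01 POS1 DEBUG raw=;4111111111111111=25121011000012345?
2019-03-04 10:23:45 POS1 DEBUG swipe=%B5555555555554444^DOE/JANE^2512101?
2019-03-04 10:25:00 POS1 keyed pan=378282246310005 cvv2=123 exp=2512
2019-03-04 10:26:10 POS1 order=1234567890123456 customer=7
"""

if __name__ == "__main__":
    for source, line_no, kind, detail in scan_text(SAMPLE_LOG, "sample.log"):
        print(f"{source}:{line_no} {kind} {detail}")
```

Run it against the real log directories and databases dumps with scan_file; every hit is a location that must be purged and, more importantly, a code path in the payment application that is still writing prohibited data and must be fixed or replaced.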
What to Do If Compromised
In the event of a security incident, merchants must take immediate action to investigate the incident and limit the exposure of cardholder data. Please notify us right away. The following steps, used in conjunction with the instructions in Visa's What To Do If Compromised document, should be followed in the event of a security incident:
- Immediately contain and limit the exposure
- Isolate compromised systems from the network, but do not log on to, power off or otherwise alter them
- Preserve evidence for forensic investigation
- Work with your internal information security and incident response team
- Keep a log of all actions taken and maintain chain-of-custody control over all evidence
- Be on high alert and monitor traffic on all systems with cardholder data
- Notify local law enforcement
- Consult with your legal department regarding state and federal notification laws
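The two evidence steps above, preserving evidence and keeping a chain-of-custody log, are only useful if the forensic examiner can later show that neither the evidence nor the log was altered. The script below is an added example for this page, not part of Visa's or Vantage's guidance: it records each custody event (collected, transferred, imaged) with a SHA-256 of the evidence item and the hash of the previous entry, so that a changed file or an edited log line is detected when the log is verified. The file names, handler names and the disk-image contents in run_demo are constructed.

```python
"""Tamper-evident chain-of-custody log for breach evidence (added example).

Every entry carries a SHA-256 of the evidence file and of the previous entry,
so the log is a hash chain. Paths and contents in run_demo are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

GENESIS = "0" * 64   # "previous hash" of the first entry


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of every field except the entry's own hash, in canonical JSON order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def read_log(log_path) -> list:
    p = Path(log_path)
    if not p.exists():
        return []
    return [json.loads(line) for line in p.read_text().splitlines() if line.strip()]


def record(log_path, action: str, evidence_path, handler: str, note: str = "") -> dict:
    """Append one custody entry (collected, transferred, imaged, ...) and return it."""
    entries = read_log(log_path)
    entry = {
        "seq": len(entries) + 1,
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "action": action,
        "evidence": str(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "note": note,
        "prev": entries[-1]["entry_hash"] if entries else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify(log_path) -> dict:
    """Re-check the hash chain and re-hash every evidence file that is still present."""
    chain_ok, evidence_ok = True, True
    prev = GENESIS
    for e in read_log(log_path):
        if e.get("prev") != prev or _entry_hash(e) != e.get("entry_hash"):
            chain_ok = False
        if Path(e["evidence"]).exists() and sha256_file(e["evidence"]) != e["sha256"]:
            evidence_ok = False
        prev = e.get("entry_hash", "")
    return {"chain_ok": chain_ok, "evidence_ok": evidence_ok}


def run_demo() -> dict:
    """Constructed scenario: two entries, then an altered image, then an edited log line."""
    d = Path(tempfile.mkdtemp())
    img, log = d / "pos1-disk.img", d / "custody.log"
    img.write_bytes(b"constructed disk image contents")            # stands in for a real image
    record(log, "collected", img, "A. Analyst", "POS1 disk image, store #12")
    record(log, "transferred", img, "B. Investigator", "handed to forensic examiner")
    clean = verify(log)
    img.write_bytes(b"constructed disk image contents, altered")   # evidence tampered
    after_file_change = verify(log)
    lines = log.read_text().splitlines()
    lines[0] = lines[0].replace("A. Analyst", "Z. Nobody")         # log entry edited
    log.write_text("\n".join(lines) + "\n")
    after_log_edit = verify(log)
    return {"clean": clean, "after_file_change": after_file_change, "after_log_edit": after_log_edit}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the log is written to a separate, write-once location (or printed and signed at each hand-off) and the evidence hashes are also given to the forensic examiner out of band; the chain makes silent edits visible, it does not stop someone from rewriting the whole file.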