Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.


  • Magento Security Center
  • Christine Speedy, 3D Merchant Services, offers Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.



Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation.

PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 enewsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it- you’re company is one of the many struggling to keep up with new rules.

Have you noticed $19.95 fee sneak back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL.  Fight back to stop these monthly fees. Not only is it premature, but the Payment Card Industry Security Standards Council (PCI SSC) changed the migration to date requiring TLS 1.1 encryption or higher from June 2016 to June 2018.

 Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.


  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.

Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Click here to search the Visa service provider database 

Software Updates
Reminder: PCI section 6.1 mandates software security updates be applied within 30 days.  With all the activity lately, that means every month. Windows XP users are automatically non-compliant. Click here for Internet Explorer & other Microsoft CRITICAL updates issued this year

CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos

Christine Speedy

Omnichannel payment solutions targeting  middle market ($10M to $1B per year), primarily to technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution.  Best of all, I’m agnostic- you can keep your merchant services or check processors. Call today for a free consultation and for answers about any burning question for business to business.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, … Continue reading ?

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in … Continue reading ?

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For … Continue reading ?

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role … Continue reading ?

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. … Continue reading ?

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Login to Paymentech Resource online- use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

4 Credit Card Processing Tips for Consultants & Accountants

profits Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk.  The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins. 
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.


  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.

Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway, is the only cost efficient and secure option for these business types.

It’s never Ok to store credit card forms that have the CVV2, or security code, on them. It’s also never Ok to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization, however not all gateways support this feature.

The best paper credit card authorization form, is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that let’s them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.


Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form