You completed PCI Rapid Comply, what’s next?


Screenshot of PCI Rapid Comply by First Data home page

You’ve completed the online forms at PCI Rapid Comply, what’s next? By now you already know that PCI is not a quarterly or annual event.

First, if you received a notice of noncompliance, print the web page shown above and send it to your merchant processor relationship manager to stop recurring non-compliance fees, if applicable.

Next, go to MY DOCUMENTS and download everything. These are starter documents to help you with compliance, but you’ll need to modify and add some information.

For example, on the incident response form, you’ll need to add the responsible names and contact information.

The security policy should be reviewed and disseminated to all employees who handle payments or are involved in network security. I recommend HR manage the confirmed receipt as part of employee performance reviews. You may want to create a test to validate employee understanding, and record the date and time of completion to prove compliance.

  • The Risk Management Guide has a number of blanks to fill in. If you have retail transactions, you’ll need to create a monitoring and inspection program, which includes the serial numbers and locations of all equipment.
  • Enter the network administrator and payment administration contacts on the access control guide. If you’re a CenPOS user, most of this requirement is managed with CenPOS Roles & user management.
  • Maintaining and monitoring your program is a critical component of PCI 3.0. If you don’t currently have a compliance officer, create accountability by assigning someone to ensure monitoring is completed on schedule.

About PCI Rapid Comply: PCI Rapid Comply is a First Data service available to all their merchants. First Data merchants can use this or a third party service of their choice.

About 3D Merchant Services author Christine Speedy: Offers payment gateway and cloud solutions to reduce scope and PCI Compliance burden. No new merchant account is required, however merchant services are available upon request. PCI Rapid Comply is available to merchant clients on select processor platforms, at no additional fee.

 

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064, USA
954-942-0483

PCI SECURITY STANDARDS COUNCIL PUBLISHES SECURITY AWARENESS GUIDANCE

October 30, 2014. In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions. Best Practices for Implementing a Security Awareness Program v1.0, a 25-page PDF, is recommended for IT and PCI compliance leaders.

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents.

The free guidance will help merchants establish security standards in their business.

 

PCI DSS version 3.0 : January 2015 Deadline Looms


Merchants who submit annual SAQs can continue to validate compliance with 2.0 SAQs until January 1, 2015. If a merchant’s annual validation occurs in December, they’re not mandated to validate with version 3.0 until December 2015.

Are you ready? Every merchant is impacted by the updates, which are considerable. The PCI DSS Quick Reference Guide is 40 pages, so there will be no attempt to duplicate it here. Here are some issues merchants most likely need to address:

  1. Maintain an inventory of system components that are in scope for PCI DSS and, further, protect devices from tampering. Merchants have to identify all software, hardware and networks, what each is used for, and why it’s needed. This is a difficult task for larger retail operations where equipment is regularly moved and replaced. To comply, there must be a plan to regularly inspect equipment with serial number verification.
  2. Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties. Even if they are in place, it is rarely the case that every employee is fully informed. Adding a component to HR employee reviews is the simplest way to initiate a system.
  3. Render the PAN unreadable anywhere it is stored: the card number must be unreadable per requirement 3.4.
  4. The CAV2/CVC2/CVV2/CID can never, ever be stored. OK, this one is old, but it’s still abused, so it’s being repeated again. It’s NOT OK to store it “for a while”.
  5. Control physical access for on-site personnel; access is authorized based on individual job function and revoked immediately upon termination. The vast majority of companies have little control over employee access by job function. Their equipment or software simply has too many limitations. Merchants need to micro-manage what employees can do, and document each employee’s interaction (who processed what transaction, etc.).
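
Item 1 above (and the monitoring and inspection program the Risk Management Guide asks for) boils down to a reconciliation: what the merchant believes is deployed versus what an inspector actually finds at each lane. The following is an added example written for this page, not code from the original post or from CenPOS; the inventory, the inspection report, the serial numbers and the 45-day inspection interval are all constructed sample data, and the finding labels are this example’s own.

```python
"""Added example: reconcile a payment-device inventory against a physical
inspection report, flagging the conditions an inspection program exists to
catch: a device that is not where it should be, an unknown device that has
appeared at a lane (possible substitution), evidence of tampering, and
devices whose last inspection is overdue.  All data below is constructed."""
from datetime import date

# Constructed inventory: what the merchant believes is deployed.
INVENTORY = [
    {"serial": "R-1001", "model": "Reader-A", "location": "Store 1 / Lane 1", "last_inspected": "2014-10-01"},
    {"serial": "R-1002", "model": "Reader-A", "location": "Store 1 / Lane 2", "last_inspected": "2014-10-01"},
    {"serial": "R-2001", "model": "Reader-B", "location": "Store 2 / Lane 1", "last_inspected": "2014-08-15"},
]

# Constructed inspection report for one store visit.
INSPECTION = [
    {"serial": "R-1001", "location": "Store 1 / Lane 1", "seal_intact": False},
    {"serial": "R-9999", "location": "Store 1 / Lane 2", "seal_intact": True},
]
INSPECTED_LOCATIONS = ["Store 1 / Lane 1", "Store 1 / Lane 2"]


def reconcile(inventory, inspection, inspected_locations):
    """Return a sorted list of (finding, serial, location) tuples.

    Only locations that were actually visited can produce MISSING findings;
    a device at an unvisited store is simply not evaluated this round."""
    by_serial = {dev["serial"]: dev for dev in inventory}
    findings = []
    seen = set()

    for obs in inspection:
        seen.add(obs["serial"])
        dev = by_serial.get(obs["serial"])
        if dev is None:
            # A serial the merchant has no record of: possible swapped device.
            findings.append(("UNKNOWN_DEVICE", obs["serial"], obs["location"]))
            continue
        if obs["location"] != dev["location"]:
            findings.append(("MOVED", obs["serial"], obs["location"]))
        if not obs["seal_intact"]:
            findings.append(("TAMPER_EVIDENCE", obs["serial"], obs["location"]))

    for dev in inventory:
        if dev["location"] in inspected_locations and dev["serial"] not in seen:
            findings.append(("MISSING", dev["serial"], dev["location"]))

    return sorted(findings)


def overdue(inventory, today_iso, max_age_days):
    """Serials whose last recorded inspection is older than max_age_days."""
    today = date.fromisoformat(today_iso)
    late = []
    for dev in inventory:
        age = (today - date.fromisoformat(dev["last_inspected"])).days
        if age > max_age_days:
            late.append(dev["serial"])
    return late


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, INSPECTION, INSPECTED_LOCATIONS):
        print("%-16s %-8s %s" % finding)
    print("overdue:", overdue(INVENTORY, "2014-11-10", 45))
```

Run as written, the report shows tamper evidence on R-1001, R-1002 missing from its lane with an unrecorded R-9999 in its place, and R-2001 overdue for inspection. Each of those is a line item the compliance officer from the previous section would follow up, and the printed output is the kind of dated record that demonstrates the program is actually being run.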

Goals of the PCI Data Security Standard
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI is an ongoing 3-step process
  • Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  • Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
  • Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.

US Homeland Security Alerts: “Shellshock” Vulnerability

Over one thousand merchants have been impacted by issues for which the US Computer Emergency Readiness Team has issued alerts.

‘Shellshock’ is a critical vulnerability reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X.

PCI Security council released an alert for merchants https://www.pcisecuritystandards.org/pdfs/14_10_15%20PCI%20SSC%20Bulletin%20on%20Shellshock_Final.pdf

 

Is it OK for sales reps to collect credit card data?


If salespeople accept credit cards, instead of writing down credit card data on paper, sales should immediately process the transaction or enter sensitive payment data into a secure payment portal to encrypt and tokenize for future use.

What’s the best practice for sales reps to collect credit card data? This question primarily pertains to business-to-business companies, where billing may be done later by the credit or finance department. The initial sale, and possibly future sales, require a credit card.

Option 1: Eliminate sales from ever touching credit card data. This can be achieved by:

  • Creating an online payment page. The customer self-creates an account and manages their payment data, including whether they want to store it.
  • Using a ‘request for payment’ service. This is a slimmed-down version of electronic bill presentment and payment (or EBPP Lite). The user enters whatever customer data management requires, including email or mobile number, invoice number, and amount due. The customer immediately receives a link to a unique secure URL to make the payment.
  • EBPP – there are multiple methods to send an electronic invoice for the customer to pay, both integrated and non-integrated. This may be less desirable for new customers.

Option 2: If the salesperson physically meets with the customer, use an enterprise mobile payment solution to include card reader, point to point encryption, tokenization, and data management for both card present and card not present transactions.

It’s much harder for merchants to maintain PCI compliance while mitigating the risk of losses due to disputes or fraud when sales staff use alternative methods, including paper authorization forms.

PCI Compliance Requirement: Stored Cardholder Data on Paper

For businesses that are still storing cardholder data on paper, are you really PCI Compliant? Meeting requirement 9, restricting physical access to cardholder data, is a lot harder than you may think. Here are some key questions you may face in the event of an audit, which is required in the event of a data breach.


  • Do you have a secure storage area exclusively for sensitive payment data?
  • Can you show an audit trail of everyone who accessed the secure area where the card data is stored, with date and time?
  • Is that area restricted to only those personnel who need access to that information?
  • Do you have a log to maintain a physical audit trail of visitor information and activity in any area that payments are processed, including visitor name and company, and the onsite personnel authorizing physical access?
  • Do you have a visitor badge system that expires for all visitors authorized to enter areas where cardholder data is processed or maintained?
  • Do you have an audit trail for the documents (created, removed from storage, and returned to storage) with names and dates?

Let’s face it, the requirements for PCI compliance are so cumbersome, what merchant would want to store card data on paper? The argument that PCI Compliance paperwork takes more time for online solutions than for desktop terminals may be true, but the daily operational efficiencies and security gained far outweigh any extra paperwork.

3 Private Duty Home Health Care Provider PCI Compliance Mistakes

As a business owner, PCI Compliance, or payment card industry data security standards, should be a priority, but too often owners are given poor advice or simply haven’t found a way to fix the problem of collecting and storing credit card data. Here are 3 major mistakes and how to fix them.


MISTAKE 1: PATIENT CARE MANAGEMENT AGREEMENT & INTAKE PAYMENT FORM ON PAPER

Most companies have an intake form with terms and conditions for payment, which includes fields for credit card authorization with full card data.

Employers entrust home health care provider staff and contractors with people’s lives, so surely they can be trusted with credit card information too, right? Not necessarily. Whether intentional or by mistake, there are many ways the data can be compromised, and as an owner, the penalties in the event of a breach leading to identity theft could be crippling.

  • What if the forms are left in a car (lunch breaks, forgot to bring them in the house overnight, etc.) and they’re stolen?
  • How are forms returned to the home office for processing? Are those methods secured every step of the way?
  • The form needs to be cross-cut shredded. If the right shredder isn’t provided for home offices, how can one be sure the employee invested in one?
  • Merchants can never store the CVV or security code. If the form is needed for any purpose, can the sensitive payment data be cut off and shredded without compromising the purpose of the document?

MISTAKE 2: RECURRING BILLING PROCEDURES

There’s a variety of excuses why the paper form needs to be kept on file so the card can be charged for each billing period, but all of them are baseless if the provider does their homework on alternative solutions.

  • Stored paper forms present significant risk. Cleaning staff, vendors and trusted employees all have potential access to the data. A top reason cited for data breaches is, “it was easy”, and this tops them all.
  • Businesses with up to 100 employees are at extremely high risk for identity theft.

Additionally, it’s just plain inefficient to manage billing by key entering the same card data over and over again.

MISTAKE 3: ENTERING DATA INTO COMPUTER SOFTWARE

Gathering the data digitally has the potential to be an excellent solution compared to paper methods.

  • Do not allow payment data to be entered into a spreadsheet or other non-secured form.
  • Is the payment application part of the private duty software, such that the software is in scope for PCI Compliance? Does the software need to be updated? Is the full card information ever available to users? The architecture of the solution strongly influences security. (Recall the Target & Neiman Marcus data breaches.)
  • Entering the card data directly into a cloud payment solution that is segregated from the business application software provides the optimal security. (Users should still follow all other PCI procedures.)

3 METHODS TO IMPROVE PCI COMPLIANCE WITH FIELD PERSONNEL:

  1. Encrypt data at the point of acceptance either with a secure swipe device or key entered.
  2. Directly enter payment data into a secure payment processing platform.
  3. Use tokenization. Tokenization replaces sensitive PAN (Primary Account Number) data with a unique identifier known as a token, which is useless to anyone who may intercept it.
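
Method 3 above, together with the earlier points that the PAN must be unreadable wherever it is stored and the CVV2/CVC2/CID must never be stored at all, is easiest to see in code. The following is an added example written for this page, not code from the original post or from CenPOS, First Data or any real gateway. It assumes an in-memory vault that stands in for a hosted token service, a constructed test card number, and a `tok_` token prefix of this example’s own choosing.

```python
"""Added example: a minimal token vault showing three rules in working code.
  - The merchant's business system keeps a token and a masked PAN, never the PAN.
  - The CVV may be presented for a first authorization but is discarded
    immediately; it is never written to any record.
  - Anything returned for display or logging carries a masked PAN (first 6 / last 4).
The vault's own PAN store is the part that stays in PCI scope; in a real
gateway it is encrypted at rest (Requirement 3.4) and never leaves the gateway."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed test PAN: a well-known sample number that passes Luhn, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects most typos before the number goes anywhere."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN in the display form PCI DSS permits: first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Gateway-side token service (hypothetical). Everything in here is in PCI scope."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key        # secret used to derive card fingerprints
        self._pan_by_token = {}            # token -> PAN; encrypted at rest in production
        self._token_by_fingerprint = {}    # keyed hash of PAN -> token, so the same card
                                           # entered twice maps to the same token

    def _fingerprint(self, pan: str) -> str:
        # Keyed HMAC rather than a plain hash: a 16-digit space is small enough
        # that an unkeyed SHA-256 of a PAN can be brute-forced offline.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, cvv: Optional[str] = None) -> dict:
        """Exchange a PAN for a token. The CVV is accepted only so a first
        authorization could use it; it is dropped here and never retained."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        del cvv                                  # security code is never stored
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = pan
        # This is all the merchant's business application is allowed to keep.
        return {"token": token, "masked_pan": mask_pan(pan)}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring charge: the merchant presents the token, the vault resolves it
        internally and hands back only a masked receipt line for the merchant's records."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "receipt": "card " + mask_pan(pan)}


def merchant_record_is_clean(record: dict, pan: str) -> bool:
    """Check that what the business application stores holds neither the PAN nor a CVV field."""
    blob = repr(record)
    return pan not in blob and "cvv" not in blob.lower()


if __name__ == "__main__":
    vault = TokenVault(fingerprint_key=secrets.token_bytes(32))
    rec = vault.tokenize(TEST_PAN, cvv="123")    # "123" is a constructed sample code
    print(rec)                                   # token plus 411111******1111, nothing else
    print(vault.charge(rec["token"], 4995))      # recurring charge by token only
```

The design point is where the line falls: the `TokenVault` and its PAN store belong to the gateway and remain in scope, while the dictionary `tokenize` returns is the only thing the provider’s intake or billing software ever sees. A token stolen from that software cannot be turned back into a card number without the vault, which is what “useless to anyone who may intercept it” means in practice. The keyed fingerprint is what lets the same card be recognised for recurring billing without keeping a plain hash of the PAN, which would itself be crackable.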

How can the provider get a written authorization on paper that is safe for the customer and safe for the provider? Contact us for a FREE Credit Card & ACH Authorization form makeover that can be used in combination with safe, secure, PCI Compliant technology.