Archive for the ‘PCI Compliance’ Category

Is it ever ok to copy front and back of credit card?

Thursday, April 18th, 2013

No, not if the goal is to defend against future disputes. Merchants can never store the security code on paper or electronically. It’s a violation of both merchant card acceptance and PCI Compliance* rules. The penalties can be especially stiff, even reaching over one million dollars in fines and jail time, for merchants in industries covered by special identity theft rules. For example, automotive dealers and health care providers also collect sensitive personal data, which increases their regulatory obligations to protect consumers from identity theft.

First Data, a leading credit card processor, has this language in their PCI Rapid Comply 2013 questionnaire: “Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?”

If it’s never OK, how can card-not-present merchants protect against fraud and disputes?

  1. Increase capabilities to accept card present transactions. For example, a local business might add mobile card readers for delivery personnel to swipe credit cards.
  2. Require remote buyers to print the sales receipt, sign and send back. A signed sales receipt containing the authorization code and correct authorization language enhances the trail of evidence.
  3. Same as above, except for commercial accounts, require that the cardholder forward the email receipt with their electronic signature from a company email address.
  4. Require cardholders to specifically approve any 3rd party delivery address or personnel. Maintain all email communication records related to the sales process.
  5. Switch to self-serve payments such as an online pay page or electronic bill presentment and payment, both of which create opportunities for trails of electronic evidence. Use a third party provider to reduce PCI Compliance burden.
  6. Use a third party service to electronically store sensitive payment information in a ‘vault’ for recurring customers. Ensure that no one can access the full card or ACH information.
  7. Have a set of policies that can be remotely managed, monitored and enforced. This is critical in a multi location environment.

* PCI Compliance: short for Payment Card Industry Data Security Standards, or PCI DSS. All merchants are subject to PCI Compliance and the requirements vary by a number of factors including how payments are accepted and business size.

About the author: Christine specializes in providing innovative card not present payment processing solutions for manufacturers, wholesale distributors and new car dealers to improve PCI Compliance and streamline the payment experience for both merchants and customers. It’s fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Video Training: How to replace credit card authorization forms

Wednesday, April 3rd, 2013

In this training video, I show how to securely store credit card data so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standards (PCI DSS) Compliance if you store credit card authorization forms with full card data. This solution can significantly boost PCI Compliance and reduce losses due to disputes and resulting chargebacks.


The positive card verification checkbox is used to submit a zero dollar authorization transaction. This validates all rules in the merchant administration and on a user basis. For example, if rules require an address, zip code, and cvv security code verification, the items will be validated with the card issuer. The receipt is the merchant record of proof that the card issuer passed the verification.

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement. Call Christine Speedy in sales 954-942-0483 or click here for more information.

Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category

Tuesday, March 5th, 2013

Interestingly, it’s 2013 and yet a 2010 document related to cardholder data breaches affecting franchise locations is a top 5 rated download at Visa.com. The definition of Corporate Franchise Servicer (CFS), the new Visa third party servicer category, links related to the subject, and commentary are shared below.

Visa determined that data breaches quickly spread among franchises that use a system owned or operated by a corporate franchise organization. In particular, when the franchisee has no role or say in the system used to process, store or transmit payments, they cannot manage PCI DSS (Payment Card Industry Data Security Standards) compliance themselves.

As a result Visa created a new third party category. From Visa, “A Corporate Franchise Servicer is defined as a corporate entity or franchisor that provides or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it.” Further, “If PCI DSS-compliant segmentation exists between these assets and the franchisee cardholder data environment, the corporate franchise may be excluded from this requirement.”

Is Your Data Secure? – Published by Multi-Unit Franchise, Issue 2 2011

Visa Classifies Corporate Franchisors As Third-Party Agents - Storefront Backtalk November 11th, 2010

BLOG AUTHOR COMMENTS:

CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. CenPOS products include a virtual terminal, electronic bill presentment and payment, secure online pay page, and mobile payment applications. Additionally, the Dashboard provides executives insights with hierarchy based organization.

CenPOS reduces the burden of PCI DSS compliance, while also providing transparency and scalability in the franchise environment. Special markets include business to business, automotive, fitness, moving and storage, retail and medical.

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS CLOUD COMPUTING GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance for securing payment card data in cloud environments —

WAKEFIELD, Mass., February 07, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.

PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
PCI Participating Organizations selected cloud computing as a key area to address via the SIG process. More than 100 global organizations representing banks, merchants, security assessors and technology vendors collaborated on this guidance designed to help companies identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities when implementing these solutions.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.” The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.
  • Additional Security Considerations – explores a number of business and technical security considerations for the use of cloud technologies.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.
The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php. Download cloud computing guidelines document here.
Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.

About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council Join the conversation on Twitter: http://twitter.com/#!/PCISSC

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
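The “simple, prudent coding practices” the quote refers to come down to one habit: never build SQL by gluing user input into the statement text. The following is an added example, not code from the PCI SSC or the supplement, showing the same product lookup written the vulnerable way and the parameterized way against an in-memory SQLite catalogue. The table, column names and sample rows are constructed assumptions for illustration.

```python
"""Added example (not from the PCI SSC press release or supplement): the same
product lookup written two ways, run against an in-memory SQLite database
with constructed sample rows. Table and column names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory catalogue with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 1999), ("B200", "Gadget", 4999), ("C300", "Gizmo", 999)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Builds the statement by string concatenation: whatever the shopper
    typed becomes part of the SQL itself."""
    sql = "SELECT sku, name FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    """Bound parameter: the driver hands the value to the engine separately
    from the statement text, so the input can only ever match a literal sku."""
    return conn.execute(
        "SELECT sku, name FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def rows_returned(lookup, sku: str) -> int:
    """Run one lookup function against a fresh catalogue and count the rows."""
    conn = make_db()
    try:
        return len(lookup(conn, sku))
    finally:
        conn.close()


# Constructed input used in code review to demonstrate the defect: a sku
# that does not exist, followed by a tautology. The concatenated query
# becomes  WHERE sku = 'nonexistent' OR '1'='1'  and returns the whole table;
# the parameterized query looks for a sku literally equal to this string.
PROBE = "nonexistent' OR '1'='1"

if __name__ == "__main__":
    print("normal lookup, vulnerable:", rows_returned(lookup_vulnerable, "A100"))
    print("normal lookup, safe:      ", rows_returned(lookup_safe, "A100"))
    print("probe, vulnerable:", rows_returned(lookup_vulnerable, PROBE))  # 3
    print("probe, safe:      ", rows_returned(lookup_safe, PROBE))        # 0
```

Both versions return exactly one row for a real sku; only the concatenated version lets the probe string change the meaning of the query. When asking a service provider how it protects against SQL injection, “all database access uses parameterized statements” is the answer this example illustrates.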
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Tuesday, January 15th, 2013

Highlights from the Global Payments quarterly report released January 8, 2013, reveal that costs related to the 2012 data breach have reached $93.9 million and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. The company has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain sensitive information for identity thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has identified the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

iPad Mobile payments- important security notice

Tuesday, October 2nd, 2012

With a proliferation of newcomers to the market, merchants need to be aware of potential mobile payments security problems. The PCI Security Standards Council recently released new standards for developers as well as guidelines for merchants. One important aspect to ask questions about is ‘store and forward’.

If the mobile application enables you to accept credit cards when you cannot connect to the internet, the card data clearly resides on the device, which creates a potential security risk. This issue is addressed in a new Best Practice for Mobile Payments Developers released by the PCI Security Standards Council. Who can access the card information while it is pending presentment to your processor for an authorization? In what format does that data reside? If the user cannot access it, could malware on the device access the data?

Editor’s note: Our CenPOS iPad mobile app does not support store on device and forward for presentment later. Merchants must have access to an internet connection. There are multiple options should you need to store payment data with that live connection:

  1. Zero dollar auth: validate the card only, and store data for later billing.
  2. Auth: get an authorization for a specific sale, but don’t charge yet; store data for later billing.
  3. Repeat sale: process the transaction now, and store payment information for future billing.

In each case above, the credit card information is encrypted and replaced by a random alphanumeric string, or ‘token’. The encrypted payment information can never be seen again.
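What a stored-card record is allowed to contain follows directly from the two rules on this page: the security code is never stored after authorization (the First Data questionnaire language in the first post), and the card number is replaced by a random token (the three options above). The following is an added example, not CenPOS code, showing a card-on-file record builder that uses the CVV only for the authorization step and keeps a random token plus a masked number, together with a scanner that detects full card numbers left behind in free text such as logs or authorization forms. The record layout, the token format, the test card number and the sample log line are constructed assumptions for illustration.

```python
"""Added example, not CenPOS code: what a card-on-file record may keep
(random token, masked number, expiry) and what it must never keep (CVV, full
PAN), plus a scanner for full card numbers in text. The record layout, token
format, test card number and sample text are constructed assumptions."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test used by payment card numbers (non-digits ignored)."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for display and reconciliation."""
    return "*" * (len(pan) - 4) + pan[-4:]


def issue_token() -> str:
    """Random token, not derived from the PAN, so it reveals nothing about it.
    The 'tok_' prefix is an assumed convention."""
    return "tok_" + secrets.token_urlsafe(16)


def build_card_on_file(pan: str, exp: str, cvv: str) -> dict:
    """Return the record a merchant system may persist after the processor has
    authorized the card. The CVV is validated for the authorization request
    only and is deliberately absent from the returned record."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    # The authorization request carrying pan/exp/cvv would be sent to the
    # processor here; nothing below this line references cvv again.
    return {"token": issue_token(), "masked_pan": mask_pan(pan), "exp": exp}


# Contiguous runs of 13 to 19 digits, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Detect Luhn-valid card-number-length digit runs in free text, the kind
    of scan used to catch prohibited card data left in logs or forms."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    # 4111111111111111 is a constructed, widely used test number, not a real card.
    rec = build_card_on_file("4111111111111111", "12/25", "123")
    print(rec)                                   # token, masked_pan, exp only
    print(find_pans("constructed log: customer 4111111111111111 approved"))
    print(find_pans("constructed log: customer " + rec["masked_pan"] + " approved"))
```

The record returned by `build_card_on_file` is the only thing worth persisting; running `find_pans` over exported forms, spreadsheets or application logs is a cheap way to confirm that no full card number survived the process.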
Accepting Mobile Payments with a Smartphone or Tablet  (PDF download from PCI Security Standards Council)

For additional information about mobile payments solutions, please contact Christine.

PCI Security Standards Council Releases Best Practices for Mobile Software Developers

Monday, October 1st, 2012

Earlier this month, September 13, 2012, the PCI Security Standards Council released new standards for developers creating mobile payments applications. While the advice is geared towards developers, merchants are advised to review it so that they have adequate information to ask questions about potential mobile apps they are considering. Here are three key objectives:

Objective 1: Prevent account data from being intercepted when entered into a mobile device.

Objective 2: Prevent account data from compromise while processed or stored within the mobile device.

Objective 3: Prevent account data from interception upon transmission out of the mobile device.
