This is a great question. Should non-profits have a field on their mail order donor response cards? Reading the 2011 Visa Card Acceptance Guidelines for Visa Merchants, it’s still  open to interpretation as to whether to ask for CVV on mailings. Here’s the official excerpts:

General Card-Absent Transaction Procedures

Pg 46 “Always ensure that, at a minimum, you collect the following details from your customer:

• The card account number
• The name as it appears on the card
• The card expiration date as it appears on the card
• The cardholder’s statement address”

Pg 46 “If you are taking an order through the mail or via a fax:

• Obtain a signature on the order form .
•  Always retain a copy of the written order .
• Get proof of delivery”

Pg 48  “A cardholder’s CVV2 may never be stored as a part of order information or customer data . The storage of CVV2 is strictly prohibited subsequent to authorization.”

“An initial, or set-up, recurring transaction should be processed the same as any MO/TO or Internet transaction . If set up by mail or telephone, you should submit both AVS* and CVV2** queries with the authorization.

The sales receipt for an initial recurring transaction must include the following information:

• The phrase “recurring transaction.
• The frequency of the charges.
• The period of time the cardholder has agreed to for the charges.”

* In certain markets, CVV2 is required to be present for all card-absent transactions . ** In some markets, if the transaction is approved, but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.

In summary, the merchant can leave the CVV off and reduce risk, but should use the correct indicator for authorizations, “You have chosen not to submit CVV2.”

If the merchant has a history of mail order fraud, then the merchant may want to collect the CVV2 using a lockbox service to reduce risk. If the merchant is retaining response cards, then the response card should be designed so that the CVV can easily be detached after the initial authorization, and securely shredded. If the response card is scanned, the fields with sensitive data cannot be scanned.

Please note PCI DSS compliance rules always take precedence over individual card network rules.

See also, new 2011 card absent receipt requirements.

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) shows growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients? About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long ways to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

• 3 (protect stored cardholder data)
• 10 (track and monitor access)
• 11 (regularly test systems and processes)
• 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing,  charging the same amount on a fixed schedule. However, CenPOS is unique to offer storing card data for billing a variable amount, token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

Tokens are issed for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

• User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
• Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data, the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging, but is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies) While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

• Web payments on a hosted pay page, not the merchants web page
• Electronic Bill Presentment and Payment- same as above.
• Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.

Have you ever needed to check if a credit or debit card is valid, but you don’t want to authorize or charge yet? We’ve added a new feature for our CenPOS Virtual Terminal called Positive Card. CenPOS will go out to the networks with a zero authorization amount to validate the card with the issuer prior to being stored.

REVIEW OF ENCRYPTED PAYMENT STORAGE OPTIONS NOW AVAILABLE:
Positive Card- validates card. Merchant validate CVV, address and zip code passes fraud check and decide whether the answers are acceptable before storing. Why would you accept a card if it doesn’t pass everything? Only Canada and the UK participate in AVS check; If you know your customer, you may wish to allow the card anyway. This feature allows you to enter a card, then make an educated decision as to whether you want to store it for recurring billing.
Repeat Sale- Offered for check/ACH and credit/debit. Process a transaction and it creates a new token to use for future sales transactions. CVV not allowed per PCI Compliance. Later, check the Token Box, enter the Token ID, amount and invoice #. That’s it.
Recurring Payments Module: Offered for check/ACH and credit/debit. Set up client contracts and store multiple cards, payors, and payment methods for a single account. Regardless of where a token was issued (resale, recurring, positive etc) the token is the same for all.
Securely store any payment type for variable amount token billing or fixed recurring billing.

FAQ:
How do I get this feature? Administrators login to the Virtual Terminal and turn on for each user you want to have access. (This also applies to the other options.)
Will this also validate checks? No, It resides in the credit/debit. If you have a need, let us know.
Are there fees? Yes. 6/14/11 MasterCard charges $.03 for this service, effective with their announcement to support zero auth address verification (AVS), card verification code 2 (CVC 2) validation or both. Expect similar fees on all networks now or in the future. Standard CenPOS per transaction fees apply.
Can we use tokens for the EBPP/ E-invoice service? Not yet, but it’s in development. Currently customers will click the email and enter payment information for each invoice.

The tools are in place for you to eliminate faxed authorization forms that expose payment data and reduce PCI Compliance scope. If you need help using the features or how to deliver the token approval form for signature to your clients, please do not hesitate to call.

Visa is announcing plans to accelerate the migration to contact and contactless EMV chip technology in the United States. The adoption of dual interface chip technology will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions.

Not only will chip technology accelerate mobile innovations, it is also expected to secure payments into the future through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen payment card data by introducing dynamic values for each transaction. Even if payment card data is compromised, a counterfeit card would be unusable at the point-of-sale without the presence of the card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data, benefiting all stakeholders.

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies. Specifically, Visa will waive PCI DSS compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure their systems support dynamic data acceptance, i.e., chip, and will institute a domestic and cross-border counterfeit liability shift.

Infrastructure Upgrade and Dynamic Authentication Benefits
The adoption of chip technology based on global standards will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments, given that the underlying processing infrastructure and required back-end systems are the same as for EMV chip cards. Additionally, in a card- present or physical POS environment, EMV chip technology has proven to be the most effective and broadly adopted dynamic data authentication solution available in the marketplace today.
EMV chip technology is already being used around the world to facilitate contact, contactless and mobile payments, and has been leveraged for emerging complementary services like public transit, Internet and mobile banking. Based on extensive research and the positive experience expressed by many major countries, Visa will promote the broad adoption of EMV chip technology in both contact and contactless / mobile form factors for card-present transactions across all markets, including the U.S.
As the POS payment infrastructure continues to evolve from the static magnetic stripe to intelligent devices such as EMV chip cards and NFC mobile phones, it is critical to ensure that cardholders can continue to make convenient, secure and reliable payments for card-absent transactions as well.
Visa’s new digital wallet with “click-to-buy” functionality will be able to support dynamic authentication across multiple channels, including the e-commerce environment.

Visa will also enhance intelligent network-based fraud detection tools, such as Visa Advanced Authorization, to complement dynamic and risk-based authentication methods.
Visa Public 1
Roadmap for U.S. Migration to Dynamic Authentication Solutions
Visa’s plan to encourage U.S. adoption of dynamic EMV chip authentication technology includes the following three initiatives:

1. Expand the Technology Innovation Program (TIP) to merchants in the U.S. For more information, refer to the 9 August 2011 Visa Bulletin “Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual Interface Terminals.”
2. Build the processing infrastructure for chip acceptance by establishing a U.S. acquirer processor EMV chip processing requirement. For more information, refer to the 9 August 2011 Visa Bulletin “Visa Sets U.S. Acquirer Processor Mandate for Chip Transaction Processing.”
3. Establish domestic and cross-border POS counterfeit liability shift policies. For more information, refer to the 9 August 2011 Visa Bulletin “Visa Announces U.S. Participation in Global Point of Sale Counterfeit Liability Shift.”

Over the coming months, Visa will provide technical guidance to issuers, acquirers, processors and merchants to support payment system participants as they execute these actions.
While stakeholders collectively prepare for the future, Visa will continue to secure the current payment environment by:

• Providing effective network-based risk management services, like Visa Advanced Authorization and Transaction Alerts
• Ensuring that all participants do their part to protect sensitive cardholder data by, at a minimum, complying with Payment Card Industry Data Security Standards (PCI DSS)
• Evaluating and promoting new security solutions, such as encryption and tokenization, as they emerge. Next Steps

Over the coming months and years, Visa will make adjustments to its products, operating regulations and security programs to help consumers, issuers, acquirers and merchants adopt dynamic authentication solutions. This effort will also require the participation of many key entities; Visa is committed to working with its stakeholders to further develop the industry’s U.S. and global roadmap to adopt EMV chip technology.

Download PDF of this Visa 2011 Chip Migration & Mobile Payments Merchant Bulletin

I received a cold call from a representative of HostedPCI so I decided to review what they offer. HostedPCI sales pitch is to offer an quick and easy way to become PCI DSS compliant by offering an interface to your existing applications. Basically, their ‘vault’ receives the payment information, tokenizes it, and from that point, only the token is used for processing payments., regardless of the connection interface such as authorize.net.

The core services are currently call center and checkout express. The call center application changes the customer over to a secure payment call session where the consumer enters their card information. Then the operator gets a pop up on the screen with the token ID which can then be used for processing. This removes the operator from hearing the card information, improving security, and also making it easier to comply with regulations regarding recording payment information over the phone. Is this a one time use token? Is the customer told their card data is being stored? How long is it stored for? Whether they exist now or later, there are certain to be new regulations coming regarding the rules for storing, even with a secure token.

The company 2138617 Ontario Inc., dba HostedPCI appears to be Canadian, though it’s not entirely transparent since there is no address on the web site.

It is not a gateway and the salesperson said you’d still need one to accept payments online. I have to wonder, what is the real value of this application vs our Smart Virtual Terminal?

Tokenization – Yes, they both have it. HostedPCI tokenizes every transaction.  Our Smart VT only tokenizes data if there is a need for a repeat sale, and the merchant can issue an approval form for signature, perfect for B2B needs. There are so many other benefits for ours vs theirs (see our token billing page), there is really no comparison. Winner: Smart Virtual Terminal.

Call center - HostedPCI wins hands down because we don’t offer any voice related services. However, you can explore 3rd party options that already exist and if it makes business sense, we’ll integrate.

Gateway- HostedPCI integrates with gateways, ours Smart VT replaces them, eliminating gateway fees. Winner- open to interpretation.

Shopping cart integration- Hosted PCI Checkout Express uses an iFrame and also offers an API, same as our Smart VT. Hosted PCI has ready made API’s for Drupal and Magento;  We’ve never had a customer ask for this so we haven’t made one specifically for this purpose yet. Winner: open to interpretation.

Reporting: HostedPCI doesn’t mention any and our Smart Vt is more robust than anything else on the market. There is no comparison. Winner: Smart Virtual Terminal.

Flexibility: HostedPCI is developing new applications. Smart Virtual Terminal is ready today for Kiosk, EBPP, ecommerce, web payments, mobile, and retail POS and accepts loyalty, credit/debit, check, check guarantee, ACH and other payment methods. Numerous ground breaking features are in the works. Winner” Smart Virtual Terminal.

With prices that start at $.30 per transaction for HostedPCI, if you have an ecommerce PCI Compliance problem and spend less than $100 per month in gateway fees now,  then HostedPCI may be a viable option for you. If you have a call center, check the legal requirements in your state on what’s allowed, including phone script requirements. Smart Virtual Terminal provides significantly more value for mid size merchants at competitive prices (non-published).

Does your company record calls for quality assurance or other purposes? The PCI Security Standards Council has issued supplemental guidelines “Protecting Telephone-based Payment Card Data” for you to maintain PCI DSS ( Payment Card Industry Data Security Standards) compliance. The intent is to provide supplemental guidance, and does not replace or supersede PCI DSS requirements.
Why Telephone Card Payment Security is Important
In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space. Additionally, a number of regulatory bodies are requiring some companies to record and store telephone conversations in a range of situations. The Payment Card Industry Data Security Standard (PCI DSS), however, stipulates that the three-digit or four-digit card verification code or value printed on the card (CVV2, CVC2, CID, or CAV2) cannot be retained after authorization, and full primary account numbers (PANs) cannot be kept without further protection measures.

As such, there is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.

Recap: The PCI SSC FAQ
PCI SSC FAQ 5362 – Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?
This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).
It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

August 2011 chart from PCI Security Standards

Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queriable.
For data to be considered “non-queriable” it must not be feasible for general users of the system or malicious users that gain access to the system to retrieve or access the data. Access to the types of functions listed above must be extremely limited, explicitly authorized, documented, and actively monitored. Additionally, controls must be in place to prevent unauthorized access to these functions.
Other methods that may help to render SAD non-queriable include but are not limited to: a. Removing call recordings from the call recording solution b.    Taking the call recordings offline c.    Vaulting the call recordings d.    Enforcing dual access controls to the vaulted call recordings e.    Allowing only single call recordings to be retrieved from vaults

Before considering this option, every possible effort must first be made to eliminate sensitive authentication data. In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. There must be a documented, legitimate reason why sensitive authentication data cannot be eliminated (for example, a legislative or regulatory obligation), and a comprehensive risk assessment performed at least annually. The detailed justification and risk assessment results must be made available to the acquiring bank and/or payment card brand as applicable. This option is a last resort only, and the desired outcome is always the elimination of all sensitive authentication data after authorization.    If technologies are available to fulfil PCI DSS requirements without contravening government laws and regulations, these technologies should be used.

The PCI Security Standards Council (PCI SSC) is not responsible for enforcing compliance or determining whether a particular implementation is compliant. It is the primary recommended source for all merchants to obtain current PCI DSS information.

Download the complete report here
PCI Data Security Standard (PCI DSS) Protecting Telephone-based Payment Card Data

In this first article of a series we explore insider theft, related to data breaches,  based on key elements of the Verizon 2011 data breach report.  The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

• 92% external agents
• 17% implicated insiders
• < 1% business partners
• 9% involved multiple parties

How do breaches occur? ?

• 50% involved some sort of hacking
• 49% incorporated malware
• 29% physical attacks
• 17% from privilege misuse
• 11% employe social tactics

What commonalities exist?

• 83% were victims of opportunity
• 92% were not difficult
• 76% of all data was compromised from servers
• 86% discovered by a third party
• 96% were avoidable through simple or intermediate controls
• 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrpyted. Their excuse? It’s not connected to the actual credit card processing and access is restricted so it’s not a PCI Compliance problem.  See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to  $1.5 million fine for violating the HITECH ACT.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrate,  employee training is essential. Industry wide, merchants are completing  PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here’s three things you can do to mitigate internal employee risk:

1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare  companies, I think 50% PCI DSS  (Payment Card Industry Data Security Standards) Compliance would be extremely optimistic.

So what’s got my gander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it.  As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account.  Under Visa’s Zero Liability policy  consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and the misunderstanding of potential  liability exposure as a result. Storing card data even for 24 hours poses a huge risk both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

This invoice format is quite common for medical billing.

RISK: Merchant collects the CVV code, listed as signature code above, and bills are sent to a their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photo each billing form. It’s doubtful they could prove PCI Compliance and would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

• She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
• The paper went into an “in box”. It was Friday.
• The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
• Monday the posting person key entered the transaction into a desktop terminal.
• Tuesday, presumably,  paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK:  The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

• Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
• Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location.  CVV is NEVER stored, not even encrypted, since it’s against card association rules.
• Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The seccond person to take my payment on a future date was the actual representative for my account.

• She entered information in the billing system so there was  a record of my call and payment.
• My card data, including CVV,  was entered into a ‘notes’ section of the billing database.
• The customer service representative has no access to see the card data after it is entered.
• An accounting person retrieves the card data for payment in bulk with others within 1 business day.
• The posting person key enters the transaction into a dial-up desktop terminal.
• The next business day, presumably,  the computer notes are deleted.

RISK:  Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

• Replacement cost per card compromised, $25.
• Mandatory consumer credit report service for one year, $12/mth per card holder.
• Reimburse all claims from card associations.
• Fines from FACTA, HIPAA, and PCI Compliance violations
• Your business could come to a screeching halt while a forensics team investigates.
• Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff that believes since the payment processing is via a dial up terminal and is not connected to the card data in the database, that there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.