Most medical billing solutions address HIPPA, but what about secure payments?  Our medical billing solution enables you to securely collect current payments and outstanding bills after insurance claims are completed. Additionally, there are many built in merchant controlled settings to help reduce and eliminate both internal and external fraud.

MEDICAL BILLING SOLUTIONS

Tired of getting paid weeks and months after services are rendered?

Do you have patients paying a co-pay on the visit, then after you’re paid by the insurance company, the patient ends up having a balance due?

How long on average does it take you to collect that balance? Are you paying a medical billing company to collect it for you?

Do you have patients that are billed the same amount every month?

Do you offer a payment plan in some situations?

SOLUTION: TOKEN ACCOUNTS.

1. Merchant accesses a secure payment processing platform and creates a TOKEN to enable rebilling the patient or to set up recurring billing. Card data is never stored at the merchant location and the token links only to remotely hosted encrypted data. To re-bill, the merchant enters the patient name, transaction amount, and the TOKEN ID.
2. Patients agree to have their card charged, usually up to a specified amount, at the time of the original transaction. Merchants can print a receipt, or have an email automatically sent with the receipt.

BENEFITS:

1. Improve cash flow.
2. Reduce or eliminate collections.
3. Simplify the billing process- reduce workload.
4. PCI Compliant- secure solution eliminates exposed card data.
5. Reduce opportunities for internal fraud by eliminating receiving card data within mailed billing responses.
6. Managed payment processing costs- eliminates costly human errors that result in interchange qualification downgrades.

FEATURES:

1. Optional Signature Capture stores patient opt-in agreement electronically indefinitely.
2. Access secure web page from any computer.
3. User control for all functions and reporting. You decide who can perform what type of transaction. Enable off site billing or accounting to access reporting.
4. Optional industry template to capture insurance policy number, account number etc. Export reports on demand.
5. Real- time cash flow. Enables management to see  multiple locations at a glance.
6. Multiple merchant accounts- Use the same system for multiple doctors within a location.
7. Minimal set- up. No major upfront investment.
8. Optional pay page- simple code you can add to your web site so patients can pay a bill.

SALES CONTACT: Christine Speedy 954-942-0483

SCREEN SHOTS

Figure 1. The customer is present and you swipe the card. The card number, expiration and name on card are automatically recognized, as with any swipe device. Confidential information will be x’d out and will not appear on the screen.  Enter the  sale amount, as usual.

Notes: Other required or optional fields are determined by the merchant prior at account set-up.  The merchant determines data capture preferences balancing speed at the cashier, information needs, and risk.  In all the figures shown, invoice is mandatory, but that is strictly a merchant decision.

FIGURE 2.  When the customer is not present, different data needs to be captured for risk and interchange qualification  ( how much a transaction costs the merchant) concerns. i

FIGURE 3. If the merchant wants to bill the same customer again, the repeat sale button is selected. Information is collected for both the initial sale and future sales. A token is automatically generated, or the merchant can specify one. We recommend you collect the email address so that you can send automatic receipts for future billing. (You can also ask the customer to opt-in or opt-out to marketing via email.)

FIGURE 4.  When you’re ready to go back and bill the patient, enter the TOKEN ID along with the amount to charge.

If you captured an email previously and set up automatic receipts, an email is automatically generated and sent. Email set up can be programmed with your own FROM and SUBJECT.

The benefits I’ve discussed are just the tip of the iceberg. This technology is leaps ahead of anything else on the market, including ease of use. Your staff can complete a repeat sale with less than 5 minutes of training. Setting up recurring billing, where the same amount is billed multiple times, is not shown here and is just as easy.

Protect your patient data. Protect your business from internal fraud. Improve your cash flow. Look at functional graphical reports that let you see and compare cash flow from multiple operations in minutes.

Questions? Need a demo? Call Christine at 954-942-0483.

Most medical and dental billing solutions address HIPPA, but what about secure payments?  Our dental billing solution enables you to securely collect current payments and outstanding bills after insurance claims are completed. Collecting payments in a secure manner is equally important to HIPPA. Most staff at medical practices don’t even know what PCI DSS is, even after having 6 years to comply.

DENTAL BILLING SOLUTIONS

Tired of getting paid weeks and months after services are rendered?

Do you have patients paying a co-pay on the visit, then after you’re paid by the insurance company, the patient ends up having a balance due?

How long on average does it take you to collect that balance? Are you paying a medical billing company to collect it for you?

Do you have orthodontia patients that are billed the same amount every month?

Do you offer a payment plan in some situations?

SOLUTION: TOKEN ACCOUNTS.

1. Merchant accesses a secure payment processing platform and creates a TOKEN to enable rebilling the patient or to set up recurring billing. Card data is never stored at the merchant location and the token links only to remotely hosted encrypted data. To re-bill, the merchant enters the patient name, transaction amount, and the TOKEN ID.
2. Patients agree to have their card charged, usually up to a specified amount, at the time of the original transaction. Merchants can print a receipt, or have an email automatically sent with the receipt.

BENEFITS:

1. Improve cash flow.
2. Reduce or eliminate collections.
3. Simplify the billing process- reduce workload.
4. PCI Compliant- secure solution eliminates exposed card data.
5. Reduce opportunities for internal fraud by eliminating receiving card data within mailed billing responses.
6. Managed payment processing costs- eliminates costly human errors that result in interchange qualification downgrades.

FEATURES:

1. Optional Signature Capture stores patient opt-in agreement electronically indefinitely.
2. Access secure web page from any computer.
3. User control for all functions and reporting. You decide who can perform what type of transaction. Enable off site billing or accounting to access reporting.
4. Optional industry template to capture insurance policy number, account number etc. Export reports on demand.
5. Real- time cash flow. Enables management to see  multiple locations at a glance.
6. Multiple merchant accounts- Use the same system for multiple doctors within a location.
7. Minimal set- up. No major upfront investment.
8. Optional pay page- simple code you can add to your web site so patients can pay a bill.

SALES CONTACT: Christine Speedy 954-942-0483

SCREEN SHOTS

Figure 1. The customer is present and you swipe the card. The card number, expiration and name on card are automatically recognized, as with any swipe device. Confidential information will be x’d out and will not appear on the screen.  Enter the  sale amount, as usual.

Notes: Other required or optional fields are determined by the merchant prior at account set-up.  The merchant determines data capture preferences balancing speed at the cashier, information needs, and risk.  In all the figures shown, invoice is mandatory, but that is strictly a merchant decision.

FIGURE 2.  When the customer is not present, different data needs to be captured for risk and interchange qualification  ( how much a transaction costs the merchant) concerns. i

FIGURE 3. If the merchant wants to bill the same customer again, the repeat sale button is selected. Information is collected for both the initial sale and future sales. A token is automatically generated, or the merchant can specify one. We recommend you collect the email address so that you can send automatic receipts for future billing. (You can also ask the customer to opt-in or opt-out to marketing via email.)

FIGURE 4.  When you’re ready to go back and bill the patient, enter the TOKEN ID along with the amount to charge.

If you captured an email previously and set up automatic receipts, an email is automatically generated and sent. Email set up can be programmed with your own FROM and SUBJECT.

The benefits I’ve discussed are just the tip of the iceberg. This technology is leaps ahead of anything else on the market, including ease of use. Your staff can complete a repeat sale with less than 5 minutes of training. Setting up recurring billing, where the same amount is billed multiple times, is not shown here and is just as easy.

Protect your patient data. Protect your business from internal fraud. Improve your cash flow. Look at functional graphical reports that let you see and compare cash flow from multiple operations in minutes.

Questions? Need a demo? Call Christine at 954-942-0483.

Reduce the risk of accepting credit cards with these tips for summer resident camps. How many people who handle credit card processing really understand PCI Compliance? Below I list some do’s, dont’s and solutions that really work.

Best practices for payment PROCESSING TIPS FOR CAMP ORGANIZATIONS:

DEPOSITS: To accept reservation deposits, the merchant must clearly state the rules for refunds whether online or via mail in form. Does your system allow refunds to occur without a corresponding sale? Ask me about solutions that block this type of transaction and also control who can perform refunds. Do not refund a credit card if the original transaction was a check.

MAIL IN FORMS:

1. Do not ask customers to put their security code on the mail order form. It’s just too high of a risk. Remember, the 3-4 digit security codes (CVV, CID) never affects your credit card processing costs.
2. Create a form that enables you to shred the card data, yet still maintain the rest of the information you need, including signature.
3. If applicable, ask the customer for permission to allow you to rebill their credit card with whatever terms you want to create. A simple check box works great. Instead of storing card data, use Tokenization for recurring billing or rebilling.

PHONE ORDERS AND COLLECTIONS

It happens all the time. The date when final funds needs to be received has arrived.  Who calls who is irrelevant. If the customer wants to give you the information over the phone, how are you obtaining it? In most cases, the phone order taker simply writes it down on a piece of paper. The information is then used to process the payment later, whether after hanging up or by someone else in the office. How often is that card data then immediately put into a cross cut shredder to destroy it?

RECOMMENDATION: Have the phone operator enter the card data into a virtual terminal (VT).  The VT is a secure web page in which you enter transaction information. If that person is not authorized to run transactions, we have a solution that enables the operator to enter the card data and get an immediate authorization, and the proper personnel can process the transaction later. The receipt can be automatically emailed to the customer, or you can print and put in the mail.

ECOMMERCE: Don’t choose a payment processor just because they have a solution for your ecommerce needs. There are several excellent gateways to choose from for online payments, so the processor and gateway need not be the same and in my experience they almost always have higher costs. Even though I could offer a single solution myself, I never tie the two together. Keeping them separate gives you the most flexibility over time. I liken it to getting free equipment. There’s a catch and it’s usually not to your benefit.

COSTS:  Is your account set up the best way to qualify for the lowest rates for your type of organization? How do you know? In most cases you need a MOTO account, which stands for mail order, telephone order. Did you know it’s a violation to accept payments on your web site with a MOTO account? Merchants are required to have an ECOMMERCE designated account to accept payments online.

Payment processing is very complex and the nature of a business that gets the bulk of its payments in a short window only makes it harder for personnel to keep up with all the latest information.

Our team can help you with data security, compliance, cost control, and any other issues you face regarding payment collection, especially with temporary summer personnel.

Related articles:

Should you require CVV or AVS for phone orders?

2009 story on credit card processing for summer camps.

Want a FREE Camper Reservation Order Form makeover? Fax your existing form with FREE MAKEOVER on the cover sheet  to 954-942-9804 and I’ll mark it up with recommended changes to improve your PCI DSS Compliance at no cost! Include your merchant statement(s) along with total annual volume and I’ll send you a video report you can view at your leisure that clearly identifies areas for improvement including cost savings.

Nearly all the medical bills I see now have an option to pay with a credit card. These forms also request the security code (CVV, CVV2) on the form. Should merchants ask for it? Is it legal? Is it safe? What are they doing with these forms?  I’m personally not writing down my 3 digit security code on any form and returning that through the mail.

Should medical billing companies ask for the card security code on mail response forms?  NO. The CVV is not needed for interchange qualification; it has zero impact on your processing costs. It is used to protect against fraud, especially cloned credit cards. If the customer has already used their card to swipe, the CVV is no longer needed for rebilling. But that’s not something the biller knows.

According to Visa’s Ecommerce Risk Management Guide dated December 2009, for information security purposes, all merchants are prohibited from storing Card Verification Value 2 (CVV2). Per Visa’s Data Security Tips, “Do not store the three-digit number on the back of Visa payment cards (CVV2) in any format. Do not request the CVV2 number on mail-order forms or billing forms. ”

Per a merchant processor RULES ON MOTO/INTERNET, You (the merchant) are prohibited from storing CVV2, CVC2, magnetic stripe track data, and AVS and PIN data. Each party will store all media containing Cardholder numbers in an area limited to selected personnel on a ‘need to know’ basis only and prior to either party discarding any material containing cardholder information, the party will destroy it in a manner rendering the Card account numbers unreadable.

MERCHANT QUESTIONS:

What if my payment processing system requires a CVV to process a credit card transaction? You need an alternative solution to input transactions. You’re required to ask for the security code on internet transactions, but not on mail order. Call and we can set you up quickly with a virtual terminal.

Tokenization is now offered for resale of variable sales amounts. Enter card data one time only via PCI Compliant interface. The system will generate a token for you. To process future transactions, enter the TOKEN instead of card data, which can never be seen again.

The card data is encrypted and is never stored on your servers or computers. The token, which is worthless to others, is your way to submit future billing requests.

Tokenization and PCI DSS (payment card industry data security standards). PCI compliance is streamlined with tokenization and our end-to-end encryption solution.

The average user will submit cardholder data via the virtual terminal RESALE function. A token is automatically generated which you then store offline. To rebill, simply submit the token in lieu of the actual card number.

TYPICAL REPEAT SALE SET UP FOR RETAIL ENVIRONMENT:

- Merchant has customer fax a standard approval form with card data.

- The paper is filed in a locked drawer with limited personnel access. CVV is never stored.

- Merchant retrieves the information and key enters the transaction on a virtual terminal or desktop terminal when they need to rebill the customer.

- Merchant prints receipt and mails or faxes to the client.

TYPICAL REPEAT SALE SET UP FOR RETAIL ENVIRONMENT WITH CENPOS AND CARD IS NOT PRESENT:

- Merchant has customer fax a standard approval form listing the last 4 digits of the card only,  an email field, and with language about opting-in to receiving email from the merchant.

- Merchant gets card data over the phone and directly enters it into the secure virtual terminal using the RESALE button.

- Merchant copies the TOKEN  generated onto the merchant approval form which is then stored, in a locked drawer with limited personnel access.

- Merchant retrieves the token and key enters the transaction details on a virtual terminal or desktop terminal when they need to rebill the customer.

- Merchant uses the automated email function to send the customer a receipt, or prints receipts the old way.

What if the customer is in the store for the first order, but then won’t be there later when you bill more? You’ll swipe the card as usual, using the resale button. The cashier will be prompted for address and other data as if the customer is not present.

The first transaction will process via your retail swipe account. The future card not present transactions will process via your MOTO account, automatically, when you key enter the transaction later. This is a significant competitive product difference from any other solution you may looked at.

1. Merchants will qualify for the best interchange rate for each type of transaction, thereby lowering costs.
2. Merchants will meet the card association requirements for proper presentment to reduce risk of chargebacks from disputes. (Different rules apply about data submitted and signatures on swipe vs moto.)
3. Both transactions will be in a fully PCI Compliant environment, reducing risk of liability from improperly protecting card data.
4. Cashiers are removed from any decision making that can affect your rate qualification in every transaction. The system will automatically prompt for data needed based on transaction parameters.
5. Best of all, no terminal progamming updates! The hosted solution is always current and any terminal connected is simply a slave of the system.

Because they have no meaning by themselves, tokens or aliases are useless to criminals if your customer hard copy files were compromised. Per the PCI DSS standards for your organization, you’ll need to have your workstations scanned that you enter transaction on.

Ideal solution for any B2B companies with corporate customers. Sign up for RSS for more details on this feature. For a demo, call the hotline at the top of this web page.

Related articles: Can you store track data and be PCI Compliant?
Storing CVV codes so you can rebill

Merchants must scan computer systems at various intervals for Payment Card Industry Data Security Standard (PCI DSS), depending on their merchant type and other criteria.

Read our merchant data security sticky web page for further information and links.

PCI Security Standards Council maintains a list of certified scanning companies

Below is a select list of those I’ve had the most positive interaction with over the years.

Comodo CA Ltd
www.comodo.com HackerGuardian PCI Scanning Service

ControlScan
www.controlscan.com PCI 1-2-3

Digital Resources Group
www.drgsf.com DRG SecureScan

McAfee Inc.  McAfee Secure, formerly Hacker Safe (I knew Hacker Safe very well, but have had little experience with McAfee Secure)
www.mcafee.com

Qualys
www.qualys.com QualysGuard

This list does not infer the other companies would be less acceptable to work with, only that I’ve personally not dealt with the company or simply not had enough interaction to remember them. To protect your company from credit card processing fraud and the costly repercussions of it, all companies should have completed a PCI Compliance Certification whether you have standalone terminals or are connected to computers.

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

BASKING RIDGE, N.J. – July 28, 2010 –

The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.

The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year – “a promising” indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company’s prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year’s Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon’s 2009 caseload and data contributed by the Secret Service – which investigates financial crimes – the report covers 900-plus breaches involving more than 900 million compromised records.

“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation.   “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”

Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace.  It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

(NOTE: Additional resources supporting the 2010 data breach report are available, including an audio podcast, video podcast and high-resolution charts and graphs.)

Key Findings of the 2010 Report

This year’s key findings both reinforce prior conclusions and offer new insights. These include:

• Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners.  Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.
• Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
• Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eight-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
• Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including “law enforcement’s effectiveness in capturing criminals.”  The report cited the arrest of Albert Gonzalez, one of the world’s most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

“The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Tippett.  “As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference.”

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization’s size and its chances of suffering a data breach.

“Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size,” Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

• Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.
• Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
• Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.
• Monitor and Filter  Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
• Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
• Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so.  Verizon believes the availability and sharing of information are crucial in the fight against cybercrime.  We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/go/2010databreachreport/.

About the United States Secret Service
Well known for protecting the nation’s leaders, the U.S. Secret Service also is responsible for protecting America’s financial infrastructure.  The Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865.  As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes.   As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE, NASDAQ: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world’s most connected IP networks to deliver award-winning communications, IT, information security and network solutions.  We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees – enabling them to increase productivity and efficiency and help preserve the environment.  Many of the world’s largest businesses and governments – including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions – rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

To clarify the 2010 Debit Pin Entry Device standard merchants are expected to comply with by July 2010, not all merchants will need to change their pinpads. If you deployed a POS PED by December 31, 2007 AND it was on the 2004-2007 Visa PCI lab approved list, you have until December 31, 2014 to replace it.

If you do not meet that requirement, then you’ll need to replace your PED by July 1, 2010 with a unit that meets the new Triple Data Encryption Standard (TDES) standard. Look carefully. There are companies that will sell you units that do not comply with the new standard.

POS- Point Of Sale

PED – Pin Entry Device

POS PED- a device in a merchant location where the customer is present at the time of the transaction.

Pinpad – pin pad- another name for PED

Triple DES- Triple Data Encryption Standard

3DES – same as above

OVERVIEW OF THE 2010 PCI COMPLIANCE RULE FOR DEBIT PIN ENTRY DEVICES:

The new standard is to improve the security of customer debit cards. The technology has been widely implemented over a number of years in ATM’s and such, and merchant pinpads are the last piece to complete.

DEADLINES:

July 1, 2010 If your unit was deployed after 12/31/2007 and it does not have Triple DES encryption, then you need to replace it. Any unit deployed prior to 2004 needs to be replaced.

12/31/2014 If you deployed a POS PED by December 31, 2007 AND  it was on the 2004-2007 Visa PCI lab approved list, then you must replace with a PCI SSC POS PED by this date.

When you deployed your PED is a matter of record with your current service provider. Where is a copy of the 2004-2007 Visa PCI lab approved list? https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=19&documentId=33

HOW DO I VERIFY IF I HAVE A PCI COMPLIANT PED?

The PCI Data Security Standards Council has an updated list for all merchant providers. List of PCI compliant PEDs

WHICH NEW PIN ENTRY DEVICE DO YOU RECOMMEND?

First, make sure the unit has Triple Data Encryption Standard (TDES) certification. Just because someone is selling it, doesn’t mean it’s TDES. The PED must be matched to your terminal and the merchant services provider. You can’t just pick any unit and attach it. A hugely popular unit is the

First Data FD-10 debit pin pad

because First Data is one of the largest payment processors in the country. Many merchant providers utilize the First Data system, therefore can use the unit. Additionally, it works with many different desktop terminals.

If you need to upgrade, now is the time to look at your entire system. Do you need a PED or would you be better off with a signature capture terminal that has an integrated PED? You can get a wireless, desktop or, or even a device that connects to a host based system like CenPOS that provides incredible benefits for organizations processing $1 million per month and up.  Take a look at the Ingenico i6580, a top of the line unit.

ingenico i6580 i6550

In summary, I like units that have in integrated Debit PED over a separate device that attaches. Oh, and this is another area that you have to be very careful reading product description text. Some product technical descriptions say they accept debit cards but they are not referring to accepting pin debit transactions! As if merchants don’t have enough to get confused about.

All debit PED’s must be encrypted. This is done via a process called an injection. There are a limited number of facilities in the USA that can perform the injection. That means you should not wait until the last minute because a lot of other people will.

3D Merchant Services is an authorized reseller for current equipment ONLY for major brands including Verifone, Hypercom, and Ingenico. We also offer Nurit, Way and other brands. Because of our high volume, we have wholesale prices compared to others. We’re independent- you can use our credit card processing or not. We don’t give free equipment- you’ll get a better deal on your processing and your equipment if you keep the transactions separate. Equipment is never really free.

Related article:

Which Verifone pin entry devices are pci compliant?