Test and fix TLS 1.0 to TLS v1.2 for merchant non-compliance notice

To keep your data safe, the Payment Card Industry Security Standards Council (PCI SSC) has mandated a security upgrade impacting all merchants where web browsers can be used in the payment process. Acquirers and payment gateways have set various deadlines in advance of the required PCI TLS v1.2 Security Protocol Upgrade by  2018. Either hardware may need to be replaced or software updated.

Recently, multiple vulnerabilities have been uncovered. Criminals are using the vulnerabilities at massive levels over prior years. Security company Zscaler blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. That’s why all merchants need to upgrade to the most current version of TLS (Version 1.2) and should do so as soon as possible. Because this is an absolute necessity, merchants are getting emails about hard stop dates; if not fixed, merchants will not be able to process transactions after the deadline.

TLS Deadlines vary by acquirer and payment gateway.

  • Chase Paymentech, September 30, 2017.
  • Authorize.Net, February 28, 2018.
  • CenPOS, January 15th, 2018.
  • First Data varies by solution. Datawire will remove SSL v3, TLS v1.0, and TLS v1.1 on February 15th 2018.

TLS 1.0 and TLS 1.1 need to be disabled from browsers, servers and related applications. SSL 3.0 should have been disabled years ago.

Do not rely on server host companies or consultants to do this for you. It’s up to merchants to maintain PCI Compliance. If you get a notice of non-compliance from your acquirer and use a virtual terminal, test your browser below.

FREE Test SSL/TLS for Browser and Servers and updating TLS for card not present transactions:

Free SSL and TLS test from Qualys. https://www.ssllabs.com/ssltest/index.html.  If you get a YES next to TLS 1.0, SSL 3, or SSL 2, then hardening is needed.

Try updating your browser and then run the test again. If the browser is current, go to your web browser settings or preferences and disable SSL and TLS 1.0. Run the same test on your web site. If you get a yes, go to your host administration and disable in security settings.

What is TLS Security Protocol?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are both frequently referred to as “SSL”. When you go to a web page and the URL is “https”, the S stands for secure, and the domain host has a security certificate installed and enabled on the web host. Websites use TLS to secure all communications between their servers and web browsers. For example, when a merchant logs into a virtual terminal using a web browser, or a customer makes a payment online via a hosted pay page or ecommerce shopping cart.

 

Christine Speedy, CenPOS authorized reseller, 954-942-0483. B2B cloud payments solutions and CenPOS enterprise cloud payment solutions expert. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

CenPOS Launches PCI-Validated P2P Encryption

Florida-Based Payment Solutions Company, CenPOS, Strives to Make Customer Experience More Secure with Launch of PCI-Validated P2P Encryption.

Data breaches are on the rise and they are costing both consumers and merchants money.

The 2017 Identity Fraud Study, released by Javelin Strategy & Research, found that $16 billion was stolen from 15.4 million U.S. consumers in 2016.

When the consumer data that makes such fraudulent activity possible comes from the merchant’s database, then the merchant can also incur some major damages. In fact, the 2017 Cost of Data Breach Study: United States, found that the total average organizational cost of a data breach has reached a new high at $7.35 million.

CenPOS aims to reduce the vulnerability of sensitive consumer data — that could be used to drain debit card-linked bank accounts, make “clone” credit cards, or buy items on certain less-secure online sites — to hackers with the release of its Validated P2PE solution.

Officially released on July 7th of this year, CenPOS Validated P2PE encrypts cardholder data so businesses can simplify compliance with Payment Card Industry Data Security Standards (PCI DSS) and consumers can stop worrying about data being stolen between “the store” and the bank.

Surprisingly, Validated P2PE is not new technology. It’s the strongest level of data encryption in the market right now and is offered by other merchant payment services companies. However, CenPOS is the first and only company with the Qualified Integrator & Reseller (QIR) designation to offer a Validated P2PE solution.

The QIR designation is awarded by the Payment Card Industry Security Standards Council, a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.

According to their standards, “the quality, reliability, and consistency of a QIR Company’s work” should provide confidence that the merchant’s payment application has been implemented in a manner that supports PCI DSS compliance.

Chris Justice, CEO of CenPOS, is quoted saying: “We believe that loyalty is built on trust and that trust is built by delivering great customer experience over and over again. So, when consumers can have greater peace of mind because they know that the merchant has the proper data security in place to reduce exposure to painful events, like data breaches, we believe customer experience is enhanced and that consumer will choose that merchant over others who are less diligent.”

CenPOS Validated P2PE launched on Friday, July 7, 2017. To learn more, visit https://cenpos.com/solutions/data-security
More facts and further information about CenPOS, can be discovered at https://www.cenpos.com/

About CenPOS
CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. | CenPOS | @CenPOS

###

Christine Speedy, 3D Merchant Services, is an authorized CenPOS Reseller. There is no middleman; all solutions offered are direct CenPOS agreements with CenPOS direct billing.

CenPOS Announces its Relationship Renewal with Verifone and the MX Line

CenPOS renews their relationship with Verifone and MX link by purchasing 5,000 Verifone MX 915 devices.

Integrated payment services and gateway provider, CenPOS, purchased 5,000 Verifone MX 915 devices and is deploying point-to-point encryption and advanced data security to auto dealers of all sizes, higher-education, law firms, insurance, manufacturing and distribution.

CenPOS SECURE is a suite of solutions designed to remove sensitive cardholder data from software applications like the merchant’s primary ERP, POS, PMS, DMS, etc. The suite consists of point-to-point encryption, tokenization and encrypted virtual PIN Pads that protect software systems by securing data in-flight and at rest.

When using CenPOS SECURE, merchants can reduce the time requirement and scope of their PCI DSS assessments. The Verifone MX line of products encrypts data at the point of interaction and facilitates a robust shopping experience for the consumer that includes secure PIN entry and signature capture.

“Merchants have enjoyed the CenPOS omni-channel shopping experience and the security that comes from it for the last 8 years. Verifone’s platform was the right choice for CenPOS. Their team of professionals have worked well with CenPOS to incorporate the next level of data security into the solution,” said Christopher Justice, CEO of CenPOS. “We’re pleased with the collaboration and diligence of the technology teams to launch these advancements.”

The Verifone MX line of products provides solid capabilities at the point-of-sale. Its design and attractive styling deliver a comfortable checkout experience while the state-of-the art technology provides added security.

“As a global payments and commerce solutions provider, Verifone’s goal is to create a world-class platform capable of supporting the ingenuity that’s constantly shaping the future of commerce. In a shared effort with CenPOS, we work to bring the highest level of security to transactions,” said Joe Mach, President, Verifone North America.

CenPOS Secure protects card present, eCommerce, mobile, mail order/phone order, and portable device transactions at the point of interaction with multiple layers of security. Integrated into the merchant’s software applications, no sensitive data is ever processed nor stored by those applications eliminating them from the scope of PCI DSS.

To better understand how CenPOS SECURE can help your business, call 877-630-7960 Or visit our website.

About CenPOS:
CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.
| CenPOS | @CenPOS

About Verifone:
Verifone is transforming everyday transactions into opportunities for connected commerce. We’re connecting payment devices to the cloud—merging the online and in-store shopping experience and creating the next generation of digital engagement between merchants and consumers. We are built on a 35-year history of uncompromised security with approximately 30 million devices and terminals deployed worldwide. Our people are trusted experts that work with our clients and partners, helping to solve their most complex payments challenges. We have clients and partners in more than 150 countries, including the world’s best-known retail brands, financial institutions and payment providers.
Verifone.com | @verifone

###

Blog author Christine Speedy, CenPOS global sales and integrated solutions, can be reached at 954-942-0483.

PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE

Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard —
WAKEFIELD, Mass., 9 December 2016 — Incorrectly identifying where and how payment data is at risk in an organization’s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

“For years, we have preached the need to simplify and minimize the footprint of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “One way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.”

While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it’s critical that organizations understand and implement segmentation properly.

The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. “Knowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.”

Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. It also provides a method for facilitating effective scoping discussions between entities and is useful for:

  • • Merchants, acquirers, issuers, service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;
    • Assessors responsible for performing PCI DSS assessments;
    • Acquirers evaluating merchants’ or service providers’ PCI DSS compliance documentation;
    • PCI Forensic Investigators (PFI) responsible for determining PCI DSS scope as part of an investigation.

It is important to note each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.

About the PCI Security Standards Council
The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.

Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?credit card authorization form pci compliant

Credit Card Authorization Forms and PCI Compliance Rules

  • Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
  • No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:
Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.