Posts Tagged ‘PCI compliance’

Shift4 Releases Payment Data Security Strategy Podcast to Simplify PCI

Tuesday, December 23rd, 2008

Las Vegas, Nevada (December 17, 2008) – Shift4 Corporation, a supplier of secure payment processing services, today announced the availability of a podcast titled, “Trying to Protect Payment Data When You Can’t Even Find It All.”

The objective of the podcast was to generate a meaningful conversation between two leading payment card authorities: David Taylor, founder of the PCI Knowledge Base and former security analyst with Gartner, and J.D. Oder, Founder and Chief Technology Officer, Shift4 Corporation.

The podcast discusses Card Information Replacement Technologies℠ (CIRT) and how retailers can effectively evaluate alternative payment security solutions. “The goal is that if they don’t have it (payment data) then it can’t be stolen. I think the key here is to look at this as a very, very corporate-wide systemic approach and look at all of the data that you’re storing including payment data,” said J.D. Oder, CTO, Shift4, in the podcast.

The podcast also discusses how an Information Technology department can regain control of their most sensitive data. As David Taylor stated, “The less storage you put in the hands of individual employees, the less likely they are to be able to put data in a whole bunch of places, whether that’s USB sticks or on their PCs or in their email messages that are sitting on their servers. What we really need to do is look at how we reduce the volume of data that is all over the place. Finding and purging it is a necessary thing.”

“Shift4’s podcast produced in partnership with StorefrontBacktalk reflects our commitment to helping merchants learn how they can simplify PCI and achieve Real Security for their payment systems. CIRT, such as Tokenization and Shift4’s PABP compliant 4Go SafeSwipe™, are complementary to the objectives of the PCI DSS. If implemented properly, these solutions relieve merchants from the burden of storing, processing and transmitting cardholder data. In most cases it is not necessary for merchants to replace their legacy systems in order to utilize Shift4’s Technologies. In this economic climate, Real Security and direct cost savings are equally important to our customers,” said Randy Carr, Vice President of Marketing, Shift4 Corporation.
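
The two ideas in the quotes above, first find the card data that has spread across systems and then stop holding it at all by replacing it with a token, can be shown end to end in a few lines. The Python below is an added example, not Shift4's code and not an implementation of 4Go or any vendor's tokenization product. The record format, the in-memory `TokenVault` class and the sample records are constructed for the demo; the card numbers in them are the publicly documented Visa and Mastercard test PANs, and `1234567890123456` is a 16-digit value that fails the Luhn check and stands in for a tracking number.

```python
import re
import secrets

# Constructed sample records for this example (not real customer data).
SAMPLE_RECORDS = [
    "order=1001 card=4111111111111111 amount=42.00",
    "order=1002 note='cust read 5555 5555 5555 4444 over phone' amount=9.99",
    "order=1003 tracking=1234567890123456 amount=15.00",
    "order=1004 card=4111-1111-1111-1111 amount=7.50",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Yield ((start, end), normalized_pan) for each Luhn-valid candidate in text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield m.span(), digits


class TokenVault:
    """Hypothetical in-memory vault: the only component that ever holds a PAN.
    In a real deployment this is a separate, PCI-scoped service."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so repeat customers still correlate in reports.
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(8)   # random; not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def scrub(records, vault):
    """Replace every PAN in records with a vault token plus the last four digits.
    Returns the scrubbed records and a findings list for the audit trail."""
    scrubbed, findings = [], []
    for idx, rec in enumerate(records):
        out, cursor = [], 0
        for (start, end), pan in find_pans(rec):
            token = vault.tokenize(pan)
            out.append(rec[cursor:start])
            out.append(f"{token}[...{pan[-4:]}]")
            cursor = end
            findings.append({"record": idx, "last4": pan[-4:], "token": token})
        out.append(rec[cursor:])
        scrubbed.append("".join(out))
    return scrubbed, findings


def contains_pan(records) -> bool:
    """Post-scrub check: does any record still contain a Luhn-valid PAN?"""
    return any(list(find_pans(rec)) for rec in records)


if __name__ == "__main__":
    vault = TokenVault()
    cleaned, report = scrub(SAMPLE_RECORDS, vault)
    for line in cleaned:
        print(line)
    print("PAN still present:", contains_pan(cleaned))
    for f in report:
        print(f)
```

The regex only nominates candidates; the Luhn check rejects most other long digit strings, such as the tracking number, so a scan of logs, spreadsheets and mailboxes produces usable findings rather than a flood of noise. After the scrub the application side keeps only tokens and last-four digits, which is the "if they don't have it, it can't be stolen" property the podcast describes; anything that still needs the real number has to go through the vault, which is where the PCI scope now lives.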

About Shift4 Corporation

Shift4, a leading developer of secure financial transaction processing software and services, provides web-based, real-time enterprise payment solutions for leaders in the hospitality, retail, foodservices, auto rental and e-commerce markets. Through connectivity to most major processors, DOLLARS ON THE NET provides both high speed and low cost authorizations and settlements for credit, debit, check, private label and gift card transactions. DOLLARS ON THE NET also includes the ability to access, review and edit transactions prior to settlement, as well as a searchable, 24-month archive of transactions for reporting and chargeback defense. For more information, contact John Mann, Vice President of Sales, (702) 597-2480 ext. 43200 or jmann@shift4.com, or visit www.shift4.com.

Media Contacts

Randy Carr
Vice President of Marketing
Shift4 Corporation
702-597-2480 ext. 43300
randy@shift4.com

VoIP for credit card processing voids PCI Compliance

Sunday, December 21st, 2008

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. Traditional phone = analog. Traditional lines carry the data over physical hardware, i.e. the copper line. When using a 2008-compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back using analog signals.

VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone that has access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant setup is no longer PCI Compliant. Even though there are optional packages that can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card swipe to your computer, the transaction is processed using SSL security. It is not the same as VoIP. SSL uses a cryptographic system. It has two keys to encrypt data: a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through the critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data; it all depends on company capabilities.

I’m not a tech expert, but in general the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.

What is PCI Compliance?

Tuesday, December 9th, 2008

PCI is an acronym for Payment Card Industry. PCI Compliance is simply meeting the standards of the Payment Card Industry. Visit our sticky page, PCI Compliance links. The terminology you probably really need to know is PCI DSS Compliance.

PCI DSS is a set of comprehensive requirements for enhancing payment account data security created to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

You can get current information about PCI DSS on the PCI Security Standards Council web site.

If every business met all these standards, the problem with data security losses would be minimized and we wouldn’t see the headlines we do today.