Posts Tagged ‘PCI compliance’

PCI Compliance scanning

Wednesday, July 28th, 2010

Merchants must have their computer systems scanned at intervals required by the Payment Card Industry Data Security Standard (PCI DSS); how often depends on their merchant type and other criteria.

Read our merchant data security sticky web page for further information and links.

The PCI Security Standards Council maintains a list of certified scanning companies (Approved Scanning Vendors).

Below is a select list of those I’ve had the most positive interaction with over the years.

Comodo CA Ltd
www.comodo.com HackerGuardian PCI Scanning Service

ControlScan
www.controlscan.com PCI 1-2-3

Digital Resources Group
www.drgsf.com DRG SecureScan

McAfee Inc.
www.mcafee.com McAfee Secure, formerly Hacker Safe (I knew Hacker Safe very well, but have had little experience with McAfee Secure)

Qualys
www.qualys.com QualysGuard

This list does not imply that the other companies would be less acceptable to work with, only that I’ve personally not dealt with them or not had enough interaction to remember them. To protect your company from credit card processing fraud and its costly repercussions, every company should complete PCI compliance certification, whether you have standalone terminals or terminals connected to computers.

2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights

Wednesday, July 28th, 2010

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

BASKING RIDGE, N.J. – July 28, 2010 –

The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.

The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year – “a promising” indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company’s prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year’s Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon’s 2009 caseload and data contributed by the Secret Service – which investigates financial crimes – the report covers 900-plus breaches involving more than 900 million compromised records.

“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation.   “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”

Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace.  It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

(NOTE: Additional resources supporting the 2010 data breach report are available, including an audio podcast, video podcast and high-resolution charts and graphs.)

Key Findings of the 2010 Report

This year’s key findings both reinforce prior conclusions and offer new insights. These include:

  • Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners.  Forty-nine percent were caused by insiders, which is an increase over previous report findings, largely due to the expanded dataset and the types of cases studied by the Secret Service.
  • Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
  • Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
  • Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including “law enforcement’s effectiveness in capturing criminals.”  The report cited the arrest of Albert Gonzalez, one of the world’s most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

“The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Tippett.  “As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference.”

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization’s size and its chances of suffering a data breach.

“Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size,” Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

  • Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.
  • Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
  • Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.
  • Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
  • Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
  • Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so.  Verizon believes the availability and sharing of information are crucial in the fight against cybercrime.  We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/go/2010databreachreport/.
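The recommendations above (log privileged use, treat repeated small anomalies as signals, watch outbound traffic, and actually review the logs) are easy to state and rarely done. The script below is an added example, not part of the Verizon report or its VERIS framework: it runs three simple review rules over a handful of constructed log lines in an assumed "timestamp kind key=value" format. The privileged account names, business hours, allowed outbound destinations and size threshold are all assumptions a real deployment would replace with its own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system). Format assumed here:
# ISO timestamp, record kind ("auth" or "net"), then key=value fields.
SAMPLE_LOGS = """\
2010-07-27T09:12:01 auth user=alice result=ok src=10.1.1.20
2010-07-27T09:13:44 auth user=bob result=fail src=10.1.1.31
2010-07-27T09:13:50 auth user=bob result=fail src=10.1.1.31
2010-07-27T09:13:58 auth user=bob result=fail src=10.1.1.31
2010-07-27T09:14:05 auth user=bob result=ok src=10.1.1.31
2010-07-27T14:05:00 net user=alice dst=updates.example.com bytes=2048000
2010-07-27T23:41:10 auth user=dba_admin result=ok src=10.1.1.99
2010-07-27T23:42:30 net user=dba_admin dst=203.0.113.7 bytes=734003200
"""

PRIVILEGED_USERS = {"root", "dba_admin"}      # assumed: accounts whose use must be reviewed
BUSINESS_HOURS = range(8, 19)                  # assumed: 08:00-18:59 local time
ALLOWED_OUTBOUND = {"updates.example.com"}     # assumed: known-good external destinations
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024       # assumed: 100 MiB outbound is worth a look
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Turn 'TS KIND k=v k=v ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0]), "kind": parts[1]}
    except ValueError:
        return None
    for field in parts[2:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def privileged_after_hours(events):
    """Successful logins by privileged accounts outside business hours."""
    return [(e["ts"], e["user"]) for e in events
            if e["kind"] == "auth" and e.get("result") == "ok"
            and e.get("user") in PRIVILEGED_USERS
            and e["ts"].hour not in BUSINESS_HOURS]


def failures_then_success(events, threshold=FAILED_LOGIN_THRESHOLD):
    """A success that directly follows `threshold` or more failures from the same user/src:
    the classic signature of a guessed or stolen credential being tried until it works."""
    streak = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] != "auth":
            continue
        key = (e.get("user"), e.get("src"))
        if e.get("result") == "fail":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                findings.append((e["ts"], e["user"], streak[key]))
            streak[key] = 0
    return findings


def suspicious_outbound(events):
    """Outbound transfers to destinations not on the allow-list, or above the size threshold."""
    findings = []
    for e in events:
        if e["kind"] != "net":
            continue
        size = int(e.get("bytes", 0))
        if e.get("dst") not in ALLOWED_OUTBOUND or size > LARGE_TRANSFER_BYTES:
            findings.append((e["ts"], e.get("user"), e.get("dst"), size))
    return findings


def review(text):
    """Run all three rules and return the findings keyed by rule name."""
    events = parse_logs(text)
    return {
        "privileged_after_hours": privileged_after_hours(events),
        "failures_then_success": failures_then_success(events),
        "suspicious_outbound": suspicious_outbound(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOGS).items():
        print(rule, hits)
```

None of these rules is sophisticated; the point of the report's finding is that the evidence was already in the logs and nobody was looking. A scheduled pass like this, with its findings routed to someone who is expected to act on them, is the "enough people, adequate tools and sufficient processes" the recommendation asks for.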

About the United States Secret Service
Well known for protecting the nation’s leaders, the U.S. Secret Service also is responsible for protecting America’s financial infrastructure.  The Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865.  As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes.   As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE, NASDAQ: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world’s most connected IP networks to deliver award-winning communications, IT, information security and network solutions.  We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees – enabling them to increase productivity and efficiency and help preserve the environment.  Many of the world’s largest businesses and governments – including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions – rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

Point of Sale Pin Entry Device (PED) Triple DES 2010 update

Monday, June 28th, 2010

To clarify the 2010 Debit Pin Entry Device standard merchants are expected to comply with by July 2010, not all merchants will need to change their pinpads. If you deployed a POS PED by December 31, 2007 AND it was on the 2004-2007 Visa PCI lab approved list, you have until December 31, 2014 to replace it.

If you do not meet that requirement, then you’ll need to replace your PED by July 1, 2010 with a unit that meets the new Triple Data Encryption Standard (TDES) standard. Look carefully. There are companies that will sell you units that do not comply with the new standard.

POS – Point Of Sale

PED – Pin Entry Device

POS PED – a device in a merchant location where the customer is present at the time of the transaction.

Pinpad – pin pad – another name for PED

Triple DES – Triple Data Encryption Standard

3DES – same as above

OVERVIEW OF THE 2010 PCI COMPLIANCE RULE FOR DEBIT PIN ENTRY DEVICES:

The new standard is meant to improve the security of customer debit cards. The technology has already been widely implemented over a number of years in ATMs and similar equipment; merchant pinpads are the last piece to complete.

DEADLINES:

July 1, 2010 If your unit was deployed after 12/31/2007 and it does not have Triple DES encryption, then you need to replace it. Any unit deployed prior to 2004 needs to be replaced.

12/31/2014 If you deployed a POS PED by December 31, 2007 AND  it was on the 2004-2007 Visa PCI lab approved list, then you must replace with a PCI SSC POS PED by this date.

When you deployed your PED is a matter of record with your current service provider. Where is a copy of the 2004-2007 Visa PCI lab approved list? https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=19&documentId=33

HOW DO I VERIFY IF I HAVE A PCI COMPLIANT PED?

The PCI Data Security Standards Council has an updated list for all merchant providers. List of PCI compliant PEDs

WHICH NEW PIN ENTRY DEVICE DO YOU RECOMMEND?

First, make sure the unit has Triple Data Encryption Standard (TDES) certification. Just because someone is selling it, doesn’t mean it’s TDES. The PED must be matched to your terminal and the merchant services provider. You can’t just pick any unit and attach it. A hugely popular unit is the First Data FD-10 debit pin pad, because First Data is one of the largest payment processors in the country. Many merchant providers utilize the First Data system and therefore can use the unit. Additionally, it works with many different desktop terminals.

If you need to upgrade, now is the time to look at your entire system. Do you need a PED or would you be better off with a signature capture terminal that has an integrated PED? You can get a wireless or desktop unit, or even a device that connects to a host-based system like CenPOS, which provides incredible benefits for organizations processing $1 million per month and up.  Take a look at the Ingenico i6580, a top of the line unit.


In summary, I like units that have an integrated Debit PED over a separate device that attaches. Oh, and this is another area where you have to be very careful reading product description text. Some product technical descriptions say they accept debit cards, but they are not referring to accepting PIN debit transactions! As if merchants don’t have enough to get confused about.

All debit PEDs must be loaded with encryption keys. This is done via a process called key injection. There are a limited number of facilities in the USA that can perform the injection. That means you should not wait until the last minute, because a lot of other people will.

3D Merchant Services is an authorized reseller for current equipment ONLY for major brands including Verifone, Hypercom, and Ingenico. We also offer Nurit, Way and other brands. Because of our high volume, we have wholesale prices compared to others. We’re independent- you can use our credit card processing or not. We don’t give free equipment- you’ll get a better deal on your processing and your equipment if you keep the transactions separate. Equipment is never really free.

Related article:

Which Verifone pin entry devices are pci compliant?

Non-receipt of PCI Validation fee

Wednesday, June 16th, 2010

Non-receipt of PCI Validation fee for $19.95 showing up on your merchant statements? This is normally from failure to complete your required PCI Compliance paperwork at SecurityMetrics.com. What paperwork? If you’re one of my customers, below is what was sent in the mail from Security Metrics.

PCI compliance validation FAQ (PDF)
Security Metrics Enrollment (PDF)
Payment Processor Letter Security Metrics Overview (PDF)

DISCLAIMER:  Your documents and fees may vary. Newer documents may have been published since these. Please contact your processor for specific information about your PCI Compliance statement fees.

This subject was highlighted in the January 3D Merchant newsletter. First Data created a mandatory PCI Compliance Assistance Service Program in 2009. Since so many merchant processors have First Data relationships, the reach is huge. Security Metrics administers the program, which has a mandatory annual fee and compliance certification requirement. Merchants MUST return the PCI Compliance Validation form in a timely manner. If you do not return the form, or are not PCI Compliant, you’ll be charged $19.95/month. All fees are deducted from your merchant account. I’ve already seen this fee appear on a Sun Trust merchant statement from a non-customer as a non-receipt of PCI Validation so please turn in your paperwork per the instructions.

A few merchants I’ve spoken to said they didn’t receive the letter from Security Metrics but they are getting billed. Unfortunately, this is basically a blind program. We don’t know when letters are sent, and don’t know there is a problem until the non-compliance fee shows up. Merchants should read the ALERT messages that appear on their statements. There is information about upcoming fee changes, and other critical messages.

WHO GETS THE LETTERS?

It’s delivered to the same name and address that merchant statements are sent to. If you have an old name on your merchant statement, update your records.

WHEN ARE THE LETTERS SENT? They are being sent at random until every merchant receives them.

WHAT IF I DON’T HAVE A LETTER, BUT I’M GETTING A MONTHLY Non-receipt of PCI Validation FEE? If you’re one of my customers, you can go straight to SecurityMetrics.com and register. Your company is in the database and you’re automatically billed on your merchant statements.

DO I NEED TO FAX OVER THE ENROLLMENT FORM? No. That is one of the options. I recommend that you simply start with the online form.

DO I NEED TO KNOW ALL THE ANSWERS BEFORE I START ONLINE? No, but I recommend you visit the PCI Security Standards web site first and download the appropriate SAQ (self assessment questionnaire). That way when you go online you can zip through the questions.

WHAT IF I’VE ALREADY BEEN CERTIFIED BY ANOTHER APPROVED VENDOR? You can submit your certification documentation via fax to 402-916-8240 or via email. Contact your processor or sales agent for details.

IS THE MONTHLY FEE PERMANENT? No. The fee is for non-receipt of materials. Once you are proven PCI Compliant, the fee will come off, however, it may not be immediate.

Related articles:

First Data PCI Compliance fee

First Data Merchants Attain Record PCI Compliance

Collecting political campaign contributions online

Thursday, June 3rd, 2010

Merchant services for political campaigns tend to cost more than for retail merchants. Why? The main reason is their lack of knowledge about the subject. Other reasons include how payment is collected, the types of cards presented, and the credit card processing price plans they are on. Below I’ll address each issue in brief.

First, their lack of knowledge makes it easier for other companies to charge them more money. Think used car salesmen 25 years ago. Small campaign races will generally pay more than big races because there is little to process. This is simply an ROI issue, just as with small businesses. But what about the bigger campaigns?

How do politicians collect money for campaign contributions? The most popular are checks in the mail, donor cards collected at speaking events (check or credit card which is key entered later), and online donations. The donor card exposes the politician to substantial risk. Where are the cards stored while traveling from one event to the next? Who opens the mail? Who keypunches the data? What kind of training have they had in protecting card data? Do you perform background checks on volunteers who see donor cards?

  • Reduce risk by keypunching data into a virtual terminal on site.
  • Reduce risk and cost by attaching a card reader to a computer. You’ll save about 0.5% by swiping vs key entering.
  • Always securely shred card data upon completion of transaction. With a well-developed donor form, you can detach or cut off the credit card data while still keeping critical information on the form such as payment amount. Record the authorization number and date processed on the form for your records.

Costs are affected by the type of card presented for payment. You can’t control this. But you also need to know the merchant services game because this is a big gotcha. In my experience, the card type can relate to the type of race; the bigger dollar donors use rewards or corporate cards. Campaigns targeting smaller donations attract a high proportion of debit cards, up to 50%. Here’s the big catch on merchant agreements: the QUALIFIED RATE. Chances are 80% of cards presented will never hit the qualified rate. So what’s your non-qualified rate? What’s your best rate for corporate cards for a MOTO merchant account? (Interchange is 2.2% plus $.10 per transaction.)

Common Visa interchange rates for reference: RETAIL = swiped card. MOTO = mail order or phone order. Ecommerce rates are the same, but account set up and rules are different. Below is a very small list of the 500 or so possible rates we see every day on merchant accounts.

  • debit/check card, swipe .95% plus $.20 per transaction
  • debit/check card, MOTO 1.53% plus $.10 per transaction
  • credit card, swipe 1.79% plus $.10 per transaction
  • rewards card, MOTO 1.95% plus $.10 per transaction
  • Commercial card MOTO 2.2% plus $.10 per transaction

Downgrade costs can be nearly 1%, and remember, these are interchange costs. Your fees will be higher.

Credit card processing price plans vary widely for this industry, but in general, are much higher than others. That’s not because the raw costs are higher, it’s because the payment processors take bigger profits. Remember what I said about the used car salesman. Credit card processing is not the core skill of the average politician and it may not be for the finance manager either. One of the most valuable assets of a politician is their time. Therefore they tend to copy what others in their party are doing, or simply look for the easiest solution that solves many of their time issues.

Ecommerce solutions for politicians are plentiful as they are for non-profits. I have no problem with payment processing costs being higher than average if you get a robust software package at no cost. Companies have to recoup their investment somewhere. But what if you pay for the software and the payment processing?

Let’s look a little deeper into an example such as Click & Pledge. It has lots of cool features to manage donors and build an online community. They also have an integrated payment processing solution option. I had to read several sections a few times, and based on what I read, I’m still not sure. Can you use their other features but not the payment processing? They have an API section which looks like a yes, but the non-existent comments in the forum make me wonder.

Their rates are among the highest I’ve seen at 4.5% and $.35 per transaction. But wait, that’s not for all cards. “Visa & MasterCard may add additional fees for affinity and cards which earn points. These cards are referred to as non-qualified cards and typically have 1% surcharge associated with them. The fees are not being charged by Click & Pledge and we have no control over which cards will be charged as a non-qualified card.”  So merchants can expect to pay up to 5.5%. Basically they’ve locked in at least 2% profit (also known as 200 basis points) by my estimation, and that’s very high in today’s marketplace.

Two percent is about double the norm for a small business from what I’ve seen, although that market is not my specialty. Maybe solutions like this are still a good fit for your campaign. But before you buy, ask if you’re allowed to use your own merchant account. In most cases you’ll do far better on price and there are other benefits as well. For example, if I were managing your account, I’d make sure you had the right type of merchant accounts for different situations to meet Visa and MasterCard regulations. You’ll get advice and handouts for volunteers on proper data security. We can assist with your check processing, including remote deposit capture. We can assist with payment type and provide risk management advice to help protect you against embarrassing data security breaches.

Keep more money from your online donations. Get a merchant account separate from your software or web host.

3D Merchant newsletters

Wednesday, June 2nd, 2010

Merchant Account and Payment Processing Newsletters, events, and marketing collateral. 3D Merchant shares insights with you. Not all newsletters are posted for public viewing.

3D Merchant news ISSUE 5, 2010: Red Flags Rule, American Express merchant fees, Identity theft risk. (PDF download 2.8 mb)

3D Merchant news ISSUE 4, 2010: PCI DSS Compliance, Tokenization & recurring billing, Preventing Credit Card Fraud. (PDF download 2.8 mb)

3D Merchant news ISSUE 3, 2010: May Madness follows April price increases, Data Security- PCI Compliance, Internal Fraud Prevention, PCI Compliance fees. (PDF download 2 mb)

First Data Extends Payment Card Security to Merchants

Monday, May 31st, 2010

TransArmor℠ Solution Piloted by Spectrum of Brick-and-Mortar and Card-Not-Present Retailers; First Commercial Transaction Tokenized on STAR® Network

RSA CONFERENCE 2010, SAN FRANCISCO – March 1, 2010 – First Data Corporation, a global leader in electronic commerce and payment processing, today announced the expansion of a merchant pilot of the First Data® TransArmor℠ solution. More than 400 U.S. merchants of all sizes will assess the comprehensive data security solution over the next four months. The TransArmor solution (previously called First Data® Secure Transaction Management℠) was developed in close partnership with EMC Corporation (NYSE: EMC).

The TransArmor secure payments service is designed with the needs of merchants in mind, and it has the opportunity to fundamentally change the way merchants secure and manage cardholder data. The TransArmor solution addresses the root cause of merchant data security issues by removing payment card data from the merchant environment as part of processing the transaction, significantly reducing risk and the scope of PCI compliance efforts.

Deploys RSA SafeProxy Architecture
The solution leverages the RSA SafeProxy™ architecture, a powerful combination of asymmetric encryption, tokenization and key management engineered to provide the benefit of end-to-end protection and eliminate on-site cardholder data storage for merchants. Unique features of the token make it possible for merchants to continue to handle key business functions such as returns, recurring billing, loyalty programs and other analysis, without enabling card data to be used for fraudulent transactions.
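To make the tokenization idea in the paragraph above concrete, here is an added illustration that is not First Data's or RSA's code and does not reproduce the SafeProxy design: a toy processor-side vault hands the merchant a random token in place of the card number (PAN), and the merchant's records never hold a PAN at all. The token format (same length as the PAN, last four digits kept for receipts and analysis, random elsewhere, and deliberately failing the Luhn check so it can never be mistaken for a real card number) and the in-memory dictionary standing in for the processor's encrypted key-managed store are this example's own assumptions.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed: a well-known Luhn-valid test number, not a real card


def luhn_valid(digits):
    """Luhn checksum: real PANs pass it; tokens here are chosen so they never do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Processor side: the only place a PAN exists. The dict below is an assumed
    stand-in for the encrypted, key-managed store a real processor would use."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:           # same card -> same token, so the merchant
            return self._token_by_pan[pan]      # can recognise repeat customers without the PAN
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep last four for receipts / customer service
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def _lookup(self, token):
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")     # a stolen token is useless anywhere else
        return pan

    def charge(self, token, cents):
        pan = self._lookup(token)
        return {"approved": True, "last4": pan[-4:], "amount": cents}

    def refund(self, token, cents):
        pan = self._lookup(token)
        return {"approved": True, "last4": pan[-4:], "amount": -cents}


class Merchant:
    """Merchant side: stores tokens only, yet can still do returns and recurring billing."""

    def __init__(self, vault):
        self.vault = vault
        self.orders = {}

    def sale(self, order_id, pan, cents):
        token = self.vault.tokenize(pan)        # the PAN is exchanged for a token immediately
        self.orders[order_id] = {"token": token, "last4": token[-4:], "amount": cents}
        self.vault.charge(token, cents)
        return self.orders[order_id]

    def refund(self, order_id, cents):
        return self.vault.refund(self.orders[order_id]["token"], cents)

    def rebill(self, order_id, cents):
        """Recurring billing: charge the stored token again, never the card number."""
        return self.vault.charge(self.orders[order_id]["token"], cents)

    def stored_pans(self):
        """Anything in merchant records that looks like a real card number. Always empty."""
        return [o["token"] for o in self.orders.values() if luhn_valid(o["token"])]


if __name__ == "__main__":
    vault = ProcessorVault()
    shop = Merchant(vault)
    order = shop.sale("order-1", TEST_PAN, 1999)
    print("merchant holds:", order)
    print("refund:", shop.refund("order-1", 500))
    print("PANs in merchant records:", shop.stored_pans())
```

The scope-reduction argument in the press release follows directly: a merchant database of tokens, if stolen, yields nothing that can be used to make a payment elsewhere, and the only system that can turn a token back into a card number is the processor's vault, where the key material lives.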

On Feb. 26, 2010, the TransArmor solution tokenized the very first commercial transaction over the STAR® Network at the Center of Science & Industry (COSI) in Columbus, Ohio. A First Data company, STAR is one of the nation’s leading electronic funds transfer (EFT) networks with more than two million retail and ATM locations.

As an early participant in the TransArmor pilot, COSI is already experiencing the benefits of the solution. “Like most consumers today, several of our customers had concerns about the safety of their credit and debit card data while visiting our center. TransArmor gives us peace of mind that their payment card data is locked in a virtual vault at First Data and nowhere on site at COSI,” said Brad Morgan, senior IT operations manager at COSI.

Works with Existing Merchant Hardware
Unlike some solutions in the marketplace, the TransArmor solution can be implemented without the need for new hardware or back-end IT operations. The solution works with First Data as well as other terminals or point-of-sale systems and can be consistently applied across brick-and-click environments.

“The response from merchants interested in participating in this trial has been enormous and a testament to the sought-after service TransArmor delivers,” said Craig Tieken, vice president of Merchant Product Management at First Data. “Up until now, there have been few easy and cost-effective solutions to the growing problem of managing the risks of handling sensitive payment card data. TransArmor represents a fundamental change in how merchants can confidently protect and manage cardholder data.”

The consequences of a merchant data compromise in legal, financial, consumer confidence and brand loyalty terms can be overwhelming. According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204. With the TransArmor solution, customer card information is retained only at the processor and protects merchants from the dangers of malicious attacks designed to steal payment card data in transit or in storage from merchant databases.

“Implementing effective data security can’t mean more complexity for businesses,” said Brian Fitzgerald, vice president, Marketing, RSA, The Security Division of EMC. “TransArmor successfully embeds industry-leading security technology into the payment processing infrastructure to make it available to, and more importantly, usable by, merchants of all sizes. TransArmor is an example of the type of partnerships required from industry leaders that will reduce the reliance on point solutions and enable an industry ecosystem with pervasive built-in security.”

Teams from RSA and EMC Consulting worked collaboratively with First Data through product strategy development and technology proof of concept for a successful pilot and product launch.

About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries.

PCI Compliance for CenPOS customers

Wednesday, February 24th, 2010

Did you receive a letter from Security Metrics regarding PCI Compliance? Please follow the steps as appropriate for your business type.

PCI Security Standards Council: the granddaddy of everything you need to know for compliance, including form templates.

- Read The PCI DSS New Self-Assessment Questionnaire (SAQ) Summary

- Determine which SAQ validation you need to complete

- If needed, see page 12 in the link to submit the CenPOS MasterCard PCI Certification

Complete the appropriate paperwork.

Merchant Account Security Links

Which level merchant am I?