CenPOS Completes EMV Certification


Miami, FL (PRWEB) January 5, 2015 CenPOS announced today that it has successfully completed its EMV (Europay, MasterCard & Visa) certification with Visa, American Express, Discover and MasterCard. The Card Association announced in August 2011 its EMV migration plan for the US as well as the benefits of EMV compliance, including a liability shift for merchants. Under the current migration plan, merchants processing 75 percent or more of their transactions captured by EMV terminals will be relieved 100 percent from Account Data Compromise compliance. Merchants that do not migrate to EMV and/or are utilizing providers that are not EMV certified will assume 100 percent of the POS fraud liability and retain 100 percent of the PCI burden and related costs.
Currently, POS fraud in the US is estimated in the billions of dollars annually. CenPOS provides merchants with a unified payment platform, a single solution for businesses regardless of the industry type: Retail, Mail Order, eCommerce with VbyV, Mobility, Recurring Billing and Electronic Bill Presentment and Payment. CenPOS also offers additional services at no additional cost to merchants such as Point-to-Point encryption, tokenization, electronic signature capture and BIN management. As a single point provider the platform drives a myriad of payment types like PayPal, ACH, Remote Deposit Capture, Gift cards, Cash, and the typical debit, credit card transactions.
“We are very pleased to have completed this very important certification well ahead of schedule and ahead of most of the other providers. Our merchants now have a sigh of relief in knowing that they will be EMV ready by the current mandated date of October 1st 2015”, remarked Jorge Fernandez, Co-Founder and Chairman of CenPOS. “Under the current Card Association mandates the weakest link in the payment ecosystem will bear 100 percent of the POS fraud liability, which is currently assumed by the card issuing banks. CenPOS merchants can now be early adopters of EMV and avoid the risk of being ‘late to the game’ and possibly not meeting the current deadline,” added Fernandez.
About CenPOS: CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. For additional information please call 877.630.7960.
### For global sales, integrations and more information, contact Christine Speedy, 954-942-0483, 8-6 ET.

You completed PCI Rapid Comply, what’s next?


Screenshot of PCI Rapid Comply by First Data home page

You’ve completed the online forms at PCI Rapid Comply, what’s next? By now you already know that PCI is not a quarterly or annual event.

First, if you received notice of noncompliance, print the web page shown above and send it to your merchant processor relationship manager to stop recurring non-compliance fees, if applicable.

Next, go to MY DOCUMENTS and download everything. These are starter documents to help you with compliance, but you’ll need to modify and add some information.

For example, on the incident response form, you’ll need to add the responsible names and contact information.

The security policy should be reviewed and disseminated to all employees that touch payments, and are involved in network security. I recommend HR manage the confirmed receipt as part of employee performance reviews. You may want to create a test to validate employee understanding, and record the date and time of completion to prove compliance.

  • The Risk Management Guide has a number of blanks to fill in. If you have retail transactions, you’ll need to create a monitoring and inspection program, which includes serial numbers and locations of all equipment.
  • Enter network administrator and payment administration on the access control guide. If you’re a CenPOS user, most of this requirement is managed with CenPOS Roles & user management.
  • Maintaining and monitoring your program is a critical component of PCI 3.0. If you don’t currently have a compliance officer, create accountability by assigning someone to ensure monitoring is completed on schedule.

About PCI Rapid Comply: PCI Rapid Comply is a First Data service available to all their merchants. First Data merchants can use this or a third party service of their choice.

About 3D Merchant Services author Christine Speedy: Offers payment gateway and cloud solutions to reduce scope and PCI Compliance burden. No new merchant account is required, however merchant services are available upon request. PCI Rapid Comply is available to merchant clients on select processor platforms, at no additional fee.



October 30, 2014. In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions. Best Practices for Implementing a Security Awareness Program v1.0, 25 pg PDF, recommended for IT and PCI compliance leaders.

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents.

The free guidance will help merchants establish security standards in their business.


PCI DSS version 3.0 : January 2015 Deadline Looms


Merchants who submit annual SAQs can continue to validate compliance with 2.0 SAQs until January 1, 2015. If a merchant’s annual validation occurs in December, they’re not mandated to validate with version 3.0 until December 2015.

Are you ready? Every merchant is impacted by the updates, which are considerable. The PCI DSS Quick Reference Guide is 40 pages, so there will be no attempt to duplicate it here. Here are some issues merchants most likely need to address:

  1. Maintain an inventory of system components that are in scope for PCI DSS and also further, protect devices from tampering. Merchants have to identify all software, hardware, networks, what it’s used for, why it’s needed. This is a difficult task for larger retail operations where equipment is regularly moved and replaced. To comply, there must be a plan to regularly inspect equipment with serial number verification.
  2. Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties. Even if in place, rarely is the case where every employee is fully informed. Adding a component to HR employee reviews is the simplest way to initiate a system.
  3. Render PAN unreadable anywhere it is stored: the card number must be unreadable per Requirement 3.4.
  4. The CAV2/CVC2/CVV2/CID can never ever be stored. OK, this one is old, but it’s still abused, so it’s being repeated again. It’s NOT OK to store it ‘for a while’.
  5. Control physical access for on-site personnel; access authorized and based on individual job function and revoked immediately upon termination. The vast majority of companies have little control over employee access by job function. Their equipment or software simply has too many limitations. Merchants need to micro-manage what employees can do, and document each employee’s interaction (who processed what transaction, etc.).
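
Items 3 and 4 above are the two storage rules that are easiest to check in code. The following is an added example, not code from this page, from CenPOS or from First Data: a small Python sanitizer that a merchant’s own system could run on a transaction record before anything is written to a database. It drops every sensitive-authentication field (CVV2 and friends, Requirement 3.2), replaces the clear PAN with a keyed one-way hash for lookups (one of the methods Requirement 3.4 allows), and produces a separately masked display form (first six and last four, Requirement 3.3). The key, field names and sample record are constructed for the example; a real deployment takes the key from a key-management system, and PCI DSS notes that a truncated and a hashed form of the same PAN must not sit together without extra controls, which is why only the keyed reference is stored here.

```python
import hashlib
import hmac
import re

# Constructed demo key for this example only; a real deployment takes the key
# from a key-management system, never from source code.
DEMO_HMAC_KEY = b"constructed-demo-key-do-not-use"

# Sensitive authentication data that PCI DSS Requirement 3.2 says must never be
# stored after authorization, encrypted or not. Field names are assumed.
SENSITIVE_AUTH_FIELDS = frozenset(
    {"cvv", "cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}
)


def luhn_ok(pan: str) -> bool:
    """Luhn check so that obviously malformed input is rejected before hashing."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and screens (Requirement 3.3): at most the
    first six and last four digits are visible, the rest is masked."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash of the whole PAN, usable as a lookup reference.
    The key must live outside the data store; an unkeyed hash of the small
    card-number space can simply be precomputed and matched."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes = DEMO_HMAC_KEY) -> dict:
    """Return a copy of a raw transaction record that is safe to persist:
    - every sensitive-authentication field is dropped (3.2),
    - the clear PAN is replaced by the keyed reference (3.4),
    - everything else (amount, expiry, operator id for the audit trail) is kept."""
    pan = str(record["pan"]).replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    out = {
        k: v
        for k, v in record.items()
        if k.lower() not in SENSITIVE_AUTH_FIELDS and k.lower() != "pan"
    }
    out["pan_ref"] = pan_reference(pan, key)
    return out


# Constructed sample record, shaped like what a terminal or web form might submit.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cvv2": "123",
    "expiry": "12/27",
    "amount": "42.00",
    "operator": "clerk-17",   # who processed the transaction, per item 5 above
}

if __name__ == "__main__":
    stored = sanitize_for_storage(SAMPLE_RECORD)
    print("stored:", stored)
    print("display:", mask_pan(SAMPLE_RECORD["pan"].replace(" ", "")))
```

Run it against any record that carries a `pan` key; if a CVV-like field ever turns up in the stored output, the sanitizer is being bypassed somewhere upstream, which is exactly the kind of gap the ERP article further down describes.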

Goals of the PCI Data Security Standard
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI is an ongoing 3-step process
  • Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  • Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
  • Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.

ERP Alert: 3 Reasons Merchants Fail PCI Compliance


I’ve identified a significant reason why business-to-business merchants using ERPs will fail a PCI Compliance stress test. Whether you’re a consultant engaged to implement or extend an ERP, or you’re responsible for your company’s PCI Compliance, chances are even a non-hacker like me can find vulnerabilities in your security. Why? The Payment Card Industry (PCI) Data Security Standard is the foundation of any security plan, but ‘real world’ and ‘written policies’ are not always aligned, leaving businesses wide open to a potential data breach.

Regardless of security efforts, it’s impossible to overcome product limitations or inefficiencies that result in employees using alternative ‘non-PCI-compliant’ procedures for accounts receivable. Ah, but you say someone should have known and planned better. That may be true, but there is also sometimes a disconnect between internal policies, software selection, and perceived practical necessities to conduct business efficiently. Case in point: I’ve called on many companies that forbid storing card data anywhere (per CTO and/or CFO policy); however, departments have a number of practical processes that violate the policy, ‘in order to comply with other departmental requirements’. If all parties fully understand the requirements for security and business needs, there’s always a PCI Compliant solution.

What are 3 top ERP related PCI failures?

  1. Need for written approval to store card data and use for variable recurring billing. This is frequently on a credit card authorization form the merchant desires to keep on file.
  2. Business does not use the merchant services portion of the accounts receivable module due to an ERP-specific processor partner requirement (price, banking relationship interference or another reason given not to implement).
  3. Personnel collecting credit cards do not have access to the system to store credit card data (problem with user access, financial control, or personnel restriction limitations; inefficient to use in sales process)

Surprised? It’s not the ERP specifically that is cited as the cause of failure; it’s unmet needs for procedures and flexibility that cause employees to bypass established security procedures.

How can merchants prevent employees from violating PCI Compliance guidelines?

  • Follow the money. Identify all personnel involved in the sales, billing and collections process. Interview staff starting with salesmen and through to how payment data is collected, invoicing, payment processing, and collections for delinquent accounts. Always ask questions about processes that you know are not allowed or that need to be fixed.
  • Implement appropriate agnostic cloud payment technology for all facets of billing and collections.

How long do you think it will take for an outsider like me to prove your business is NOT PCI compliant?

  • 5 minutes
  • 4 hours
  • 1 week

Take the FREE test and call 954-942-0483.