PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support their PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering e-commerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations, and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities belong to the merchant and which belong to the e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for each compliance item and to specify the details of the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering the use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants, can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064 USA • 954-942-0483

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Highlights from the Global Payments quarterly report (PDF), released January 8, 2013, reveal that costs related to the 2012 data breach have reached $93.9 million and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. It has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain information that is highly valuable to identity thieves, including business owners’ social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has characterized the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

iPad mobile payments: important security notice

With a proliferation of newcomers to the market, merchants need to be aware of potential mobile payment security problems. The PCI Security Standards Council recently released new standards for developers as well as guidelines for merchants. One important aspect to ask questions about is ‘store and forward’.

If the mobile application enables you to accept credit cards when you cannot connect to the Internet, the card data clearly resides on the device, which creates a potential security risk. This issue is addressed in a new Best Practice for Mobile Payments Developers released by the PCI Security Standards Council. Who can access the card information while it is pending presentment to your processor for authorization? In what format does that data reside on the device? If the user cannot access it, could malware on the device access the data?

Editor’s note: Our CenPOS iPad mobile app does not support storing card data on the device for later presentment (store and forward). Merchants must have access to an Internet connection. With that live connection, there are multiple options should you need to store payment data:

  1. Zero dollar auth: validate the card only, and store data for later billing.
  2. Auth: get an authorization for a specific sale, but don’t charge yet; store data for later billing.
  3. Repeat sale: process the transaction now, and store payment information for future billing.

In each case above, the credit card information is encrypted and replaced by a random alphanumeric string, or ‘token’. The encrypted payment information can never be seen again by the merchant.
Accepting Mobile Payments with a Smartphone or Tablet (PDF download from the PCI Security Standards Council)
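As an added illustration (not CenPOS code or the Council’s), the Python below shows the property the editor’s note above and the fax-form section rely on: the merchant’s stored-card record keeps only a random alphanumeric token plus display data, and the token is meaningless outside the vault that issued it. The vault class, the Luhn check used as the validation step of a zero-dollar auth, and the test card number are assumptions constructed for the demo.

```python
# Added example, not CenPOS or PCI SSC code. The vault stands in for the
# processor side the merchant never holds; a real vault encrypts the PAN at rest.
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: the card-validation step a zero-dollar auth begins with."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def new_token() -> str:
    """Random alphanumeric token with no mathematical link to the card number."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))


class TokenVault:
    """Resolves tokens to card data; outside this vault a token is meaningless."""

    def __init__(self) -> None:
        self._cards = {}  # token -> (pan, expiry)

    def tokenize(self, pan: str, expiry: str) -> dict:
        """Validate and store the card; return only what the merchant may keep."""
        if not luhn_valid(pan):
            raise ValueError("card number failed validation")
        token = new_token()
        while token in self._cards:  # keep tokens unique (collisions are rare)
            token = new_token()
        self._cards[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}  # no PAN

    def charge(self, token: str, amount_cents: int) -> dict:
        """Repeat sale: the merchant submits the token, never the card number."""
        if token not in self._cards:
            raise KeyError("token not issued by this vault")
        pan, _expiry = self._cards[token]
        # A real vault would forward the PAN to the network here; we just approve.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}
```

A stolen merchant record therefore yields a token and last four digits, and a second vault (or the thief) cannot resolve the token to a card number.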

For additional information about mobile payments solutions, please contact Christine.

What is a Visa compliant credit card authorization form?

Do you accept fax order forms from your customers? Are you a business-to-business company that needs to store credit card data on file for recurring billing of variable amounts? The typical fax authorization form does not meet Visa requirements.

Card Acceptance Guidelines for Visa Merchants (2012) (PDF download from Visa.com)

You won’t find a “fax authorization form” in the guidelines; however, there is much information about receipt requirements.

Transaction Receipt Requirements are covered starting on page 495 and Recurring Transactions starting on page 585. The guidelines vary depending on whether your recurring billing order originates from e-commerce or another channel.

Sample of a receipt for a sale from a stored card transaction:

[Image: compliant receipt for a recurring sale]

A fax order form for a one-time purchase should comply with the standard receipt requirements. For B2B, the invoice detail is generally accepted on a separate page; the invoice number should be on the receipt.

A recurring billing order form should comply with the recurring rules and standard receipt requirements.

Chargeback prevention tips for business-to-business, card-not-present transactions:

  • Deliver a receipt via email to the cardholder immediately upon charging the card. If there is going to be a dispute, resolve the issue quickly.
  • Send the invoice detail.
  • Use EBPP (electronic bill presentment and payment). If you send an electronic invoice to the cardholder and they click and pay, it’s hard for them to dispute that someone else ordered the items.
  • Bill-to and ship-to addresses should match unless you have something in writing from the cardholder authorizing shipment to another address.
  • Get a signed recurring billing authorization form if you’re storing card data.
  • Make sure your receipts are marked ‘recurring’ or ‘repeat sale’ for recurring billing.
Sample of a stored card data authorization-to-pay form, replacing a fax form:

[Image: compliant authorization form replacing a fax authorization form]

There are too many variables to address all the options for a compliant fax authorization form in this article. For PCI DSS compliance, we recommend you replace all traditional forms that expose credit card or check data with forms that reference tokens: an alphanumeric string that replaces the card data and is useless outside your payment processing system, even if stolen.

CenPOS is a universal payment processing platform that provides efficiencies for merchants and their customers, reduces the PCI DSS compliance burden, and offers many other benefits.

WHERE TO BUY

CenPOS is sold through direct agents and resellers. There is also a referral program. Contact us to become a CenPOS agent, reseller, or referral partner, or to become a customer, or call the hotline at the top of this web page.


Legal billing and payment technology increases cash flow

Here’s a sneak preview of two innovations that will improve your EBITDA in 2012 with very little effort by your legal staff. The first improves billable time data capture, and the second enhances payment acceptance with a flexible PCI compliant solution while mitigating risk.

Capture more billable time with an innovative new mobile time tracker that enables you to capture and assign billable time by matter code and client. A key feature is the pop-up on incoming calls: when you hang up, you can immediately assign the call to a client for billing and even enter notes. The length of the call is prefilled for you. All of this data is accessible back in the office via a web-based dashboard.

[Image: legal expense record on a mobile device. Assign and submit billable/reimbursable expenses on the go.]

Our innovative payment gateway works with your existing payment processors, creating numerous efficiencies, increasing cash flow, and reducing the cost of payment acceptance. Partners will have unprecedented access to client billing and payment data based on the permissions granted. Clients will have new ways to receive invoices and make payments. Finance staff will have tools to automate processes and control payment processing costs. You’re in control of the most flexible, scalable payment solution available today.

[Image: virtual terminal and web payment page for a law firm. Example of a custom secure payment page on a law firm web site. When clients select a location, the system automatically routes the transaction to the correct merchant account and related bank account for deposit. Fully configurable for your specific needs; clients can store multiple payment methods and save time on future payments. Future proof and PCI compliant.]

We’ve been too busy bringing clients on board to create comprehensive marketing materials, but the technology is ready for immediate implementation. Payment modules include: virtual terminal, batch upload, Electronic Bill Presentment & Payment (EBPP), dashboard reporting, report writer, shopping cart and pay page.

Legal Payment Brochure (PDF download). This one-page document will be updated in the future.

Join clients listed in the 2011 U.S. News – Best Lawyers ‘Best Law Firm’ Rankings. Contact us now to find out why they chose our technology.