Posts Tagged ‘PCI compliance’

Will my store be shut down if there is a data breach?

Tuesday, November 24th, 2009

Ecommerce stores may be forced to shut down if there is a data breach related to credit card processing, but it all depends on the circumstances. Why did the data breach occur? Where did the breach occur? What steps have been taken to prevent a recurrence? Did the company meet PCI Security Compliance standards at the time of the breach? Who do you think will force you to shut down your site?

If your company was in PCI compliance, and preventative measures have been taken, it’s doubtful you’d be forced to shut your site down. You’d be protected by Safe Harbor from financial liability.

Who can force you to shut down your site? The card associations or your payment processor are the most likely. The site itself doesn’t need to be closed, but you may not be able to accept credit cards online. You may still be able to accept PayPal, Google, or other payment types, again depending on the nature of the breach, because PayPal and similar services take the transaction off your site and handle the payment on their own secure pages.

Can you store track data and be PCI Compliant?

Monday, November 2nd, 2009

Does PCI Compliance allow you to save the track data until you process the card? For example, if someone gives you a card to process at the beginning of next month, can the track data be stored until then? JL

The answer is yes, but with limitations.

Track data is the information encoded in Track 1 and Track 2 within the magnetic stripe, or chip, on the back of a credit card, which is read by an electronic reader within the terminal or point-of-sale (POS) system. Track data contains information about the card and the cardholder.

What track data can be collected? When a credit or debit card is swiped, the track data may include the customer name, credit card number, expiration date, CVV number, and, for a debit card, information used as part of PIN encryption/decryption.

What track data can be stored? Merchants may securely store ONLY the customer’s name, credit card number, and expiration date to PCI Data Security standards if desired.

How and where will you store the track data? This is the crux of PCI Data Security and should be your most important consideration. Do you use POS software? Do you know if it is PCI Compliant? Some are, some are not. Even some very big software companies are not, but are ‘working on it’.

A technology solution that I sell (I work directly for the company) is CenPOS. The data is encrypted, stored off site, meets all current data security standards, and the solution is fully PCI Compliant.

Article on prohibited Cardholder Data Storage from Visa.

Storing CVV codes so you can rebill

Friday, August 21st, 2009

Merchants who persist in storing credit card data, including CVV codes, do not meet PCI Compliance standards. It is never OK to store the CVV code. One of the most common reasons merchants do it is corporate accounts: the merchant has the customer sign a document saying it is OK to charge their card on an ongoing basis for services rendered or hard goods delivered, and the form contains an area for the customer to enter their card information, including the CVV code.

The merchant can avoid storing the CVV code simply by not having a space for it on the form. When the first transaction is processed, call the customer for the CVV code; if you write it down, securely shred it once the transaction is complete. The purpose of the code is to protect against fraud by validating the card. Once you’ve run AVS and CVV checks for a card-not-present transaction, there is no reason to store the CVV again. You already know the customer!

If you file other card data, it should be in a locked cabinet with restricted access. A better alternative might be a secure host based processing solution that offers recurring billing. The host stores encrypted data off site, and never the CVV.
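The two posts above draw the same line: a merchant may keep the cardholder name, card number and expiration date (encrypted), and must never keep the CVV, the PIN material or the rest of the track. The Python below is an added illustration, not code from the blog or from CenPOS: it parses ISO/IEC 7813 Track 1 / Track 2 strings into every field the terminal needs for the authorization, then applies a whitelist at the storage boundary so that only name, PAN and expiry can be written, and flags fields such as a CVV2 box on an order form that must not be persisted at all. The sample track strings and the order-form record are constructed with the 4111111111111111 test PAN; the regexes, the `NOT_STORABLE` list and the `StorableCard` type are this example's own.

```python
"""Keep only what PCI lets a merchant keep: cardholder name, PAN and expiry.

Everything else read from the stripe (service code, discretionary data carrying
CVV1/PVV) or typed on an order form (CVV2) is used for the authorization and then
dropped at the storage boundary. Track layouts follow ISO/IEC 7813.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
_TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
_TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Fields the post says may be retained (encrypted, if at all) ...
STORABLE = frozenset({"name", "pan", "exp"})
# ... and field names that must never reach storage: sensitive authentication
# data (full track, CVV/CVC values, PIN material) plus the rest of the stripe.
NOT_STORABLE = frozenset({"cvv", "cvv1", "cvv2", "cvc2", "cid", "pin", "pin_block",
                          "track1", "track2", "svc", "disc"})


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so a mis-swipe is rejected before anything is kept."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most that may appear on receipts and logs."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track: str) -> dict:
    """Split a Track 1 or Track 2 string into all of its fields (for authorization only)."""
    m = _TRACK1.match(track) or _TRACK2.match(track)
    if not m:
        raise ValueError("not a recognisable Track 1 or Track 2 string")
    fields = m.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields


@dataclass(frozen=True)
class StorableCard:
    """The only fields allowed into (encrypted) storage; repr never leaks the PAN."""
    pan: str = field(repr=False)
    exp: str                      # YYMM
    name: Optional[str] = None    # Track 2 has no name field

    @property
    def masked(self) -> str:
        return mask_pan(self.pan)

    def as_record(self) -> dict:
        """What may go to the database: nothing but the whitelisted fields."""
        rec = {"pan": self.pan, "exp": self.exp}
        if self.name is not None:
            rec["name"] = self.name
        return rec


def prohibited_fields(record: dict) -> set:
    """Field names in a record that must never be filed, e.g. a CVV2 box on an order form."""
    return {k for k in record if k.lower() in NOT_STORABLE}


def to_storable(record: dict) -> StorableCard:
    """Whitelist filter applied after authorization has used the full record."""
    return StorableCard(pan=record["pan"], exp=record["exp"], name=record.get("name"))


if __name__ == "__main__":
    # Constructed sample data (test PAN), not real card data.
    swipe = parse_track("%B4111111111111111^DOE/JOHN^25121011000000000000?")
    print("authorize with:", sorted(swipe))                   # all fields
    print("store only:", to_storable(swipe).as_record().keys())
    order_form = {"name": "ACME CORP", "pan": "4111111111111111", "exp": "2512", "cvv2": "123"}
    print("must not be filed:", prohibited_fields(order_form))  # {'cvv2'}
```

The point of `repr=False` on the PAN and of `as_record()` is that the full card number never reaches a log line or a database column by accident; `prohibited_fields()` is the check to run on any form or import before it is filed, which is the code equivalent of leaving the CVV box off the paper form.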

Links for PCI Data Security Standards.

Links to blog articles about PCI Compliance for credit card processing – hit the ‘older articles’ button at the bottom of page for more articles.

What Small Merchants Know (and Don’t Know) About PCI Compliance webinar

Thursday, August 13th, 2009

According to a survey of small merchants by ControlScan, the National Retail Federation and the PCI Knowledge Base, most small merchants are aware of Payment Card Industry Data Security Standards (PCI DSS), but they feel frustrated and bewildered with the complex requirements.

A key implication of the survey: acquirers, ISOs and other providers serving the industry need to demonstrate leadership and guide merchants along the path to compliance. In fact, the survey indicates that small merchants look first to these organizations for leadership and guidance in this area.

Study findings to be covered in this Webinar include:
Awareness, understanding and acceptance of PCI DSS by small merchants.
Their perception of the risks associated with data breaches.
How well they think they are doing in achieving compliance with the standard.
What they are spending on PCI compliance.
What ISOs and acquirers can do to further compliance among Level 4 merchants.

Title: What Small Merchants Know (and Don’t Know) About PCI Compliance

Date: Wednesday, August 26, 2009

Time: 1:00 PM – 2:00 PM EDT

System Requirements
PC-based attendees
Required: Windows® 2000, XP Home, XP Pro, 2003 Server, Vista

Macintosh-based attendees
Required: Mac OS X 10.4 (Tiger) or newer

Space is limited.
Reserve your Webinar Seat Now at:
What Small Merchants Know (and Don’t Know) About PCI Compliance webinar REGISTRATION

https://www2.gotomeeting.com/register/564913571

Which Verifone PIN entry devices are PCI compliant?

Wednesday, July 15th, 2009

There are various levels of PCI Compliance that merchants should be aware of when purchasing new Verifone PIN pads or checking the status of older ones. PIN entry devices are also known as PIN pads, and are used for PIN debit transactions. We get a lot of calls asking to board products that a merchant already owns. That’s OK as long as the device meets current guidelines. The chart below is a helpful guide to products that meet current and future requirements.

PIN ENTRY DEVICES        VFI 1000SE   VFI Omni 7000   VFI SC5000   VFI EverestPlus 3DES   Hypercom P1300   Hypercom S9
SECURITY COMPLIANCE / ENCRYPTION
DES Encryption           X            X               X            X                      X                X
Triple DES Encryption    X            X               X            X                      X                X
PCI PED Compliant        X (the chart marks only one of the six devices)

If your unit is not one of these devices, please visit the manufacturer web site to see if there are newer models. If you have an older model not listed here, you’ll need to replace it by July 1, 2010.

Many PIN pads cost $75 to $100 new. They must be encrypted and matched for compatibility with whatever your main unit is. For security reasons, there are very few locations in the country with the rights to encrypt. These encryption centers do not deal directly with merchants, but through resellers.

What are Visa’s requirements for implementing Triple DES?
PIN Entry Device TDES Capability Requirements:
• Effective 01 January 2003, all newly deployed ATMs (including replacement devices) must support TDES.
• Effective 01 January 2004, all newly deployed POS PIN acceptance devices (including replacement devices) must support TDES.
• Effective 1 July 2010, cardholder PINs must be TDES encrypted from all points of transaction to the issuer. However, each Visa Region’s TDES dates supersede the global TDES date whenever the Visa Region’s date precedes the global date.
Note: “Must support” means the device has all the necessary hardware and software required for TDES installed and only requires the loading of a TDES key.

Top 5 merchant violations contributing to data compromise

Wednesday, July 8th, 2009

Visa’s Top Five Data Security Vulnerabilities Identified for Merchants (click for PDF download). Why are there so many data breaches? To promote compliance with the Cardholder Information Security Program (CISP) and the Payment Card Industry Data Security Standard (PCI DSS), Visa has identified the top five vulnerabilities detected in compromises. It’s a great quick list for checking your own compliance.

What is a tier 4 merchant?

Monday, June 8th, 2009

How do I determine my merchant tier? What is my merchant level? Can I get lower rates with a different merchant level? What are Level 4 PCI Compliance requirements? Merchants are rightfully confused about their merchant level, especially small businesses, because many times I have heard a smaller company say: “We renegotiated our rate. Our processor told us our volume has grown so they moved us up to the next level.”

I’ve never actually encountered a company that met the criteria for ‘lower rates’ based on qualifying for a new level. See the threshold level chart. This is where the confusion starts.

(Chart: Visa interchange threshold levels)

As you can see, only the largest companies qualify for special lower interchange rates and it is based on VOLUME meeting a specific threshold level. What happens is the salesperson makes up a story to retain the account, or the merchant processor has their own internal criteria that they use to ‘qualify’ a merchant for different rate levels they use. These are not directly tied to interchange, but rather directly tied to the merchant processor profits.

What most merchants need to be concerned about is what level they are required to meet for PCI Compliance because most of them will never qualify for lower interchange tiers. PCI Compliance transaction volumes do not correlate to Visa interchange threshold levels.

Level / Tier, Merchant Criteria, and Validation Requirements

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
  • Annual Report on Compliance by a Qualified Security Assessor (QSA)
  • Quarterly network scan by an Approved Scan Vendor (ASV)
  • Attestation of Compliance Form
Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer
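Because the chart mixes two different counts (all-channel volume for Levels 1 and 2, e-commerce volume for Level 3), the confusing case is a merchant whose e-commerce count alone would make it Level 3 while its total volume already puts it at Level 2. The Python below is an added illustration, not Visa's or the blog's own tooling: it encodes the chart's thresholds and returns the level plus the validation items listed for it. Two details are assumptions rather than statements from the chart: that a count sitting exactly on a boundary (1 million or 20,000) goes to the higher level, and that the all-channel criteria are evaluated before the e-commerce criterion.

```python
"""Classify a merchant into its Visa PCI DSS level and list what it must validate.

Thresholds come from the chart above. Boundary handling (exactly 1 million or
exactly 20,000 transactions counting toward the higher level) and the precedence
of the all-channel criteria over the e-commerce criterion are assumptions.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class VisaVolume:
    all_channels: int            # Visa transactions per year, every channel combined
    ecommerce: int               # the e-commerce subset of all_channels
    global_level1: bool = False  # identified as Level 1 by any Visa region


# Validation items per level, as listed in the chart.
VALIDATION = {
    1: ("Annual Report on Compliance by a QSA",
        "Quarterly network scan by an ASV",
        "Attestation of Compliance Form"),
    2: ("Annual Self-Assessment Questionnaire",
        "Quarterly network scan by an ASV",
        "Attestation of Compliance Form"),
    3: ("Annual SAQ",
        "Quarterly network scan by an ASV",
        "Attestation of Compliance Form"),
    4: ("Annual SAQ recommended",
        "Quarterly network scan by an ASV if applicable",
        "Compliance validation requirements set by acquirer"),
}


def merchant_level(v: VisaVolume) -> int:
    """Return 1..4; all-channel volume is checked before e-commerce volume."""
    if v.ecommerce < 0 or v.all_channels < v.ecommerce:
        raise ValueError("e-commerce count must be a non-negative subset of the all-channel count")
    if v.global_level1 or v.all_channels > 6_000_000:
        return 1
    if v.all_channels >= 1_000_000:          # 1 million to 6 million, any channel
        return 2
    if v.ecommerce >= 20_000:                # 20,000 to 1 million e-commerce
        return 3
    return 4                                 # everyone else up to 1 million


def validation_requirements(v: VisaVolume) -> Tuple[int, tuple]:
    """Level plus the validation items a merchant of that level is expected to produce."""
    level = merchant_level(v)
    return level, VALIDATION[level]


if __name__ == "__main__":
    # Constructed volumes: the second one is the case merchants get wrong.
    for vol in (VisaVolume(500_000, 25_000),
                VisaVolume(2_000_000, 30_000),
                VisaVolume(900_000, 5_000)):
        lvl, items = validation_requirements(vol)
        print(f"{vol} -> Level {lvl}: {'; '.join(items)}")
```

Note that none of this has anything to do with interchange pricing: the function answers only which validation work the merchant owes, which is the question the post says most merchants actually need to settle.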

First Data PCI Compliance fee

Saturday, June 6th, 2009

First Data announced a new PCI Compliance fee for all Tier 4 merchants. This bulletin has been or will be placed on merchant statements. Basically, they require all merchants to complete a self-assessment survey, and all merchants will be subject to a $79 annual compliance fee; non-compliance, including failing to respond, results in additional fees of $19.95 per month.

If you have not already completed one, please go to the PCI Security Standards Council, download the appropriate PCI SSC Self-Assessment Questionnaire, and complete it immediately. All Level 4 merchants should be in full compliance per the terms of accepting Visa, MasterCard, etc. The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

This fee will affect over 100,000 merchants because First Data is a huge partner with Independent Service Organizations (ISOs). Even though you may have a merchant agreement with an ISO, such as First Payment Systems, the agreement will clearly state that it is underwritten by First Data or another entity.

First Data Selects SecurityMetrics for PCI Initiative (download press release PDF)

Related Article Non-receipt of PCI Validation fee