Posts Tagged ‘PCI compliance’

List of approved pin entry devices ie pinpad terminals

Friday, May 29th, 2009

Is my pinpad PCI compliant? A complete list of approved PIN entry devices is maintained at the PCI Security Standards Council web site. Be sure to read the legal conditions and restrictions regarding PCI PED approval as well.

Effective 1 July 2010, all attended POS PIN acceptance device models must have passed testing by a PCI-recognized laboratory and have been approved by Visa.
Effective 1 July 2010, Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region’s TDES dates will supersede the global TDES date whenever the Visa Region’s date precedes the global date.

Many PED units on the market today, including almost anything over two years old, do not meet this requirement and will have to be replaced.

Those with older pinpad devices that don’t meet the 2010 standard will have to replace them. Merchant services providers are sending out messages now so that merchants will have adequate time to review the equipment changes they need to make.

PCI PED approved pinpad equipment list

Do not assume that if you bought your pin entry device in the last year that it is compliant. It could have been an older model. Another way to check if yours meets the new compliance standard is to go to the manufacturer web site.

PCI Compliance education offered by MasterCard

Saturday, May 23rd, 2009

MasterCard launched a web site with free webinars on PCI Compliance education. The PCI 360 Education Program is a complimentary initiative offered by MasterCard to raise awareness and promote the adoption of PCI. Participants can increase their understanding of PCI DSS through a variety of recorded webinar sessions led by payment industry and data security experts.

PCI Compliance – PCI 360 education home page.

First Data Merchants Attain Record PCI Compliance

Sunday, April 12th, 2009

First Data Merchants Attain Record PCI Compliance in Just Six Months. Over 100,000 Businesses Secured with SecurityMetrics PCI DSS Compliance Service.

HAGERSTOWN, MD & SALT LAKE CITY — (APRIL 2, 2009) SecurityMetrics, the world leader in PCI security, today announced that over 100,000 US merchants in First Data’s Merchant Services portfolio enrolled to achieve compliance in SecurityMetrics Payment Card Industry (PCI) Data Security Standard (DSS) Site Certification services.

“SecurityMetrics provides our Level 4 merchants with a simple way to secure credit card payment data, and ultimately, help them better serve their customers’ payment needs and enhance data privacy,” said Carl Mazzola, senior vice president, First Data.

First Data selected SecurityMetrics to facilitate customer compliance with PCI DSS in September 2008. Through the relationship, SecurityMetrics provides First Data’s small to mid-sized merchants with access to the most advanced security tools and PCI expertise available.

“As a leading merchant electronic payment services provider, First Data is helping the credit card industry by providing an inexpensive means for First Data merchants to protect their credit card data. This helps to create consumer confidence at a time when large credit card breaches are happening with more frequency. Other processors and banks need to help their merchants protect their data so our credit card transaction information will remain safe,” said Brad Caldwell, SecurityMetrics CEO.

Under the program, SecurityMetrics provides First Data merchants with access to a comprehensive PCI compliance program that includes unlimited live technical support 24 x 7, unlimited manual scanning, weekly reminders and consulting services.

To learn more about how to enroll in SecurityMetrics PCI Compliance Solutions through First Data, contact a representative at 801.705.5665 in North America or 0207.993.8030 in Europe.

About SecurityMetrics

SecurityMetrics, Inc. is a leading provider of Payment Card Industry (PCI) Data Security Standard (DSS) security solutions. SecurityMetrics is certified to perform PCI Scans (ASV), PCI audits (QSA), Payment Application Best Practices audits (QPASP), MasterCard Point of Sale Terminal Security Program audits, penetration tests and forensic analysis. SecurityMetrics also offers a security appliance that includes vulnerability assessment, intrusion detection and intrusion prevention capabilities. SecurityMetrics is a privately held corporation headquartered in Orem, Utah. For more information contact SecurityMetrics at (801) 724-9600 or visit www.securitymetrics.com.

About First Data

First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 37 countries. For more information, visit www.firstdata.com.

related article: First Data PCI DSS Compliance Fee for Tier 4 merchants

CenPOS universal processing platform

Thursday, March 19th, 2009

CenPOS is a technology solution with an intelligent switch that makes your credit cards, checks, loyalty program and alternative payments work better. It is NOT credit card processing. Ideal for mid and large size businesses with a large volume of payment transactions, including check and credit card.

Built by First Payment Systems to help companies get more value out of their payment systems and combat the rising cost of electronic payments, CenPOS only costs a small fraction of the savings and value that is instantly created. If you have the business volume, you will realize SIGNIFICANT HARD DOLLAR SAVINGS.

What is CenPOS? Although there are many features and benefits, at the heart of the technology is the intelligent switch. It routes payment processing via the least cost method by identifying what it is and knowing the least cost way to process it. This all happens faster than a traditional desktop credit card terminal.

How does CenPOS work? For the retail merchant, a signature capture terminal with USB plug, hooked up to any computer with an internet connection, is needed. Additional information is available by scheduling a demo.

What else does CenPOS do? Please call for more information. The solution offers amazing benefits, including meeting future 2010 PCI Compliance requirements.

How much does CenPOS cost? A small fraction of your transaction costs. If you have the business volume, you will realize SIGNIFICANT HARD DOLLAR SAVINGS, even after factoring in the cost of any equipment you may need and CenPOS fees. Typical savings are realized within the FIRST MONTH. You do not need to buy terminals from us. You can buy them anywhere or we can obtain them at wholesale cost for you.

Who is CenPOS for? Without revealing confidential information, CenPOS is ideal for brick and mortar retail environments. Installation is typically less than 5 minutes at each location.

How can I find out more about CenPOS? Call Christine at 954-942-0483. I work directly under the company President at First Payment Systems.

ABOUT FIRST PAYMENT SYSTEMS (FPS):
www.firstpaymentsystems.com 305-260-4442.
FPS is dedicated to enabling merchants around the world to accept, process, and reconcile electronic payments, including credit and debit card processing, check authorization as well as solutions for ecommerce, dynamic currency conversion, and multi-currency pricing. FPS offers leading edge solutions from internationally recognized processors and also integrates its own proprietary platforms with top acquirers. While most banks and ISO’s take a generalist approach, accepting every merchant and offering cookie cutter solutions, FPS understands that each market is different and offers distinct solutions for each customer.

ABOUT CenPOS: CenPOS is a processing platform developed by FPS. www.cenpos.com

ABOUT 3D Merchant Services:
www.3dmerchant.com
3D merchant blog
954-942-0483.
3D Merchant Services is the online brand created by FPS independent agent and VP Marketing Christine Speedy to communicate a wide array of payment processing information to merchants and to develop business leads for FPS and CenPOS services. 3D Merchant itself does not offer any direct services to merchants.
TO ORDER CENPOS, CREDIT CARD PROCESSING, CHECK PROCESSING OR OTHER PAYMENT PROCESSING SERVICES, PLEASE CALL Christine AT 954-942-0483. Christine offers CenPOS, and other payment processing services, as an agent of First Payment Systems.

Heartland Data Security Breach- what they didn’t say

Thursday, January 22nd, 2009

When you read their press release, there is barely a hint that any harm occurred. What the press release doesn’t spell out is which data was compromised and how it was compromised.

Visa and MasterCard received reports of fraudulent card use by their issuing banks last November and subsequently notified Heartland, according to a Washington Post report. Heartland didn’t even realize they had a problem.

The problem was internal. It was not an external attack but the result of spyware placed within their own internal systems. Heartland’s CEO says a piece of spyware stole payment card data as it passed through the company network. Everyone passes encrypted data to their processor, but what happened to the data once it reached Heartland? Why is this an important difference? We like to think our databases are secure from outside hacker attacks when a company has installed specific systems and software solutions for protection. If an outsider can hack into a secure system that has done everything correctly, then the world of data security is lost.

You really have to read between the lines to figure out what was compromised. Their press release is all about what wasn’t lost. Those behind the breach intercepted and stole the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that’s needed to create counterfeit cards.
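The Track 2 layout mentioned above is fixed by ISO/IEC 7813, so a defender can search logs, crash dumps and databases for it and confirm whether full track data is being captured or stored in the clear, which PCI DSS does not permit after authorization. The detector below is an added example written for this page, not code from Heartland or from the original post; the log lines are constructed, the PAN 4111111111111111 is a widely used test number, and the function names are my own.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, 13-19 digit PAN, '=' field
# separator, YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets a display show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return one record per Luhn-valid Track 2 string found in text, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue            # digit noise that merely looks like a track
        hits.append({
            "pan": mask_pan(pan),
            "expiry": expiry,
            "service_code": service_code,
            "offset": m.start(),
        })
    return hits


def redact_track2(text: str) -> str:
    """Rewrite text so any Track 2 string keeps only what a report may show."""
    def _sub(m):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):
            return m.group(0)
        return f";{mask_pan(pan)}={expiry}{service_code}[REDACTED]?"
    return TRACK2_RE.sub(_sub, text)


# Constructed sample log lines; 4111111111111111 is a well-known test PAN.
SAMPLE_LOG = [
    "2009-01-15 02:13:44 pos01 auth req buf=;4111111111111111=25121011234567890? amt=42.17",
    "2009-01-15 02:13:45 pos01 settlement batch 4111222233334444 ok",
    "2009-01-15 02:13:46 pos02 dbg frame=;1234567890123456=2512101? crc=ff",
]


def scan_log(lines):
    """Map line number -> findings for every line that carries track data."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := find_track2(line))}


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
    print(redact_track2(SAMPLE_LOG[0]))
```

Only the first constructed line is reported: the second carries a bare number with no sentinels, and the third has the sentinels but a PAN that fails the Luhn check, which keeps random digit runs out of the findings. The redaction keeps expiry and service code so an incident report can still say which card population was exposed without reproducing the stolen data.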

IMPLICATIONS FOR CONSUMERS:

If you visited a merchant who uses  Heartland for payment processing, and you have no way of knowing this, your card data may have been compromised. Your card could be cloned and presented for payment to other merchants. Identity theft is not expected to be an issue. Watch your statements for improper activity or replace your card. Heartland has over 250,000 merchants, many of whom are restaurants and hotels. Consumers have no financial liability.

IMPLICATIONS FOR MERCHANTS:

Merchants have no financial liability. Merchants may have to download a software update, though there has been no release of any information related to this from Heartland yet. It’s possible there may be none. If a download is needed, this could be a nightmare with so many merchants needing to update simultaneously. Since many in the restaurant industry use third party solutions, the burden shifts to those third party suppliers in some cases.

Do merchants have an obligation to notify customers? No, the data breach is not theirs and they would have no way of knowing personal information about their shoppers.

Should merchants change processors? That’s a personal decision. Read the next section.

IMPLICATIONS FOR HEARTLAND:

What will it cost? If a merchant is non-compliant at the time of a breach, merchants can be fined up to $500,000 per incident and face remediation costs between $90 and $302 per card. With over 100,000,000 transactions monthly, there are probably at least that many cards exposed. Do the math. The cost could be astronomical unless they are protected by safe harbor.

Safe Harbor

Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.

2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.”

If they are protected by Safe Harbor, they still must pay to replace all cards.

If they are not protected by Safe Harbor, can they afford the fines and costs? If not, what will happen to the merchants processing with them?

Heartland Payment Systems Uncovers Malicious Software In Its Processing System

Wednesday, January 21st, 2009

Company Release – 01/20/2009 09:00

No merchant information or cardholder Social Security numbers compromised.

PRINCETON, N.J., Jan. 20 /PRNewswire-FirstCall/ — Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa(R) and MasterCard(R) of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website – www.2008breach.com – to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit www.heartlandpaymentsystems.com and www.MerchantBillOfRights.com.

Forward Looking Statements

This press release may contain statements of a forward-looking nature which represent our management’s beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors. Information concerning these factors is contained in the Company’s Securities and Exchange Commission filings, including but not limited to, the Company’s annual report on Form 10- K, or Form 10-Q as applicable. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.

For More Information:
Nancy Gross
Phone: 215.519.7367
Email: Nancy.Gross@e-hps.com
SOURCE Heartland Payment Systems, Inc.

Shift4 Releases Payment Data Security Strategy Podcast to Simplify PCI

Tuesday, December 23rd, 2008

Las Vegas, Nevada (December 17, 2008) – Shift4 Corporation, a supplier of secure payment processing services, today announced the availability of a podcast titled, “Trying to Protect Payment Data When You Can’t Even Find It All.”

The objective of the podcast was to generate a meaningful conversation between two leading payment card authorities, David Taylor, founder of the PCI Knowledge Base and former security analyst with Gartner, and J.D. Oder, Founder and Chief Technology Officer, Shift4 Corporation.

The podcast discusses Card Information Replacement Technologies℠ (CIRT) and how retailers can effectively evaluate alternative payment security solutions. “The goal is that if they don’t have it (payment data) then it can’t be stolen. I think the key here is to look at this as a very, very corporate-wide systemic approach and look at all of the data that you’re storing including payment data,” J.D. Oder, CTO, Shift4, stated in the podcast.

The podcast also discusses how an Information Technology department can regain control of their most sensitive data. As David Taylor stated, “The less storage you put in the hands of individual employees, the less likely they are to be able to put data in a whole bunch of places, whether that’s USB sticks or on their PCs or in their email messages that are sitting on their servers. What we really need to do is look at how we reduce the volume of data that is all over the place. Finding and purging it is a necessary thing.”

“Shift4’s podcast, produced in partnership with StorefrontBacktalk, reflects our commitment to helping merchants learn how they can simplify PCI and achieve Real Security for their payment systems. CIRT, such as Tokenization and Shift4’s PABP compliant 4Go SafeSwipe™, are complementary to the objectives of the PCI DSS. If implemented properly, these solutions relieve merchants from the burden of storing, processing and transmitting cardholder data. In most cases it is not necessary for merchants to replace their legacy systems in order to utilize Shift4’s Technologies. In this economic climate, Real Security and direct cost savings are equally important to our customers,” said Randy Carr, Vice President of Marketing, Shift4 Corporation.

About Shift4 Corporation

Shift4, a leading developer of secure financial transaction processing software and services, provides web-based, real-time enterprise payment solutions for leaders in the hospitality, retail, foodservices, auto rental and e-commerce markets. Through connectivity to most major processors, DOLLARS ON THE NET provides both high speed and low cost authorizations and settlements for credit, debit, check, private label and gift card transactions. DOLLARS ON THE NET also includes the ability to access, review and edit transactions prior to settlement, as well as a searchable, 24-month archive of transactions for reporting and charge back defense. For more information, contact John Mann, Vice President of Sales, (702) 597-2480 ext. 43200 or jmann@shift4.com, or visit www.shift4.com.

Media Contacts

Randy Carr
Vice President of Marketing
Shift4 Corporation
702-597-2480 ext. 43300
randy@shift4.com

VoIP for credit card processing voids PCI Compliance

Sunday, December 21st, 2008

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. A traditional phone line is analog: it uses physical hardware, i.e. the copper line, to carry the data. When using a 2008-compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back as analog signals over that line.

VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone who has access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant setup is no longer PCI compliant. Even though optional packages can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card swipe to your computer, the transaction is processed using SSL security. It is not the same as VoIP. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.
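To make the two-key idea from the paragraph above concrete, here is a textbook RSA round trip in which anyone holding the public key can encrypt, and only the holder of the private key can decrypt. This is an added example written for this page, not code from the original post or from any payment product; the primes, the sample text and the function names are constructed for illustration.

```python
# Textbook RSA with tiny primes to show the two-key idea: the public key (e, n)
# may be known to everyone, the private key (d, n) only to the recipient.
# Added example, constructed for this page.


def make_keypair(p: int, q: int, e: int = 17):
    """Derive (public, private) keys from two primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt_int(public_key, m: int) -> int:
    """Encrypt one integer message block with the public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(private_key, c: int) -> int:
    """Recover the message block; only the private exponent d does this."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(public_key, text: str) -> list:
    """Encrypt byte by byte; each byte (< 256) fits under the modulus used below."""
    return [encrypt_int(public_key, b) for b in text.encode("ascii")]


def decrypt_text(private_key, blocks: list) -> str:
    """Decrypt the block list produced by encrypt_text back to the text."""
    return bytes(decrypt_int(private_key, c) for c in blocks).decode("ascii")


# Constructed keys: p=61, q=53 gives n=3233, the classic worked-example size.
PUBLIC_KEY, PRIVATE_KEY = make_keypair(61, 53)

if __name__ == "__main__":
    blocks = encrypt_text(PUBLIC_KEY, "4111 exp 2512")   # constructed sample data
    print("ciphertext blocks:", blocks)
    print("recovered:", decrypt_text(PRIVATE_KEY, blocks))
```

The point of the example is the asymmetry: the public exponent 17 and modulus 3233 can be published, and an observer who sees both plus the ciphertext still needs the private exponent 2753 to reverse the operation. Real SSL/TLS uses keys thousands of bits long with padding, and uses the public-key step only to agree a symmetric session key that then encrypts the traffic; encrypting raw bytes one at a time with tiny primes, as done here, is only a way to watch the mechanism work.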

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through the critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data; it all depends on company capabilities.

I’m not a tech expert, but in general the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.