Posts Tagged ‘PCI compliance’

VoIP for credit card processing voids PCI Compliance

Sunday, December 21st, 2008

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. A traditional phone line is analog. A dial-up terminal places an ordinary modem call over the public switched telephone network, and the transaction travels as audio tones over a copper circuit between the merchant and the processor. Whatever the 2008 compliant desktop terminal encrypts itself (commonly the PIN block), the call rides over a dedicated, point-to-point circuit that PCI DSS treats as a private network rather than an open public one.

VoIP is digital. The call is digitized and carried across the Internet as a stream of packets, and by default those packets are not encrypted, so anyone with access to the network path between sender and recipient can capture them and turn the terminal’s modem tones back into the card data. The terminal also has no way of telling whether the path it is talking over is protected, so it cannot demonstrate compliance on its own. So the desktop terminal may be compliant, but once the data crosses an open public network in the clear, PCI DSS Requirement 4 (encrypt cardholder data in transit over open, public networks) is not met, and the merchant setup is no longer PCI compliant. Even though optional encryption packages can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card reader to your computer instead, the transaction is sent over an SSL (now TLS) connection, which is not the same as VoIP. SSL uses public-key cryptography during its handshake: the server’s public key, published in its certificate, is known to everyone, while the matching private key is known only to the recipient; the two sides use them to verify the server and agree on a session key, and the card data itself is then encrypted with that session key. The magnetic card reader can be used with many POS systems over a high-speed DSL, cable modem or T1 line. Note that the computer and the network it sits on then handle cardholder data and must themselves meet PCI DSS.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a gateway. The gateway provides secure, real-time authorization of credit card transactions; it is not the same as the credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific data fields through to the credit card processor to qualify for better rates. Most systems focus on fraud protection but do not necessarily pass through the data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data and sometimes the gateway doesn’t; it all depends on each company’s capabilities.

I’m not a tech expert but in general, the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.

What is PCI Compliance?

Tuesday, December 9th, 2008

PCI is an acronym for Payment Card Industry. PCI Compliance is simply meeting the standards of the Payment Card Industry. Visit our sticky page PCI Compliance links. The term you probably really need to know is PCI DSS (Payment Card Industry Data Security Standard) compliance.

PCI DSS is a set of comprehensive requirements for enhancing payment account data security created to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

You can get current information about PCI DSS on the PCI Security Standards Council web site.

If every business met all these standards, the problem with data security losses would be minimized and we wouldn’t see the headlines we do today.

First Data Selects SecurityMetrics for PCI Initiative

Tuesday, September 16th, 2008

Agreement Gives First Data Merchants a Cost Effective Way to Access Industry-Leading PCI Services

SALT LAKE CITY (SEPTEMBER 16, 2008) – SecurityMetrics today announced that electronic commerce and payments leader First Data has selected SecurityMetrics to provide PCI services for their small to mid-sized merchants. By providing the latest security technology coupled with customer support services for PCI issues, SecurityMetrics helps merchants protect their organizations from security breaches and simplifies the enrollment process. SecurityMetrics’ PCI services result in a reduction of acquirer and merchant liability by limiting risk, reducing fraud, and increasing consumer credit card confidence in payments.

“We offer First Data’s customers a manner to simplify PCI compliance in one of the most convenient, secure and cost-effective ways possible,” said Brad Caldwell, SecurityMetrics’ CEO. “Our approach is to arm the merchant with the knowledge, technology and customer support they need to assure their customer data is protected – plus the ability to prove it.”

Under the agreement, the companies are working together to provide a complete PCI compliance program to help small to mid-size merchants gain access to some of the best PCI know-how available. SecurityMetrics provides a one stop shop for all merchants with unlimited 24 x 7 live technical support, unlimited manual scanning, weekly resolution reminders, and consulting services before system upgrades or changes are implemented.

“PCI Compliance may be required in order to take credit cards for purchases, but it is also a good business practice to protect customer information. This program offers small to mid-size merchants a new way to streamline PCI compliance so that they can focus more time on serving customers and expanding their businesses,” said Carl Mazzola, senior vice president, First Data.

To learn more about SecurityMetrics’ PCI Compliance Solutions, contact a representative at 801.705.5665 in North America or 0207.993.8030 in Europe. For more information, see http://www.securitymetrics.com.

About SecurityMetrics
SecurityMetrics, Inc. is a leading provider of Payment Card Industry (PCI) Data Security Standard (DSS) security solutions. SecurityMetrics is certified to perform PCI Scans (ASV), PCI audits (QSA), Payment Application Best Practices audits (QPASP), MasterCard Point of Sale Terminal Security Program audits, penetration tests and forensic analysis. SecurityMetrics also offers a security appliance that includes vulnerability assessment, intrusion detection and intrusion prevention capabilities. SecurityMetrics is a privately held corporation headquartered in Orem, Utah. For more information contact SecurityMetrics at (801) 724-9600 or visit www.securitymetrics.com.

About First Data
First Data is a global technology leader in information commerce. The company processes transaction data of all kinds, harnesses the power of that data and delivers innovations in secure infrastructure, intelligence and insight for its customers. With operations in 37 countries, First Data serves more than 5.4 million merchant locations and more than 2,000 card issuers and their customers. It powers the global economy by making it easy, fast and secure for people and businesses around the world to buy goods and services using virtually any form of payment. The company’s portfolio of services and solutions includes merchant transaction processing services; credit, debit, private-label, gift, payroll and other prepaid card offerings; fraud protection and authentication solutions; electronic check acceptance services through TeleCheck; as well as Internet commerce and mobile payment solutions. The company’s STAR Network offers PIN-secured debit acceptance at 2.1 million ATM and retail locations. Through First Data’s centers of excellence, such as security, analytics, customer loyalty and mobile payments, it offers data-driven commerce solutions for customers around the globe. For more information, visit www.firstdata.com.

Storage of Credit Card Details

Tuesday, August 19th, 2008

How secure is the credit card data you collect?

In the home repair industry, including alarm systems, air conditioning repair, garage door repairs etc., credit card acceptance has increased dramatically. But how secure is the data collected?

The most common scenario is for the work order to be written up and the credit card information then added to it. Sometimes the work order is a carbonless form, so the credit card information ends up on both the customer copy and the merchant copy.

The repairman puts the form in the truck and goes to the next stop. Is the truck locked at ALL TIMES? Or does the driver carry all the forms with him in a notebook on each call? If so, how secure is the information while it sits in the home or business during the repair? Are all forms returned to the home office daily? If not, where are the forms kept until the originals are returned?

The second part of this common scenario is where the data resides: on the work order form. Where are the work orders filed? Who has access?

Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have the written policy and have had training.

Recommendations:
1. Paper records containing cardholder data must be locked in a secure area, with access limited to the individuals whose job requires it, on a “need to know” basis. If sales orders are kept in an open filing area, then the credit card data collected should not be on the same form.
2. The card number (PAN) should be redacted so that no more than the last four digits remain readable, and any other cardholder data should be masked. Sensitive authentication data (the CVV/CVC/CID code, the PIN, and full magnetic-stripe data) must never be stored after authorization.
3. Stored credit card information is to be retained according to your data retention policy, and only as long as there is a business, legal and/or regulatory purpose.
4. Procedure to follow for masking credit card information when it is no longer required:
* Black out the credit card number, except the last four digits if needed, and any sensitive authentication data, then photocopy the document.
* Cross-cut shred the original immediately.
* Retain, if necessary, the copy of the document with the unreadable credit card information.
* If the form design allows, detach the credit card section from the form. Immediately cross-cut shred the detached section and retain the remaining portion.
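As an added example, not part of the original post, the same redaction rules applied once a work order has been typed or scanned into a computer: every Luhn-valid card number is masked down to its last four digits, and CVV/PIN fields are removed outright rather than masked, since sensitive authentication data may not be stored at all. The sample work order, the field labels it looks for and the function names are constructed for this example.

```python
import re

# Added example: redact card data in transcribed work-order text the way the
# paper procedure above blacks out a form. The sample text, field labels and
# function names are constructed for this example, not taken from the post.

# 13 to 19 digits, allowing a single space or dash between groups. The
# lookarounds stop us from matching the middle of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data must never be kept after authorization, so the
# whole field goes, not just the digits. Labels are assumed; match your forms.
SAD_FIELD = re.compile(r"\b(CVV2?|CVC2?|CID|PIN)\b\s*:?\s*\d{3,12}\b", re.IGNORECASE)

# Constructed sample of a transcribed repair work order (test card numbers).
SAMPLE_WORK_ORDER = """Work order 4471 - garage door spring replacement
Customer: J. Doe, 12 Elm St, tel 801-555-0142
Card: 4111 1111 1111 1111  Exp 09/10  CVV 123
Backup card: 3782 822463 10005  PIN: 9876
Amount: $245.00
Invoice ref 1234567890123 (internal reference, not a card number)
"""


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check that every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with asterisks."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_text(text: str) -> str:
    """Strip SAD fields outright, then mask every Luhn-valid PAN candidate.

    Digit runs of card-number length that fail Luhn (invoice numbers,
    reference codes) are left untouched, so ordinary paperwork stays readable.
    """
    text = SAD_FIELD.sub(lambda m: f"{m.group(1)} [removed: must not be stored]", text)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)

    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print(redact_text(SAMPLE_WORK_ORDER))
```

The Luhn check is what keeps the redaction from eating invoice or reference numbers of similar length; it is not a guarantee that a matching number is a card, so treat the output as a first pass and keep the paper controls above in place for anything the scanner missed.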