Posts Tagged ‘pci dss’

3D Merchant newsletters

Wednesday, June 2nd, 2010

Merchant Account and Payment Processing Newsletters, events, and marketing collateral. 3D Merchant shares insights with you. Not all newsletters are posted for public viewing.

3D Merchant news ISSUE 5, 2010: Red Flags Rule, American Express merchant fees, Identity theft risk. (PDF download, 2.8 MB)

3D Merchant news ISSUE 4, 2010: PCI DSS Compliance, Tokenization & recurring billing, Preventing Credit Card Fraud. (PDF download, 2.8 MB)

3D Merchant news ISSUE 3, 2010: May Madness follows April price increases, Data Security - PCI Compliance, Internal Fraud Prevention, PCI Compliance fees. (PDF download, 2 MB)

What is Safe Harbor for PCI Compliance?

Tuesday, May 25th, 2010

Safe Harbor is a term used to describe the protection of business entities from significant financial liability related to payment processing and data breaches. The law and the specific Safe Harbor protection rules are continually evolving. What’s most important for MERCHANTS to understand is that by maintaining the Payment Card Industry Data Security Standard (PCI DSS), known as PCI Compliance for short, and being able to prove it, you are protecting not only your customer data and reputation, but the financial health of your company.

What is Safe Harbor?
Safe harbor is the outcome of the PCI certification process and provides members protection from fines and compliance exposure in the event of a data compromise. To attain safe harbor status:

  • A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
  • A member, merchant, or service provider must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance. Note: the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.

Below are links to more information on the subject:
A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law (David Navetta, posted March 10, 2010)

The following is a MasterCard statement regarding Safe Harbor, published in 2006: MasterCard will fully exempt acquirers from data security-related noncompliance assessments, investigative costs, and issuer reimbursement costs if the compromised entity:

  • Is found to have been compliant with the Payment Card Industry (PCI) Data Security Standard at the time of the compromise, and
  • Was registered on MOL (in the MRP system) as compliant at the time of the compromise.

Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”

Visa Compliance Fines

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Here is what the North Carolina state government’s State Comptroller website says:

What is a Safe Harbor? Safe harbor is an element of Visa’s CISP that provides member banks a potential protection from Visa fines and compliance exposure in the event their merchant experiences a data compromise. MasterCard’s SDP has a similar program called SDP Program Registration. Since a merchant must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation, the safe harbor provision offers little protection.

  • Visa Cardholder Information Security Program (CISP): links to general Visa information, not specific to Safe Harbor.
  • PCI Security Standards: the official organization with everything you need to know to become compliant, not specific to Safe Harbor.

3D Merchant security links

Visa’s Top Five Data Security Vulnerabilities PDF download

PCI Compliance for CenPOS customers

Wednesday, February 24th, 2010

Did you receive a letter from Security Metrics regarding PCI Compliance? Please follow the steps as appropriate for your business type.

PCI Security Standards Council: the granddaddy of everything you need to know for compliance, including form templates.

- Read the PCI DSS New Self-Assessment Questionnaire (SAQ) Summary.

- Determine which SAQ validation you need to complete.

- If needed, see page 12 of the linked document to submit the CenPOS MasterCard PCI Certification.

Complete the appropriate paperwork.

Merchant Account Security Links

Which level merchant am I?

Visa Sets 2009 Global PCI DSS Deadlines

Tuesday, January 20th, 2009

Data Security Compliance Requirements Aligned Across Visa Regions

San Francisco, CA, November 10, 2008

Visa Inc. (NYSE: V) today announced global mandates for compliance with the Payment Card Industry Data Security Standard (PCI DSS), creating a consistent framework for compliance among merchants, service providers and their agents.

The enhancements include a global set of requirements for merchants to validate their compliance with PCI DSS; and for the largest merchants, dates by which they must achieve validation. Deadlines are also set for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. Service provider levels and PCI DSS validation requirements have likewise been aligned under a global standard and compliance timeline. Compliance with PCI DSS will help protect businesses from financial and reputational harm that often results from cardholder data compromises. Visa data security compliance programs have provided compelling incentives for merchants and agents to properly secure cardholder data.

The new framework establishes the minimum requirements for Visa Inc. regions. As an independent company and licensee of Visa International for the business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however, the region will be adhering to a different timeline and process for executing compliance validation.

“Compliance with PCI DSS is vital to ensuring the integrity of the global payments system,” said Eduardo Perez, head of global data security, Visa Inc. “Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data.”


MERCHANT VALIDATION REQUIREMENTS

Alignment of Merchant Levels and PCI DSS Validation Requirements
A comprehensive set of international security requirements for safeguarding cardholder data, PCI DSS was developed by Visa along with the four other founding payment brands of the PCI Security Standards Council. Compliance is required of all merchants and any entity that stores, processes or transmits cardholder data.

Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume. Visa has globally aligned merchant levels and annual PCI DSS validation requirements as follows:

Merchant level [1] / Merchant criteria / Validation requirements

Level 1
Merchant criteria: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region [2]
Validation requirements:
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2
Merchant criteria: merchants processing 1 million to 6 million Visa transactions annually (all channels)
Validation requirements:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3
Merchant criteria: merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Validation requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4
Merchant criteria: merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
Validation requirements:
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

[1] – Compromised entities may be escalated at regional discretion.
[2] – A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.


Acquirers are responsible for their merchant customers’ compliance and must provide regular compliance status reports to Visa on their Level 1, 2 and 3 merchants at least twice a year. Compliance validation guidelines for Level 4 merchants will be determined by their respective acquirers.


Prohibited Data Storage Deadline for Level 1 and 2 Merchants – September 30, 2009
Visa will require confirmation from acquirers by September 30, 2009 that their Level 1 and 2 merchants do not retain sensitive payment card data such as full magnetic stripe (also known as track data), security codes or PIN data after transaction authorization.

“Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage,” said Perez.

After the deadline, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of the acquirer’s Level 1 and 2 merchants do not retain prohibited data. The September 30, 2009 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.

PCI DSS Compliance Validation Deadline for Level 1 Merchants – September 30, 2010
Visa will require acquirers to provide an Attestation of Compliance for each of their Level 1 merchants demonstrating that each has validated full PCI DSS compliance by September 30, 2010. After that date, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance. The September 30, 2010 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.


SERVICE PROVIDER VALIDATION REQUIREMENTS


Alignment of Service Provider Levels and PCI DSS Validation Requirements
Effective February 1, 2009, service providers that store, process or transmit Visa cardholder data on behalf of Visa acquirers, issuers, merchants or other service providers will fall into one of two service provider levels:

Level / All regions / Validation requirements / Result

Level 1 [1]
All regions: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Validation requirements:
  • Annual ROC by QSA
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Result: included on Visa’s list of compliant Service Providers

Level 2
All regions: any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Validation requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Result: not included on Visa’s list / Confirmation Letter of Receipt [2]

[1] – Eliminates the gateway definition from several existing regional programs.
[2] – May choose to validate as a Level 1 service provider to be included on Visa’s List of Compliant Service Providers.


In addition to aligning service provider validation levels globally, Visa will implement a common PCI DSS full compliance validation process for all service providers. Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ). Issuers and acquirers are responsible for reviewing the accuracy of the SAQ.

A “List of Compliant Service Providers” is available at www.visa.com to help issuers, acquirers and merchants identify and use PCI DSS compliant service providers.

“Standardizing compliance requirements better addresses the security risks in our truly global marketplace and is critical to ensuring the future growth of electronic payments worldwide,” Perez concluded.


Summary of Aligned Framework by Date

Effective date / Globally aligned mandate
  • February 1, 2009 – Effective date for globally aligned Service Provider level definitions
  • September 30, 2009 – Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction
  • September 30, 2010 – PCI DSS compliance validation deadline for Level 1 merchants


About Visa
Visa operates the world’s largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world’s largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com.

What is PCI Compliance?

Tuesday, December 9th, 2008

PCI is an acronym for Payment Card Industry. PCI Compliance is simply meeting the standards of the Payment Card Industry. Visit our sticky page PCI Compliance links. The terminology you probably really need to know is PCI DSS Compliance.

PCI DSS is a set of comprehensive requirements for enhancing payment account data security created to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

You can get current information about PCI DSS on the PCI Security Standards Council web site.

If every business met all these standards, the problem with data security losses would be minimized and we wouldn’t see the headlines we do today.

SoftBrands Technology Solutions receives PCI DSS certification

Thursday, December 4th, 2008

SoftBrands Technology Solutions Receives Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Best Practices (PABP) Certification. Compliance Demonstrates Commitment to Information Security.

MINNEAPOLIS, SoftBrands, Inc. (AMEX:SBN), a global supplier of enterprise application software, today announced that its leading hospitality technology solutions have been certified as meeting the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Best Practices (PABP) for credit card processing. Current versions of SoftBrands’ Epitome property management system (PMS), Medallion PMS and Core central reservation system (CRS) are compliant with PCI DSS and PABP requirements, helping to ensure the security of customer information. As a result of receiving PABP validation, SoftBrands is now listed on the Visa web site as a PCI DSS compliant service provider.

“By ensuring that our product development is consistent with the current data security standards established by the payment card industry, SoftBrands is reinforcing our ongoing commitment to providing strong security minded and technologically competitive products to our valued customer base,” said Kelly Stephen, vice president of global products, SoftBrands Hospitality.

SoftBrands’ PMS and CRS solutions were assessed and certified by Trustwave, an independent information security and compliance consultant. This certification includes Epitome.NET PMS version 4.03, Epitome for Windows PMS version 3.04, Medallion PMS version 1047 and Core CRS version 2.7. SoftBrands was added to the list of PCI DSS compliant service providers on Visa’s web site on Nov. 15; that list is available here.

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. Developed jointly by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, the PCI DSS is designed to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The comprehensive standard is intended to help organizations proactively protect customer account data.

Visa developed the PABP to assist software vendors in creating secure payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI DSS. The requirements for PABP are derived from the PCI DSS.

About SoftBrands Hospitality | SoftBrands Hospitality (www.softbrands.com/hospitality) provides central reservation, property management and business intelligence software that can be centrally managed to support many properties within a hotel chain, as well as less complex offerings that can be installed on site at an independent hotel. SoftBrands’ distribution service, Karyon, allows hotels to easily manage rates and inventory availability across all four Global Distribution Systems and many other online sources of demand. SoftBrands is committed to the hospitality industry, and is an active member of OTA, HTNG, HSMAI, HFTP, HEDNA, AH&LA, AAHOA & PHMA.

About SoftBrands | SoftBrands, Inc. is a leader in providing software solutions for businesses in the manufacturing and hospitality industries worldwide. The company has established a global infrastructure for distribution, development and support of enterprise software, and has approximately 5,000 customers in more than 100 countries actively using its manufacturing and hospitality products. SoftBrands, which has approximately 800 employees, is headquartered in Minneapolis with branch offices in Europe, India, Asia, Australia and Africa. Additional information can be found at www.softbrands.com.

EDITOR’S FOOTNOTE: Our team works closely with SoftBrands customers to provide merchant payment processing solutions that minimize chargebacks and reduce overall payment processing costs.