FTC To Study PCI Credit Card Industry Data Security Auditing

Commission Issues Orders to Nine Companies That Conduct Payment Card Industry Screening

March 7, 2016, The Federal Trade Commission has issued ftc pci audit request from 9 companies requiring them to provide the agency with information on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS audits are required by the major payment card issuing companies of retailers and other businesses that process more than 1 million card transactions in a given year, and are intended to ensure that companies are providing adequate protection to consumers’ sensitive personal information.

The nine companies receiving orders from the FTC are: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).

The FTC is seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.

Information collected by the FTC will be used to study the state of PCI DSS assessments.

The Commission is authorized to issue Orders to File a Special Report by Section 6(b) of the FTC Act.  The Commission vote to issue the orders was 4-0.

PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 enewsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it- you’re company is one of the many struggling to keep up with new rules.

Have you noticed $19.95 fee sneak back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL.  Fight back to stop these monthly fees. Not only is it premature, but the Payment Card Industry Security Standards Council (PCI SSC) changed the migration to date requiring TLS 1.1 encryption or higher from June 2016 to June 2018.


 Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.

TIPS.

  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.


Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Click here to search the Visa service provider database 


Software Updates
Reminder: PCI section 6.1 mandates software security updates be applied within 30 days.  With all the activity lately, that means every month. Windows XP users are automatically non-compliant. Click here for Internet Explorer & other Microsoft CRITICAL updates issued this year


CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos https://www.youtube.com/user/3Dmerchant/videos

Christine Speedy


WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting  middle market ($10M to $1B per year), primarily to technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution.  Best of all, I’m agnostic- you can keep your merchant services or check processors. Call today for a free consultation and for answers about any burning question for business to business.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, … Continue reading ?

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in … Continue reading ?

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For … Continue reading ?

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role … Continue reading ?

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. … Continue reading ?

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Login to Paymentech Resource online- use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

3rd PARTY CREDIT CARD AUTHORIZATION FORM

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free.

3rd party credit card authorization form

January 2016 3rd party credit card authorization form from Wikiform.org

What’s wrong with this form? For starters, according to PCI DSS 3.1 standards, section 4.2, it’s never OK to email cardholder data. That problem alone is so egregious, I won’t go into all the other problems, since the 3D Merchant blog has other articles addressing them. Best practice is to abolish paper credit card authorization forms altogether and replace with alternatives such as online payments or electronic bill presentment and payment. If a signature is desired, get it on the receipt, which contains critical data needed to defend a dispute; combining with signature on the sales order containing product description and confirmation for acceptance of return policy via a checkbox will make chargeback much harder.

What credit card data can a merchant store? PCI Compliance revisited.

There’s a lot of misinformation about collecting and storing credit card data, especially in business to business (B2B) environments for card not present transactions. Best card not present practices and how Payment Card Industry Data Security Standards (PCI DSS) requirement 3, protect stored cardholder data, applies are reviewed in this article.

Getting paid for one time it’s not OK to store cardholder data after authorization. The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

Merchants are not permitted to store full track data, which includes the cardholder number (primary account number or PAN) and expiration date or other sensitive authentication data after authorization.

Per Payment Card Industry Data Security Standards (PCI DSS) Requirement 3, protect stored cardholder data, The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

This applies even if the data is protected by:

Encryption
Password protection
Data scrambling/obfuscation
Masking
Proprietary data formats
Other mechanisms

What’s the exception?
Businesses may have a need to store track data (temporarily) for troubleshooting purposes. Why? Track misreads, network errors, encryption issues, etc. This is not a daily business practice, but a temporary solution. PCI requires documentation Ensure documented procedures include:

Collecting sensitive authentication data only when needed to solve a specific problem
Collecting the minimum amount of data needed to solve the specific problem
Storing any such data in a specific, secure location with limited access
Do not retain more data than needed
Encrypt data when stored/transmitted
Securely delete data immediately when troubleshooting is complete
Include a destruction practice
Verify data cannot be retrieved once troubleshooting is complete

Typical location of card verification value or codes include:

Paper
Databases
Flat files
Log files
Debug files

Systems that commonly store card verification value or code data:

Authorization servers
Web servers
Kiosk

Card verification value or codes are NOT required for recurring card-not-present transactions.? If your system requires you to key enter the CVV each time, this is a red flag. Ensure your systems is sending transactions with the proper flag for unscheduled credential on file. Reasons why you would have to enter every time:
Using a desktop terminal and key entering each time. The transactions are not being sent with correct indicator.
It’s also a PCI DSS requirement that unprotected PANs must not be sent or received via any end-user messaging technologies (such as e-mail, instant messaging, and chat). However, users may not be aware of this, and may be e-mailing PANs internally or even externally without the organization’s knowledge

4 Credit Card Processing Tips for Consultants & Accountants

profits Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk.  The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins. 
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.