Important Alerts

Please remember that Jefferson Bank will never contact you and ask you for personal information. Should you ever feel like your information has been compromised, please contact us at (210) 736-7600.

Why Even Small Businesses Need To Be PCI Compliant

Are you placing your credit card customers at risk? Accepting credit cards carries significant responsibility. As a merchant, you are responsible for keeping credit card information secure, not only for the sake of your customers but for your business as well. Failure to do so can have consequences greater than you realize.

Maintaining the trust of your customers is vital; when they provide you their card information, they expect that you will keep their information secure. This aids in solidifying trust and providing sound customer service.

A growing number of small merchants operate every day without properly securing cardholder information. Are you one of them? Many merchants are unaware that their systems may be holding unencrypted card data.

Businesses that unknowingly harbor unprotected card data usually do so because of improperly configured systems. Something as simple as keeping a customer's card information on file for future purchases can put the cardholder's data at risk without the merchant ever recognizing the danger of data theft.

A vulnerability scan of your network or systems is recommended for all merchants and, for Internet-connected payment systems, is required by the PCI DSS [5]. Removing unencrypted data calls for a “secure delete”: an ordinary delete only removes the file's directory entry and leaves its contents on the disk, where they can still be recovered. A secure delete overwrites the space where the old data was stored with new data before the file is removed. Encrypting card numbers and purging unencrypted copies from a system keeps criminals from using the information to commit fraud. Unencrypted data often accumulates without anyone intending it: employees keep card details on file for future purchases without realizing the danger, orders taken by phone or email leave card numbers in notes and mailboxes, and a homegrown shopping cart or billing system may store them without the merchant's knowledge.
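The two practical steps in the paragraph above, finding unencrypted card numbers that have accumulated in files and overwriting them before deletion, look like the following in code. This is an added example, not code from Jefferson Bank, Visa or the PCI SSC; the order log it scans is constructed sample data, the file name orders.txt is hypothetical, and the card numbers are the public test numbers that every brand publishes. The scanner only reports the last four digits, so the report itself never becomes another place where full card numbers are stored.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Deliberately loose; the Luhn check below discards most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card verification code written next to a label such as "cvv=123" (never allowed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; PANs issued by every major card brand satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in text as plain digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the scan report is not itself a PAN store."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_file(path: Path) -> dict:
    """Report masked PANs and stored card-verification codes found in one file."""
    text = path.read_text(errors="replace")
    return {
        "pans": [mask_pan(p) for p in find_pans(text)],
        "cvv_hits": len(CVV_RE.findall(text)),
    }


def secure_delete(path: Path, passes: int = 1) -> bool:
    """Overwrite a file's contents in place, flush to disk, then unlink it.

    Caveat: this only helps when the filesystem rewrites the same physical blocks.
    SSD wear levelling, copy-on-write or journaling filesystems, snapshots and
    backups can all retain the original bytes. The reliable control is not to
    store the PAN at all, or to encrypt it at rest and destroy the key.
    """
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    path.unlink()
    return not path.exists()


def demo() -> dict:
    """Scan a constructed order log (hypothetical data), then securely delete it."""
    sample = (
        "order 1001 cust=alice card=4111 1111 1111 1111 exp=12/29 cvv=123\n"
        "order 1002 cust=bob card=5555-5555-5555-4444\n"
        "order 1003 cust=carol phone=(210) 555-0100 ref=1234567890123456\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "orders.txt"  # hypothetical file name
        log.write_text(sample)
        report = scan_file(log)
        report["deleted"] = secure_delete(log)
    return report


if __name__ == "__main__":
    print(demo())
```

The third order line shows why the Luhn check matters: the 16-digit reference number is not a card number and is correctly ignored, while the phone number is too short to match at all. The first line is flagged twice, once for the card number and once for the stored CVV.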

The investment you make to validate the security of your POS system can prevent future problems for your business. By securing and encrypting cardholder information, you take a major step toward preventing a compromise of cardholder data and the fines that follow a breach. Failure to secure this information can result in high-dollar fines imposed by the card associations and can put your business at risk.

Protect your Cardholder Data, your Customers, and your Business

  • Do not store any cardholder data that is not needed to operate your business.
  • Any transaction records (receipts, orders, invoices, etc.) that contain cardholder data, such as the full card number, should be physically secured to prevent unauthorized access to the information.
  • Be aware of which individuals have access to your business computers. This includes not only employees, but vendors who may have remote access to your systems. Be cautious of who you allow to access your systems.
  • Cardholder data should be destroyed appropriately and responsibly when no longer needed for business purposes.
  • An anti-virus program should be installed and updated regularly on any computer at your business used to handle cardholder data or card transactions. Avoid using that computer for non-business activity such as web surfing or reading personal email.

Maintain a Solid Front-Line Defense against Data Theft

If you are a merchant who...

Uses a standalone terminal:

  • Verify that the customer receipt and merchant copy do not include the full card number and/or expiration date.
  • If your terminal displays the entire card number, contact FiTech by Deluxe®, our trusted merchant services equipment provider, to get this corrected.

Uses an IP based terminal, wireless terminal, or payment application that processes online:

  • Ensure your Internet connection is secure by installing a firewall that is properly configured to prevent unauthorized access.
  • Have vulnerability scans performed at least every three months by an Approved Scanning Vendor (ASV) to confirm your systems are secure.
  • If you use a payment application online, contact the application's vendor to confirm it follows the PA-DSS [1], or visit www.pcisecuritystandards.org/security_standards/vpa/ to check that the application is listed as validated.
  • Anti-virus and anti-malware programs should be installed and updated regularly on computers that run your payment applications.
  • Ensure that every user ID and password is unique and not easily guessed. Each employee should have an individual login that follows this guideline; do not share accounts.
  • Maintain computers in a secured work area that is not accessible to public view or susceptible to unauthorized use.

Accepts card-not-present transactions (mail/telephone/fax/email/internet):

  • The card verification code (CVV2, the 3-digit number on the back of the card, or the 4-digit code printed on the front of American Express cards) must never be stored after authorization, in any format, on paper or electronically.
  • Avoid requesting the CVV2 number for mail order or billing forms to prevent possible exposure of the secured information.

Who’s doing what to Safeguard Data in the Payment System? [2]

Everyone plays a major role in upholding the highest information security standards and protecting cardholder data, wherever it resides.

Roles and responsibilities

A Merchant Bank (also known as an acquiring bank) is a financial institution that establishes accounts for merchants, allowing them to accept payment cards.
  • Ensures a merchant is PCI DSS compliant. [3]
  • Establishes the compliance validation requirements for its Level 4 merchants [4], including direct receipt of any validation documentation from the merchant.

A Merchant is a seller of goods or services that agrees to accept payment cards.
  • Protects cardholder data according to the PCI DSS [5].

The Payment Card Industry Security Standards Council (PCI SSC) is an independent organization responsible for managing the payment card industry security standards, including the PCI Data Security Standard (PCI DSS) [5], the Payment Application Data Security Standard (PA-DSS) [1] and PIN Transaction Security (PTS).
  • Manages and maintains the tools merchants and service providers use to validate compliance with the security standards, including the Self-Assessment Questionnaires (SAQs) [6] that many small merchants use to validate PCI DSS compliance.
  • Answers questions regarding the SAQs [6] and the intent of the standards.
  • Manages the Qualified Security Assessor (QSA) program.
  • Manages the Approved Scanning Vendor (ASV) program.

A Qualified Security Assessor (QSA) is a third-party security company approved by the PCI SSC to provide compliance validation and data security consulting services.
  • Provides independent security assessments of a company’s cardholder data processing environment.
  • May contract with merchant banks to provide data security compliance programs, education and customer support.

An Approved Scanning Vendor (ASV) is a third-party security company approved by the PCI SSC to perform network vulnerability scans.
  • Performs network vulnerability scans according to the PCI DSS [5] requirements.

[1] The Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with the PCI DSS.

[2] Information obtained from Visa; see http://usa.visa.com, “Tips and Tools for Small Merchant Businesses”.

[3] Jefferson Bank will be working with a QSA to validate the PCI compliance of all our merchants. In the next several months you will be provided additional information on the validation process. If you have any questions, please contact FiTech by Deluxe® at (844) 822-1281.

[4] Visa defines Level 4 merchants as those who process fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

[5] The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to protect credit, debit and prepaid card transactions and to protect cardholders against misuse of their personal information. The first version of the PCI DSS was released in 2004, developed jointly by five major card brands: Visa, MasterCard, Discover, American Express and JCB.

[6] The Self-Assessment Questionnaire (SAQ) is a validation tool that helps merchants evaluate their own compliance with the PCI DSS, and it must be shared with Jefferson Bank.
