• MERCHANT SOLUTIONS
• SOFTWARE DEVELOPERS
• DOWNLOADS
• CAREER OPPORTUNITIES

With many breaches of credit card data already on record and identity theft on the rise, the PCI Data Security Standard has been designed to ensure a high degree of security to protect the cardholder. The Security Council is comprised of a set of 12 mandatory regulations created by the card associations to safeguard consumer card data. As the number of people using credit cards has increased, so has the risk of card data compromise. Compliance with these PCI standards is required for all payment processors, POS payment applications, and merchants of all sizes.

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants.

XCharge has a high level of technology and standards which ensures that our merchants are always following the latest PCI compliance regulations. Whether you have a stand-alone environment or an integrated software application, you have peace of mind using XCharge.

Merchants are liable for card data thefts from their businesses, even if only a small number of cards are affected. By signing a credit card processing agreement, merchants agree with the card associations’ requirements for handling credit card data according to the PCI data security standards. Cardholder data security is a shared responsibility and all participants must do their part to prevent fraud.

Card data theft is costly. When a merchant location is determined to be a common point of purchase for stolen card data, the card associations order a forensic audit. This can cost the merchant $15,000. Then, depending on the number of cards affected and whether the merchant took the necessary steps toward PCI compliance, the card association(s) assesses fines that can range from $50,000 to $500,000. Don’t be compromised!

PCI compliance is a new concern and the standards are developing. A PCI Council exists to oversee future compliance developments on behalf of all the card associations (Visa, MasterCard, etc.). The PCI Council has currently set mandatory compliance requirements for all levels of merchants. Some merchants may still be unaware of these new rules and not completely understand the implications for their business. www.pcisecuritystandards.org

Merchants that are not compliant with the PCI standards for the safe handling and storage of card data are at particularly high risk. For example, merchants using older POS systems may be storing prohibited card data. Also, merchants who have not implemented the best practices for maintaining a secure network, even if they are using a PCI compliant POS system, are also at increased risk. Eighty-five percent of compromises occur at "card present" environments.

Use a PABP (PA DSS)-validated POS system or payment application like XCharge. If you are not sure if the system you are using is PCI compliant, check Visa’s online listing of PABP-validated systems, or contact XCharge for assistance.

We assist our merchants by keeping them informed about all types of security risks. All merchants and processors must submit an annual scan report, which must be completed by a PCI approved ASV. Businesses with larger flows must do an annual on-site assessment completed by a PCI approved QSA and submit the findings to each acquirer. Businesses with smaller transaction flows may be required to submit an annual Attestation within the SAQ.

Annually, merchants should request a certificate of compliance from vendors. PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one. Many merchants think PCI is too hard, but remember, your business is at risk. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, litigation, legal fees, decreases in stock equity, and especially lost business. Merchants should ask their POS vendors if their system is PCI PA-DSS certified, if the application stores credit card data, and if they will document the list of files and their contents that the application writes to insure credit card data is not written or stored.

Merchants cannot be certified under PCI DSS if their POS application compromises any of the PCI DSS requirements. Merchants are not PCI DSS compliant just because they implement a PA-DSS application.

Always remember to:

• Maintain a network services management plan - Determine access levels for your particular programs; assign someone in charge of updating and maintaining security, and establish guidelines on how security updates will be processed.
• Change/update passwords on a regular basis - Changing passwords every 90 days is a simple practice that deters fraudulent activity. Passwords should be kept secure and never given out to other individuals. Use passwords that are at least eight characters and are a random combination of letters, numbers and symbols rather than common words, names, birthdates, etc.
• Be aware of fraudulent devices - These are devices thieves use to record and track data that they can use to make new fraudulent credit cards. Thieves may lure employees to swipe customers’ credit cards in the device in return for money. Be alert.

Security is a never-ending race against potential attackers. As a result, it is necessary to regularly review, update and improve the security requirements used to evaluate PIN Entry Devices. If you use a stand-alone terminal or other hardware for payment processing, there are new guidelines to follow as well. Most PED devices are no longer compliant and will need to be replaced in 2010. If these devices are not configured and managed correctly, they can provide an easy entry point for unauthorized intruders to gain access.

XCharge offers approved PED (PIN Entry Device) hardware that meets the PCI Security Council Regulations. Each of our POS peripherals features sophisticated technology that complies with the latest Payment Card Industry requirements for security and fraud protection. Allow your customers to make PIN-based payments, initiate their own transactions or swipe their cards for contactless payments with our peripherals. XCharge’s POS Peripherals help increase customer satisfaction at your merchant locations.

Visa’s top five data security vulnerabilities leading to compromise:

• Storage of sensitive cardholder data, including track data, Card Verification Value 2 (CVV2), and Personal Identification Numbers (PINs) or PIN blocks
• Missing or outdated security patches
• Using vendor-supplied default settings and passwords
• Insecure website code
• Unnecessary and vulnerable services on servers

www.visa.com

Invest in your future by improving the productivity and efficiency of your business!

Explaining the acronyms

Merchant levels explained

These are the levels assigned to merchants based on Visa transaction volume over a 12-month period.

XCharge delivers technology and security like no other! - When you sign up with XCharge payment processing, there are no compromises. Our software provides you with fast, reliable and secure payment processing. XCharge is recognized on Visa’s List of Validated Payment Applications. It provides you with peace of mind knowing that your software or hardware is always current with technology and Payment Card Industry compliance regulations.