An Introduction to PCI Compliance and PCI Security Standards

Shannon Andrade

May 31, 2012

Credit Card Security Information

The credit card processing industry has been in the news quite a bit over the past several years due to security breaches and data theft. You may have read or seen news reports of some of the larger breaches such as those that recently occurred to Hannaford, Dave & Busters, TJX and Heartland. Thieves were able to steal credit card information from the above businesses and use it to make fraudulent purchases and produce fake credit cards.

Although these are the breaches that made the news, smaller merchants face a much higher risk of having their customers’ credit card information stolen and are actively targeted by criminals. A breach would be very harmful: your customers will hold your business responsible, will likely take their business elsewhere and might file lawsuits to recover damages. Additionally, Visa and MasterCard would likely impose heavy fines and fees on any merchant that loses credit card information.

It is every merchant’s responsibility to protect the credit card information they handle. Those that do not are subject to fines, penalties, processing restrictions and litigation.

What is PCI DSS?

To combat these escalating breaches, the card associations (Visa, MasterCard, AMEX and Discover) developed security guidelines to protect cardholders, merchants and acquiring banks. These guidelines were combined to form the Payment Card Industry Data Security Standard (PCI DSS).

When these requirements are followed, the chances of a security breach resulting in sensitive cardholder data loss are greatly reduced.

How to become PCI DSS Compliant

For merchants that process fewer than 6 million Visa or MasterCard transactions annually:

Dial-up terminal merchants

Merchants using dial-up terminals like the ones made by Verifone, Hypercom, Lipman/Nurit and Ingenico just need to fill out Self-Assessment Questionnaire type B.

Dial-up terminals are programmed by the merchant account provider with the processor’s application and comply with all PCI DSS requirements. These terminals do not store prohibited data such as track data or the card-validation code (the 3- or 4-digit number on the front or back of the card) that is sometimes used for key-entered transactions.

Virtual terminal merchants

Merchants using web-based virtual terminals just need to fill out Self-Assessment Questionnaire type A. Some of the most common compliant virtual terminals are Authorize.Net and MerchantWARE (Smart Payments Server).

Virtual terminal users must ensure that the virtual terminal provider they use is either PABP or PA-DSS validated. When a virtual terminal undergoes validation, the gateway is audited to ensure that all PCI DSS requirements are followed, including the safe and proper storage of permitted cardholder information and secure communication between the user and the gateway.

  • To view all PABP validated payment applications click here.
  • To view all PA-DSS validated payment applications click here.


Completing validation

For further information on how to become PCI DSS validated, please contact Merchant Warehouse at 800-941-6557.

For more information about PCI DSS please visit the official website.