How to keep your cardholder data safe.
In a world that is becoming increasingly digital, it makes sense that digital, or cybercrimes, are growing. Apart from identity theft, which is when a criminal uses someone else’s personal details such as their date of birth, social security number, first and last name, and other personally identifiable information to fraudulently establish lines of credit. This is not only a headache for the victim spending countless hours on the telephone with the three major credit bureaus to clean this up, but it’s also illegal.
But what happens when a credit card number is compromised? There are hundreds of pages which regulate how credit card information is collected, transmitted, and stored in both electronic and physical environments. These regulations are created, maintained, and published by a group called Payment Card Industry Data Security Standards (PCI-DSS).
In order to become PCI-compliant, a provider, like a gateway or merchant service provider, must undergo a series of tests and implement certain policies and procedures. This process includes, but is not limited to, physical security of where the servers are located, firewalls that are properly maintained with adequate redundancies to prevent unauthorized access of the data, compartmentalization of the networks where the secure server resides compared to operational support servers and restricted access to only essential and authorized personnel. There’s no reason the receptionist or the intern picking up the lunch orders needs access to the server room, for example.
Once a provider is PCI-certified, it shows that they’ve gone through the process of being audited and they have established the appropriate policies and procedures to secure cardholder data. This is the type of provider you want handling your transactions and it’s important that you partner with a service provider who only works with PCI-certified entities.
Having a comprehensive compliance program is the only way to ensure everything that can be done, is being done, in order to prevent a breach of sensitive data, such as full credit card numbers.
Every merchant must be PCI-compliant to a degree and a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) must be completed annually. Depending on how you conduct business – whether it’s face-to-face with a credit card terminal in a retail store front, or over the phone with an employee entering credit card numbers into a physical terminal, or virtual terminal, all the way up to running a website where the cardholder is responsible for entering the credit card information themselves – will determine what sort of PCI compliance is required.
Credit Card Privacy Protection
Of course, running a retail storefront where a credit card is swiped or inserted for the EMV chip to be read, or even contactless payments such as Apple Pay, is going to be the easiest to secure. The receipts that the credit card terminal prints only print with truncated card numbers, meaning that usually only the last four of the card number are printed on both the customer’s copy as well as the merchant’s copy. Sometimes, the bank identity number, or BIN, are also printed. The BIN is the first six digits of the credit card; long-gone are the days where the full card number is printed on even the store’s copy of the receipt. If, for some reason, the terminal malfunctions and loses the day’s transaction data, the merchant will have to call their merchant service provider to get the full credit card numbers to re-run the lost transaction and even then, the merchant service provider will typically run those transactions on their end as transmitting full card numbers, along with expiration dates, to someone who doesn’t have the proper PCI certification, would be a violation of PCI DSS.
As for mail-order/telephone-order, or MOTO, merchants, when a customer calls or faxes an order in, an employee of the merchant would enter the credit card number either into a virtual terminal available through a PCI-certified gateway or a physical terminal. At which point, the fax copy of the order form must be destroyed to PCI DSS specifications, crumpling it into a ball and tossing it in the trash would be a prime example of a violation of PCI DSS.
If a MOTO merchant experiences a technical malfunction and for some reason the transaction data is lost and the transaction is not completed, it’s a little easier for the merchant to re-enter the information. Typically, a MOTO merchant is providing a tangible product which means they should have the cardholder’s name, address, and telephone number recorded with the order. The merchant can call their customer back and explain there was a problem placing the order and that they require the payment details again, as the credit card number is not stored and is truncated in their virtual terminal once the order is placed. If the merchant is providing a service, however, and for some reason, contact information is not retained, then similar to a retail environment, the merchant would need to call the merchant service provider to re-run the transaction on their end.
Lastly, the electronic commerce, or internet merchant. This is where a merchant maintains a website which offers tangible products, or access to a service, and the cardholder is the one entering his or her payment information during the checkout process. Even the electronic commerce merchants must be PCI-compliant even if they never touch a credit card or see credit card numbers. The payment processing page, that is, the page where the credit card number, expiration date, and card verification value (CVV) number is entered, must be encrypted with secure socket layer (SSL) technology. Typically, an SSL certificate can be purchased from your domain registrar or hosting company. This certificate ensures that that the credit card number and other data entered on the payment page are encrypted from the customer’s computer all the way to the gateway’s server where the information is received, decrypted, and presented to the bank networks for authorization – all in a matter of milliseconds.
Online Transaction Awareness
Since there are varying methods of accepting credit cards online, a merchant may or may not be subject to port scanning and penetration testing. Typically, if the merchant is not hosting the payment page, the actual page where the credit card information is entered, they will not need to be scanned. However, some merchants prefer to host their own payment page, which is perfectly acceptable, so long as the appropriate measures are taken, such as implementing and maintaining the latest versions of software for servers, as well as closing vulnerable and unnecessary ports and maintaining security software and firewalls.
Not only is PCI compliance mandatory with every merchant account, regardless of how credit card information is collected, entered, and processed, it also lessens the fines, which can range anywhere from $50 up to $50,000 depending on the severity of the data breach and how much data was compromised. Fines for PCI non-compliance and data breaches are levied by the card associations, Visa and MasterCard, as well as the acquiring bank where the merchant account was opened. Being PCI compliant is typically mandated in the merchant agreement and the merchant service provider will often impose a non-compliance fee every month the merchant account is not compliant.
Becoming PCI compliant is easy, and usually free as most merchant service providers have partnered with certified PCI vendors and assessors. It only takes a few moments, once a year, to complete the self-assessment questionnaire and it provides you, your customers, and your merchant service provider with the peace of mind knowing that you’re doing everything you can to ensure your customer’s cardholder data is properly transmitted, stored, and is only accessible to authorized personnel.
Return to Blog
* Created by