Merchant Account Provider - Accept Credit Cards - Credit Card Processing

 Quality Merchant Services Since 1996


PCI DSS

Special PCI Alert

PCI Data Storage Do's & Don'ts at a Glance

Payment Card Industry Data Security
Data security issues continue to become more prevalent and to capture news headlines. It is important that merchants implement proper safeguards to prevent fraud. The primary threat is to POS systems that are connected to the internet, and to the network environment around them.

The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the full contents of any magnetic stripe, the CVV2, or PIN data. Storing this type of data is a violation of PCI DSS and of the card companies' operating regulations.

Restaurants are at high risk of being compromised. Approximately 62% of known compromises last year involved a restaurant, and nearly all of those compromises involved data that should not have been stored by the merchant. This is the largest share of incidents among merchant groups.

If your POS system is connected to the Internet, hackers can compromise the computer network within your location to steal cardholder data! Don't think it will not happen to you. Merchants just like you are being compromised, and it is putting their businesses at risk. Please protect yourself, your business and your customers' data.

It is very important to secure any type of PC-based point-of-sale payment system used to accept credit and debit cards. Merchants using any processing software that sends transactions over the internet should follow all recommended best practices, including changing default passwords, changing passwords periodically and using firewalls appropriately, to reduce the chance of an outsider gaining access to the software.

Please act now to secure your system and comply with the Payment Card Industry Data Security Standard. Additional, comprehensive information is available at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

See also Visa's Payment Application Best Practices (PABP). A list of PABP-validated applications is available at www.visa.com/cisp. A list of PA-DSS validated applications is available at www.pcisecuritystandards.org/security_standards/vpa/.

ALERT! The Financial Risk of a Breach
If full mag-stripe data is stored on your system's hard drive or in log files and this data is stolen from your system, criminals can manufacture counterfeit cards and use them at stores to buy electronics, jewelry, etc., and you are responsible for these fraudulent card sales performed at other stores! These compliance chargebacks can quickly add up to tens, even hundreds, of thousands of dollars. So until the card acceptance rules change (which Vantage is strongly lobbying for), your business is responsible not only for chargebacks on sales you make but also for chargebacks on fraudulent sales made at other merchants with card data stolen from your system!

A hacker can mine cardholder data from your system for days, weeks or months, then wait a year or more before using the stolen data. Once the stolen cards are used, a sophisticated "Compromised Account Management System" will trace them back to a common point of purchase. As the rules and regulations now stand, once your business has been identified as the compromised location, YOU are responsible for the costs of a POS forensics exam, remediation, mandated security monitoring, fines and chargebacks!

Prioritized Approach for the PCI DSS v1.2 Resource

The Payment Card Industry Security Standards Council (PCI SSC) has released a new resource for achieving PCI DSS compliance. This new resource is referred to as the Prioritized Approach, and it is intended to provide best practices that will help merchants identify and reduce risk to sensitive data. The tool groups the requirements of PCI DSS v1.2 into six key milestones for merchants to consider in achieving their PCI DSS compliance. It also offers guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data.

Additional benefits of the Prioritized Approach are:

  • An increased awareness of cardholder data security
  • Assistance for businesses in identifying the highest-risk targets
  • The creation of a common language around PCI DSS implementation efforts
  • Enabling merchants to demonstrate progress in the compliance process

For additional information on Prioritized Approach, please visit: https://www.pcisecuritystandards.org/education/prioritized.shtml


Additional Resources
Vantage has launched a series of online security training courses. We strongly encourage you to use the information, tools and resources available. Education and due diligence are the keys to protecting your business.

PCI Compliance course brochure
Assess your Vulnerabilities course brochure

Review the following Reference Tools for security audit procedures, self-assessment questionnaires, a list of validated payment applications and more…

The best place to start is to check your POS software version number against the certified payment application list available at www.visa.com/pabp, where you will find a list of validated payment applications (make sure your POS is on the list) and best practices. We also recommend you review these PDF documents:

PCI Quick Reference Guide
PCI DSS FAQs
Visa Merchant Security Guide
Visa: Keep Data Security on the Menu
The Payment Card Industry (PCI) Data Security Standard

It is critical that you do not use payment applications known to retain prohibited data elements, and that you take corrective action to address any identified deficiencies, because these applications are at risk of being compromised.

Protect yourself… Payment Application Best Practices

  • Upgrade to a secure payment application immediately. Get a certification letter from your POS vendor, for your records, stating that your specific payment application version is PCI compliant.
  • In addition to upgrading your payment application, any old storage of prohibited data must be securely deleted from all systems, databases and log files.
  • Enforce network security on your POS. Insecure networks connected to the internet are prime candidates for attacks.
  • Secure remote management applications like PCAnywhere. Turn on your remote management software ONLY when needed.
  • Don't store it if you don't need it, and avoid fines, lawsuits and bad press. If you do store cardholder data, take the steps needed to protect it and to meet data security compliance standards.
  • Skimming fraud can be addressed with new Pay at the Table solutions.
  • Process your card payments using a credit card terminal not tied to your POS.
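The prohibition on storing full magnetic-stripe, CVV2 and PIN data, and the advice above to securely delete any old storage of prohibited data from systems, databases and log files, both assume you can first find that data. The scanner below is an added example written for this page; it is not code from Vantage, Visa or the PCI SSC. It searches text lines for Track 1 and Track 2 patterns, labelled CVV2 values, and bare card numbers confirmed with the Luhn check, and masks every number it reports so the findings file does not itself become a new store of cardholder data. The log lines, regexes and 4111... test number are constructed for the example; tune the patterns to your own POS software's log format.

```python
import re
from typing import Dict, List

# Sensitive authentication data that PCI DSS forbids storing after authorization.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# CVV2/CVC2/CID written next to a label (constructed heuristic; tune to your own logs)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# Any 13-19 digit run, optionally split by spaces or dashes; confirmed with Luhn below
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real data; 4111... is a public test card number)
SAMPLE_LOG = [
    "2010-03-02 12:01:07 auth ok ticket=1042 amount=41.25 pan=4111111111111111",
    "2010-03-02 12:01:09 swipe raw=;4111111111111111=15121011234567890?",
    "2010-03-02 12:02:11 order 1234567890123456 shipped to customer",
    "2010-03-02 12:03:40 manual entry cvv2=123 result=approved",
    "2010-03-02 12:04:02 swipe raw=%B4111111111111111^DOE/JOHN^1512101000000000?",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the findings report never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str, lineno: int) -> List[Dict[str, object]]:
    """Return one finding per prohibited element found on a single log line."""
    findings: List[Dict[str, object]] = []
    track_spans = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            track_spans.append(m.span())
            findings.append({"line": lineno, "type": kind, "pan": mask_pan(m.group(1))})
    for _ in CVV_RE.finditer(line):
        findings.append({"line": lineno, "type": "cvv2", "pan": ""})
    for m in PAN_RE.finditer(line):
        # Digit runs inside a track hit were already reported above; skip them here
        if any(s <= m.start() and m.end() <= e for s, e in track_spans):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order numbers and other non-card digit runs
            findings.append({"line": lineno, "type": "pan", "pan": mask_pan(digits)})
    return findings


def scan_lines(lines) -> List[Dict[str, object]]:
    """Scan any iterable of text lines, e.g. a log file opened for reading."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(line, n))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f)
```

Run it over the sample and it reports the bare card number on line 1, the Track 2 record on line 2, the labelled CVV2 on line 4 and the Track 1 record on line 5, while the 16-digit order number on line 3 is ignored because it fails the Luhn check. Point scan_lines at real POS logs, database exports and backup files, then securely delete what it finds; a hit in a file that is still being written to means the application itself is storing prohibited data and needs to be upgraded, not just cleaned.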

The primary threat has to do with your POS system and network environment. You can upgrade your POS software version and firewall and then constantly monitor your IT network. But this is not your only option. An inexpensive alternative is to process your card payments using a credit card terminal not tied to your POS. Stand-alone credit card terminals are PCI compliant and are not at risk from a hacker. These units are small, with built-in thermal printers, and offer high-speed IP connections with dial backup. You can even tie multiple units together without a network for a single batch settlement. Separating the payment technology from the rest of your POS functionality offers a low-tech way of meeting pressing security concerns. All it takes is to reconcile the POS sales report with your card terminal's batch report, which, unlike IT, is a skill set that most of us have. By separating the payment component from your POS, you avoid the threat of hackers compromising your POS network, as well as costly upgrades to your POS and the ongoing validation procedures and security scans needed to ensure your POS system, firewall and network are secure.
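The reconciliation step that the stand-alone terminal approach relies on is simple enough to automate. The following is an added example for this page, not Vantage's own tool: it takes the card tenders from a POS sales report and the entries from the terminal's batch report, matches them by amount, and lists what is on one side but not the other. Both reports, their column names and the amounts are constructed for the example; real POS and terminal exports will need their own column mapping.

```python
from collections import Counter
from decimal import Decimal
from typing import Dict, List

# Constructed sample POS sales report: ticket id, tender type, amount
POS_REPORT: List[Dict[str, str]] = [
    {"ticket": "1042", "tender": "card", "amount": "41.25"},
    {"ticket": "1043", "tender": "cash", "amount": "12.00"},
    {"ticket": "1044", "tender": "card", "amount": "87.10"},
    {"ticket": "1045", "tender": "card", "amount": "19.99"},
]

# Constructed sample terminal batch report: amount and last four digits of the card
TERMINAL_BATCH: List[Dict[str, str]] = [
    {"amount": "41.25", "last4": "1111"},
    {"amount": "87.01", "last4": "4444"},  # keyed wrong on the terminal (POS says 87.10)
    {"amount": "19.99", "last4": "0005"},
    {"amount": "19.99", "last4": "0005"},  # second swipe of the same sale, no POS ticket
]


def reconcile(pos_rows, batch_rows) -> Dict[str, object]:
    """Match card tenders on the POS report against terminal batch entries by amount.

    Amounts are treated as multisets, so a sale swiped twice shows up as a terminal-only
    entry and a sale keyed with the wrong amount shows up on both sides as unmatched.
    """
    pos_amounts = Counter(Decimal(r["amount"]) for r in pos_rows if r["tender"] == "card")
    batch_amounts = Counter(Decimal(r["amount"]) for r in batch_rows)
    matched = sum((pos_amounts & batch_amounts).values())  # min count per amount
    return {
        "matched": matched,
        "pos_card_total": sum(pos_amounts.elements(), Decimal("0")),
        "terminal_total": sum(batch_amounts.elements(), Decimal("0")),
        "pos_only": sorted((pos_amounts - batch_amounts).elements()),
        "terminal_only": sorted((batch_amounts - pos_amounts).elements()),
    }


if __name__ == "__main__":
    result = reconcile(POS_REPORT, TERMINAL_BATCH)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data two sales match, the POS shows 87.10 with no terminal entry, and the terminal shows 87.01 and an extra 19.99 with no POS ticket, which is exactly the pair of discrepancies (a mis-keyed amount and a double swipe) a manual reconciliation is meant to catch before the batch settles. Decimal is used rather than float so that totals add exactly to the cent.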

What to Do If Compromised

In the event of a security incident, merchants must take immediate action to investigate the incident and limit the exposure of cardholder data. Please notify us right away. The following steps, used in conjunction with the instructions in Visa's What to Do If Compromised document, should be followed in the event of a security incident:

  • Immediately contain and limit the exposure
  • Isolate compromised systems (do not log on to or access systems)
  • Preserve evidence for forensic investigation
  • Work with your internal information security and incident response team
  • Keep a log of all actions taken and follow the chain of custody control
  • Be on high alert and monitor traffic on all systems with cardholder data
  • Notify local law enforcement
  • Consult with your legal department regarding state and federal notification laws
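Two of the steps above, preserving evidence for forensic investigation and keeping a log of all actions taken under chain-of-custody control, can be supported with a small append-only log. The class below is an added example for this page, not a tool from Vantage or Visa: each entry records who did what to which piece of evidence, the SHA-256 of that evidence as it was when handled, and the hash of the previous entry, so that any later edit, insertion or deletion of an entry breaks the chain and verify() reports it. The actor names, actions and evidence bytes in sample_log() are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry stores the SHA-256 of the evidence it describes and the hash of the
    previous entry, so editing, reordering or removing an entry later is detectable.
    """

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, actor: str, action: str, evidence_name: str,
               evidence_bytes: bytes, when: Optional[datetime] = None) -> Dict[str, object]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry: Dict[str, object] = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "evidence": evidence_name,
            "evidence_sha256": sha256_hex(evidence_bytes),
            "prev_hash": prev,
        }
        # Hash the canonical JSON of the entry (sorted keys) so verification is reproducible
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check the chain links; False on any tampering."""
        prev = GENESIS
        for i, e in enumerate(self.entries, 1):
            body = dict(e)
            stored = body.pop("entry_hash", None)
            if body.get("seq") != i or body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != stored:
                return False
            prev = stored
        return True

    def evidence_unchanged(self, seq: int, evidence_bytes: bytes) -> bool:
        """Check a current copy of the evidence against the hash recorded at entry seq."""
        return self.entries[seq - 1]["evidence_sha256"] == sha256_hex(evidence_bytes)


# Constructed stand-in for an evidence file (a real case would hash the disk image itself)
SAMPLE_IMAGE = b"constructed sample: contents of pos01 disk image"


def sample_log() -> CustodyLog:
    """Build a small log with fixed timestamps so the chain is reproducible."""
    log = CustodyLog()
    t0 = datetime(2010, 3, 2, 14, 0, tzinfo=timezone.utc)
    log.record("J. Smith (manager)", "powered off and unplugged pos01 from network",
               "pos01", b"", t0)
    log.record("A. Lee (forensic examiner)", "imaged pos01 hard drive to pos01.img",
               "pos01.img", SAMPLE_IMAGE, t0.replace(hour=16))
    log.record("A. Lee (forensic examiner)", "sealed pos01.img in evidence bag #1",
               "pos01.img", SAMPLE_IMAGE, t0.replace(hour=17))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())
    print("image unchanged:", log.evidence_unchanged(2, SAMPLE_IMAGE))
```

The chain only proves that the log has not been changed since the last entry whose hash you can vouch for, so after each session write the latest entry_hash somewhere the compromised systems cannot reach (a printed sheet signed by the examiner, or a message to your acquirer). Keeping the original systems powered off and working only on the hashed image is what lets the "do not log on to or access systems" step and the evidence-preservation step be followed at the same time.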

Copyright © 1996-2010 Vantage Card Services, Inc. All Rights reserved. ISO/MSP of HSBC Bank USA, National Association, Buffalo NY