PCI Compliance Fail
80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It's time to admit it: your company is one of the many struggling to keep up with new rules.
Have you noticed a $19.95 fee sneaking back into your merchant statements?
Check your quarterly scans. You may discover a scan failed for a reason related to SSL. Fight back to stop these monthly fees. Not only is the charge premature, but the Payment Card Industry Security Standards Council (PCI SSC) moved the migration date for requiring TLS 1.1 encryption or higher from June 2016 to June 2018.
Credit card authorization forms – a weak link for compliance
“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.
- Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
- PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
- Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)
Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then the Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, not covered by insurance, plus ongoing lost business due to a damaged reputation.
Is your service provider PCI Compliant?
If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Search the Visa service provider database to confirm registration.
Reminder: PCI section 6.1 mandates that software security updates be applied within 30 days. With all the activity lately, that means every month. Windows XP users are automatically non-compliant. See Internet Explorer and other Microsoft CRITICAL updates issued this year.
CenPOS Question of the Month
How can we collect cardholder data for B2B card not present customers without our credit card authorization form?
- Hosted online pay page
- Electronic request for payment (push to email or text)
- Electronic bill presentment & payment
- All of the above and a PCI Compliant authorization form
PCI Compliant credit card authorization form example: Video
Training & educational videos https://www.youtube.com/user/3Dmerchant/videos
WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting the middle market ($10M to $1B per year), primarily technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution. Best of all, I'm agnostic: you can keep your merchant services or check processors. Call today for a free consultation and for answers about any burning question for business to business
CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.