Friday, March 26, 2010

Gateway Security

Over the past few weeks, we have seen an increasing number of transactions processed remotely, via an API, from eastern Europe and other distant parts of the world. These attempts to process credit card information may have resulted in approved sales that you do not recognize or that make little sense relative to your normal billing amounts. Your accounts have not been directly impacted; however, because completed transactions could be put into dispute status with the processor, we urge you to take immediate action and update the information on your account.

In an effort to minimize the possibility of fraudulent transactions being processed, we have implemented a merchant PIN system: every transaction must be accompanied by the PIN in order to process and settle. The PIN can be added to your account immediately. However, if you have a website that accepts payments in addition to using the virtual terminal, your web programmer will need to insert a line of code containing the PIN into your shopping cart/payment pages so that transactions from your website continue to be processed as usual. This should limit the chance of fraudulent payments being made through your account and make your site more secure. If you use the virtual terminal only as a stand-alone system, entering the PIN will not change your normal processing routine, but it will prevent any outside source using the API to probe whether your account is legitimate from processing any charges at all.

To update your account and have a PIN generated for your protection:

1. Log in to your Merchant Partners virtual terminal system using your account credentials.

2. In the left column, find the box labeled "FRISK(TM) Management" and click the "Configure Options" link.

3. Scroll to the very bottom of the page, to the last section, "API Controls", and click the "Edit" link to the right of the "Merchant PIN" field.

4. On that screen, click the "Generate New PIN" button.

5. In the bottom section, "Merchant PIN for Transaction Processing," select the "Require Merchant PIN for transaction processing" radio button and click Update.

A PIN has now been generated for you and your account is updated. Please remember that if you have a website, your website sales/donations will NO LONGER FUNCTION OR ACCEPT PAYMENTS until the PIN has been inserted into the payment pages on your website. Instructions for inserting this PIN into your website are available in the Integration Guide on the Merchant Partners website.

Should you have any questions related to this update, please feel free to contact us at 201-645-0132. If you have already updated your account(s) with us to have the PIN generated and active, please disregard this message.

Thank you again for your continued business and we look forward to continuing to service your account with us for many years to come.

Best regards,
Credit Cards, NJ
p. 201.645.0132

Wednesday, March 3, 2010

PCI Compliance

Over the past few months, there has been much talk about new fees appearing on merchants' statements. These fees go by a variety of names, but nearly all of them relate to a newer initiative on behalf of Visa and MasterCard. That initiative is called PCI, and it is meant to secure your business and your customers' credit card information.

Below are some frequently asked questions concerning PCI and what it may mean for you:

1. What is PCI? The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for merchants and merchant service providers covering the storage, processing and transmission of cardholder data. It combines technical and operational requirements intended to prevent credit card fraud, hacking and other security vulnerabilities. The standard is meant to safeguard consumer data and provide a more secure processing environment at every merchant location, and it is a global initiative being implemented across the industry.

2. Why is it important? The last decade has seen some of the worst compromises of consumer data in history. Fortunately, the systems of CCNJ's processing partners have never been breached, but we must embrace the PCI standards and take a proactive approach in order to provide the highest level of security for our customers' payment information. The process is not limited to CCNJ and our partners; it requires compliance and best practices at the merchant level as well, including the use of PCI compliant credit card terminals. In this technological age, it is critical that we maintain maximum protection of consumer data, specifically credit and debit card numbers.

3. What do I need to do? Most importantly, you need to stay educated about the PCI standards and how to remain compliant. Our goal is to help you stay up to date, and part of the purpose of this blog post is to help you remain educated. However, there is only so much CCNJ can do on your behalf; the majority of PCI compliance relies on our merchants following best practices and keeping themselves educated. Together we can make sure that our customers' payment information is as safe and secure as possible.

4. If I do nothing, is that okay? The major credit card networks have implemented substantial fines and penalties for failing to remain PCI compliant. The consequences can be tremendous, especially in the event of a cardholder data compromise.

5. Is this why I was charged a PCI fee? Virtually all processors are now assessing PCI fees. The expense of PCI compliance for CCNJ and our processing partners goes well beyond creating a blog post: websites have been set up to provide Self Assessment Questionnaires (SAQs), and, in addition to the expense of remote PCI system scans, these guidelines have required us to make substantial upgrades to our partners' processing systems, implement new security protocols and hire additional employees. It is becoming increasingly rare to find any processor not charging an annual PCI fee to cover these expenses. If the fee is not directly labeled as a "PCI fee", these costs are most likely being recovered under the name of another type of fee. CCNJ has tried to keep its PCI fee as small as possible while still allowing us to recover the expenses we have incurred in complying with the PCI standards, and it is important to note that our charges have been substantially less than most other processors'.

6. If I pay the fee, am I 100% covered? No. Although the annual PCI assessment covers a substantial portion of the expense described above, it is up to each and every merchant to ensure that best practices are being followed to maintain a completely secure payment environment.

Some best practices to ensure that you remain PCI compliant:

1. Cardholder Privacy - Full credit card numbers should never be stored in plain text. Ensure that your terminal truncates card numbers and shows only the last four digits on receipts. Additionally, Visa® and MasterCard® regulations prohibit merchants from recording personal information on the sales receipt/draft; that information, combined with the account number on the sales draft, could be used to commit fraud. Keep cardholder account and personal information separate and under tight security. Release of this information is permitted only to our processing partners or authorized law enforcement officials. It is extremely critical that CVV2 card validation numbers are never written, recorded or stored, electronically or manually, under any circumstances. Also, credit card numbers and cardholder account information should never be transmitted via email or unsecured gateways.

2. Complete Self Assessment Questionnaires - The Self Assessment Questionnaires offered on our processing partners' sites should be completed on a regular basis.

3. Ensure Your Website Is Secure - If you have an e-Commerce website, IP terminal or POS system, complete a system scan as soon as possible.

4. Use Compliant Equipment - If you are using an older credit card terminal, check with CCNJ to make sure it is compliant with the new regulations. Any terminals recently deployed from CCNJ should be fully compliant.

5. Do Not Log PIN Blocks - Although PINs are protected in encrypted (enciphered) form within a transaction message, they must not be retained in transaction journals or logs after PIN transaction processing. Many processing environments have programs that actively overwrite or mask PIN blocks; however, any processor of PIN-based transactions must evaluate all inbound and outbound PIN-based messages to ensure there is no systematic logging of PIN blocks on any system. In addition, any temporary logging function used for transaction research or troubleshooting must actively remove PIN blocks. This requirement helps prevent the harvesting, and subsequent attack, of any large repository of logged encrypted PINs.

6. Always Maintain Secure Key Loading Procedures - When POS PEDs and host security modules are first initialized, they must be securely loaded with encryption keys. Regardless of the type of tamper-resistant security module being initialized, the principles of split knowledge and dual control must be in place at all times to maintain the secrecy of the key being entered. In addition, merchants must have established procedures that prohibit any one person from having access to all components of a single encryption key.

7. Only Use Keys for a Single Purpose - To limit the magnitude of exposure should any key be compromised, encryption keys must be used only for their intended purpose. This applies to all keys used in POS PED and network processor links. Production keys must never be shared or substituted into an entity's test system. All master keys or hierarchy keys used in any production or test environment must be unique and separate for each environment. Use of any production key in a test system is a high-risk violation. Any production key exposed in a test system, and any key that has been encrypted under such an exposed key, should be considered compromised and be replaced.

8. Ensure All Devices Have Unique Keys - Cryptographic keys resident within a PED must be unique to that device. This includes initialization keys (often called A and B keys), key-exchange keys (often called communication keys), and PIN-encryption keys. By ensuring that these keys are unique to each device, a merchant makes its PEDs unattractive targets for attack: a unique key that has been "cracked" exposes only those PINs that were actually entered at the particular device attacked, whereas compromise of a key used across a large number of devices could expose all PINs entered at all of those devices. When validating compliance with this requirement, technical staff should also look for weak keys (known as default, predictable, or simple keys).
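The truncation, no-CVV2 and no-PIN-block rules in items 1 and 5 above come down to one control: nothing that reaches a receipt, transaction journal or troubleshooting log may carry a full card number or any sensitive authentication data. The Python sanitizer below is an added example written for this post; it is not CCNJ's, United Bank Card's or any processor's code. It finds card-number candidates and confirms them with a Luhn check so that order numbers and phone numbers are left alone, truncates confirmed PANs to the last four digits, and removes fields that must never be retained. The field names (cvv2, pin_block, track2) and the sample record are constructed for the example; a real gateway's message layout will differ.

```python
import re
from typing import Any, Dict

# Fields that must never be retained in a journal or log. The names are
# constructed for this example; map them to your gateway's actual fields.
NEVER_LOG_FIELDS = {"cvv2", "pin_block", "track2"}

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers, timestamps and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace every digit but the last four with '*', keeping any separators."""
    n_digits = sum(c.isdigit() for c in pan)
    keep_from = n_digits - 4
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_text(text: str) -> str:
    """Mask every Luhn-valid card number found in free text (memos, messages)."""
    def _replace(match):
        candidate = match.group(0)
        digits = re.sub(r"\D", "", candidate)
        return mask_pan(candidate) if luhn_valid(digits) else candidate
    return PAN_CANDIDATE.sub(_replace, text)


def sanitize_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a transaction record that is safe to journal:
    sensitive authentication data removed, PANs truncated, free text scrubbed."""
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in NEVER_LOG_FIELDS:
            clean[key] = "[removed]"
        elif isinstance(value, str):
            clean[key] = redact_text(value)
        else:
            clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test PAN.
    sample = {
        "pan": "4111 1111 1111 1111",
        "cvv2": "123",
        "pin_block": "A1B2C3D4E5F60718",
        "amount": "49.99",
        "memo": "order 1234567890123456 via API",
    }
    print(sanitize_record(sample))
```

Run the sanitizer on every record before it is written anywhere persistent, including the temporary troubleshooting logs item 5 mentions; scrubbing after the fact leaves a window in which the raw data sits on disk.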

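Items 6 and 8 describe two checks a merchant's technical staff can build into a key-loading procedure: combine key components under split knowledge so that no single custodian ever handles the whole key, and confirm that the keys loaded into PEDs are unique per device and not weak or default values. The Python below is an added example for this post, not code from CCNJ, United Bank Card or any PED vendor. Terminal ids and key values are constructed; the four DES weak keys are the standard list, while the other "weak" heuristics (repeated bytes, sequential bytes, repeated halves) are this example's own choices.

```python
import secrets
from typing import Dict, List, Sequence

# The four DES weak keys (odd-parity form). Under these keys encryption and
# decryption are the same operation, so they must never be loaded.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def combine_components(components: Sequence[bytes]) -> bytes:
    """Split knowledge: each custodian enters one component and the device
    XORs them together. Any subset short of all components is statistically
    independent of the key, so no single person can reconstruct it."""
    if len(components) < 2:
        raise ValueError("dual control requires at least two custodians")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("all components must have the same length")
    key = bytes(length)
    for component in components:
        key = _xor(key, component)
    return key


def make_components(key: bytes, custodians: int) -> List[bytes]:
    """Split a key into random components that XOR back to it, one per
    custodian, for distribution before a loading ceremony."""
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for part in parts:
        last = _xor(last, part)
    return parts + [last]


def weak_key_reasons(key: bytes) -> List[str]:
    """Heuristics for default, predictable or simple keys (this example's own list)."""
    reasons: List[str] = []
    if len(set(key)) == 1:
        reasons.append("all bytes identical")
    if key in DES_WEAK_KEYS:
        reasons.append("DES weak key")
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if len(steps) == 1 and steps != {0}:
        reasons.append("sequential bytes")
    half = len(key) // 2
    if len(key) % 2 == 0 and key[:half] == key[half:]:
        reasons.append("repeated halves")
    return reasons


def audit_device_keys(inventory: Dict[str, bytes]) -> Dict[str, List[str]]:
    """inventory maps a terminal id to the key loaded into it. Returns the
    findings per terminal: weak values and keys shared with other devices."""
    devices_by_key: Dict[bytes, List[str]] = {}
    for device, key in inventory.items():
        devices_by_key.setdefault(key, []).append(device)
    findings: Dict[str, List[str]] = {}
    for device, key in inventory.items():
        issues = weak_key_reasons(key)
        shared_with = sorted(d for d in devices_by_key[key] if d != device)
        if shared_with:
            issues.append("key shared with " + ", ".join(shared_with))
        if issues:
            findings[device] = issues
    return findings


if __name__ == "__main__":
    # Constructed inventory: T2 and T3 were loaded with the same all-zero key.
    good = bytes.fromhex("3B5C1E9F2A7D4C81")
    print([c.hex() for c in make_components(good, 3)])
    print(audit_device_keys({"T1": good, "T2": bytes(8), "T3": bytes(8)}))
```

In a real ceremony the XOR happens inside the PED or HSM, not on a workstation; the point of `combine_components` here is to show why a component held by one custodian tells that person nothing about the final key. The audit function is the kind of check the text asks technical staff to run when validating compliance: it flags both shared keys across devices and the simple or default values that item 8 warns about.
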
With a little education and some good old-fashioned elbow grease, we should see tremendous success and stop the thieves in their tracks. Here's to good security and good selling.

Some portions of this post are made available courtesy of United Bank Card.