XCharge® Payment Processing

PCI Compliancy FAQs


What is PCI Compliancy?

With many breaches of credit card data already on record and identity theft on the rise, the PCI Data Security Standard has been designed to ensure a high degree of security to protect the cardholder. The standard is comprised of 12 mandatory requirements created by the card associations to safeguard consumer card data. As the number of people using credit cards has increased, so has the risk of card data compromise. Compliance with these PCI standards is required for all payment processors, POS payment applications, and merchants of all sizes.

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants.

XCharge has a high level of technology and standards which ensures that our merchants are always following the latest PCI compliance regulations. Whether you have a stand-alone environment or an integrated software application, you have peace of mind using XCharge.

Why are Merchants Liable?

Merchants are liable for card data thefts from their businesses, even if only a small number of cards are affected. By signing a credit card processing agreement, merchants agree with the card associations’ requirements for handling credit card data according to the PCI data security standards. Cardholder data security is a shared responsibility and all participants must do their part to prevent fraud.

Card data theft is costly. When a merchant location is determined to be a common point of purchase for stolen card data, the card associations order a forensic audit. This can cost the merchant $15,000. Then, depending on the number of cards affected and whether the merchant took the necessary steps toward PCI compliance, the card association(s) assesses fines that can range from $50,000 to $500,000. Don’t be compromised!

Do We Need to Stay Informed?

PCI compliance is a new concern and the standards are still developing. A PCI Council exists to oversee future compliance developments on behalf of all the card associations (Visa, MasterCard, etc.). The PCI Council has currently set mandatory compliance requirements for all levels of merchants. Some merchants may still be unaware of these new rules and may not completely understand the implications for their business. See www.pcisecuritystandards.org for details.

Is My Business at Risk?

Merchants that are not compliant with the PCI standards for the safe handling and storage of card data are at particularly high risk. For example, merchants using older POS systems may be storing prohibited card data. Merchants who have not implemented the best practices for maintaining a secure network are also at increased risk, even if they are using a PCI compliant POS system. Eighty-five percent of compromises occur in "card present" environments.

How do I Protect My Business?

Use a PABP (PA DSS)-validated POS system or payment application like XCharge. If you are not sure if the system you are using is PCI compliant, check Visa’s online listing of PABP-validated systems, or contact XCharge for assistance.

We assist our merchants by keeping them informed about all types of security risks. All merchants and processors must submit an annual scan report, which must be completed by a PCI approved ASV. Businesses with larger flows must do an annual on-site assessment completed by a PCI approved QSA and submit the findings to each acquirer. Businesses with smaller transaction flows may be required to submit an annual Attestation within the SAQ.

Annually, merchants should request a certificate of compliance from vendors. PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one. Many merchants think PCI is too hard, but remember, your business is at risk. The business risks and ultimate costs of non-compliance (fines, litigation, legal fees, decreases in stock equity, and especially lost business) can vastly exceed the cost of implementing PCI DSS. Merchants should ask their POS vendors if their system is PCI PA-DSS certified, if the application stores credit card data, and if they will document the list of files the application writes, and their contents, to ensure credit card data is not written or stored.

Merchants cannot be certified under PCI DSS if their POS application compromises any of the PCI DSS requirements. Merchants are not PCI DSS compliant just because they implement a PA-DSS application.

Always remember to:

  • Maintain a network services management plan - Determine access levels for your particular programs; assign someone in charge of updating and maintaining security, and establish guidelines on how security updates will be processed.
  • Change/update passwords on a regular basis - Changing passwords every 90 days is a simple practice that deters fraudulent activity. Passwords should be kept secure and never given out to other individuals. Use passwords that are at least eight characters and are a random combination of letters, numbers and symbols rather than common words, names, birthdates, etc.
  • Be aware of fraudulent devices - These are devices thieves use to record and track data that they can use to make new fraudulent credit cards. Thieves may lure employees to swipe customers’ credit cards in the device in return for money. Be alert.

What is Approved PED Hardware?

Security is a never-ending race against potential attackers. As a result, it is necessary to regularly review, update and improve the security requirements used to evaluate PIN Entry Devices. If you use a stand-alone terminal or other hardware for payment processing, there are new guidelines to follow as well. Most PED devices are no longer compliant and will need to be replaced in 2010. If these devices are not configured and managed correctly, they can provide an easy entry point for unauthorized intruders to gain access.

XCharge offers approved PED (PIN Entry Device) hardware that meets the PCI Security Council Regulations. Each of our POS peripherals features sophisticated technology that complies with the latest Payment Card Industry requirements for security and fraud protection. Allow your customers to make PIN-based payments, initiate their own transactions or swipe their cards for contactless payments with our peripherals. XCharge’s POS Peripherals help increase customer satisfaction at your merchant locations.

What are Security Vulnerabilities?

Visa’s top five data security vulnerabilities leading to compromise:

  • Storage of sensitive cardholder data, including track data, Card Verification Value 2 (CVV2), and Personal Identification Numbers (PINs) or PIN blocks
  • Missing or outdated security patches
  • Using vendor-supplied default settings and passwords
  • Insecure website code
  • Unnecessary and vulnerable services on servers

www.visa.com
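The first item on Visa's list, stored track data and full card numbers, is the one a merchant can check for directly in the files a POS application writes (see the vendor questions above). The following is an added example, not XCharge's code or anything from Visa: it scans constructed sample log lines for Luhn-valid card numbers and track 2 data, reporting only line numbers and the last four digits so the report itself does not copy the card data.

```python
import re

# Constructed sample POS log (not from any real system). Line 1 writes a
# full PAN, line 2 writes track 2 data, line 3 is correctly truncated and
# line 4 contains a 13-digit order id that is not a card number.
SAMPLE_LOG = """\
2015-03-01 10:02:11 sale approved pan=4111111111111111 amount=12.50
2015-03-01 10:02:12 debug track2=;4111111111111111=25121010000012345678?
2015-03-01 10:03:40 sale approved pan=************1111 amount=8.00
2015-03-01 10:04:02 order id=1234567890123 shipped
"""

# A run of 13 to 19 digits not adjacent to other digits (candidate PAN).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout: start sentinel ';', PAN, separator '=', expiry YYMM,
# service code and discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return (kind, last4) findings for one line; track data is reported first."""
    findings = [("track2", m.group(1)[-4:]) for m in TRACK2_RE.finditer(line)]
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):   # Luhn filters out order ids and timestamps
            findings.append(("pan", m.group(1)[-4:]))
    return findings


def scan_log(text: str) -> list:
    """Return (line_number, kind, last4) for every finding in the log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, last4 in scan_line(line):
            hits.append((lineno, kind, last4))
    return hits


if __name__ == "__main__":
    for lineno, kind, last4 in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} ending in {last4}")
```

Any hit means the application is writing prohibited data and the vendor question about stored files needs a different answer; a clean run over a few lines is not proof of compliance, so run it over every file the vendor lists.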

Invest in your future by improving the productivity and efficiency of your business!

What do the Acronyms Mean?


ACRONYM     DESCRIPTION
CISP        Cardholder Information Security Program
PABP        Visa’s Payment Application Best Practices
PCI         Payment Card Industry
PCI SSC     Payment Card Industry Security Standards Council, LLC. Members consist of VISA, MasterCard, American Express, Discover, and JCB.
PCI DSS     Payment Card Industry Data Security Standard – Applies to merchants.
PCI PA-DSS  Payment Card Industry Payment Application Data Security Standard – Applies to manufacturers of software systems that accept electronic payments.
PCI PED     Payment Card Industry PIN Entry Devices – Applies to companies that manufacture devices that accept personal identification number (PIN) entry for all PIN-based transactions. Merchants should use only certified PED devices.
QSA         Qualified Security Assessor – QSAs are companies that assist organizations in reviewing the security of their payment transaction systems and have trained/certified personnel and processes to assess and validate compliance with both PCI DSS and PA-DSS.
ASV         Approved Scanning Vendor – Certified companies that provide commercial software tools to perform certified vulnerability scans of systems. TrustWave is an ASV.
SAQ         Self-Assessment Questionnaire – A required validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. There are four different SAQs targeted to various business types (i.e. card present, card not present, etc.).
ROV         Reports of Validation – A central repository for PA-DSS approved applications.

Merchant Levels Explained


These are the levels assigned to merchants based on Visa transaction volume over a 12-month period.

Level 1
  Merchant criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  Compliance requirements: Annual completion of the Report on Compliance (“ROC”) by a Qualified Security Assessor ("QSA"), quarterly network scan by an Approved Scan Vendor ("ASV"), Attestation of Compliance Form.

Level 2
  Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
  Compliance requirements: Annual completion of the Self-Assessment Questionnaire (“SAQ”), quarterly network scan by ASV, Attestation of Compliance Form.

Level 3
  Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  Compliance requirements: Annual completion of the SAQ, quarterly network scan by ASV, Attestation of Compliance Form.

Level 4
  Merchant criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  Compliance requirements: Annual completion of the SAQ recommended, quarterly network scan by ASV (if applicable), compliance validation requirements set by acquirer.

Delivering Technology

XCharge delivers technology and security like no other! When you sign up with XCharge payment processing, there are no compromises. Our software provides you with fast, reliable and secure payment processing. XCharge is recognized on Visa’s List of Validated Payment Applications. It provides you with peace of mind knowing that your software or hardware is always current with technology and Payment Card Industry compliance regulations.

To ensure your software or hardware meets PCI Compliancy regulations, call XCharge at 800.637.8268!

PCI ASSURE
© 2015 OpenEdge, a division of Global Payments.

OpenEdge, a division of Global Payments, operates through the following entities: Accelerated Payment Technologies is a registered ISO and MSP of HSBC Bank, National Association, Buffalo, NY, a registered ISO and MSP of Wells Fargo Bank, N.A., Walnut Creek, CA, and a registered ISO/MSP of Synovus Bank, Columbus, GA. Accelerated Payment Technologies™, A Division of Global Payments. All rights reserved. Payment Processing, Inc. is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA; and National Bank of Canada, Montreal, QC. PayPros® is a registered trademark of Global Payments, Inc.
Customer Care Phone: (800) 338-6614. Email: info@openedgepay.com
