

									NTC Texas - Money Matters

August 2008 Newsletter

Featured Article
Understanding Payment Card Industry Compliance.

The Payment Card Industry (PCI) consists of the five major credit card brands: Visa, MasterCard, American Express,
Discover Card and JCB International. The purpose of the PCI Data Security Standard (PCI DSS) is to help a business
or organization assure its customers that their credit card data, account information and transaction information
are safe from hackers or any other malicious system intrusion. It was created in response to the high number of data
security breaches in the past few years at organizations such as TJX, Bank of America, Citigroup and others. While the focus
is on larger companies, the majority of security breaches occur in small businesses. The PCI DSS has Validation
Requirements. To understand the Validation Requirements, a business must first know its merchant level.
Merchants are broken into the four levels listed below.

The current Visa and MasterCard merchant levels

            Level 1- more than 6 million transactions annually across all channels, including eCommerce, and
             any merchant that has experienced a breach.
            Level 2- transactions totaling 1 million to 6 million per year.
            Level 3- transactions totaling 20,000 to 1 million per year.
            Level 4- e-commerce transactions totaling up to 20,000 per year, and all other merchants, regardless
             of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year.

The current Visa and MasterCard validation requirements are as follows:

            Level 1- Visa/MasterCard: annual onsite review by a Qualified Security Assessor (QSA), or by the
             merchant's Internal Audit if signed by an officer of the company, and a quarterly network security
             scan by an Approved Scanning Vendor (ASV).
            Level 2- Completion of the PCI DSS Self Assessment Questionnaire annually, and a quarterly network
             security scan by an approved ASV.
            Level 3- Completion of the PCI DSS Self Assessment Questionnaire annually, and a quarterly network
             security scan by an approved ASV.
            Level 4- Completion of the PCI DSS Self Assessment Questionnaire annually, and a quarterly network
             security scan by an approved ASV. Submit a summary of the PCI compliance plan. If a breach has been
             reported or found, Visa reserves the right to move the Level 4 merchant to Level 1. If so, the Level
             4 merchant must abide by the Level 1 validation requirements.

The repercussions a merchant can face if its security is breached include fines of up to $500,000 per incident,
remediation costs estimated at $90 to $302 per record, potential customer lawsuits, and damage to company reputation
and brand.
There are two types of risk when dealing with data breaches: the internal risk of an employee gaining access to
information they shouldn't have, and the external risk of a "hacker." Like water, a hacker will follow the path of
least resistance. Most small businesses have neither the technical expertise nor the IT staff to properly
secure cardholder data. Cardholder data such as the account number, cardholder name, expiration date and
service code may be stored, but the information must be protected. Authentication data such as the full
magnetic stripe contents, the CVV (Card Verification Value) and PIN data may not be stored. Merchants storing this information
are not PCI DSS compliant and could be penalized with fines and remediation costs.
Merchants can be proactive by ensuring that prohibited information is purged after authorization. If a
business needs to store the name, credit card number and expiration date, then that data needs to be secured either
internally or stored remotely. Merchants can take steps on their own, following the PCI DSS guidelines below, to close
security loopholes.

       Install and maintain a firewall configuration to protect data
       Use and regularly update anti-virus software
       Assign a unique ID to each person with computer access
       Do not use vendor-supplied defaults for system passwords and other security parameters.
       Change user passwords every 90 days
       Protect stored data
       Encrypt transmission of cardholder data and sensitive information across public networks
       Develop and maintain secure systems and applications
       Restrict access to data by business need-to-know
       Restrict physical access to cardholder data
       Track and monitor all access to network resources and cardholder data
       Regularly test security systems and processes
       Maintain a policy that addresses information security
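As an added example (not code from the newsletter or from NTC Texas) of the storage rules described above, the following routine takes a transaction record after authorization, drops the sensitive authentication data that may never be stored (track data, CVV2, PIN), truncates the account number, and reports what it removed. The field names and the sample record are assumptions constructed for the example, not any processor's real schema.

```python
"""Purge sensitive authentication data from a post-authorization record.
Added example; field names are assumed, not a real processor schema."""
import re

# Sensitive authentication data: PCI DSS forbids storing these after authorization.
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "pin_block"}
# Cardholder data that may be stored, but only in protected form.
ALLOWED_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}

# Magnetic-stripe track data begins with the PAN followed by a '^' (track 1)
# or '=' (track 2) field separator; used to catch stripe contents that were
# copied into a free-text field such as a note or log entry.
TRACK_PATTERN = re.compile(r"^%?B?\d{13,19}[\^=]")


def looks_like_track_data(value: str) -> bool:
    """Heuristic check for stripe contents hiding in an ordinary string field."""
    return bool(TRACK_PATTERN.match(value))


def mask_pan(pan: str) -> str:
    """Truncate the PAN to first six and last four digits (a PCI DSS-accepted
    way to render it unreadable); if the full PAN must be kept, encrypt it instead."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: dict) -> tuple[dict, list[str]]:
    """Return (storable record, findings). Anything not explicitly allowed is dropped."""
    clean, findings = {}, []
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            findings.append(f"dropped prohibited field {key}")
        elif isinstance(value, str) and looks_like_track_data(value):
            findings.append(f"dropped field {key}: contains track data")
        elif key == "pan":
            clean[key] = mask_pan(value)
        elif key in ALLOWED_FIELDS:
            clean[key] = value
        else:
            findings.append(f"dropped unrecognised field {key}")
    return clean, findings


# Constructed sample record with a test card number, not real cardholder data.
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "J DOE", "expiry": "0910",
          "cvv2": "123", "track2": "4111111111111111=09101011000012345678",
          "notes": "%B4111111111111111^DOE/J^0910101?"}

if __name__ == "__main__":
    stored, report = sanitize_record(SAMPLE)
    print(stored, report, sep="\n")
```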

Product Spotlight
IP Terminals - Dual service for IP & Dial up.
With IP Terminals merchants can process transactions in 3-5 seconds without the cost of a dedicated phone line.
Dial backup ensures that you can always process transactions, even if your Internet connection is unavailable.
Eliminate the cost of a dedicated phone line by leveraging your existing internet line. High-speed communications
module supports DSL, cable and other IP-based communications. IP Terminals meet all latest security standards in
the industry. They are extremely fast terminals that support a full range of payment types including credit, debit,
gift cards and Dynamic Currency Conversion through one easy-to-use solution.

Tech Tip
AVS-Address Verification System.

The Address Verification System (AVS) allows the merchant to enter specific details about the customer,
such as ZIP code and street address, in order to make the transaction more secure and therefore qualify for lower rates.
AVS is not something that can be purchased; it is part of the processing network. Merchants accepting online,
phone, or mail transactions should always use AVS. By using the Address Verification System, a merchant can
protect both the customer and himself from counterfeit charges. AVS verifies whether the address provided by
the cardholder matches the billing address on file with the card issuer. AVS keeps a transaction from downgrading (qualifying at a higher rate)
to a Non-qualified Transaction.

Did You Know
       Card Security Code (CSC), sometimes called Card Verification Value (CVV), Card Verification Value Code
        (CVVC), Card Verification Code (CVC), or Verification Code (V-Code or V Code) is a security feature
        designed to increase protection against credit card fraud.

       CVC1 or CVV1 is encoded on the magnetic stripe of the card and used for transactions in person.
       CVV2 or CVC2- This CSC (also known as a CCID or Credit Card ID) is for "card not present" transactions
        occurring over the Internet, by mail, by fax or over the phone.

       Many card issuers will decline a transaction if the CVV2 or CVC2 is not provided.

       CVV2 is most often confused with the Address Verification System (AVS), which can be used to qualify for
        lower credit card rates.

About NTC Texas
 A provider of Elavon Payment Partner, NTC Texas enables your business with all the transactional capabilities of
 the processing network rated #1 by MasterCard for reliability and availability. Whatever size your business is
 now, together, we can make it grow.
           Healthcare Providers
           Retailers
           Veterinarians
           Web Developers
           eCommerce/eBusiness
           Legal
           Assisted Living & Nursing Homes
           Day Care Centers
           Salons/Spas
           Restaurants
           Entertainment
           Travel & Lodging
           Not-for-profit
           Business-to-Business
           Government & Utility
