Credit Card Fraud Prevention for Merchants » PCI Compliance

PCI For Dummies

Tom — Wed, 08 Sep 2010 16:05:26 +0000

ALL merchants MUST be PCI compliant by October. PCI isn’t as mysterious as it sounds. PCI for Dummies explains it.

The vendor is making it available FREE but only for a limited time. The last time this was available it was only for a week. You can’t beat the price so why not grab it now!
Similar Posts:

Another PCI to Worry About

Tom — Fri, 25 Jun 2010 16:36:23 +0000

If you have a POS terminal with a PIN pad there’s another PCI that will affect you. It’s called PCI PTS – PCI PIN Transaction Security. It’s aimed at PIN pad devices but brick and mortar merchants need to know about it.

If you’re planning on buying a new PIN pad device between now and May of 2011, choose wisely. It may not be compliant when the new standards come into play.

For some details on this new problem, there’s a good article over at Evan Schuman’s Storefront Backtalk. It has some good references including where to find a list of approved devices.

Go on over and give it a read!

Similar Posts:

Card Breach Victim Gets Twenty Years ‘Probation’

Tom — Thu, 24 Jun 2010 15:05:46 +0000

Think PCI compliance isn’t important? Dave & Busters restaurant chain got 20 years of ‘probation’ for being a non-compliant victim.

Dave & Buster’s is one of a long list of merchants that was hacked by Albert Gonzales. Gonzalez is currently spending 20 years in Federal prison for his part in a string of data breaches that resulted in the compromise of over 170 million credit and debit cards. Dave & Buster’s only had 130,000 card numbers stolen.

An article in Evan Schuman’s Storefront Backtalk reported this morning that, as a result of that breach, Dave & Buster’s must submit to no less than 20 years of scrutiny by the Federal Trade Commission.

You read that right. The FTC has ruled that the restaurant chain “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” In other words, they were not PCI compliant. As a result, Dave & Buster’s will spend the next 20 years reporting their compliance standards to the FTC.

The price of being a victim of a crime.
Similar Posts:

A bit of good news for PCI compliance – but only in Washington

Tom — Thu, 13 May 2010 11:55:40 +0000

One of my big problems with PCI compliance is that it means nothing. The card brands will come in after the fact and find something, anything, to claim that the merchant wasn’t compliant when the breach occurred. That puts everything on the merchant. As always, the merchant is the low man on the hill, and we all know which way on the hill the stuff runs. If you don’t believe me, ask any PCI compliant merchant that was breached. That’s why the brands claim that no PCI compliant merchant was ever breached. They find something.

The fact is that a merchant can spend huge sums of money to become PCI compliant but it doesn’t give them safe harbor. Until now. But only in the State of Washington.

A new law signed by Washington’s Gov. Chris Gregoire finally gives a break to the State’s merchants. If they are compliant, they are protected from the card brands. The Washington law mandates that if a merchant is certified as PCI compliant by an annual assessment, that compliance is non-revocable for a year. The processors and issuing banks cannot go after the merchant for losses.

The law isn’t perfect, of course. They seldom are. There is no mention of consumer losses. We know that consumers suffer no direct monetary losses from credit card breaches but they do suffer lost time and aggravation in trying to get things straightened out. We can assume the merchant won’t have protection from them.

Still, the Washington law is pro merchant and a big step in the right direction. If nothing else, it gives the merchant some justification for the resources expended in getting compliant.

Now can Federal lawmakers get on board? Similar Posts:

Anther data breach victim Part 2

Tom — Mon, 04 Jan 2010 20:49:39 +0000

In my last post I gave a few details about Albert Gonzalez and his well-planned breaches of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Dave & Buster’s, Heartland Payment Systems, Hannaford Brothers supermarket chain, 7-Eleven, and Target. That’s no small task and it has serious implications for online merchants that go well beyond the vast numbers of cards.

Small merchants are NOT immune to data breaches

What concerns me more about all the publicity surrounding this Gonzalez thing is that small merchants will look at the names of all the large retailers that were breached and think it can never happen to them. Wrong. It can. It does. The only reason we’re hearing so much about this one is the fact that they were large retailers and the perpetrator got caught. Don’t think for a minute that small merchants aren’t hacked. They are! But when they are, it won’t make any headlines. These are the hacks that the Secret Service, the FBI and even local law enforcement just don’t get involved with.

Albert Gonzalez is behind bars and may not be masterminding any more breaches for a while, but he wasn’t alone and he won’t be the last. And there’s a lot of small-time crooks out there with just as much know-how. We’re not going to see the end of data breaches any time soon and PCI compliance is an absolute must.

PCI compliance issues

Although we’ll probably never know for certain, most of the breached entities continue to argue that they were PCI compliant at the time of the on-going breaches. At the same time, the PCI Security Standards Council continues to argue that no compliant site has ever suffered a breach. One of them is wrong but one thing is clear; merchants had better be compliant. Being able to certify compliance is the only thing that might save a small merchant from certain death if a breach occurs. And if a merchant isn’t compliant by October, it’s certain death anyhow.

For those merchants that aren’t compliant, especially the small merchants that comprise 70% of Merchant911 members, the thought of getting there is daunting. That’s understandable but it doesn’t change the fact that all merchants must be compliant by October of 2010. You should be compliant already.
Similar Posts:

Free E-book: PCI Compliance for Dummies

Tom — Sat, 26 Dec 2009 16:54:57 +0000

If you’ve been following this blog you’ve heard me say that ALL merchants MUST be PCI compliant. We may not like it but it’s a fact. In October of 2010 if you are not compliant your processor will shut you down, no questions asked.

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI – from surveying the standard’s requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

What the Payment Card Industry Data Security Standard (PCI DSS) is all about

The 12 Requirements of the PCI Standard

How to comply with PCI

10 Best-Practices for PCI Compliance

How QualysGuard PCI simplifies PCI compliance

Download this E-book for free while it’s still available!

This is a limited time offer from

Similar Posts:

Here’s a way to fight back

Tom — Thu, 03 Dec 2009 14:36:08 +0000

Some restaurants in Louisiana and Mississippi had their POS system hacked, apparently by a Romanian with nefarious intentions. Now they are suing the manufacturer of the system for not making it secure under the PCI standards. It seems that the POS system was storing mag stripe data after the transactions completed. That is a serious a PCI compliance violation.

The restaurants are suing and they are suing for millions. Although the suit was filed back in March, the U.S. District Court in Louisiana just granted the lawsuit class status. That opens the door for other merchants to join the lawsuit. I’m not a lawyer but it seems to me that if these plaintiffs prevail, it’s clearly good news for merchants. And since the industry insists that it’s the merchant’s responsibility to make sure their systems and their providers are compliant, it follows that these plaintiffs have a good case.

If you’re interested, you can read the court filing. Additional background on the suit is at wired.com.Similar Posts:

PCI Hard to Justify?

Tom — Mon, 14 Sep 2009 18:05:43 +0000

Over at Storefront Backtalk, Evan Schuman opined that PCI compliance is hard to justify. I have a great deal of respect for Evan. He’s a good writer and he knows his stuff. But on this one, I have to disagree. He might have a good point regarding the TJX and Heartland Payment Systems of the world, but not for the average small merchant.

It’s certainly true that there is no Return On Investment (ROI) for getting into compliance. For large merchants, it can be a very time consuming and expensive proposition and it doesn’t put a single dime into their receivables column. And I suppose that Evan is right in his thinking that $525,000 is nothing more than a nuisance payment for the $19 billion retail chain.

But for a huge number of small merchants, PCI compliance is fast and easy. Merchants that outsource their payment process in its entirety need only spend 20-30 minutes filling out the SAQ-A and they are good to go. To me, that’s a no-brainer.

Look at it this way. There is no ROI on car insurance or health insurance. You pay and pay and pay again. You sometimes wonder why you do it. Then one day you have an accident or you get sick and you begin to see the advantage. What could have cost you thousands, even tens of thousands, of dollars may only costs you a deductible. All of a sudden all those payments make perfect sense.

Think of PCI compliance as an insurance policy. You could go for 20 more years and never get victimized by a hacker, but don’t count on it. It could happen tomorrow. It WILL happen tomorrow to someone. When it does, your compliance might make the difference between business as usual and shutting your doors. Why would small merchants want to put themselves at risk of going out of business when a few minutes of their time could prevent it?

Remember that ALL merchants MUST be PCI compliant. If you do less than 20,000 V/MC e-commerce transactions annually and less than 1,000,000 transactions across channels AND you outsource your payment process, then compliance costs you nothing. Why would you not want to do it.

Of course, all this doesn’t even matter after October 2010. If you’re not compliant by then, you can expect that your acquirer will shut you down anyhow.

Wake up merchants. You need to be PCI compliant. It’s not an option.
Similar Posts:

PCI Compliance – Do it or cease doing business

Tom — Wed, 02 Sep 2009 11:25:28 +0000

It doesn’t get any simpler than this, dear reader. By October 2010 any merchant that is not PCI compliant will be de-certified and must stop accepting cards.

I told you it was coming and now, according to an article in ecommerceguide.com it’s here. Starting next month there will be a year-long effort by processors to de-certify (essentially close down) any Level 4 merchants that are not PCI compliant. Level 4 Merchants are defined as those with fewer than 20,000 Visa transactions, and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category.

This will have far-reaching effects on a significant portion of on-line business as we know it. Any on-line store that processes cards on their own site will feel a major impact. For example, if you have an online store with on-site processing that is hosted in an inexpensive shared or “virtual” hosting environment you will not be able to pass PCI standards.

And I would remind you that ALL merchants who accept credit cards must be PCI compliant. It doesn’t matter if you do business on-line, by phone or mail, or in person. The steps you need to take towards compliance are different but if you accept credit cards you must be compliant. I’ll say that again. If you accept credit cards you must be PCI compliant. And you will be compliant by October of 2010 or you will no longer be able to accept credit cards as a form of payment. It’s not an option.

I can’t make it any plainer than that. As a merchant, it’s PCI compliance or die. As a merchant advocate I have mixed feelings on this. I’d venture to say that most Merchant911.org members know how to protect themselves from fraudulent transactions but that doesn’t mean that they shouldn’t protect their customers and other merchants from being victims. On the other hand, the concept of a huge volume of paperwork and quarterly scans at $99 a year is going to put a significant number of small merchants out of business. That’s sad.
Similar Posts:

ALERT RE: businessownersonline.com

Tom — Thu, 27 Aug 2009 01:48:29 +0000

I just came across a website belonging to Buzz Media, Inc. using the domain of businessownersonline.com. For a company that claims to represent online business, they are a bit lax about collecting credit card information.

Their signup form is not secure. If you manually go to the HTTPS version of the URL, you find that they do have a security certificate issued by Equifax but they are not providing a link to the secure version of the page.

I would recommend that you steer clear of businessownersonline.com until they address the issue. I have contacted them for an explanation. The site claims to be built and powered by MemberGate so it’s possible that businessownersonline has no idea that the problem exists.

UPDATE – 29 August: I checked the signup page today. It now loads the secure version. I guess they received the contact that I sent but they have not yet responded. Kudos for the fast fix.Similar Posts: