If you have a POS terminal with a PIN pad there’s another PCI that will affect you. It’s called PCI PTS – PCI PIN Transaction Security. It’s aimed at PIN pad devices but brick and mortar merchants need to know about it.

If you’re planning on buying a new PIN pad device between now and May of 2011, choose wisely. It may not be compliant when the new standards come into play.

For some details on this new problem, there’s a good article over at Evan Schuman’s Storefront Backtalk. It has some good references including where to find a list of approved devices.

Go on over and give it a read!

Similar Posts:

• Card Breach Victim Gets Twenty Years ‘Probation’
• PCI Hard to Justify?
• PCI has ROI?
• A bit of good news for PCI compliance – but only in Washington
• PCI Recognition Isn’t PCI Compliance

One of my big problems with PCI compliance is that it means nothing. The card brands will come in after the fact and find something, anything, to claim that the merchant wasn’t compliant when the breach occurred. That puts everything on the merchant. As always, the merchant is the low man on the hill, and we all know which way on the hill the stuff runs. If you don’t believe me, ask any PCI compliant merchant that was breached. That’s why the brands claim that no PCI compliant merchant was ever breached. They find something.

The fact is that a merchant can spend huge sums of money to become PCI compliant but it doesn’t give them safe harbor. Until now. But only in the State of Washington.

A new law signed by Washington’s Gov. Chris Gregoire finally gives a break to the State’s merchants. If they are compliant, they are protected from the card brands. The Washington law mandates that if a merchant is certified as PCI compliant by an annual assessment, that compliance is non-revocable for a year. The processors and issuing banks cannot go after the merchant for losses.

The law isn’t perfect, of course. They seldom are. There is no mention of consumer losses. We know that consumers suffer no direct monetary losses from credit card breaches but they do suffer lost time and aggravation in trying to get things straightened out. We can assume the merchant won’t have protection from them.

Still, the Washington law is pro merchant and a big step in the right direction. If nothing else, it gives the merchant some justification for the resources expended in getting compliant.

Now can Federal lawmakers get on board? Similar Posts:

• Anther data breach victim Part 2
• Heartland PCI Compliance Revalidated
• Free E-book: PCI Compliance for Dummies
• PCI Hard to Justify?
• PCI Compliance – Do it or cease doing business

If you’ve been following this blog you’ve heard me say that ALL merchants MUST be PCI compliant. We may not like it but it’s a fact. In October of 2010 if you are not compliant your processor will shut you down, no questions asked.

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI – from surveying the standard’s requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

Download this E-book for free while it’s still available!

This is a limited time offer from

Similar Posts:

• Merchants Struggle to Comply With PCI Security
• Version 1.2 of the PCI DSS is Official
• The Legal Implications, Risks and Problems of the PCI Data Security Standard
• PCI For Dummies
• Heartland PCI Compliance Revalidated

Over at Storefront Backtalk, Evan Schuman opined that PCI compliance is hard to justify. I have a great deal of respect for Evan. He’s a good writer and he knows his stuff. But on this one, I have to disagree. He might have a good point regarding the TJX and Heartland Payment Systems of the world, but not for the average small merchant.

It’s certainly true that there is no Return On Investment (ROI) for getting into compliance. For large merchants, it can be a very time consuming and expensive proposition and it doesn’t put a single dime into their receivables column. And I suppose that Evan is right in his thinking that $525,000 is nothing more than a nuisance payment for the $19 billion retail chain.

But for a huge number of small merchants, PCI compliance is fast and easy. Merchants that outsource their payment process in its entirety need only spend 20-30 minutes filling out the SAQ-A and they are good to go. To me, that’s a no-brainer.

Look at it this way. There is no ROI on car insurance or health insurance. You pay and pay and pay again. You sometimes wonder why you do it. Then one day you have an accident or you get sick and you begin to see the advantage. What could have cost you thousands, even tens of thousands, of dollars may only costs you a deductible. All of a sudden all those payments make perfect sense.

Think of PCI compliance as an insurance policy. You could go for 20 more years and never get victimized by a hacker, but don’t count on it. It could happen tomorrow. It WILL happen tomorrow to someone. When it does, your compliance might make the difference between business as usual and shutting your doors. Why would small merchants want to put themselves at risk of going out of business when a few minutes of their time could prevent it?

Remember that ALL merchants MUST be PCI compliant. If you do less than 20,000 V/MC e-commerce transactions annually and less than 1,000,000 transactions across channels AND you outsource your payment process, then compliance costs you nothing. Why would you not want to do it.

Of course, all this doesn’t even matter after October 2010. If you’re not compliant by then, you can expect that your acquirer will shut you down anyhow.

Wake up merchants. You need to be PCI compliant. It’s not an option.
Similar Posts:

• PCI Compliance – Do it or cease doing business
• PCI For Dummies
• The Legal Implications, Risks and Problems of the PCI Data Security Standard
• Heartland PCI Compliance Revalidated
• Anther data breach victim Part 2

It doesn’t get any simpler than this, dear reader. By October 2010 any merchant that is not PCI compliant will be de-certified and must stop accepting cards.

I told you it was coming and now, according to an article in ecommerceguide.com it’s here. Starting next month there will be a year-long effort by processors to de-certify (essentially close down) any Level 4 merchants that are not PCI compliant. Level 4 Merchants are defined as those with fewer than 20,000 Visa transactions, and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category.

This will have far-reaching effects on a significant portion of on-line business as we know it. Any on-line store that processes cards on their own site will feel a major impact. For example, if you have an online store with on-site processing that is hosted in an inexpensive shared or “virtual” hosting environment you will not be able to pass PCI standards.

And I would remind you that ALL merchants who accept credit cards must be PCI compliant. It doesn’t matter if you do business on-line, by phone or mail, or in person. The steps you need to take towards compliance are different but if you accept credit cards you must be compliant. I’ll say that again. If you accept credit cards you must be PCI compliant. And you will be compliant by October of 2010 or you will no longer be able to accept credit cards as a form of payment. It’s not an option.

I can’t make it any plainer than that. As a merchant, it’s PCI compliance or die. As a merchant advocate I have mixed feelings on this. I’d venture to say that most Merchant911.org members know how to protect themselves from fraudulent transactions but that doesn’t mean that they shouldn’t protect their customers and other merchants from being victims. On the other hand, the concept of a huge volume of paperwork and quarterly scans at $99 a year is going to put a significant number of small merchants out of business. That’s sad.
Similar Posts:

• PCI Hard to Justify?
• PCI For Dummies
• Heartland PCI Compliance Revalidated
• The Legal Implications, Risks and Problems of the PCI Data Security Standard
• Anther data breach victim Part 2

The National Retail Federation just released the result of a survey of PCI Level 4 merchants. The survey seemed to have some flaws in that we couldn’t tell where in the broad Level 4 bracket the respondents were, but one thing is clear. While 70% of the merchants know about PCI, the percentage of those understanding it is a lot smaller. That isn’t surprising. Unfortunately, if they don’t understand it, they probably aren’t compliant either.

PCI compliance is a bit confusing but taking it step by step can make it a lot easier. The first step is to determine if you must be compliant. The answer is always yes.

All merchants are required to comply with the Payment Card Industry Data Security Standard. Merchants that store, process or transmit account data may also be required to validate compliance with their acquirer. For a merchant to be considered compliant, any Service Providers that store, process or transmit account data on behalf of the merchant must also be compliant.

There are three key phrases there. All merchants are required to comply. There is nothing separating on-line and brick and mortar stores. Further, if you store, process or transmit card data, you may have to validate your compliance. My guess is that if you’re a merchant, you accept cards so you probably have to validate your compliance with your acquirer. Lastly, the most important thing to understand is that all your service providers must also be compliant. That means your processor, your gateway and your shopping cart.

You need to determine which level of requirements that you fall under. That one is easy. You can ask your processor or better yet, check with the card brands. MasterCard has their PCI Levels defined here and Visa has them here. The good news is that they’re essentially the same. Either of these links will tell you which of the four levels you fall under and what you need to do.

Now that you know that you must comply with PCI DSS standards, It’s up to you to get there. At the very least, you’ll need to complete the Self Assessment Questionnaire (SAQ.) There are several versions of the SAQ but you can find everything you need to know by reading the SAQ Overview

If you need to have the quarterly scans done, they aren’t very expensive. Merchant911 recommends these folks, or you can find one at the Security Standards Council website.

There is no ROI on PCI compliance until your hacked. But then again, there is no ROI on car insurance until you crash. You shouldn’t be without either of them.
Similar Posts:

• Free E-book: PCI Compliance for Dummies
• PCI Compliance – Do it or cease doing business
• PCI Compliance is Coming for Small Merchants
• Merchants Struggle to Comply With PCI Security
• Nevada says PCI is Law

Seven merchant organizations have gotten together and issued a proposal to the PCI Security Standards Council that would both increase security and reduce some of the stress on merchants that are trying to comply with the standards.

The Council is listening. Bob Russu, General Manager of the PCI Security Standards Council is actively soliciting input from merchants before the next revision of the standard that is due in September of next year.

The timeline for the update and feedback phases can be found here. Merchant911 urges all merchants, on-line or not, to contact the PCI Council with suggestions and concerns. Now is the chance to be heard! Full contact information can be found on their website.

Reference:

Merchants Struggle to Comply With PCI Security In Economy – Network World
Similar Posts:

• Free E-book: PCI Compliance for Dummies
• PCI Compliance is Coming for Small Merchants
• Version 1.2 of the PCI DSS is Official
• Nevada says PCI is Law
• ALERT RE: businessownersonline.com

Yesterday, members of the National Retail Foundation and others appeared before Congress, specifically the House Homeland Security Committee and blasted the PCI data security standards. Dave Hogan, Sr. VP and CIO called it “a tool to shift risk off the banks’ and credit card companies’ balance sheets and place it on others.” The CIO for Michaels Stores backed up that claim by pointing out that financial institutions do not accept encrypted transactions.

In response, Robert Russo, director of the PCI Data Security Standards Council, regurgitated the standard line: . “We have never found a breached entity to be in full compliance at the time of breach.”

Retailers: Credit card data inadequately protected | Politics and Law – CNET News

FOLLOW UP to the post

The recordings of the hearing are now posted on the Homeland Security website

In addition, you can find a lot of comments on twitter by clicking this link.
Similar Posts:

• Credit Card Data Breach at Heartland Payment Systems
• Version 1.2 of the PCI DSS is Official
• Anther data breach victim Part 2
• The Last of the Heartland Breach
• Merchants Struggle to Comply With PCI Security

The legal implications of PCI compliance are overwhelming, but as E-commerce merchants we’d better be aware of them. Our very existence can depend on it. The problem is that most of us can’t make a lot of sense out of it all. It’s an extremely complex series of contractual obligations, technicalities and legal-speak.

I don’t usually send readers away from my blog, but in this case, someone else can explain it much better than I can. In this case, that someone is David Navetta , Esq. Mr. Navetta is President and Managing Member of InfoSecCompliance LLC, and maintains a blog called InfoSecCompliance. He’s written a somewhat lengthy, but very informative piece on PCI and the serious legal challenges and risks for retailers.

Along with PCI compliance comes the separate security requirements of each of the card brands to further complicate the issue. But I’ll let him tell you about it…

InfoSecCompliance Blog: The Legal Implications, Risks and Problems of the PCI Data Security Standard

You can download the information on a PDF also!

Technorati Tags:
E-Commerce legal issues, PCI DSS, PCI Compliance

Similar Posts:

• PCI Hard to Justify?
• PCI Compliance – Do it or cease doing business
• Heartland PCI Compliance Revalidated
• PCI For Dummies
• Free E-book: PCI Compliance for Dummies

As promised in my last entry, it’s time for a recap of the Heartland Payment Systems data breach. I’m hoping this will be the last time I have to mention Heartland. It will be unless there is a major revelation to the whole story.

How it happened

According to all reports, including those from Heartland, the data breach happened at the one point in the on-line payment process where data is not encrypted – the passing of the data from the processor to the processing network. The weakest link was exploited. Heartland claims to have been PCI compliant at the time the breach was discovered and their were some reports that Visa had confirmed that claim. But Heartland also said that no records were being breached at the time of discovery. We’ll take a look at the PCI thing in a minute.

The number of records breached

We’ll never know the actual numbers of records affected by the breach. The whole Heartland mess is shrouded in corporate secrecy, but here’s what we do know. Bank Info Security is reporting that over 600 institutions had card accounts breached. It’s important to note that these are only reported and confirmed numbers. There could be hundreds, if not thousands, more. Remember that Heartland processes payments for 175,000 merchants at the rate of over 100 million transactions per month and this breach was on-going for 6 months.

Of the 600 reporting entities, only 180 reported the number of accounts that were affected for a total of 1,063,040 cards. We can only guess on the actual numbers but, in the end, the real numbers are probably staggering. Initial speculation that this was the largest data breach ever could certainly be accurate.

Heartland’s public reaction

Once Heartland had confirmed Visa’s suspicions of a data breach, they went on the defensive almost immediately. No surprise there. They created a website that was supposed to keep cardholders and merchants informed. What that website turned out to be was, in my opinion, nothing more than another sales site. I can’t fault a company for wanting to mitigate damages caused by an incident of this magnitude; any of us would. But the site hardly kept us informed of anything related to the breach. It was just an attempt to tell the public about all the good at Heartland. I wasn’t impressed.

The PCI implications

As I noted earlier, Heartland claimed to be in full compliance of the PCI DSS standards at the time the breach was discovered. It makes for a nice PR bit but I see it as irrelevant. PCI compliance is a snapshot in time. Since the breach was on-going from May through October, there was plenty of opportunity for them to be out of compliance. Apparently Visa thought so too. Heartland has been removed from the official list of compliant processors. Interestingly, they are still permitted to do business, and that raises some questions.

You’ll hear the CEO of a breached credit card processor plead “But we were PCI DSS compliant” and simultaneously you will hear the PCI council say that “No PCI compliant processor has ever been breached.” Both of these statements can’t be correct.

Were they out of compliance only during the actual times that the data was being siphoned? Were they, perhaps, complaint and Visa (and the others) discovered a flaw in the PCI standard that allowed the bad guys in anyhow? Were they blatantly out of compliance but Visa made an exception and allowed Heartland to continue because they couldn’t afford not to? We’ll never know, but don’t be surprised if you see some revisions to the PCI standard in the near future.

The fallout

Heartland will be paying for this breach for a long time, not only in dollars but in trust, image, and all the rest. There are already lawsuits by the dozens for both actual and punitive damages. Lawsuits, as we all know, can be filed by anyone for anything and winning them is the only real tale. They will go on for years and even in the unlikely event that Heartland prevails in every one of them, their legal and administrative costs are sure to be in the millions.

The Card Companies (The Associations) are now fining the acquirers as a result of the losses. That may sound a bit strange but the reasoning is simple. The Associations don’t have a contractual relationship with Heartland; they have one with the acquirers who, in turn, have a contractual agreement with Heartland and will pass the fines on to them. The path of least resistance from Visa to Heartland is through the acquirer.

There you have the bottom line. Millions of cards, millions of dollars, and a lot of secrecy. Nothing changesSimilar Posts:

• Credit Card Data Breach at Heartland Payment Systems
• Heartland PCI Compliance Revalidated
• Heartland breach costs at $12.6M – and counting
• Top Fraud Incidents of 2008
• Anther data breach victim Part 2