RETAIL SHIPPING NEWS | June 2009 | page 18

[PAYMENT CARD INDUSTRY]

PCI COMPLIANCE
By Rutledge Scarborough

What is PCI Compliance?
PCI actually refers to PCI DSS, the Payment Card Industry Data Security Standard. The PCI DSS is maintained and promoted by the PCI Security Standards Council (PCI SSC), which was founded by MasterCard Worldwide, Visa, Inc., American Express, Discover Financial Services, and JCB International. PCI DSS is a set of security requirements designed to protect cardholder data and to help ensure that payment card transactions are performed securely. The PCI SSC writes and maintains the standard; compliance with it is enforced by the individual payment brands, acting through the acquiring banks and processors that merchants contract with.
Who does PCI Compliance apply to?

PCI compliance is mandatory for every merchant that in any manner receives, transmits, stores, handles or manages cardholder data. In other words, if you accept credit card payments, you must be PCI compliant. There are no exceptions.

Merchants are classified into 4 levels by the payment brands based on transaction volume (see Table 1.1). These levels determine how PCI DSS compliance is reported and validated, but they do not change the PCI DSS security requirements themselves. Most, if not all, merchants in the Retail Shipping industry are classified as Level 4.

Merchants are also categorized into 5 SAQ (Self-Assessment Questionnaire) validation types, based on how cards are processed and how card data is handled (see Table 1.2). Level 4 merchants are required to complete an annual Self-Assessment Questionnaire (SAQ); which questionnaire you use is determined by your SAQ validation type. If you are SAQ validation type 4 or 5, a quarterly vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV) is also required. The ASV scans your Internet-facing addresses remotely, from outside your store, and reports known vulnerabilities on the systems exposed there; it does not see inside your store network.
Table 1.1  PCI merchant levels, by annual number of transactions (Visa or MasterCard)

Level   e-Commerce transactions only   All channels combined (e-commerce, retail, phone, mail, etc.)
1       N/A                            6,000,000 or more
2       N/A                            1,000,000 up to 6,000,000
3       20,000 or more                 N/A
4       Under 20,000                   Under 1,000,000

Table 1.2  SAQ validation types

Type  Description                                                                     SAQ
1     Card-not-present (e-commerce or mail/telephone-order) merchants, all            A
      cardholder data functions outsourced. This would never apply to face-to-face
      merchants.
2     Imprint-only merchants with no electronic cardholder data storage.              B
3     Stand-alone terminal merchants, no electronic cardholder data storage.          B
4     Merchants with POS systems connected to the Internet, no electronic             C
      cardholder data storage.
5     All other merchants (not included in Types 1-4 above) and all service           D
      providers defined by a payment brand as eligible to complete an SAQ.

Note: Self-Assessment Questionnaires can be found at: www.pcisecuritystandards.org/saq/index.shtml

[Pull quote, only partly recovered from the page layout: "... heard of PCI ... think they are ... or think it does not apply to them ..."]

Even though all merchants are required
to be PCI Compliant, Level 4 merchants
are not currently required to prove it to
anybody unless their credit card processor
has already started requiring proof of compliance.
However, that will be changing
soon. Each payment processor will eventually
require their merchant customers to
prove PCI compliance.
What are the consequences?

If a business's customer cardholder data is compromised and the merchant is not in compliance with PCI DSS, penalties can include fines of up to $500,000 per incident, customer lawsuits and, in some cases, loss of the ability to accept payment cards. Forrester Research estimates that a security breach can cost a company between $90 and $305 per lost record.

The card processor for a tiny Mexican restaurant, hit by robbers who stole a whopping 10 to 15 receipts that displayed credit card numbers, was recently fined the equivalent of $83.50 for each card because the data was not properly secured.

In an effort to encourage PCI compliance, processors may start charging higher processing fees to merchants that are not PCI compliant.
What should a typical Retail Shipping Store do?

First, let's talk about things you should change in your store operations.

1. Never retain card verification values or codes (CVV codes). The CVV code is the 3- or 4-digit security code printed on the payment card. It exists to prove the card was present for a transaction, and storing it after authorization is prohibited by PCI DSS.

2. Never store the PIN (Personal Identification Number) or the full contents of the card's magnetic stripe (track data), even temporarily.

3. If you must store customer credit card information and do so on paper, use a locked file drawer, safe, or room and limit access to those who have a business need for it. As soon as the business need for that information expires, securely destroy the records, for example with a cross-cut shredder or a shredding service.

4. If you electronically store customer credit card information on a computer in your business, you should consider eliminating this practice. PCI SAQ D is required in this case and is much harder to complete. If you do need to keep customer card information on file, use a PCI compliant service that stores the data for you and lets you charge your customers' cards when necessary. Another option is to use a PA-DSS (Payment Application Data Security Standard) compliant payment application.

5. If you process credit cards with a stand-alone terminal, make sure it is up to date and does not print receipts that show full credit card numbers. At most, a receipt should show the first 6 and last 4 digits of the customer's card number; that is the most PCI DSS allows to be displayed.

6. If you are processing credit cards via PC-based payment software such as PCCharge, ICVerify, etc., make sure you are using a PA-DSS (Payment Application Data Security Standard) compliant payment application. This is required even if your payment application does not store sensitive credit card data. To see if your application is PA-DSS compliant, check the list of validated payment applications on the PCI SSC website (security_standards/vpa/). Make sure that your payment application version is on the list, since validation is per version, or verify with your payment application vendor that the version you are using is PA-DSS compliant. If you are using
a web-based payment application, check with the payment application service provider to ensure that the service provider is PCI compliant.

PCI COMPLIANCE MYTHS

MYTH: I don't store cardholder data on my computers, so PCI compliance does not apply to me.
FACT: All businesses that accept credit card payments are required to be PCI compliant.

MYTH: I use a telephone-connected dumb terminal, so PCI compliance does not apply to me.
FACT: All businesses that accept credit card payments are required to be PCI compliant, even if you do not use computers at all in your credit card processing.

MYTH: My business is very small, so PCI compliance does not apply to me.
FACT: Every merchant has to comply with all the requirements regardless of size. The only difference is how you validate compliance.

MYTH: PCI only applies to my e-commerce transactions.
FACT: PCI applies to all merchants that accept credit cards, even if you use a manual imprinter.

MYTH: Using PCI compliant software makes my business PCI compliant.
FACT: Using PA-DSS compliant software will help with your PCI compliance efforts, but it does not, by itself, make your business compliant.

MYTH: The credit card companies require me to keep cardholder data.
FACT: This is absolutely false. In fact, the credit card companies are trying to discourage merchants from retaining cardholder data. What you do need to keep is payment information, including the transaction date, amount, and the last 4 digits of the card (which is not considered "cardholder data"). If your customer disputes a transaction, this is all you need to work with your processor to resolve the dispute. Follow the rule: "If you don't need it, don't keep it."
7. Do not send credit card numbers via e-mail unless strong encryption is used; ordinary e-mail travels and is stored in clear text at every hop.

8. If you provide wireless access to the public, you must put a firewall between the wireless network and any computers involved in credit card activities. If you have any wireless routers on your own network, enable encryption using WPA or better. WEP can be cracked in minutes and PCI DSS is phasing it out entirely (it is already prohibited for new wireless installations, and for all installations after June 30, 2010).

9. Anti-virus software should be installed on all computers and set to "always on", with automatic updates enabled so the signatures stay current.

10. Use a hardware firewall for your entire network and a software firewall on each computer.

11. Never leave default passwords in place on your operating system, POS applications, dial-up access, routers, wireless access points, etc.

12. Develop an Information Security Policy for your company that covers credit card data security requirements. It should cover daily procedures for handling cardholder data and the methods used to protect it. Educate your employees on your company's Information Security Policy.
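Steps 1, 2, 4 and 5 above all come down to one check a store can actually run: look at what your POS or payment software writes to disk (exports, logs, database dumps) and confirm that no full card number, no magnetic-stripe track data and no CVV survives there, and that any card number that does appear is masked to the first 6 and last 4 digits. The Python script below is an added example written for this article; it is not code from the article, from RS Associates or from any payment application vendor. The POS records it scans are constructed sample lines using the public Visa and MasterCard test card numbers, and the field names (`pan=`, `cvv=`), the Luhn check and the function names are the example's own assumptions about what such an export looks like.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export from a hypothetical POS system. The card numbers
# are the public Visa and MasterCard test PANs (4111..., 5555...); no real
# account data appears here. Line 2 is what a compliant record should look
# like; lines 1, 3 and 4 each contain something that must never be stored.
SAMPLE_RECORDS = [
    "2009-06-01 10:12:03 SALE amount=45.20 pan=4111111111111111 exp=1012 cvv=123",
    "2009-06-01 10:15:44 SALE amount=12.00 pan=************1111 exp=**** auth=A1B2C3",
    "2009-06-01 10:20:10 RAW %B5555555555554444^DOE/JOHN^1012101123456789?",
    "2009-06-01 10:21:02 RAW ;5555555555554444=10121011234567890?",
    "2009-06-01 10:30:00 SALE amount=99.99 invoice=1234567890123 last4=4444",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run. Every hit is confirmed with Luhn before it is
# reported, which is what keeps invoice numbers and timestamps out of the list.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Track 1 as written on the magnetic stripe: %B<PAN>^<NAME>^<YYMM><service code>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# A labelled card verification value (CVV2 / CVC2 / CID) persisted with a sale.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str     # "pan", "track1", "track2" or "cvv"
    masked: str   # first 6 + last 4 of the PAN involved, never the full number


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first 6 and last 4 digits, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: List[str]) -> List[Finding]:
    """Report prohibited cardholder data found in each record (1-based line numbers)."""
    findings: List[Finding] = []
    for n, line in enumerate(records, start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append(Finding(n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "pan", mask_pan(digits)))
        if CVV_RE.search(line):
            findings.append(Finding(n, "cvv", ""))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
```

Run it against a real export with one record per line and treat every `track1`, `track2` or `cvv` finding as a stop-the-line problem: that data is prohibited after authorization no matter how it got there (the Lodi Beer case later in this article is exactly a POS quietly writing track data). A `pan` finding means a full card number is on disk and the store is in SAQ D territory until it is removed. The scanner itself only ever prints a masked PAN, so its own output does not become yet another file full of card numbers.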
How Do You Officially
Become PCI Compliant?
The following steps are required for
your business to become PCI compliant.
Your credit card processor can do a
lot to help accomplish these steps. Also
there are firms that for a fee will help
you obtain PCI compliance. Just keep
in mind that no one can do it completely
for you. Ultimately each merchant is
responsible for ensuring that proper
procedures and processes are in place
to meet PCI DSS requirements.
• Identify your validation type as defined by PCI DSS (see Table 1.2).
• Complete the Self-Assessment Questionnaire (SAQ A, B, C, or D) as determined by your validation type, following the instructions in the SAQ Instructions and Guidelines document on the PCI SSC website (see the note under Table 1.2).
• If your business is SAQ validation type 4 or 5, obtain a scan from a PCI SSC Approved Scanning Vendor (ASV). Note: scanning vendors will usually assist with completion of the SAQ; a passing scan is required every quarter, not just once.
• Complete the Attestation of Compliance (the form is available on www.pcisecuritystandards.org).
• Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
It is important to note that the submission
of compliance validation
documentation, in and of itself, does
not provide the merchant protection.
The merchant must adhere to all the
requirements at all times.
In conclusion, PCI compliance is a
requirement, but it is also a good business
practice. By following the steps in
the PCI DSS you will be able to provide
peace of mind to yourself and to your
customers, knowing that cardholder
data is as safe and secure as possible.
DATA BREACH CASE STUDIES

Spanky's Marshside – A restaurant in Brunswick, GA, discovered that cyber-thieves had been pilfering customer card data from their POS system for six months or more. They had no idea that their POS was storing customers' credit card data. The eatery was required to have a forensic audit to determine the extent of the breach, which cost $10,000, according to Carla Yarborough, co-owner of the 30-year-old eatery. The credit card processor also started retaining part of the eatery's credit card charges to ensure that any fines and penalties would be paid. So far this ordeal has cost $110,000 and it is not over yet. The restaurant expects that it will be another year before all issues surrounding the security breach are resolved.

Lodi Beer – A microbrewery and restaurant in California had unknowingly stored 11,728 credit card records, including track data, in their point of sale system. Track data from the credit card's magnetic stripe must never be stored. When that data was breached, Visa and MasterCard fined Abanco, the restaurant's merchant account processor, $27,000. Abanco in turn passed that fine on to the restaurant. In addition to the fines, this merchant has spent over $50,000 on audit fees, remediation costs, legal fees, upgrades, etc.

46% of retail shipping centers that think they are PCI compliant are in fact not.
RUT SCARBOROUGH – RS ASSOCIATES
Rut has a mechanical engineering degree from
Clemson University and wrote software for the
nuclear power industry for twenty years with
Duke Energy. Rut has owned a chain of retail
shipping stores and has developed training
manuals & training videos for this industry.