Credit Card Data Security – PCI Compliance
Risks Associated with Storing Credit Card Data
Many payment industry experts say poor handling of credit card data by merchants is the primary way sensitive cardholder data falls into the wrong hands. Given the value of transactions that pass through the credit card networks on a daily basis, the credit card industry is taking this issue seriously.
Over the past few years, the industry has developed a series of mandatory security standards, known as the Payment Card Industry (PCI) Data Security Standards, for merchants, processors, manufacturers of PIN entry devices and software application developers that deal with payments. These standards cover all aspects of security, from maintaining a secure network to securing cardholder data to regularly auditing a business's internal IT network.
The cost of noncompliance with any of these standards can be significant:
- Merchants could lose their merchant accounts,
- Merchants could be fined,
- Merchants could be held liable for financial losses.
Despite the potential for negative consequences, most merchants remain non-compliant and/or are not clear on what is required to be deemed compliant by the Payment Card Industry.
Compliance problems commonly relate to data storage, as merchants are prohibited from storing the entire contents of the magnetic stripe on the back of payment cards and must encrypt any stored and transmitted data to prevent hackers from stealing entire sequences of card numbers.
Many merchants also fall short on controlling which employees have access to data: the standards mandate need-to-know access, so that unauthorized employees cannot reach consumers' payment data.
Outsource Data Storage with Paytelligence
Paytelligence all but eliminates the risk of handling cardholder data because the sensitive card information (the 15- or 16-digit card number) is stored remotely in very secure, PCI Compliant facilities. Paytelligence uses a global identifier, uniquely linked to a merchant, the Paytelligence application and the cardholder, to replace the actual card number within Accpac. Accpac users simply see a properly truncated (masked) credit card number when processing transactions; there is no requirement to ever see the full card number when running a transaction.
Not only does this approach significantly reduce the risk of storing cardholder data, but it can also significantly lower the costs of PCI Compliance Audits.
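A minimal illustration of the tokenization approach described above, added here as an example and not Paytelligence's or Accpac's own code: the merchant-side record holds only a random token and a masked number, the full card number lives only inside a stand-in for the remote vault, and an audit helper checks that no full card number has leaked into merchant-side data. The vault class, its method names and the sample test card numbers are assumptions.

```python
import re
import secrets

# Constructed sample card numbers (industry test PANs, not real cards).
SAMPLE_PANS = ["4111111111111111", "378282246310005"]

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncated display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class RemoteVault:
    """Hypothetical stand-in for the outsourced PCI-compliant vault (not Paytelligence's API)."""
    def __init__(self) -> None:
        self._store: dict = {}  # (merchant_id, token) -> full PAN, held only here

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not re.fullmatch(r"\d{15,16}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = secrets.token_urlsafe(16)  # random; carries no information about the PAN
        self._store[(merchant_id, token)] = pan
        return token

    def authorize(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        pan = self._store[(merchant_id, token)]  # full PAN is used only inside the vault
        return {"approved": amount_cents > 0, "last4": pan[-4:]}  # the PAN itself never leaves

def store_card_at_merchant(vault: RemoteVault, merchant_id: str, pan: str) -> dict:
    """What the merchant application keeps: the token plus a masked display value, nothing else."""
    return {"token": vault.tokenize(merchant_id, pan), "display": mask_pan(pan)}

PAN_PATTERN = re.compile(r"(?<!\d)\d{15,16}(?!\d)")

def find_stored_pans(records: list) -> list:
    """Audit helper: flag any Luhn-valid 15/16-digit run sitting in merchant-side data."""
    hits = []
    for rec in records:
        for value in rec.values():
            for candidate in PAN_PATTERN.findall(str(value)):
                if luhn_valid(candidate):
                    hits.append(candidate)
    return hits
```

Run `find_stored_pans` over exported merchant-side records to confirm that only tokens and masked values are present before an audit.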
According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety. There are five Self Assessment Qualification (SAQ) Validation categories, shown briefly in the table below.
| SAQ Validation Type | Description | SAQ: V1.2 |
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | |
| 2 | Imprint-only merchants with no electronic cardholder data storage | |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | |
The higher the SAQ Validation Type the greater the cost implications related to compliance.
Paytelligence outsources cardholder data and therefore should enable a merchant to qualify at the lowest level (Type A); however, it is always best to double check with your merchant provider to confirm this.