Data Security Archives -

It’s another busy Saturday at Barney’s Barbershop. Matt’s scurries to the front desk to ring up Joelle’s last customer. Suddenly, a “Lost / Stolen Card” error message flashes on the terminal. Matt’s heart begins racing. His palms now sweaty. What is he to do?

Though we’ve made significant strides to curb fraudulent activity with new payment technologies like EMV, fraud can, and still does, happen.

The good news is that there are proactive steps you and your staff can take to minimize your risk and effectively manage these situations.

So, what should Matt do?

If you or a staff member suspect fraud, like Matt, a Code 10 call should be made.

But First, What’s a Code 10 Authorization Request?

A Code 10 Authorization Request is a preventive tool used by merchants to verify additional payment card information, while, at the same time, alerting the card issuer of possible fraudulent activity.

Think of a Code 10 call as an added layer of prevention for your business that should only be used when suspicious behavior or unusual requests are evident.

Whether you sell products and services face-to-face, like Matt — or over the phone, by mail or online — you can employ a Code 10 Authorization to verify additional information on a suspicious transaction.

In other words, a Code 10 can be used in both card-present and card-not-present transaction environments.

When Should a Code 10 Authorization Request be Made?

You should act on your suspicions when the details around a transaction seem unusual.

Examples of suspicious activity in a card-present environment:

A customer swipes or inserts their card in the payment terminal, and an error message reading “Pick Up Card” or “Lost / Stolen Card” appears on the payment device.
A customer provides a card where the security code or expiration date have been manipulated.
The signature on the card and the receipt don’t match.

Examples of suspicious activity in a card-not-present environment:

An order is placed by a relay call, an operator-assisted telephone call, typically used by someone who is hearing impaired. While this is a valid service, criminals have been known to use the service to place fraudulent orders.
A customer orders a large quantity of the same or similar item. Also, be cautious of large bulk orders with a shipping address of an apartment or self-storage unit.
A customer provides multiple card numbers for the same purchase. You should also be leery of multiple card numbers that are only different by the few last numbers.
A customer requests overnight delivery, without regard to costs.
A customer requests immediate processing of the order and wants the tracking number used for the shipment ASAP.
A customer places a phone order, requests immediate processing of the order, and then advises they will have someone come to the store location to pick-up the product.
A customer requests delivery to an alternate address, other than the billing address, or the customer requests shipment to a freight forwarder. Criminals are known to use U.S.-based re-shippers to avoid detection of foreign shipments.
A customer requests merchandise you do not sell. The most common requests are for cell phones and laptop computers.

How Do You Make a Code 10 Authorization Request?

If you suspect fraud, the very first thing to do is remain calm, then follow these simple instructions:

1. Retain the card in question and let the customer know that you need to make a phone call for additional authorization.

2. Call 1-800-725-1243 and ask to be transferred to the Voice Authorization department.

3. Choose the prompt for ‘Code 10’. You will be transferred to a voice authorization representative who will ask you a series of yes/no questions to verify the cardholder information during your call.

If the cardholder information cannot be verified by the voice authorization representative, the information will then be forwarded to an investigator for further research. You will receive the results of the investigation within 24-72 hours.

4. Follow the representative’s instructions. In some instances, you may be asked to retain the card and call law enforcement. Only proceed if it is safe to do so. Otherwise, process the transaction and contact the card processor as soon as the customer leaves the site.

Your Best Line of Defense

Matt remembered he and his team had recently reviewed the protocol for situations like this. With that, he breathed a sigh of relief, then calmly made a Code 10 call. Matt answered the representative’s questions in a normal tone and followed their instructions.

Like Matt and his team, it’s important to review these steps with staff, so they manage these situations in the most effective manner. Also, be sure to keep the contact information for reporting fraud easily accessible to all employees.

It’s worth noting that Code 10 Authorization calls can also serve as part of your chargeback prevention plan. For more tips on preventing fraudulent transactions in card-present and card-not-present environments, see the articles: 7 Ways to Proactively Prevent Credit Card Chargebacks and How to Prevent In-Person & Online Fraudulent Transactions That Can Result in Chargebacks.

Share this article:

Blog

PCI Data Security: The #1 Misconception That Can Harm Your Business and Its Reputation

Constellation Payments | October 18, 2018March 11, 2019

There’s a common misconception about PCI compliance, that, if not addressed, can seriously harm the very business and professional image you’ve worked so hard to build.

The misconception? That your business does not need to become PCI compliant and renew its certification each year.

It’s easy to see how this misconception could come about. Most small businesses use a business management software, and work with third-party merchant services provider, like Constellation Payments, to help run their business.

Yes, the software provider is PCI-certified, and the merchant services provider is also PCI-certified.

However, working with PCI-certified vendors does not exempt a business from having to show their own compliance. All businesses that participate in the payment transaction process must adhere to PCI compliance standards. The process includes more than running payments through your software.

The payment transaction process includes how credit card and debit card payment information is handled at the front desk in fitness clubs and gyms, at the counter in salons and spas, on a tablet for on-the-go businesses like personal training, at the register in a retail store, and so on.

How Do I Get My Business PCI-Certified?

To become PCI-certified, your business must complete the self-assessment questionnaire annually.

Fortunately, there are many resources to help with PCI certification – ones that make it a relatively pain-free process.

At Constellation Payments, as part of our solution, each merchant is enrolled in the PCI Plus Protection Program that’s provided by well-known Quality Security Assessor, Sysnet.

What’s great about this program is that you get hands-on help. The team at Sysnet will guide you through the entire process to help you complete your self-assessment questionnaire (SAQ). And they’ll confirm all answers.

Once the questionnaire is completed, you’ll be able to download your validation certificate and then send the certificate to your merchant processor to have on file.

What Happens if My Business Isn’t PCI-Certified?

1. You could lose the ability to accept credit cards.

If there are possible breaches of card association regulations, the card brands could revoke your right to process credit cards.

2. You could get hit with a big financial loss.

Non-PCI-compliant merchants can face fines of up to $500,000.00 in the event of a data breach.

In addition, PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by the credit card companies. These penalties depend on the volume of clients, the volume of transactions, the level of PCI-DSS that the company should be on, and the time that the company has been non-compliant. For example, the penalties for a Level 1 company that has not met the requirements for more than 7 months, could reach up to $100,000 monthly.

Merchant level identification is based on the total volume of transactions per year. See VISA’s site for detail on each level and level requirements.

3. You could lose clients and business.

All it takes is one data breach – no matter its size – to damage your business financially and inflict irreparable damage to your business reputation.

4. You’ll be subject to monthly non-compliance fees.

US businesses that have not completed their annual self-assessment questionnaire, and have not demonstrated PCI-DSS compliance, are subject to a $59.99 per month non-compliance fee.

At Constellation Payments, this fee is meant as an incentive to complete your PCI compliance self-assessment questionnaire to ensure you’re handling and processing credit and debit card payments in a safe and secure manner. Once a merchant has completed their questionnaire demonstrating compliance, the fee drops to $0.

The Benefits Beyond Data Security

Being PCI compliant doesn’t just ensure your business is following the rules and regulations. PCI compliance also helps your business growth and reputation. Knowing your systems are secure, consumers can trust you with their sensitive information and have confidence that their information is safe and protected.

Confident customers that trust you are more likely to do business with you again and become loyal, repeat shoppers. They’re also likely to recommend you to their friends.

Another key benefit of compliance: it improves your reputation with acquirers (banks and financial institutions that process credit and debit cards on your behalf).

Compliance also improves your reputation with payment brands such as VISA and MasterCard.

The Small Time Investment to Become PCI Compliant is Well Worth the Big Gains in Consumer Confidence and Peace of Mind

While it does take some time and effort to become PCI-compliant, it’s well worth it to gain customer trust and confidence — and avoid catastrophic data breaches that can destroy your business.

Not PCI compliant? Make today the day you become certified to protect your livelihood.

Or as the PCI Security Standards Council website so aptly states, “You’ve worked hard to build your business — make sure you secure your success by securing your customers’ payment card data.”

Share this article:

Blog

The Equifax Hack: What You Need to Know, Steps to Keep Customer Data Safe

Constellation Payments | October 12, 2017December 19, 2018

By now we’ve all heard the story of how 143 million Americans (roughly half the US population) had their personal data compromised due to a breach at Equifax. It’s reasonable to be concerned about the security of your personal accounts. But what about your customers’ sensitive financial data?

With so many people affected, consumers are being inundated with admonitions to update their passwords, freeze their credit reports, and reconsider to whom they entrust their data.

Facing Facts

Whether you sell Point of Sale (POS) software or use it to run your business, it’s time to face facts. After all, if one of the largest custodians of consumer identity data can be hacked, POS software companies and the companies that use that software should assume the worst about their own vulnerability.

Fact 1: This breach was avoidable.

Equifax failed to implement a patch provided by a software vendor/partner for a known vulnerability discovered months prior to being exploited at Equifax.

Key Takeaway / Action Item

Remain vigilant and create mechanisms that ensure your software and any plugins, extensions, or API-connected applications are updated as soon as possible.

Automate where feasible. There are some risks to automated updates, including the possibility that an update could cause a system failure. Only you can determine if automation is right for your company, but it should at least be considered.

Many of North America’s largest POS software brands trust Constellation Payments as their gateway specifically because integration with our PCI Level 1 compliant gateway reduces PCI scope for them and their users.

Fact 2: Equifax fumbled the ball, fumbled the recovery of the ball, and fumbled the recovery of the fumbled recovery of the ball.

Equifax discovered the breach on July 29^th, yet didn’t announce it until September 7^th. They sent affected customers to a website that looked like a phishing site, and the mechanism for determining whether someone was a victim of the hack was easily spoofed by several security pros who entered dummy data; only to be told their dummy identities were likely compromised.

Finally, Equifax made the egregious decision to try to sell credit monitoring to those that received the bad news, making Equifax seem at best, callous and uncaring, and at worst, opportunistic and sleazy.

Key Takeaway / Action Item

Have a breach plan before you have a breach. Who would you call if this happened tomorrow? What would be the best, most effective measures to take upon learning that your company’s data was now available to anyone willing to purchase it on the dark web? Are there PR firms, Law Firms and Cybersecurity Firms you should have on speed dial?

One thing’s for certain the old saying that “a failure to plan is a plan to fail” never felt more fitting than it does in the case of Equifax.

Recommended reading: Check out: Your Cyber Incident Response Exercise. The article takes you through key questions and scenarios that should be discussed and documented with your team before a breach occurs. This preparation is invaluable. Having a plan in place will help you and your team properly respond to a breach in an organized manner, as opposed to being backed against the wall in a “what should I do …”, frenzied state during an actual breach.

Fact 3: Equifax put revenues ahead of security.

Financial disclosure documents show Equifax’s annual overhead had not increased in several years, while profits had increased steadily. It’s been speculated that Equifax may have been slow to fix the patch, because it would be very expensive, and might influence earnings. It seems obvious that a company with as much to protect as Equifax should be increasing its security budget steadily year after year.

Key Takeaway / Action Item

Dedicate a budget to cybersecurity, choose partners who have done the heavy lifting for you, review the budget and your plan at least once a year, and never settle for the minimum protections when it comes to sensitive customer data.

Bottom Line – Prevent, Prepare and Invest

Ensuring the security of your customers’ sensitive data should always be a top priority. Your customers trust you with their payment information. You should do whatever it takes to maintain that trust. Take the time to put proper security mechanisms in place.

Should a breach occur, know how to respond. A cyber incident response plan that can be used throughout your organization is something all businesses should have.

Lastly, never cut corners on data protection just to save some money. In the long run, it could cost you the business you’ve worked so hard to build.

Monitor image courtesy of Pixabay.com.

Share this article:

Blog

Cybersecurity Operations: Is Your Business Complying with These PCI-DSS Requirements?

Dominic Genzano | July 5, 2017December 19, 2018

Did you know that the Payment Card Industry Data Security Standard (PCI-DSS) requires that specific cybersecurity operations procedures be conducted on a periodic basis?

Depending on whether you’re a merchant or a service provider — and the nature of how you deal with credit cards — these mandatory procedures may include (but are not limited to):

DAILY

Security log reviews

MONTHLY

Patching of software and system components

QUARTERLY

Internal and external vulnerability scans

SEMI-ANNUAL

Firewall rule reviews

ANNUAL

Internal and external penetration testing (Also called pen testing: the practice of testing a computer network, web application or computer system to uncover vulnerabilities)
Security policy updates
Incident response testing
(see article: Your Cyber Incident Response Exercise)
Security awareness training
(see article: Step Up Employee Cybersecurity Training with These 3 Resources)

Many of the operations processes required by the PCI-DSS are not only required to be executed according to the specified period, but also when a change to the environment compels an update, such as a penetration test of a new application or vulnerability scan of a new technology environment.

Take Note! Maintaining Records is a Must

The challenge from a compliance perspective is that these procedures must not only be executed, but records must be maintained because you will need to be able to demonstrate that these procedures have taken place if audited or the subject of a breach investigation.

The PCI-DSS requires that these operations processes be executed according to documented procedures, and that the records demonstrate that these procedures were followed. Moreover, if an annual PCI-DSS assessment discovers that the execution of a periodic operations process was missed at some point over the last 12 months, that is potential grounds for your organization being deemed non-compliant.

Prepare to Succeed

**“For every minute spent organizing, an hour is earned.” ~ Benjamin Franklin**

It is simply not feasible to meet these PCI-DSS requirements without a formal cybersecurity operations program. Your organization needs to develop a plan for this program.

Step 1: List the periodic cybersecurity operations tasks required, with the required frequency.

Step 2: Document the procedures for the execution of each task.

Step 3: Assign personnel to execute the procedures and document the results.

Step 4: Assign one or more different personnel to review the records to make sure the procedures are being done.

As you go through this exercise, you’ll likely discover that you aren’t sure how to interpret a particular operations requirement, or that you don’t have sufficient personnel to execute the procedures according to the prescribed frequency.

If that is the case, you may need to contract outside assistance to work with you to develop some of the procedures, or to handle some of the operations tasks. Maybe you’ll need to hire more personnel or reassign existing personnel away from lower priorities.

You won’t know until you develop the plan. And you won’t achieve PCI-DSS compliance without a formal cybersecurity operations program.

Dominic Genzano is the CEO and Founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.

Share this article:

Blog

What Every Business Needs to Know About PCI Compliance (10 FAQs Answered)

Jennifer Sumii | May 26, 2017December 19, 2018

It seems that every day we hear more and more about data security breaches, foreign cyber-attacks, and consumer warnings about how to protect yourself from falling victim to fraud.

Now more than ever, it’s important to stay ahead of the curve and ensure you have the basics down when it comes to protecting your business’ sensitive payment data.

Below are the most frequently-asked PCI-related questions we receive from channel partners and merchants, along with answers. If you have a question that isn’t listed, please comment below or send an email to support@csipay.com.

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) — commonly referred to as just PCI — is a set of standards designed to ensure that all organizations that accept, process, store or transmit credit card information maintain a secure environment.

What Businesses are Required to Be PCI-Compliant?

ALL BUSINESSES that participate in the payment transaction process are expected to adhere to the PCI compliance standards. This includes:

Businesses of all sizes
Point of sale providers
Gateway providers
Financial institutions
Payment processors and acquirers
Hardware and software developers

My Software Provider is PCI-Certified. Do I Need to Maintain PCI Compliance Myself?

Yes. Working with a software provider that is PCI-certified, or a merchant services provider, like Constellation Payments, that is PCI-certified, does not exempt a business from having to show compliance.

Businesses handle credit card information at their front desks and kiosks every day. All businesses are part of the payment transaction flow and therefore required to comply and show compliance through a certification process.

All the entities listed above must demonstrate and validate compliance.

How Do I Become PCI-Certified?

1) Review the 12 PCI-DSS requirements on the Constellation Payments website. This list can be used as a checklist for assessing your IT assets and business processes.

2) Complete the self-assessment questionnaire (SA Q) and confirm all answers.

Businesses with Constellation Payments will be provided with step-by-step instructions on how to register with a Qualified Security Assessor (QSA), such as Sysnet.

3) Download your validation certification.

4) Send the certificate to your merchant processor to have on file.

How Often Do I Need to Complete the PCI Questionnaire?

You are required to complete the PCI questionnaire every year to stay compliant.

Who Can Help Me with my PCI Compliance Validation?

At Constellation Payments, we’ll guide you through the entire process to make sure your PCI compliance certification experience is smooth and easy.

We have partnered with well-known Qualified Security Assessors to provide all businesses with a PCI toolkit to help with the annual PCI compliance validation process.

Are There Additional Services Available to Assist with PCI Compliance?

Yes. We have an enhanced PCI solution, called PCI Plus, available to all businesses.

PCI Plus offers a white-glove approach to PCI compliance. Through the solution, you receive:

An interactive customer PCI validation experience
File Integrity Monitoring (FIM)
Anti-Virus Protection (AV)
Unauthorized Device Monitoring

These are just a few of the benefits. To learn more, email support@csipay.com or call 888.244.2160.

What’s a Security Vulnerability Scan?

A vulnerability scan identifies security issues such as storing of any credit card data, misconfigured networks or outdated versions of software.

Who Needs to Complete a Security Vulnerability Scan and How Often Does the Scan Need to be Completed?

Businesses that have external-facing IP (Internet Protocol) addresses that connect to their cardholder data are required to complete a quarterly vulnerability scan by an Approved Scanning Vendor. If vulnerabilities are found, the business is required to go through a remediation process to fix the vulnerabilities.

What is Breach Security Coverage?

Maintaining PCI compliant status will help to reduce the risk of a data security breach, but it doesn’t guarantee a breach event won’t occur.

The penalties for a data security breach can have a devastating financial impact to a business.

Our PCI program solution at Constellation Payments includes data breach coverage, which provides some financial relief to businesses that experience a data security breach.

In the event of a breach, you should contact the Constellation Payments’ Support team who will then work with Elavon to log the event and work with risk/loss prevention to start the investigative process.

Jennifer Sumii is Manager of Partner Relations for Constellation Payments. Within her role, she oversees critical company partnerships, including partners with custom integrations, large core processing accounts, and processor or origination companies. Her background includes extensive processing and banking experience, specifically FI/ISO/ICA relationship management, corporate and commercial banking relationship management, national account management, and new ISO/MSP implementation and training. You can reach Jennifer at jsumii@csipay.com.

Share this article:

Blog

Your Cyber Incident Response Exercise

Dominic Genzano | March 3, 2017December 19, 2018

The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that accept credit card payments to:

“Create an incident response plan to be implemented in the event of a system breach”
“Review and test the plan” (minimally on an annual basis)
“Provide appropriate training to staff with security breach responsibilities”
“Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments”

Most organizations that accept credit card payments aren’t in the business of cybersecurity. The idea of a data breach is difficult to grasp.

What are the ways that it could happen? How can you guard against it? How would you know if a breach happened? What would you do about it if you knew a breach had occurred? What would be the consequences to your business?

Required Cybersecurity Controls

The PCI-DSS requires that your organization implement a specific set of cybersecurity controls, based on how your organization deals with credit card information. These cybersecurity controls are intended to prevent a security breach that would put credit card information at risk, and allow you to detect a breach should it occur.

But data breaches happen every day, and often go undetected for extended periods of time, even when the required cybersecurity controls are in place.

In many cases, organizations are completely unaware that a data breach may have occurred until their merchant bank or payment processor contacts them to inform them that fraud was reported for a large number of credit cards that were recently used to transact with their business.

Your Organization’s Vital Incident Response Test

The incident response test required by the PCI-DSS, if conducted properly, provides your organization with:

1. Invaluable preparation to respond to a suspected or confirmed breach

2. An effective means of continually improving your organization’s cybersecurity program to prevent a breach from occurring in the first place

In the context of PCI certification, and general cybersecurity best practices, an “incident response test” is essentially a tabletop exercise: a meeting where a few potential breach scenarios are discussed in some detail with the relevant members of your organization, and potentially third-party service providers who would be involved in the case of a breach.

What Would You Do If …

The exercise of discussing potential breach scenarios is vital because you don’t want the first time your organization asks “what should I do if …” to be during an actual breach. These scenarios must be discussed among the team before a breach occurs, at a ’safe distance’ from an actual event so that the members of your team can think clearly.

Questions come up during such exercises that change your perspective and allow your organization to significantly improve your incident response capability with relatively small investments of time and money:

Who are you required to notify? Banks, processors, business partners, customers?
Are you sure that you have the correct contact information?
What would you tell them?
Where would you find the information you need from the systems to find out what happened?
Would you understand what you were looking at?
How would you determine the extent of the breach, or even make certain that there was a breach?
Do you have the tools that you would need to even try any of this?
If the response to such a breach is outside of your capabilities, who would you call? Do you have an arrangement in place to get the help when you need it?

These can be scary questions of course, but it’s better to ask them now, and to have thought them through to a reasonable degree ahead of time so that you can be prepared to act decisively and responsibly, even if that just means knowing who to call.

This is the intent of the incident response planning and testing requirements of the PCI-DSS: to prepare your organization as best as possible to minimize the damage of a security breach, thereby (hopefully) minimizing the amount of credit card information put at risk.

Taking Proactive Steps

The real value of a cyber incident response exercise is when the questions start to move in a proactive direction:

How would you detect such a breach?
How can you alter your security monitoring processes to detect such breach activity faster?
Now how can you adjust existing security controls, or implement new ones, to better prevent such a breach from occurring in the first place?

These are the types of questions that result in the continued improvement of your cybersecurity program, and take you past just ‘checking the box’ for your PCI-DSS certification, to a place where you are actually protecting your information.

Even if you work with a company like Constellation Payments for payment processing/merchant services that reduces your PCI scope, your organization should conduct an incident response test to ensure that the proper safeguards are in place at the organization/employee level.

I hope this article gives you a good starting point to develop your own incident response test. If you have any questions on performing an incident response test at your organization, or questions around cybersecurity, feel free to reach out to me at dom@stig.net.

Dominic Genzano is the CEO and co-founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.

Share this article:

Blog

The Data Security Solution Every Member Management Software Vendor Should Have in Place

Constellation Payments | June 7, 2016September 17, 2018

We work with a lot of software vendors in the member management space.

Their customers — gym owners, personal trainers, association managers — use software like EZFacility, myVolo and 123Signup to streamline business operations and automate key tasks.

One of the most critical needs for these business professionals — due to the nature of their operation — is the need to have secure payment processing integrated with their software.

These fitness professionals and association executives need to have the ability to process recurring credit and ACH payments through their software on a continual basis, so that they can charge for items like fitness memberships, association dues, and personal training session packages.

Rather than input the member’s credit or bank draft account each and every month when a membership payment is due, the software needs to store the account information for ongoing use. Problem is … storing sensitive payment data leaves the data at great risk of being stolen.

That’s where tokenization comes in.

What is Tokenization?

Much like emptying a treasure chest of its valuables, tokenization replaces a cardholder’s primary account number (credit card number) or bank account number with a long string of random numbers that is useless to a thief if stolen.

That long string of random numbers, the token, is used when processing payments. The customers’ actual payment data is sent to a highly-secure encryption appliance and stored, eliminating the need for the merchant to store the payment data on their internal network.

In other words, fitness gyms, associations and other membership-based businesses can go about their business — processing payments the first of every month or whatever their cycle. At the time of payment, the token is retrieved and used for transactions in lieu of the cardholder’s primary account number/credit card number or bank account number.

More Benefits to Tokenization:

1. Because merchants don’t have to store the sensitive data themselves, their Payment Card Industry (PCI) requirements are reduced, which ultimately means less questions on the merchant’s annual PCI survey, reduced liability and reduced costs associated with PCI compliance.

2. Tokenization protects businesses from internal theft — from employees, suppliers, vendors or anyone else connected to the software and its data.

How is Tokenization Different than Encryption?

Encryption masks data using an algorithm to scramble credit card data so that it can’t be read by anyone without a proper key. However, unlike tokenization, that data is on the company’s internal network. So while hacking and being able to use encrypted payment data is minimal, there is still a hole and hackers could potentially reverse-engineer the data to reveal credit card information.

The Best Course of Action …

The tokenization technology we use with our software partners employs state-of-the-art encryption, utilizing a multiple-authority architecture, public-key cryptography and a FIPS 140-2 Level 3 certified Hardware Security Module to store private keys.

At Constellation Payments, we strongly advocate a 3-prong data security approach that includes 1) tokenization AND ALSO 2) point-to-point encryption to encrypt data from the moment it enters the point of sale software and 3) EMV technology to reduce card fraud resulting from counterfeit, lost or stolen cards.

This layered data security method is the best course of action for all software that includes point of sale and recurring membership and/or subscription-based payment processing capabilities.

If you have any questions about our tokenization process, or how Constellation Payments can assist you by delivering payment processing solutions integrated with your point of sale software, feel free to give us a call at 888.248.7060 or send an email to sales@csipay.com.

Angela Summa is the Vice President of Constellation Payments. She is responsible for business development, implementation, channel partner support, and merchant support. Her goal is to ensure businesses offer the highest level of payment processing security and ease of processing to customers. You can reach Angela by sending an email to asumma@csipay.com.

Image Courtesy of Pixabay