Blog

PCI Data Security: The #1 Misconception That Can Harm Your Business and Its Reputation

There’s a common misconception about PCI compliance, that, if not addressed, can seriously harm the very business and professional image you’ve worked so hard to build.

The misconception? That your business does not need to become PCI compliant and renew its certification each year.

It’s easy to see how this misconception could come about. Most small businesses use business management software and work with a third-party merchant services provider, like Constellation Payments, to help run their business.

Yes, the software provider is PCI-certified, and the merchant services provider is also PCI-certified.

However, working with PCI-certified vendors does not exempt a business from having to show their own compliance. All businesses that participate in the payment transaction process must adhere to PCI compliance standards. The process includes more than running payments through your software.

The payment transaction process includes how credit card and debit card payment information is handled at the front desk in fitness clubs and gyms, at the counter in salons and spas, on a tablet for on-the-go businesses like personal training, at the register in a retail store, and so on.

How Do I Get My Business PCI-Certified?

To become PCI-certified, your business must complete the self-assessment questionnaire annually.

Fortunately, there are many resources to help with PCI certification – ones that make it a relatively pain-free process.

At Constellation Payments, as part of our solution, each merchant is enrolled in the PCI Plus Protection Program that’s provided by the well-known Qualified Security Assessor, Sysnet.

What’s great about this program is that you get hands-on help. The team at Sysnet will guide you through the entire process to help you complete your self-assessment questionnaire (SAQ). And they’ll confirm all answers.

Once the questionnaire is completed, you’ll be able to download your validation certificate and then send the certificate to your merchant processor to have on file.

What Happens if My Business Isn’t PCI-Certified?

1. You could lose the ability to accept credit cards.

If there are possible breaches of card association regulations, the card brands could revoke your right to process credit cards.

2. You could get hit with a big financial loss.

Non-PCI-compliant merchants can face fines of up to $500,000.00 in the event of a data breach.

In addition, PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by the credit card companies. These penalties depend on the volume of clients, the volume of transactions, the level of PCI-DSS that the company should be on, and the time that the company has been non-compliant. For example, the penalties for a Level 1 company that has not met the requirements for more than 7 months could reach up to $100,000 monthly.

Merchant level identification is based on the total volume of transactions per year. See VISA’s site for detail on each level and level requirements.

3. You could lose clients and business.

All it takes is one data breach – no matter its size – to damage your business financially and inflict irreparable damage to your business reputation.

4. You’ll be subject to monthly non-compliance fees.

US businesses that have not completed their annual self-assessment questionnaire, and have not demonstrated PCI-DSS compliance, are subject to a $59.99 per month non-compliance fee.

At Constellation Payments, this fee is meant as an incentive to complete your PCI compliance self-assessment questionnaire to ensure you’re handling and processing credit and debit card payments in a safe and secure manner. Once a merchant has completed their questionnaire demonstrating compliance, the fee drops to $0.

The Benefits Beyond Data Security

Being PCI compliant doesn’t just ensure your business is following the rules and regulations. PCI compliance also helps your business growth and reputation. When consumers know your systems are secure, they can trust you with their sensitive information and have confidence that it is safe and protected.

Confident customers that trust you are more likely to do business with you again and become loyal, repeat shoppers. They’re also likely to recommend you to their friends.

Another key benefit of compliance: it improves your reputation with acquirers (banks and financial institutions that process credit and debit cards on your behalf).

Compliance also improves your reputation with payment brands such as VISA and MasterCard.

The Small Time Investment to Become PCI Compliant is Well Worth the Big Gains in Consumer Confidence and Peace of Mind

While it does take some time and effort to become PCI-compliant, it’s well worth it to gain customer trust and confidence — and avoid catastrophic data breaches that can destroy your business.

Not PCI compliant? Make today the day you become certified to protect your livelihood.

Or as the PCI Security Standards Council website so aptly states, “You’ve worked hard to build your business — make sure you secure your success by securing your customers’ payment card data.”


Cybersecurity Operations: Is Your Business Complying with These PCI-DSS Requirements?


Did you know that the Payment Card Industry Data Security Standard (PCI-DSS) requires that specific cybersecurity operations procedures be conducted on a periodic basis?

Depending on whether you’re a merchant or a service provider — and the nature of how you deal with credit cards — these mandatory procedures may include (but are not limited to):

DAILY

  • Security log reviews

MONTHLY

  • Patching of software and system components

QUARTERLY

  • Internal and external vulnerability scans

SEMI-ANNUAL

  • Firewall rule reviews

ANNUAL

Many of the operations processes required by the PCI-DSS are not only required to be executed according to the specified period, but also when a change to the environment compels an update, such as a penetration test of a new application or vulnerability scan of a new technology environment.

Take Note! Maintaining Records is a Must

The challenge from a compliance perspective is that these procedures must not only be executed, but records must be maintained because you will need to be able to demonstrate that these procedures have taken place if audited or the subject of a breach investigation.

The PCI-DSS requires that these operations processes be executed according to documented procedures, and that the records demonstrate that these procedures were followed. Moreover, if an annual PCI-DSS assessment discovers that the execution of a periodic operations process was missed at some point over the last 12 months, that is potential grounds for your organization being deemed non-compliant.

Prepare to Succeed

“For every minute spent organizing, an hour is earned.” ~ Benjamin Franklin

It is simply not feasible to meet these PCI-DSS requirements without a formal cybersecurity operations program. Your organization needs to develop a plan for this program.

Step 1: List the periodic cybersecurity operations tasks required, with the required frequency.

Step 2: Document the procedures for the execution of each task.

Step 3: Assign personnel to execute the procedures and document the results.

Step 4: Assign one or more different personnel to review the records to make sure the procedures are being done.
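The four steps above, together with the frequency list and the record-keeping requirement earlier in this post, boil down to a small bookkeeping problem: a table of tasks with their required intervals, an evidence log of who did what and when, and a reviewer who checks that log for missed periods before the annual assessment does. The Python script below is an added example written for this page; it is not STIGroup’s or Constellation Payments’ tooling. The task table, the 365-day lookback, the sample evidence log and the people named in it (ops-a, sec-b, net-c) are constructed assumptions, and which tasks actually apply to your organization depends on its SAQ type and environment.

```python
from collections import defaultdict
from datetime import date, timedelta

# Required maximum interval, in days, between executions of each periodic task.
# The task names follow the frequency list earlier in this post; which tasks
# apply to your organization depends on its SAQ type and environment, so treat
# this table as an assumed, illustrative subset (Step 1 of the plan).
REQUIRED_TASKS = {
    "security_log_review": 1,      # daily
    "patching": 30,                # monthly
    "vulnerability_scan": 90,      # quarterly
    "firewall_rule_review": 180,   # semi-annual
    "penetration_test": 365,       # annual
}


def find_gaps(records, required=REQUIRED_TASKS, assessment_end=date(2024, 12, 31),
              lookback_days=365):
    """Check the evidence log for missed periods inside the 12-month assessment
    window.  `records` is an iterable of (task, date, performed_by, reviewed_by).
    Returns {task: [(gap_start, gap_end), ...]} for every stretch where the time
    between consecutive executions (or between a window edge and the nearest
    execution) exceeds the task's required interval.  A task with no record at
    all in the window is reported as one gap spanning the whole window."""
    dates_by_task = defaultdict(list)
    for task, when, _performed_by, _reviewed_by in records:
        dates_by_task[task].append(when)

    window_start = assessment_end - timedelta(days=lookback_days)
    gaps = {}
    for task, interval in required.items():
        dates = sorted(d for d in dates_by_task.get(task, [])
                       if window_start <= d <= assessment_end)
        if not dates:
            gaps[task] = [(window_start, assessment_end)]
            continue
        # Bracket the executions with the window edges so that a late first
        # execution or an overdue last one is counted as well.
        checkpoints = [window_start] + dates + [assessment_end]
        task_gaps = [(prev, nxt) for prev, nxt in zip(checkpoints, checkpoints[1:])
                     if (nxt - prev).days > interval]
        if task_gaps:
            gaps[task] = task_gaps
    return gaps


def find_review_failures(records):
    """Step 4: each record must be reviewed by someone other than the person who
    performed the task.  Returns the records that were never reviewed or were
    self-reviewed."""
    return [r for r in records if r[3] is None or r[3] == r[2]]


def constructed_records():
    """Constructed sample evidence log for one assessment year (not real data)."""
    start = date(2024, 1, 1)
    recs = []
    # Daily log reviews, with a four-day hole from 4 to 7 July.
    for i in range(366):
        day = start + timedelta(days=i)
        if date(2024, 7, 4) <= day <= date(2024, 7, 7):
            continue
        recs.append(("security_log_review", day, "ops-a", "sec-b"))
    # Monthly patching, every 30 days.
    for i in range(12):
        recs.append(("patching", start + timedelta(days=5 + 30 * i), "ops-a", "sec-b"))
    # Quarterly scans: the third-quarter scan was skipped and the last one was
    # reviewed by the person who ran it.
    recs += [
        ("vulnerability_scan", date(2024, 2, 15), "ops-a", "sec-b"),
        ("vulnerability_scan", date(2024, 5, 10), "ops-a", "sec-b"),
        ("vulnerability_scan", date(2024, 11, 20), "ops-a", "ops-a"),
    ]
    # Semi-annual firewall rule reviews.
    recs += [
        ("firewall_rule_review", date(2024, 2, 1), "net-c", "sec-b"),
        ("firewall_rule_review", date(2024, 7, 15), "net-c", "sec-b"),
    ]
    # No penetration test was recorded at all this year.
    return recs


if __name__ == "__main__":
    log = constructed_records()
    for task, task_gaps in sorted(find_gaps(log).items()):
        for gap_start, gap_end in task_gaps:
            print(f"MISSED  {task:22} no execution between {gap_start} and {gap_end}")
    for task, when, performed_by, reviewed_by in find_review_failures(log):
        print(f"REVIEW  {task:22} {when}: performed by {performed_by}, reviewed by {reviewed_by}")
```

Run against the constructed log, the script flags the July hole in the daily log reviews, the missing third-quarter scan, the absent annual penetration test, and the one scan record that was self-reviewed. The interval check is deliberately strict (a daily task missed over a long weekend is reported); if your documented procedure allows a tolerance, add it to the interval rather than silently loosening the comparison, so the tolerance itself is part of the record.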

As you go through this exercise, you’ll likely discover that you aren’t sure how to interpret a particular operations requirement, or that you don’t have sufficient personnel to execute the procedures according to the prescribed frequency.

If that is the case, you may need to contract outside assistance to work with you to develop some of the procedures, or to handle some of the operations tasks. Maybe you’ll need to hire more personnel or reassign existing personnel away from lower priorities.

You won’t know until you develop the plan. And you won’t achieve PCI-DSS compliance without a formal cybersecurity operations program.

Dominic Genzano is the CEO and Founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


What Every Business Needs to Know About PCI Compliance (10 FAQs Answered)


It seems that every day we hear more and more about data security breaches, foreign cyber-attacks, and consumer warnings about how to protect yourself from falling victim to fraud.

Now more than ever, it’s important to stay ahead of the curve and ensure you have the basics down when it comes to protecting your business’ sensitive payment data.

Below are the most frequently-asked PCI-related questions we receive from channel partners and merchants, along with answers. If you have a question that isn’t listed, please comment below or send an email to support@csipay.com.

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) — commonly referred to as just PCI — is a set of standards designed to ensure that all organizations that accept, process, store or transmit credit card information maintain a secure environment.

What Businesses are Required to Be PCI-Compliant?

ALL BUSINESSES that participate in the payment transaction process are expected to adhere to the PCI compliance standards. This includes:

  • Businesses of all sizes
  • Point of sale providers
  • Gateway providers
  • Financial institutions
  • Payment processors and acquirers
  • Hardware and software developers

My Software Provider is PCI-Certified. Do I Need to Maintain PCI Compliance Myself?

Yes. Working with a software provider that is PCI-certified, or a merchant services provider, like Constellation Payments, that is PCI-certified, does not exempt a business from having to show compliance.

Businesses handle credit card information at their front desks and kiosks every day. All businesses are part of the payment transaction flow and therefore required to comply and show compliance through a certification process.

All the entities listed above must demonstrate and validate compliance.

How Do I Become PCI-Certified?

1) Review the 12 PCI-DSS requirements on the Constellation Payments website. This list can be used as a checklist for assessing your IT assets and business processes.

2) Complete the self-assessment questionnaire (SAQ) and confirm all answers.

Businesses with Constellation Payments will be provided with step-by-step instructions on how to register with a Qualified Security Assessor (QSA), such as Sysnet.

3) Download your validation certification.

4) Send the certificate to your merchant processor to have on file.

How Often Do I Need to Complete the PCI Questionnaire?

You are required to complete the PCI questionnaire every year to stay compliant.

Who Can Help Me with my PCI Compliance Validation?

At Constellation Payments, we’ll guide you through the entire process to make sure your PCI compliance certification experience is smooth and easy.

We have partnered with well-known Qualified Security Assessors to provide all businesses with a PCI toolkit to help with the annual PCI compliance validation process.

Are There Additional Services Available to Assist with PCI Compliance?

Yes. We have an enhanced PCI solution, called PCI Plus, available to all businesses.

PCI Plus offers a white-glove approach to PCI compliance. Through the solution, you receive:

  • An interactive customer PCI validation experience
  • File Integrity Monitoring (FIM)
  • Anti-Virus Protection (AV)
  • Unauthorized Device Monitoring

These are just a few of the benefits. To learn more, email support@csipay.com or call 888.244.2160.

What’s a Security Vulnerability Scan?

A vulnerability scan identifies security issues such as storing of any credit card data, misconfigured networks or outdated versions of software.

Who Needs to Complete a Security Vulnerability Scan and How Often Does the Scan Need to be Completed?

Businesses that have external-facing IP (Internet Protocol) addresses that connect to their cardholder data are required to complete a quarterly vulnerability scan by an Approved Scanning Vendor. If vulnerabilities are found, the business is required to go through a remediation process to fix the vulnerabilities.

What is Breach Security Coverage?

Maintaining PCI compliant status will help to reduce the risk of a data security breach, but it doesn’t guarantee a breach event won’t occur.

The penalties for a data security breach can have a devastating financial impact to a business.

Our PCI program solution at Constellation Payments includes data breach coverage, which provides some financial relief to businesses that experience a data security breach.

In the event of a breach, you should contact Constellation Payments’ Support team, who will then work with Elavon to log the event and work with risk/loss prevention to start the investigative process.


Jennifer Sumii is Manager of Partner Relations for Constellation Payments. Within her role, she oversees critical company partnerships, including partners with custom integrations, large core processing accounts, and processor or origination companies. Her background includes extensive processing and banking experience, specifically FI/ISO/ICA relationship management, corporate and commercial banking relationship management, national account management, and new ISO/MSP implementation and training. You can reach Jennifer at jsumii@csipay.com.


Your Cyber Incident Response Exercise

The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that accept credit card payments to:

  • “Create an incident response plan to be implemented in the event of a system breach”
  • “Review and test the plan” (minimally on an annual basis)
  • “Provide appropriate training to staff with security breach responsibilities”
  • “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments”

Most organizations that accept credit card payments aren’t in the business of cybersecurity. The idea of a data breach is difficult to grasp.

What are the ways that it could happen? How can you guard against it? How would you know if a breach happened? What would you do about it if you knew a breach had occurred? What would be the consequences to your business?

Required Cybersecurity Controls

The PCI-DSS requires that your organization implement a specific set of cybersecurity controls, based on how your organization deals with credit card information. These cybersecurity controls are intended to prevent a security breach that would put credit card information at risk, and allow you to detect a breach should it occur.

But data breaches happen every day, and often go undetected for extended periods of time, even when the required cybersecurity controls are in place.

In many cases, organizations are completely unaware that a data breach may have occurred until their merchant bank or payment processor contacts them to inform them that fraud was reported for a large number of credit cards that were recently used to transact with their business.

Your Organization’s Vital Incident Response Test

The incident response test required by the PCI-DSS, if conducted properly, provides your organization with:

1. Invaluable preparation to respond to a suspected or confirmed breach

2. An effective means of continually improving your organization’s cybersecurity program to prevent a breach from occurring in the first place

In the context of PCI certification, and general cybersecurity best practices, an “incident response test” is essentially a tabletop exercise: a meeting where a few potential breach scenarios are discussed in some detail with the relevant members of your organization, and potentially third-party service providers who would be involved in the case of a breach.

What Would You Do If …

The exercise of discussing potential breach scenarios is vital because you don’t want the first time your organization asks “what should I do if …” to be during an actual breach. These scenarios must be discussed among the team before a breach occurs, at a ‘safe distance’ from an actual event so that the members of your team can think clearly.

Questions come up during such exercises that change your perspective and allow your organization to significantly improve your incident response capability with relatively small investments of time and money:

  • Who are you required to notify? Banks, processors, business partners, customers?
  • Are you sure that you have the correct contact information?
  • What would you tell them?
  • Where would you find the information you need from the systems to find out what happened?
  • Would you understand what you were looking at?
  • How would you determine the extent of the breach, or even make certain that there was a breach?
  • Do you have the tools that you would need to even try any of this?
  • If the response to such a breach is outside of your capabilities, who would you call? Do you have an arrangement in place to get the help when you need it?

These can be scary questions of course, but it’s better to ask them now, and to have thought them through to a reasonable degree ahead of time so that you can be prepared to act decisively and responsibly, even if that just means knowing who to call.

This is the intent of the incident response planning and testing requirements of the PCI-DSS: to prepare your organization as best as possible to minimize the damage of a security breach, thereby (hopefully) minimizing the amount of credit card information put at risk.

Taking Proactive Steps

The real value of a cyber incident response exercise is when the questions start to move in a proactive direction:

  • How would you detect such a breach?
  • How can you alter your security monitoring processes to detect such breach activity faster?
  • Now how can you adjust existing security controls, or implement new ones, to better prevent such a breach from occurring in the first place?

These are the types of questions that result in the continued improvement of your cybersecurity program, and take you past just ‘checking the box’ for your PCI-DSS certification, to a place where you are actually protecting your information.

Even if you work with a company like Constellation Payments for payment processing/merchant services that reduces your PCI scope, your organization should conduct an incident response test to ensure that the proper safeguards are in place at the organization/employee level.

I hope this article gives you a good starting point to develop your own incident response test. If you have any questions on performing an incident response test at your organization, or questions around cybersecurity, feel free to reach out to me at dom@stig.net.

Dominic Genzano is the CEO and co-founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


Quick Guide to PCI Compliance: What You Need to Know, Steps You Need to Take

Every industry has its share of specific terms, acronyms and abbreviations. There’s certainly no shortage of them in the world of payments.

One that you’ve likely come across on a regular basis — and one of extreme importance to your business — is PCI-DSS.

PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a set of requirements created to keep customer payment card data secure. All companies that process, store or transmit credit card information are required to comply with PCI-DSS.
