The Green Sheet, Inc


The Green Sheet Online Edition

May 14, 2007  •  Issue 07:05:01


PCI priority: No agent left behind

By Michael Petitti

AmbironTrustWave investigated approximately 200 payment card compromises recently. We learned that in 57% of instances studied, reliance on third-party products or services may have exposed merchants or service provider systems to cardholder data theft.

Additionally, we found that flawed software-based payment applications may have contributed to 72% of compromises.

As the card Associations continue to educate the industry on the importance of data security, they preach caution and due diligence to merchants, especially in regard to working with third-party vendors.

In addition, acquiring banks have begun reaching out to smaller merchants about data security. As merchants become more aware of the issues, their demand for products and services that sustain compliance with the Payment Card Industry (PCI) Data Security Standard will increase.

Become a PCI expert

As an ISO or merchant level salesperson (MLS), you need to understand PCI to ensure the security of your business, protect yourself should your customer data be breached and differentiate your company in a crowded marketplace.

The primary objective of PCI is to prevent the exposure of cardholder data to unauthorized parties such as hackers seeking credit card information for fraudulent purposes. PCI consists of 12 requirements and multiple subrequirements to guide the building and maintenance of secure payment card networks.

Each card brand (American Express Co., Discover Financial Services LLC, JCB International Co. Ltd., MasterCard Worldwide and Visa U.S.A.) demands that any entity processing, storing or transmitting cardholder information comply with all PCI requirements.

While PCI is an industry-accepted, global standard for protecting cardholder data, each card brand oversees its own enforcement of compliance with the standard. They issue separate penalties for noncompliance and events in which payment card data is compromised.

Given the ubiquity of payment card processing technology and services (evidenced in part by the spread of free equipment offers advertised in industry publications), PCI offers you an opportunity to distinguish yourself.

As the statistics from the Ambiron study illustrate, third parties involved in payment card acceptance services sometimes lack basic understanding of data security. If you can offer guidance to merchants in meeting PCI requirements, you will set your business apart.

Showing your concern for the security of your customers' payment card environments will strengthen existing relationships and lead to new business.

Evaluate your offerings

The first step in building a reputation as a resource for PCI information is ensuring that your offerings support PCI compliance. Otherwise you risk running afoul of the best data security practices you intend to preach. Begin by answering the following questions:

Visa's PABP, similar in nature to PCI, guides software developers in creating secure payment applications. PABP-adherent applications are noted on Visa's list of validated payment applications, located at They support merchants' efforts in complying with PCI and securing cardholder information.

In addition to using PABP-adherent payment applications and securing their payment card environments (as required by PCI), merchants must use service providers from Visa's list of compliant service providers. This list is also located at

Visa defines a service provider as any organization that "enable[s] payment transactions (e.g., authorization or settlement) between merchants and processors."

Be credible

Should one of your customers experience a compromise, your liability, of course, depends on your contract with that merchant.

By offering solutions that support PCI compliance, you can demonstrate due diligence and avoid being held liable for penalties and fines that a compromised entity may attempt to pass on to you. But more importantly, offering PCI-compliant and PABP-adherent solutions bolsters your credibility as a data security resource for your customers.

Complying with PCI requires more than choosing secure payment applications and Visa-validated processing services. Future articles in this series will cover additional PCI-related considerations, including how to discuss PCI with merchants and resources for helping your clients get started on the path toward a secure payment card environment.

Michael Petitti is Senior Vice President of Marketing for AmbironTrustWave and is responsible for all of the company's marketing initiatives. Michael serves on the Electronic Transactions Association's Strategic Leadership Networking Forum Program Planning Committee. Call him at 312-873-7291, or e-mail him at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
