The Green Sheet, Inc


The Green Sheet Online Edition

May 14, 2007  •  Issue 07:05:01


PCI priority: No agent left behind

By Michael Petitti

AmbironTrustWave investigated approximately 200 payment card compromises recently. We learned that in 57% of instances studied, reliance on third-party products or services may have exposed merchants or service provider systems to cardholder data theft.

Additionally, we found that flawed software-based payment applications may have contributed to 72% of compromises.

As the card Associations continue to educate the industry on the importance of data security, they preach caution and due diligence to merchants, especially in regard to working with third-party vendors.

In addition, acquiring banks have begun reaching out to smaller merchants about data security. As merchants become more aware of the issues, their demand for products and services that sustain compliance with the Payment Card Industry (PCI) Data Security Standard will increase.

Become a PCI expert

As an ISO or merchant level salesperson (MLS), you need to understand PCI to ensure the security of your business, protect yourself should your customer data be breached and differentiate your company in a crowded marketplace.

The primary objective of PCI is to prevent the exposure of cardholder data to unauthorized parties such as hackers seeking credit card information for fraudulent purposes. PCI consists of 12 requirements and multiple subrequirements to guide the building and maintenance of secure payment card networks.

Each card brand (American Express Co., Discover Financial Services LLC, JCB International Co. Ltd., MasterCard Worldwide and Visa U.S.A.) demands that any entity processing, storing or transmitting cardholder information comply with all PCI requirements.

While PCI is an industry-accepted, global standard for protecting cardholder data, each card brand oversees its own enforcement of compliance with the standard. They issue separate penalties for noncompliance and events in which payment card data is compromised.

Given the ubiquity of payment card processing technology and services (evidenced in part by the spread of free equipment offers advertised in industry publications), PCI offers you an opportunity to distinguish yourself.

As the statistics from the Ambiron study illustrate, third parties involved in payment card acceptance services sometimes lack basic understanding of data security. If you can offer guidance to merchants in meeting PCI requirements, you will set your business apart.

Showing your concern for the security of your customers' payment card environments will strengthen existing relationships and lead to new business.

Evaluate your offerings

The first step in building a reputation as a resource for PCI information is ensuring that your offerings support PCI compliance. Otherwise you risk running afoul of the best data security practices you intend to preach. Begin by answering the following questions:

Visa's Payment Application Best Practices (PABP), similar in nature to PCI, guides software developers in creating secure payment applications. PABP-adherent applications are noted on Visa's list of validated payment applications, located at www.visa.com/cisp. They support merchants' efforts in complying with PCI and securing cardholder information.

In addition to using PABP-adherent payment applications and securing their payment card environments (as required by PCI), merchants must use service providers from Visa's list of compliant service providers. This list is also located at www.visa.com/cisp.

Visa defines a service provider as any organization that "enable[s] payment transactions (e.g., authorization or settlement) between merchants and processors."

Be credible

Should one of your customers experience a compromise, your liability, of course, depends on your contract with that merchant.

By offering solutions that support PCI compliance, you can demonstrate due diligence and avoid being held liable for penalties and fines that a compromised entity may attempt to pass on to you. But more importantly, offering PCI-compliant and PABP-adherent solutions bolsters your credibility as a data security resource for your customers.

Complying with PCI requires more than choosing secure payment applications and Visa-validated processing services. Future articles in this series will cover additional PCI-related considerations, including how to discuss PCI with merchants and resources for helping your clients get started on the path toward a secure payment card environment.

Michael Petitti is Senior Vice President of Marketing for AmbironTrustWave and is responsible for all of the company's marketing initiatives. Michael serves on the Electronic Transactions Association's Strategic Leadership Networking Forum Program Planning Committee. Call him at 312-873-7291, or e-mail him at mpetitti@atwcorp.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
