The Card Associations Come Together

Over the last few years there have been a variety of initiatives brought forth by each of the different card networks: Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection (SDP), American Express' Data Security Operating Policies (DSOP) and Discover's Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program that sets a single standard for Merchants to comply with: the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS focuses on six areas of operation:

- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
For most Merchants, in order to certify to the PCI DSS standards, you must complete a detailed self-assessment form and receive quarterly network scans from an independent auditor. For bigger Merchants (6 million transactions annually or above), the regulations require a detailed onsite assessment. Even Merchants who process less than 20,000 transactions annually are required to comply with the regulations, even though they are not currently required to be validated by the Card Associations. Certification and compliance guidelines for smaller Merchants are dictated by their Merchant Bank.
What Is CISP?

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That's why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data, wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard.
In 2004, the CISP requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard, resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance, endorsing the PCI Data Security Standard.
What Is PABP?

You can read lots more about Payment Application Best Practices by clicking the link below. You can also see which software packages are currently certified. Please note that FreePOS interfaces with X-Charge by CAM Commerce, CreditLine by 911 Software and ICVerify.

www.visa.com/cisp
Are You Okay?

Every payment processing application should be certified. If you are using a certified version of X-Charge, CreditLine or ICVerify, you are in great shape from a software standpoint.

It should be noted, however, that certification expires after one year. So you must continually upgrade your software if you wish to maintain full compliance.
I Purchased A ____ POS System & Now The Company I Purchased The POS System From Is Telling Me That I Must Upgrade Or I'll Be In Violation Of The Law. Help!

To be in full compliance with the PCI guidelines is an expensive & time-consuming process. Regular audits, software upgrades & rule changes that are difficult to predict all contribute to a very perplexing landscape. Needless to say: be very careful to get a second opinion if a sales person (who has a vested financial interest in "your compliance") tells you to upgrade.
What Happens If You Don't Comply?

You could be fined or you could lose your ability to accept credit cards.
Should I Close My Business Until I Get Certified?

NO. These penalties are reserved for credit card database security mistakes that result in multiple accounts being hijacked. If a single person uses a stolen credit card in your establishment, the worst case is going to be a charge-back by the rightful owner of the card.
If I Change Processors Will That Help?

NO. But some unethical card reps are telling merchants untrue things like this just to get more business.