Mercury Payment Systems provides smart and easy credit card processing for merchants in the U.S. and Canada.

Card Data Security

We lead the industry in POS reseller partner education about security compliance. We make sure our partners understand how security compliance is relevant to them. Our education program gives resellers the information, direction, resources and tools they need to help merchants comply with the Payment Card Industry Data Security Standard (PCI DSS). We work together to serve the best interests of our mutual merchant clients.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 mandatory requirements created by the card associations to safeguard consumer card data. As the number of people using cards for payments has increased, so has the risk of card data compromise. Compliance with these PCI standards is now required for all payment processors, POS payment applications and merchants of all sizes.

We help our POS reseller partners understand their role in helping merchants comply with PCI standards. Our reseller partners are our merchants’ information technology experts. Merchants rely heavily on them to set up security-compliant POS systems and configure system networks for secure operations. Resellers’ long-term merchant relationships position them to know which merchants may need extra attention in complying with security standards.

The PCI standards focus on how to protect card data and network security. We work with all of our POS partners to help merchants with both. We help developers through every step of the integration process to ensure their payment application is PCI compliant. Many of our developer partners have gone the extra mile to become PABP validated and listed on Visa’s website.

We make sure our reseller partners have everything they need to discuss PCI compliance easily and intelligently with merchants. We provide easy access to information, tools and resources on our customized MercuryView™ partner portal.

Watch a video about a merchant card data compromise

Produced by the Retail Solutions Providers Association (RSPA), this video, Payment Card Industry: Security Compliance "Are You at Risk?", provides a candid, 12-minute look at the facts surrounding PCI compliance and the impacts of card data compromise.

Visa’s top five data security vulnerabilities

  1. Storage of sensitive cardholder data, including track data, Card Verification Value 2 (CVV2), and Personal Identification Numbers (PINs) or PIN blocks
  2. Missing or outdated security patches
  3. Using vendor-supplied default settings and passwords
  4. Insecure website code
  5. Unnecessary and vulnerable services on servers

Remote access software safety

Many of our partners use remote access programs to enable prompt customer service for their merchants. We offer a few reminders about the safe use of remote access software. If not configured and managed correctly, it can provide an easy entry point for intruders to gain unauthorized access to the POS system, and potentially to private customer data.

  1. Limit the number of people that can access the system remotely. Only allow and provide remote access to those who have a strong business need. This typically includes the POS system vendor/reseller for remote service and may also include owners, management and administrators of the merchant location.
  2. Do not share remote access credentials. Ensure that each user with remote access has a unique username and password.
  3. Disable remote access user accounts when no longer needed.
  4. Never leave remote access software on and "listening" for incoming connections. It is always best to select a remote access package that requires a user at the merchant site to start or log on to initiate a remote access session.

Merchant levels and compliance requirements

What do they mean by level 1, 2, 3, 4 merchants? These are the levels assigned to merchants based on Visa transaction volume over a 12-month period.

Merchant levels defined – compliance requirements by level
Level 1
Annual onsite PCI DSS assessment by the merchant’s internal auditor or a qualified security assessor, or an internal audit signed by an officer of the company, in addition to a quarterly network security scan done by an approved scanning vendor.

Level 2
Completion of PCI DSS self-assessment questionnaire annually, and a quarterly network security scan done by an approved scanning vendor.

Level 3
Completion of the PCI DSS self-assessment questionnaire annually and a quarterly network security scan done by an approved scanning vendor. As of 10/01/08, all newly boarded merchants must use a PABP compliant application.

Level 4
Completion of the PCI DSS self-assessment questionnaire annually and a quarterly network security scan done by an approved scanning vendor. As of 10/01/08, all newly boarded merchants must use a PABP compliant application.

What are all those acronyms?

PCI DSS (Payment Card Industry Data Security Standard) – A security standard, implemented by the PCI Security Standards Council for all card brands, to protect cardholder data. It includes requirements for security management, policies, procedures, network architecture, software design, and other protective measures to help facilitate the broad adoption of consistent data security measures. www.pcisecuritystandards.org

PCI Security Standards Council – A council founded by American Express, Discover, JCB, MasterCard Worldwide, and Visa International to enhance payment account data security by fostering broad adoption of the PCI Security Standards. www.pcisecuritystandards.org

*PABP (Payment Application Best Practices) – A set of requirements a developer’s point-of-sale payment application must comply with to be considered secure. For a list of POS system developers validated by an independent, Visa-certified security assessor, go to www.visa.com/pabp

*PA DSS (Payment Application Data Security Standard) – PABP is evolving to PA DSS with the PCI Security Council’s adoption and management of Visa’s PABP program, making it industry wide.

PCI PED (Payment Card Industry PIN Entry Device) – This standard complements the PCI DSS. It outlines the rules and regulations governing the security approval of PIN Entry Devices (PEDs) and is designed for PIN pad manufacturing, setup, and use. By following this document, companies and entities that focus primarily on PEDs can more easily and effectively validate the security of their products. Some card associations, such as Visa, require the use of PED-approved devices. However, there is a matrix of PED certification versions and corresponding dates governing their deployment and use. The PCI PED standard is periodically updated, and each revision gets a new version number (e.g. PCI PED v1).

Note – Originally, the PED security standard was created by Visa and approved devices were referred to as “Visa PED Approved Devices”. Later, it was adopted by the PCI Council and named “PCI PED.”