Card Data Security

Our knowledge-based environment helps all of our business partners – merchants, POS developers and resellers – understand and implement best practices for assuring card data security.  We work with our reseller partners, in particular, to provide a clear road map to card data security compliance for our mutual merchants.    

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 mandatory requirements created by the card associations to safeguard consumer card data. As the number of people using cards for payments has increased, so has the risk of card data compromise. Compliance with these PCI standards is now required for all payment processors, POS payment applications and merchants of all sizes.

The PCI standards focus on two things: protecting card data wherever it is stored or transmitted, and securing the network that handles it.

We work with our POS partners to help merchants with both. We help developers through every step of the integration process to ensure their payment application is PCI compliant. Many of our developer partners have become PABP validated and listed on Visa’s website.  Our reseller partners help merchants choose compliant POS systems, or upgrade software to a compliant version. They also provide expert service in configuring secure merchant networks.

Watch a video about a merchant card data compromise
Produced by the Retail Solutions Providers Association (RSPA), this video, Payment Card Industry: Security Compliance "Are You at Risk?" provides a candid, 12-minute look at the facts surrounding PCI compliance and the impacts of card data compromise. 

Why merchants should stay informed about PCI compliance
PCI compliance is a relatively new concern. The standards are evolving. A PCI Council now exists to oversee future compliance developments on behalf of all the card associations (Visa, MasterCard, etc.) There are now mandatory compliance requirements  for all levels of merchants. Some merchants may still not know about them or understand the implications for their business.  

Which merchants are at risk?
Any merchant not compliant with the PCI standards for the safe handling and storage of card data is at particularly high risk. For example, merchants using older POS systems that predate the PCI standards may be storing prohibited card data. Merchants who are not following best practices for maintaining a secure network are also at increased risk, even if they are using a PCI compliant POS system. Card data has a high value on the black market. Thieves target brick and mortar merchants to obtain track (magnetic stripe) data that they can use to make counterfeit cards. Eighty-five percent of compromises occur at “card present” environments.

More than 80 percent of these attacks are directed at level 4 merchants. These are merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to one million transactions per year.

Three compelling reasons for merchant PCI compliance
  1. Merchants are liable for card data thefts from their businesses, even if only a small number of cards are affected. By signing a credit card processing agreement, merchants agree with the card associations’ requirements for handling credit card data according to the PCI data security standards.
  2. Card data theft is costly.  When a merchant location is determined to be a common point of purchase for stolen card data, the card associations order a forensic audit. This can cost the merchant $15,000. Then, depending on the number of cards affected, and whether the merchant took the necessary steps toward PCI compliance, the card association(s) assess fines that can range from $50,000 to $500,000.
  3. Losing the ability to accept credit cards could destroy a merchant’s business.  Combined with loss of reputation and financial damages, the merchant could be forced to close.

Four steps merchants should take now to protect their business
  1. Use a PABP (PA DSS)-validated POS system. If you are not sure if the system you are using is PCI compliant, check Visa’s online listing of PABP-validated systems, or contact your POS reseller or Mercury for assistance. 
  2. Ensure network security. Our POS reseller partners can help with secure network configuration, from setting up firewalls to advising merchants about password protection, remote access security controls, and other protective measures.
  3. Required for all merchants: Complete a yearly PCI self-assessment questionnaire.* This can help identify vulnerabilities within the merchant’s business.
  4. Required for all merchants: Complete a quarterly network scan through a PCI-approved scan vendor.*

*We partner with an approved security assessor to assist merchants with these requirements. Please contact us for more information.

Security tips!
We help our merchants stay informed about all sorts of security risks. Here are some additional tips we think you might find helpful.
Be aware of skimming devices
These are small devices thieves use to record track data that they can use to make new fraudulent credit cards. Thieves may entice employees to swipe customers’ credit cards through the skimming device in return for money. Be alert.
Point security cameras at the POS
The simple presence of a camera pointing at the POS can help keep employees honest. Review camera recordings daily and investigate activity that looks suspicious.
Change passwords regularly
Changing passwords every 90 days is a simple practice that deters fraudulent activity. Always keep passwords secure and do not write them down. Use passwords that are at least eight characters long and are a random combination of letters, numbers and symbols rather than common words, names, birthdates, etc. Never keep the default password a vendor shipped with the POS system or network equipment.
Create a network services management plan
Determine who will have access to particular programs, who is in charge of updating and maintaining security, and how security updates will be handled. 
Document changes by third party vendors
Keep a record of any changes made to your system, including a description of the change, the date, and the name of the vendor providing the service. Verify that the system is still secure after the change, for example that remote access was not left enabled and no new accounts or default passwords were introduced. Ask the third party vendor to sign a statement verifying that they did not leave the network open to vulnerabilities.

Visa’s top five data security vulnerabilities leading to compromise
  1. Storage of sensitive cardholder data, including track data, Card Verification Value 2 (CVV2), and Personal Identification Numbers (PINs) or PIN blocks
  2. Missing or outdated security patches
  3. Using vendor-supplied default settings and passwords
  4. Insecure website code
  5. Unnecessary and vulnerable services on servers

Remote access software safety
We encourage merchants to follow some basic guidelines for using remote access programs. If not configured and managed correctly, they can provide an easy entry point for intruders to gain access to the POS system, and potentially to private customer data.
  1. Limit the number of people that can access the system remotely. Only allow and provide remote access to those who have a strong business need. This typically includes the POS system vendor/reseller for remote service and may also include owners, management and administrators of the merchant location. 
  2. Do not share remote access credentials. Ensure that each user with remote access has a unique username and password.
  3. Disable remote access user accounts when no longer needed.
  4. Never leave remote access software on and "listening" for incoming connections. It is always best to select a remote access package that requires a user at the merchant site to start or log on to initiate a remote access session.

What are all those acronyms?
PCI DSS (Payment Card Industry Data Security Standard) – A security standard, maintained by the PCI Security Standards Council on behalf of all card brands, to protect cardholder data.  It includes requirements for security management, policies, procedures, network architecture, software design, and other protective measures to help facilitate the broad adoption of consistent data security measures.  www.pcisecuritystandards.org
PCI Security Standards Council – A council founded by American Express, Discover, JCB, MasterCard Worldwide, and Visa International to enhance payment account data security by fostering broad adoption of the PCI Security Standards.  www.pcisecuritystandards.org
PABP (Payment Application Best Practices) – A set of requirements a developer’s point-of-sale payment application must comply with to be considered secure.  For a list of POS system developers who have gone the extra mile to become validated by an independent, Visa-certified security assessor, go to www.visa.com/pabp 
PA DSS (Payment Application Data Security Standard) – PABP is evolving into PA DSS as the PCI Security Standards Council adopts and manages Visa’s PABP program, making it industry wide.
PCI PED (Payment Card Industry PIN Entry Device) — This standard complements the PCI DSS. It sets out the requirements a PIN Entry Device (PED) must meet to be approved, and is designed for PIN pad manufacturing, setup, and use. By following this document, companies that focus primarily on PEDs can more easily and effectively validate the security of their products. Some card associations such as Visa require the use of approved PED devices. However, there is a matrix of PED certification versions and corresponding dates governing their deployment and use. PCI PED is periodically updated and each revision gets a new version number (for example, PCI PED v1).
Note: Originally, the PED security standard was created by Visa and approved devices were referred to as “Visa PED Approved Devices”. Later, it was adopted by the PCI Council and named “PCI PED.”

What do they mean by level 1, 2, 3, 4 merchants?
These are the levels assigned to merchants based on Visa transaction volume over a 12-month period. 

Merchant levels defined

Compliance requirements by level
Level 1
Annual onsite PCI DSS assessment, performed either by a qualified security assessor or by the merchant’s internal audit staff with the report signed by an officer of the company, plus a quarterly network security scan done by an approved scanning vendor.

Level 2
Completion of PCI DSS self-assessment questionnaire annually, and a quarterly network security scan done by an approved scanning vendor.

Level 3
Completion of the PCI DSS self-assessment questionnaire annually and a quarterly network security scan done by an approved scanning vendor. As of 10/01/08, all newly boarded merchants must use a PABP compliant application.

Level 4
Completion of the PCI DSS self-assessment questionnaire annually and a quarterly network security scan done by an approved scanning vendor. As of 10/01/08, all newly boarded merchants must use a PABP compliant application.