
PCI DSS COMPLIANCE: UPDATE FROM 1ST NATIONAL


Credit card fraud and data security breaches are becoming a huge problem in the credit card processing industry. Collectively, they have cost the card issuers billions of dollars over the last few years, and the numbers are increasing exponentially as the number of credit card and debit card users continues to grow. This is a very serious issue which affects not only the card issuers but everyone involved, including credit card processors, settlement banks, merchants (retail, wholesale and internet) and, of course, the cardholder.


As a result, the card issuers, Visa, Master Card, Discover and Amex, have become very strict with policies on how the banks, processors and merchants need to deal with the processing and storage of cardholder data, and on which terminals and secure payment gateways may be used to process credit card and debit card transactions. They are holding the banks and processors accountable not only for the security of their own data but for that of the merchants as well. Any breach or theft of cardholder data, whether at the bank and processor end or the merchant end, results in severe fines being assessed to the banks and the processors by the card issuers. Recently several major banks and processors were hacked and hundreds of thousands of credit card numbers were in fact stolen. This resulted in huge fines and penalties being handed down by the card issuers on top of all of the cost, additional expenses and manpower needed to clean up the disaster. One of those processors will be going out of business after VISA/MC is done assessing fines and penalties. In another incident, an example of a breach on the merchant side, a recent theft happened at a high-volume restaurant. A waiter was skimming credit card numbers through a reader in his belt buckle and was able to steal a significant amount before he was apprehended. As a result of this the processor was slapped with a fine of over $30,000 for this single incident alone, and the merchant was hit with a significant fine as well. It will take over 5 years for the processor to break even with this merchant on a loss of that magnitude, and this is only one example; the average merchant portfolio is over 100,000 strong.


The most difficult and most costly part about these extremely strict policies is that, due to the speed at which the industry is changing and growing, the requirements are constantly being amended and updated. On the acquirer side, this results in the credit card processors and settlement banks having to continually upgrade their systems. Each time they do this they have to train and retrain employees on the new systems and on fraud and security breach prevention procedures. On the merchant side, it requires the credit card processors and settlement banks to constantly update their equipment and software applications to ensure the merchants are running the most up-to-date and PCI compliant version. To top that off, many of the new updates render certain terminals obsolete, so the banks and processors are forced to monitor the entire portfolio to make sure merchants are only running units that are consistent with the new compliance updates. Furthermore, they continually have to educate, re-educate and then scan and rescan the merchants' locations to make sure they pass all of the latest PCI Compliance requirements. Between the manpower involved and all of the hardware and software updates required, all of these procedures are very costly, but not nearly as severe as a security breach on the acquirer side or the merchant side. Extremely exorbitant fines are being assessed to the banks and acquirers for any and all security breaches. To top that off, the card issuers conduct random scans of all of the acquirers, and any bank or processor that fails these scans is subject to very heavy fines that add up to hundreds of thousands or even millions of dollars, depending on the size of the portfolio and the severity of the failure. Since these thefts, breaches, scan failures and the resulting fines can be so severe and detrimental, the banks and processors are all now being required to carry insurance, with extremely high premiums due to the high risk, to cover any potential losses.
And as if there wasn't already enough cost involved, the card issuers have instituted sporadic, industry-wide PCI compliance fees for all merchants on board, the cost of which is based on risk levels, portfolio size, scan results, merchant types, and the overall climate and risk of the industry as a whole. The bottom line is that the battle to limit credit card fraud and security breaches is very expensive, and it has had a significant impact on the banks' and acquirers' cost of processing credit cards.


1st National, I Payment and Wells Fargo have been spending a fortune on internet security, firewalls, software, systems updates, programming, etc. to ensure our customers, merchants, and all cardholders are completely protected and compliant with the most recent requirements. It has worked up to now, but it is a constant struggle. I Payment fends off about 10,000 attempted breaches of their systems every hour. That's higher than most US government websites, which is pretty scary. On top of all of that expense, they have invested a fortune in ensuring that all of our merchants are doing everything in their power to protect cardholder data, because, as mentioned previously, not only are we a target, you, the merchant, are as well. You can be sure that we have not taken this situation lightly and will continue to work to upgrade and secure our systems as well as our terminals, software and downloadable applications, to make sure you have the highest backend security available as well as all of the tools, education and information readily available to ensure that your and your customers' credit card data are safe and secure.


For more information on PCI Compliance please see below. If you have any questions regarding PCI DSS Compliance please contact us at support@1nbcard.com or toll free at 877-964-1622. We are here to help.


BUYER BEWARE: PLEASE READ BELOW

Please be advised that, although fraud prevention and PCI compliance are mandatory for every merchant accepting credit cards, the mandate does not necessarily render all terminal types obsolete for every merchant. For instance, a terminal may still be compliant for merchants processing credit cards and offline debit cards without collecting debit PINs, and only obsolete for PIN-based debit transactions. Many merchant service providers are taking advantage of the new PCI Compliance mandate and abusing it to force all of their merchants to upgrade their equipment to churn a profit, even when it is not necessary. To find out the truth as to whether or not your terminal is truly PCI compliant, or to get the most competitive prices in the industry on PCI Compliant credit card terminals, please e-mail us or call toll free at 877-964-1622.

Also, be sure to visit our Buyer Beware Series before purchasing a Merchant Account or Credit Card Machine.


PCI DSS Definition & Requirements

Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data. The Data Security Standard (DSS) was developed, and is maintained, by the Payment Card Industry Security Standards Council (PCI SSC). To be PCI compliant, companies must use a firewall between any wireless network and their cardholder data environment, use the latest security and authentication such as WPA/WPA2, change default settings including wireless privacy keys, and use a network intrusion detection system.

The PCI DSS standard, as of September 2009 (DSS v 1.2), includes the following 12 requirements for best security practices:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

[Source: PCI Security Standards Council]

The PCI DSS may also be called PCI compliance or PCI requirements.
