Largest indictment of credit card hackers to date
Posted on Wednesday, August 06, 2008 by Bryan Johnson
The Justice Department unveiled possibly its largest indictment of credit card data hackers yesterday. Nine people from the U.S., Estonia, Ukraine, China and Belarus are being charged with allegedly stealing over 40 million credit card records from nine retailers.
They stole the card data by running 'sniffing' programs both on wireless networks and on cash registers. Once captured, the criminals would load the data onto the magnetic stripe of blank cards and then withdraw cash from ATMs.
The financial institutions that issued the stolen cards take the large financial losses, because cardholders are not responsible for fraud; the issuers are. For example, the Justice Department reports that at one Dave & Buster's restaurant location the sniffing program captured roughly 5,000 cards, resulting in over $600,000 of losses to the financial institutions that issued those cards.
The affected retailers include Sports Authority, Office Max, BJ's Wholesale Club, Marshall's, T.J. Maxx and a few others.
Tax, Fuel, Debt, Recurring and GSA V/MC Interchange Updates
Posted on Wednesday, July 23, 2008 by Bryan Johnson
Visa & MasterCard have announced some pretty significant changes. Visa is out with two new categories, Debt Repayment and Government-to-Government; Tax Payment is officially coming out of pilot, and there are interchange reductions at the pump. MasterCard introduces a recurring billing 'preauthorized request', a great idea. All of these will be effective October 3rd, 2008:
Visa Updates
Debt Repayment - Programs for U.S. consumer auto loan, credit card, residential mortgage and student loan payments; debit cards only.
- Available for Financial Institutions Merchandise & Services, Non-Financial Foreign Currency, Money Orders (no wire transfers) and Travelers Cheques.
- Cannot be used for bad debt, uncollectible debt, charged-off debt or debt sold to collection agencies.
Fuel - Trying to reduce the pain at the pump (and appease angry gas station owners):
- Consumer Debit Cards: a maximum interchange amount is now in place, replacing what was formerly a discount rate and transaction fee that varied with amount.
- Consumer Credit Cards: lowered by as much as .50 bps on certain cards and consolidated into a single rate for 6 different card types.
- Automated Fuel Dispenser (AFD) Partial Authorization: POS vendors will be required to support this functionality by 10/3/08. As some context, when a consumer swipes a card today at an AFD, an authorization is done for $50 to check validity and availability of funds before the pump is approved. That is referred to as a 'Partial Authorization': if the consumer pumps only $40 of fuel against the initial $50 authorization, the merchant captures the $40. A problem with that method is that if a check card (Signature Debit) or pre-paid card is used and the card does not have the available funds, the transaction is denied. With Partial Authorization implemented, the issuer responds with the available amount instead of denying the transaction.
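To make the difference concrete, here is an added simulation of the flow just described (it is not code from the post or from any card-brand specification): a $50 pre-authorization before the pump is enabled, a capture for what was actually dispensed with the unused hold reversed, and the two issuer behaviours for a prepaid card holding less than $50, an outright decline versus a partial approval. The account model, response codes and function names are assumptions made for the illustration; amounts are integer cents.

```python
from dataclasses import dataclass

# Added illustration of the AFD pre-authorization flow described above.
# Amounts are integer cents to avoid floating-point rounding.
PREAUTH_CENTS = 50_00  # the $50 check done before the pump is enabled


@dataclass
class Account:
    """Constructed stand-in for the issuer's view of one card (hypothetical)."""
    available: int  # spendable balance or open-to-buy, in cents


def authorize(account: Account, requested: int, partial_auth: bool):
    """Issuer side. Returns (approved_cents, response_code).

    Without partial authorization a card holding less than the requested
    amount is simply declined. With it, the issuer approves and holds
    whatever is available and signals that the approval is partial.
    """
    if account.available >= requested:
        account.available -= requested          # place the hold
        return requested, "APPROVED"
    if partial_auth and account.available > 0:
        approved = account.available
        account.available = 0                    # hold everything that is left
        return approved, "PARTIAL"
    return 0, "DECLINED"


def pump_and_capture(account: Account, wants_to_pump: int, partial_auth: bool):
    """Merchant (AFD) side: pre-authorize, dispense no more than was approved,
    capture what was dispensed and reverse the unused part of the hold."""
    approved, response = authorize(account, PREAUTH_CENTS, partial_auth)
    if approved == 0:
        return {"response": response, "dispensed": 0, "captured": 0}
    dispensed = min(wants_to_pump, approved)     # pump cuts off at the approved amount
    account.available += approved - dispensed    # reversal of the unused hold
    return {"response": response, "dispensed": dispensed, "captured": dispensed}


if __name__ == "__main__":
    # Credit card with ample open-to-buy: $50 hold, $40 pumped, $10 released.
    print(pump_and_capture(Account(200_00), 40_00, partial_auth=False))
    # Prepaid card holding $30, issuer without partial authorization: declined at the pump.
    print(pump_and_capture(Account(30_00), 40_00, partial_auth=False))
    # Same card, issuer supporting partial authorization: $30 approved and dispensed.
    print(pump_and_capture(Account(30_00), 40_00, partial_auth=True))
```

The third case is the one the new rule addresses: the same $30 prepaid card that was turned away at the pump is instead approved for $30, and the dispenser limits the sale to that amount.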
Tax Payments - Visa has had this program in pilot mode for several years now:
- Merchants are required to register for this - no sign up fees before April 1, 2009.
- Existing interchange rates will apply.
- Interchange rate of $2.50 will apply to qualified consumer debit transactions.
- Service or convenience fee may be assessed. Fee can be variable for consumer credit and commercial cards but a flat fee must be charged for consumer debit transactions and may not exceed $3.95 (could they make it any more difficult?)
Commercial Card GSA - Introduction of Government-to-Government interchange program (G2G). Level II & III data is not required.
- $5,000 minimum has been removed.
- Special interchange rate for transactions over $8,750 is removed, with the interchange rate increasing .25 bps and $4.
- GSA Purchase cards will not be available for Commercial Card Level III rates.
MasterCard
Test transaction for Recurring Billing
- $1 authorization for account status before requesting full amount authorization. (nice work whomever came up with this idea!)
- What's going on MasterCard? Only 1 Update?
Merchant Account Basics
Posted on Friday, July 11, 2008 by Bryan Johnson
There is a lot of confusion surrounding credit card processing and merchant accounts. Some of the most common areas of confusion are the different types of organizations that sell the services, what entities actually process the transactions and the fees and pricing structures that continue to form an unsolvable mystery for most merchants. I'm going to provide a broad overview that will hopefully help make sense of this complicated industry.
The necessity of merchant accounts
Some merchants prefer accepting credit cards because they are a much more convenient and cost-effective way of collecting payments from customers. Others, while they may still find it convenient, struggle to pay the relatively high fees on their already-thin margins. Either way, merchants can make a number of improvements in their credit card processing by becoming more informed.
Providers of merchant accounts
If you want to get a new merchant account or switch from your existing provider, one thing is for sure: there is no shortage of companies that are anxious to earn your business. You can find merchant service providers by looking in the yellow pages, searching online, talking to your bank, or just waiting for the next sales person to either call you or walk into your business (which shouldn't be long). The key is choosing the RIGHT provider for your business.
Not all service providers are made equal
There are really two types of merchant service providers: processors and resellers (resellers are known in the industry as Independent Sales Organizations (ISOs) and/or Merchant Service Providers (MSPs)). Your first thought is probably that you would rather go with a processor to cut out the middleman, but I'll show you why it's not that clear-cut. Before I started Braintree, I worked for a processor and saw first hand some of the limitations they had in providing solutions to merchants. I'll provide more detailed descriptions of both options and then offer an assessment of their differences.
1) Processors - Also known as Acquirers, processors are distinguished by their ability to actually process a transaction. To be a processor, a company must have the technical capability to receive transaction data from a merchant via a telephone line or the internet and then communicate with the appropriate financial institutions to approve or decline transactions. Processors must also be able to settle completed transactions through financial institutions in order to deposit funds into the merchant's bank account.
The processing industry is highly concentrated with the top five processors maintaining over 70% of all transaction volume. Processors can be banks or non-banks. While processors do maintain a direct sales force of their own, they primarily work through ISOs to acquire and maintain their merchant base. A processor's business model is really one of economies of scale. They're volume shops. They essentially outsource the sales function to ISOs. I don't have data on this but I would guess that over 80% of the 7 million U.S. merchants work with an ISO.
Below is a simple diagram of the transaction flow. I took the liberty of putting my company in the value chain, but because Braintree is an ISO, there is a processor behind the scenes doing the actual transaction processing. Because almost everything is private labeled, it's difficult for most merchants to discern whether their service provider is a processor or an ISO. Be careful not to be improperly influenced by this. Most sales people use the 'we are the processor' line to gain additional credibility when in reality it doesn't really matter.

2) ISOs - ISOs resell the products or services of one or multiple processors. They can also develop their own value-added products and services or aggregate those of others. ISOs range from a little sketchy to best-in-class providers.
There are two types of ISOs:
a. Banks - Banks of all shapes and sizes are ISOs. Wells Fargo, for example, is an ISO of First Data. Your local community bank and the large regional banks are most likely ISOs. Banks entered the merchant services business because it was a natural fit with their product and service offerings; it's a way to increase revenue per customer. Most, but not all, banks private label the services, so it's difficult to distinguish whether they are a processor or an ISO. The benefit of working with a bank is that you can consolidate your financial services. The drawback is that you usually get out-of-the-box solutions and service.
b. Non-banks - These types of ISOs range from some of the most dynamic and capable providers to firms who don't represent the industry very well.
Industry Dynamics
There are a few dynamics that make the industry landscape quite interesting. First, there are very few barriers to entry, due to the lack of certifications, licenses, and capital requirements. Secondly, there really is no active regulatory body that oversees and enforces acceptable practices. So naturally, given these two market conditions, merchants need to be mindful and thorough in selecting a provider.
Processors versus ISOs
In comparing the two, ISOs offer all of the products and services that processors do (because they are reselling), but processors can't always offer the same products and services as ISOs. This is because ISOs can resell for multiple processors and can either develop their own technologies or aggregate solutions from other providers. ISOs have largely been the most successful creators of value-added services, while attempts by processors have usually been pretty clunky. ISOs also tend to be smaller, which usually (but not always) leads to better customer service.
Processors are usually a safer bet for newer merchants that are still learning about the industry. Most still maintain what I consider less-than-upfront pricing practices, but with their services it is less common to hear about some of the more serious problems that merchants encounter when they deal with the wrong ISO. As for price, in most cases, there really is very little to no difference. I argue, and fully disclose my vested interest, that in nearly any situation a best in class, non-bank ISO can provide more value than a processor. For some other considerations about what to bear in mind when evaluating different providers, you can read How to choose a merchant service provider.
Business specific merchant accounts
The rates, terms, and conditions of your merchant account will largely depend on your type of business and the provider you choose. Business types are first divided into two buckets: card present (swiped) and card-not-present (non-swiped). Card present merchants, such as restaurants and brick and mortar retailers, are low risk and have fairly simple needs. Card-not-present merchants are much more difficult because the risk level is substantially higher when people are transacting business via the internet, telephone, etc. Other risk factors that will affect your merchant account are the types of goods that you're selling, delivery times, whether or not a deposit is required, and about 20 other variables. Most underwriting groups use some sort of actuarial model to determine their guidelines.
To give you an idea of one risk merchant service providers face, here is an example. Let's say that you sell $100,000 in books online. Within 48 hours of selling those items, the customers' money is deposited into your bank account. If you take that $100k and skip town without shipping the books to the people who bought them, the merchant service provider is stuck with the $100k bill, because customers are going to contest the charges with their banks and win. So for a few hundred dollars a month in revenue, the risk had better be pretty manageable for the provider.
Paperwork and underwriting
Most companies have a two-page application that requires you to fill out both personal and business information. Many people are justifiably concerned about giving out personal information, including their social security number. However, unless you are publicly traded or a non-profit, I don't know of a merchant provider that will underwrite a business without it. When asked why all of the personal information is needed, most companies will point to the Patriot Act, passed by Congress shortly after 9/11. It basically requires all financial institutions, which include credit card processors, to collect specific identifying information about their customers. You will also be required to sign a personal guarantee before the application is approved.
Most business owners will respond that they incorporated so that they wouldn't be required to sign a personal guarantee. The underwriter will respond by asking why they should have more faith in your business than you do. Both sides have valid points. I think that the issue boils down to whether or not the business will deliver the goods or services that were purchased under the accepted terms and conditions. The personal guarantee is not so much useful in collecting money as it is a deterrent against fraudulent and irresponsible behavior.
Be Careful
As you can see in this very high-level introduction to the industry, there are a lot of complexities and much to learn. You can also read my post on Some advice to help you avoid common mistakes.
PCI DSS Requirement 6.6 - Code Review or Web Application Firewall (WAF)
Posted on Thursday, July 10, 2008 by Bryan Johnson
The deadline to comply with PCI DSS Requirement 6.6 was June 30th, 2008. Merchants have been given two options:
1. Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
2. Install an application-layer firewall in front of web-facing applications.
The driver behind this new requirement is that a large percentage of credit card breaches are due to SQL Injection, Cross-Site Scripting (XSS) and Buffer Overflow attacks. The intent of this requirement is to eliminate those vulnerabilities, which would contribute to a significant reduction in breaches. Here is the Information Supplement supplied by the PCI Security Standards Council.
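As an added illustration (not code from the post or from the PCI Council's supplement), the snippets below show the first two vulnerability classes named above in the form a Requirement 6.6 code review is meant to catch, each beside the fix a reviewer would ask for: a query built by string concatenation next to a parameterized one, and an HTML fragment that interpolates user-supplied text next to one that output-encodes it. The in-memory customer table, the column names and the sample inputs are constructed for the example.

```python
import html
import sqlite3


def make_customer_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a merchant's customer store.
    Only the last four digits of the card are kept, as the standard permits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "0004"), ("carol@example.com", "4444")],
    )
    return conn


# --- SQL injection: the finding a 6.6 code review is meant to catch ---------

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation, so the caller's input
    becomes part of the SQL text. A quote character in the input changes the
    query instead of being searched for."""
    sql = "SELECT email, last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the input is bound as a value by the driver and
    can never alter the statement's structure, whatever characters it holds."""
    return conn.execute(
        "SELECT email, last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# --- Cross-site scripting: untrusted text written into HTML -----------------

def render_vulnerable(display_name: str) -> str:
    """Interpolates user-supplied text straight into markup."""
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name: str) -> str:
    """Output-encodes the text so the browser shows it as text, not markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_customer_db()
    probe = "x' OR '1'='1"   # constructed input with an embedded quote
    print(len(lookup_vulnerable(conn, probe)), "rows from the concatenated query")   # 3
    print(len(lookup_hardened(conn, probe)), "rows from the parameterized query")    # 0
    print(render_hardened("<b>carol</b>"))
```

The parameterized lookup returns no rows for the probe because the driver compares the whole string, quote and all, against the email column; the concatenated version returns every customer because the quote closed the literal and the rest became SQL. A web application firewall, the requirement's second option, sits in front of the application and tries to block such inputs before they reach code like `lookup_vulnerable`, which is why the Council treats the two as alternatives.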
What does it cost to become PCI Compliant?
Posted on Wednesday, June 25, 2008 by Bryan Johnson
The cost of becoming PCI DSS Compliant depends on a number of factors including your business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices. Gartner estimates that during 2007, the nation's largest merchants, classified as Level 1 (processing in excess of 6 million transactions of a single card type per year), will spend $125,000 assessing the scope of required PCI-related work and another $568,000 to meet the requirements.
As an example, Robin Sidel and Pui-Wing Tam of the WSJ recently reported that Guitar Center, a national retailer with 210 stores, spent nearly $500,000 to become compliant. Gartner also concluded that Level 2 merchants, those processing between 1 and 6 million annual transactions, will spend $105,000 to determine scope and another $267,000 for compliance. Level 3 merchants, processing between 20,000 and 1,000,000 e-commerce transactions, are expected to spend $44,000 assessing and $81,000 for compliance. The costs for Level 4 merchants, those doing fewer than 20,000 e-commerce transactions or up to 1,000,000 non-e-commerce transactions, vary widely.
Only Level 1 merchants are required to have an on-site audit. Levels 2, 3 and 4 need to fill out the Self Assessment Questionnaire and sign up for a quarterly scan to check vulnerabilities on all outward-facing IP addresses. A rough estimate for the scans is $150 to $2,500 per IP address per year.
Other costs may include software and hardware upgrades if information is stored in house. Gartner estimates that a company with 100,000 credit cards on file will pay $6 in encryption costs per card. Alternatively, merchants can use technologies such as tokenization, where the data is stored remotely; these typically carry per-transaction fees instead of upfront costs. All of these estimates exclude the cost of labor and the opportunity cost of pursuing other profit-making endeavors.
Smaller restaurants and retailers that only have a single terminal or POS system are still required to become compliant. Both need to fill out the Self Assessment Questionnaire, but the compliance process is usually much less involved. Merchants that use POS systems to process credit cards need to make sure they are not improperly storing prohibited card data and need to verify that their vendor is PABP compliant (soon to become PA-DSS). To verify that your POS system is not storing prohibited information and is compliant, see the updated list published in November 2007. Some merchants, such as Brad Friedlander, a restaurant owner in Cleveland with two stores, have paid $50,000 on technology upgrades to become compliant. Any merchant that accepts, stores, or processes credit card information is required to already be compliant.
The Card Associations have set specific dates by which merchants need to validate compliance. Level 1 merchants were required to validate compliance by 9/30/07. Level 2 merchants are expected to validate compliance by 12/31/07. Level 3 and 4 validation deadlines will come, but at this point they have been left to each merchant's acquirer to determine. Not only is becoming compliant not optional, but the Card Associations have threatened larger merchants with monthly fines until compliance is obtained. They've also threatened to increase the cost of interchange, which would increase these merchants' processing costs. But perhaps most importantly, the Card Associations will levy fines and penalties if a merchant is not PCI Compliant at the time of a breach. The fines can be devastating to merchants. I've written about two breaches, both of which had significant consequences. One merchant is large, the other is small.
In addition, merchants face remediation and discovery costs that can be just as costly, if not more so, than the fines. For a cumulative number, Gartner estimates that the cost of a data security breach can range from $90 to $305 per customer record. Some merchants are frustrated by the PCI requirements, while others see them as basic security requirements that should already be in place. A common misconception is that compliance equals security, but a number of recent breaches have proven that not to be the case.
Where do credit card fees come from?
Posted on Thursday, June 12, 2008 by Bryan Johnson
It is known by some, but not all, that businesses pay fees in order to accept credit cards as a form of payment. In fact, over 7 million merchants in the U.S. accept credit cards. During 2006 they collectively paid over $30 billion in credit card acceptance fees.
Despite the size of the industry, it’s a mystery to most who is pocketing all this money and how prices are determined and reported. I had a CPA tell me the other day, “I’m a smart guy. I understand numbers, pricing and reconciliation, but for whatever reason I just cannot get my head around credit card processing fees and the unbelievably complicated way companies report them.” He’s not alone. Hopefully this article will clear up some of that confusion as I provide some context about where credit card fees come from, who’s making the money, and how fees and rates are determined.
Issuing Financial Institutions make roughly 85% of all credit and debit card processing fees
The financial institutions that issue credit and debit cards are the biggest beneficiaries. Some financial institutions, such as banks, co-issue debit and credit cards with Visa and/or MasterCard, while others, such as American Express and Discover, issue them directly (though now, after years of litigation, some banks are issuing American Express cards to cardholders). Visa and MasterCard are now public membership associations owned by the issuing banks, and collectively own roughly 75% of the credit cards in the market. For example, Visa is a membership association of over 13,000 banks nationwide.
These issuing financial institutions make money every time a card they issued is used to purchase something. For example, let’s assume that a business is paying an effective rate of 3.5% to accept credit cards (that 3.5% is usually comprised of a discount rate and a per transaction fee but I just used a flat rate for simplification purposes). Roughly 85% of that 3.5% is going to the issuing bank. The remaining 15% is divided among Visa or MasterCard, the credit card processor, and if there is one, the Independent Sales Organization (ISO).
How do financial institutions justify their fees?
Credit card usage has seen explosive growth in the past 20 years for a number of reasons. Benefits of using plastic include 15 to 45 days to pay for purchases, rewards, a line of credit for extra spending power, fraud protection, a monthly accounting of all purchases and general convenience. The use of Purchase Cards by corporations and the government (GSA) has also been growing rapidly, to lower costs and to streamline Accounts Receivable and Payable.
Some of the costs these financial institutions incur in providing and maintaining cardholders include fraud, bad debt, customer support, rewards and other perks, and float (they pay for your purchases before you pay them). Usage rewards alone account for roughly 40% of the fees they generate and end up back in the pockets of cardholders. They fiercely compete for new cardholders primarily on their rewards programs.
Continuing our example from above, if you buy movie tickets for $20 and the movie theater is paying 3.5%, the financial institution that issued that credit card would make about $0.60 ($20 × 3.5% = $0.70; $0.70 × 85% ≈ $0.60). Visa and MasterCard add their respective fees of .0925% and .0950% on top of what the banks charge (note: that’s 9.25 and 9.50 basis points; 100 basis points equals 1%). Adding the fees from the bank and Visa or MasterCard together forms what is called ‘interchange’.
You now understand why you find a credit card offer in your mailbox everyday. Outside of the 18% interest rates, annual fees, and late fees, being a card issuer is a lucrative business! The issuing institutions are making money on both the front and back end.
That seems simple enough, why does everyone say it’s so complex?
From a high level, the rate structure seems pretty simple, but it gets messy fast once we get into the details. There are over 100 different interchange ‘rates’ or ‘categories’. The particular rate that is charged on any given transaction depends on a number of variables, including:
1) The type of card that is used in the transaction, i.e. debit, credit, rewards, business card, international, etc.
2) Where the card is used, i.e. restaurant, retail, gas, business to business, ecommerce, etc.
3) The method of usage, i.e. swiped, over the phone, or via ecommerce.
4) What information the business captures during the transaction, i.e. name, address, tax ID, tax amount, unit description, etc. (the information required is a whole other layer of complexity).
5) When the transaction is submitted to the processor for settlement and funds transfer after the initial authorization.
As you can see, it’s a very complicated matrix. Very few people, including those who’ve been in the industry for years, really understand interchange.
Qualifying for different rate categories and getting hit with downgrades
Merchants can often do more than they think to better manage the credit card fees they pay. For example, transactions can be ‘downgraded’ (penalized) when they don’t meet interchange requirements. Example reasons for downgrades include not capturing the correct information when processing (such as billing zip), settling the transaction after a certain period of time, not swiping the card, and many more. Learning how to recognize these penalties and then making the appropriate adjustments can help you lower the fees you pay.
One downgrade example: if a restaurant employee hand-keys a credit card number into the point of sale system because the magnetic stripe can’t be read, the transaction falls into a different and higher rate category. The transaction is penalized because ‘non-swiped’ transactions carry more risk and therefore higher interchange fees. The increase in rate can be significant, ranging from 30 basis points to 2% or more, depending on how the service provider has the account priced.
Different rate categories and downgrades are the dirty little secret of merchant service providers. It’s where they make most of their margin, because they offer artificially low rates and don’t disclose the higher markups on transactions that don’t fall into a specific rate category. Too many merchants fall for this and think they’re paying the single, highly competitive rate that was advertised.
A quick search of merchant service providers will demonstrate that non disclosure of fees is a standard practice. See two examples here.
The undecipherable monthly credit card statement
As icing on the cake, the unreadable format most merchant service providers use to present this information to you each month doesn’t help. Of course, the format used is not because they have no other option; it’s because that’s what makes them the most money.
The frustration with credit card fees
Some merchants accept credit cards because they find them an easier and more efficient method of accepting money from customers. Most merchants, however, accept them because they have no other choice. Many merchants and advocacy groups have cried foul lately, with Visa and MasterCard increasing ‘interchange’ fees over 117% in the past five years while maintaining over 75% market share. The Card Associations have been accused of being monopolistic.
Interchange has come under increased pressure lately
A few years ago, Wal-Mart won a class action lawsuit against Visa and MasterCard. They claimed that debit card interchange was being improperly priced because it had the same interchange rate as credit cards. Among other things, they argued that debit cards should have a lower interchange rate because money comes directly out of the cardholder’s account, versus a credit card, where there are 15 to 45 days between purchase and payment. The courts agreed and awarded Wal-Mart and other retailers billions of dollars in compensatory damages. There are currently a number of other legal battles against the Card Associations surrounding interchange.
ACH and e-check validation and processing
Posted on Friday, May 30, 2008 by Bryan Johnson
E-checks and ACH debits are not direct alternatives to credit cards as payment types. This is primarily due to their respective validation and authorization capabilities.
With a credit card, a merchant can submit a request to the issuing financial institution and the approval or decline is returned in under 3 seconds. That 'authorization amount' is then guaranteed to the merchant for up to 30 days (depending on the institution and card type). With an e-check or ACH debit, there is no real-time validation capability.
The closest thing to it is 'networks' owned by bank and company conglomerates that serve up a 'scoring' system based on shared data. They use this information to make their best prediction regarding whether an account is open or closed. If there is insufficient information to provide a score, that response is provided as well.
These networks typically cover a high percentage of financial institutions (~95%). The most important thing to note, however, is that no e-check or ACH validation service verifies sufficient or insufficient funds. Even if it could, an authorization request can't 'hold' or 'guarantee' the funds like a credit card transaction. These limitations are why e-check and ACH payment methods have not been as widely adopted as credit cards.
They are great payment types for 'trusted' payments such as recurring billing for gym memberships, utilities, etc., but inadequate for ecommerce or other 'arm's length' transactions. Realizing these shortcomings, the industry has been trying to get its foot in the door by coming up with a better solution. One such approach allows consumers to choose to pay via their online banking. When that option is selected, the merchant redirects the consumer to their own financial institution's website, where they log in and complete the payment.
Thumbs up for the innovation, but as a consumer, I love my credit card and the convenience and protection it provides. It's certainly a hot topic right now and will be interesting to watch how this plays out.
PCI DSS Compliance basics for credit card data security
Posted on Friday, May 23, 2008 by Bryan Johnson
PCI DSS is an industry-mandated security standard that applies to all businesses that handle, process or store credit card data.
There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things:
1) all merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed);
2) merchants cannot store certain credit card information, including CVV2, CVC2 and CID codes (the three- or four-digit numbers), track data from the magnetic stripe, or PIN data;
3) if permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
A number of recent high-profile breaches have been raising awareness of the risks associated with PCI Compliance.
The motivation to become compliant
The major credit card companies have provided both carrots and sticks to compel merchants to achieve and maintain compliance. The incentives include 'safe harbor' from certain penalties and fines if a merchant is compliant at the time of a breach.
Without compliance, if a merchant is breached and has credit card information stolen, PCI-related fines can be as high as $500,000 per incident, depending on the size of the breach. In severe cases, merchants can even be given the 'Death Penalty,' preventing them from accepting credit cards. In all, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 per record (see graph below).
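The storage rules above, and the advice in the earlier post on compliance costs to verify that a POS system is not storing prohibited card data, call for the same practical check, so here is one added example that serves both (it is not code from this blog or from any PCI tool): a scanner that reads POS log lines and flags the items the standard says must never be stored (Track 1 and Track 2 data, card verification values) as well as cleartext card numbers, which it confirms with the Luhn mod-10 check so that ordinary IDs and timestamps are not flagged, plus a redactor that strips the prohibited fields and masks card numbers to their last four digits. The log lines are constructed, the card numbers are the industry's published test numbers, and the regular expressions and function names are the example's own.

```python
import re

# Constructed POS log sample (not real card data; PANs are the industry's
# published test numbers). Lines 2 to 4 hold data PCI DSS forbids storing.
CONSTRUCTED_LOG = [
    "2008-07-10 12:01:03 sale ok amount=42.10 auth=123456 pan=411111******1111",
    "2008-07-10 12:01:05 debug raw=%B4111111111111111^DOE/JANE^101210100000?",
    "2008-07-10 12:02:17 debug raw=;5500000000000004=101210100000?",
    "2008-07-10 12:03:44 sale ok amount=9.99 cvv2=123 pan=5500000000000004",
    "2008-07-10 12:04:00 heartbeat id=1234567890123456 status=up",
]

# Track 1: start sentinel %, format code B, PAN, ^ name ^ YYMM expiry ..., end ?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: start sentinel ;, PAN, = YYMM expiry ..., end ?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
# Card verification values under the names the post lists.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Any 13- to 19-digit run that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Mod-10 check every card number passes; screens out IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_prohibited(line: str) -> list:
    """Kinds of card data found on one line: 'track1', 'track2' and 'cvv' may
    never be stored; 'pan' is a cleartext card number, which may be stored
    only under the protections the standard requires."""
    kinds = []
    if TRACK1_RE.search(line):
        kinds.append("track1")
    if TRACK2_RE.search(line):
        kinds.append("track2")
    if CVV_RE.search(line):
        kinds.append("cvv")
    if any(luhn_valid(m.group(0)) for m in PAN_RE.finditer(line)):
        kinds.append("pan")
    return kinds


def redact(line: str) -> str:
    """Remove track data and verification values; mask PANs to the last four."""
    line = TRACK1_RE.sub("[TRACK DATA REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK DATA REMOVED]", line)
    line = CVV_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    return PAN_RE.sub(
        lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:]
        if luhn_valid(m.group(0)) else m.group(0),
        line,
    )


def scan_log(lines) -> list:
    """Per-line findings, in input order."""
    return [find_prohibited(line) for line in lines]


if __name__ == "__main__":
    for line, kinds in zip(CONSTRUCTED_LOG, scan_log(CONSTRUCTED_LOG)):
        if kinds:
            print(kinds, "->", redact(line))
```

Run against a POS vendor's debug or transaction logs, a scan like this gives a quick answer to the question the earlier post raises: whether the system is quietly writing track data or CVV2 values to disk. The Luhn filter is what keeps the last line, a 16-digit device ID, out of the findings.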
The Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who created it?
While Visa and MasterCard originally developed it, as of September 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.
Why was it created?
It was created in response to a spike in data security breaches over the last few years. A large number of both small and large businesses have been breached, including TJX, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.
Who's at risk?
Any business that processes, transmits, or stores credit card information. While the publicity around security breaches has recently focused on larger companies, Visa reports that the majority of breaches occur at small businesses.
What are the 12 mandated security requirements?
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
What credit card information can and cannot be stored?
Cardholder name, card number and expiration date may be stored, but only under the protection controls of Requirement 3. The card verification code (CVV2, CVC2 or CID), the full magnetic-stripe track data and PIN data may never be stored after authorization, even in encrypted form.
How much does it cost to become compliant?
It depends on business type, credit card processing and storage practices and existing IT environment. Read here for a more complete overview.
What do merchants have at risk if credit card information is breached?
- Fines up to $500,000 per incident
- Remediation costs estimated at $90 to $302 per record
- Potential customer lawsuits
- Company reputation and brand damage
Are there different requirements for large and small businesses?
Yes. Merchants belong to one of four levels, determined by annual transaction volume. The volume that counts is the number of transactions of a single card brand per year, not the total across brands: a merchant doing 5,000,000 Visa and 2,000,000 MasterCard transactions annually, even though the two together equal 7,000,000, qualifies as Level 2.
Definitions of the validation requirements referred to above:
On-Site Security Audit
The audit must be completed by Level 1 merchants. Merchants can choose to complete the audit internally or hire an outside Qualified Security Assessor to complete the Report on Compliance (ROC). PCI Security Audit Procedures & Reporting
Self-Assessment Questionnaire (SAQ)
Initially the Council had a one-size-fits-all SAQ, but it proved too challenging and complicated for the different types and sizes of merchants. In February 2008 the Council released four versions of the SAQ to better match merchant profiles. Here is a summary:
- SAQ A: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.
- SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.
- SAQ C: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the Internet.
- SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ, and to those merchants who do not fall under the types addressed by SAQ A, B or C.
Network Vulnerability Scans
The PCI standard requires merchants to have all externally facing IP addresses scanned quarterly by an Approved Scanning Vendor (ASV). These addresses are reachable from the Internet, so any service listening on an open port is exposed to attack. The SAQ identifies and mitigates risk from the inside (behind the firewall), while the external scans identify and mitigate risk from the outside.
Validation Dates
The Card Associations have set specific dates for validation. Level 1 merchants were required to validate compliance by 9/30/2007, Level 2 by 12/31/2007, and the Level 3 and 4 deadlines are processor/acquirer specific.
How to Get Started
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area.
2. Determine your merchant level (1-4).
3. Determine which SAQ your organization will need to complete.
4. Evaluate whether your organization will try to achieve compliance internally or engage with a Qualified Security Assessor (QSA).
5. Engage with an Approved Scanning Vendor (ASV) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced.
7. Immediately address any significant deficiencies discovered during the assessment or scan.
8. Retain records of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.
What should you do if breached?
In the event of a security incident, merchants must take immediate action to:
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
2. Alert all necessary parties. Be sure to notify:
   - Merchant account provider
   - Visa Fraud Control Group at (650) 432-2978
   - Local FBI office
   - U.S. Secret Service (if Visa payment data is compromised)
3. Provide the list of compromised Visa account numbers to the Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report.
Here is a step-by-step guide from Visa - What To Do If Compromised.
Additional resources: RSPA, a non-profit organization, produced a 12-minute video aimed at educating smaller restaurant and retail merchants about PCI compliance and the risks of non-compliance.
Other related posts:
PCI DSS Compliance and the cost of a credit card breach
PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ)
Vulnerability and security assessment scans for PCI DSS Compliance
Braintree solutions: The Smart Approach to PCI DSS Compliance
Credit card validation
Posted on Monday, May 19, 2008 by Bryan Johnson
In a card-not-present environment, there are two levels of credit card validation. First is the Luhn algorithm, also known as a 'mod 10' check. The Luhn check verifies that the last digit of the card number is the correct check digit, so it catches a mistyped or transposed digit before an authorization is ever sent; whether the number's length and leading digits fit a particular card type is a separate, equally local check. Neither tells you that the account exists or belongs to the customer. I'd say almost all payment processing systems have this in place as a standard offering.
If merchants want to validate the card further, they can send an authorization request to the issuing bank that includes 1) the billing address, for address verification (AVS), and 2) the CVV2, the three- or four-digit code printed on the card. The bank's response carries match or mismatch codes for the street address, the ZIP code (5 or 9 digits) and the CVV2.
In most payment processing systems merchants can configure acceptance or denial rules so that a transaction whose authorization returns a mismatch on billing address, ZIP or CVV2 is automatically accepted, declined or flagged for review.
Merchants that want to validate a card when accepting a new customer, without charging them, can run a $1.00 authorization, which will usually fall off the card in a few days. Note, however, that there is no standard for how long an authorization hold stays on a debit or credit card. Issuing banks determine the exact duration; most holds last between 3 and 10 days, but some last up to 30. If a merchant accidentally authorizes a card 10 times for $1,000 and ties up a customer's entire credit limit, the merchant can void (reverse) the authorizations, or the customer can call the issuing bank and ask to have the holds released.
A few other related points:
1. AMEX recently stopped returning CID (their version of CVV2) responses, leaving address verification as the only validation tool.
2. CVV2 does not affect credit card rates.
3. CVV2 data cannot be stored.
PCI DSS Compliance Charge On My Merchant Statement?
Posted on Thursday, May 08, 2008 by Bryan Johnson
Most merchants gave up trying to read their monthly credit card processing statements a long time ago because of how unbelievably complex most providers choose to make them.
For those merchants that occasionally look at them, they may be surprised to see a new 'PCI DSS Compliance' fee in the amount of $4 to $20 per month. This fee is a bit perplexing to me because the merchant account provider, in all the cases I'm familiar with, is not actually providing any product or service to the merchant related to PCI DSS Compliance.
If a merchant gets breached, the Card Associations fine the acquirer and then the acquirer passes the fine down to the merchant. So while the Card Associations have put the responsibility on the processors to make sure that their merchants are compliant, the merchant is ultimately responsible for becoming compliant and paying the fines if breached. So why again are merchant account providers charging businesses this fee?