How Does Taking Credit Cards by Mail Work with PCI?

As is the case with taking credit cards by phone, receiving sensitive payment information by mail or fax can raise concerns in relation to your organization’s PCI compliance process. Why is it such an issue? Because when card data is handled manually, the corresponding security controls are as much…

Read More

PA-DSS and PCI DSS: Beware the critical difference!

“A QSA’s Deja Nightmare”

A QSA walks into a bar (or gas station chain, or retail organization, etc.) to perform a PCI assessment. The bartender/owner says, “We just have some policies for you! We use <<insert POS company name>> POS, and it is PCI…

Read More

PAN Storage and the PCI DSS

While the only Pan you might currently know is Peter, you should also get to know and understand the acronym PAN if your business accepts credit cards. PAN stands for Primary Account Number, and it is a key piece of cardholder data you are obligated to protect under the PCI…

Read More

Small Business and PCI Cost vs. Benefit

“Bureaucratic bull crap.” “A waste of my time.” “Simply not relevant.”

Many small business owners wonder why they would ever need to comply with a security standard like the PCI DSS. Some wonder quietly and some more vocally. Either way, it’s an important question to address, because every small…

Read More

Will EMV Make You PCI Compliant?

Many merchant acquirers, payment processors and Independent Sales Organizations (ISOs) have been reaching out to business owners to alert them of America’s 2015 migration from magstripe (i.e., “swipe”) credit/debit cards to EMV (i.e., “chip”) payment cards.

The new EMV cards will have much-needed, enhanced anti…

Read More

Merchants: Know Your Service Providers!

There’s an acronym we use in the payments industry: KYC. With KYC, which is Know Your Customer, we’re referring to ISOs’ and acquirers’ need to know the type of business each of their merchants conducts. If due diligence for KYC doesn’t take place, the ISO/acquirer could…

Read More

How Does Taking Credit Cards by Phone Work with PCI?

Many business owners have asked us how to accept credit card information over the phone in a PCI compliant manner. Some have even assumed that because there’s a human involved the activity must be non-compliant. The good news is that you can take credit cards over the phone…

Read More

3 Basic Ways to Avoid PCI Paralysis

Over the past several months, a barrage of news stories and opinion pieces has sent a worrisome message: The payment security war is being lost because PCI standards are failing us. This defeatist belief that the hackers have won and any business can be breached—or already has been—can…

Read More

Internal vs. External Vulnerability Scans: Why You Need Both

If you’re a merchant trying to get started with PCI compliance, you’re likely to hear the word “scan” from your acquiring bank or the PCI partner they’ve enlisted to help you with the process. In our conversations with merchants, we often find that there is an expectation…

Read More

The Top 5 Questions to ask a Prospective Penetration Tester

If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals. For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network…

Read More

PCI Compliance and the Service Provider

Today, even the smallest businesses are Internet dependent, as the ability to pass information “through the cloud” becomes increasingly desirable. The complementary growth in cloud-based services such as data hosting and payment processing has created a new breed of service provider. These service providers and their systems interact with…

Read More

Don't Be Fooled! There's No Such Thing as an Automated Penetration Test.

Many small merchants, having been told they need a “network penetration test,” will seek out the quickest and cheapest way possible to comply with this Payment Card Industry Data Security Standard (PCI DSS) requirement. This is certainly understandable, given most small businesses’ tight operating budgets and the growing number of…

Read More

Five Steps Before Using a Mobile Device to Accept Credit Cards

The taxi driver at the airport took your credit card using Square on an iPhone. The plumber that fixed your leaky pipes swiped your card on a PayPal device connected to an Android phone. And that posh restaurant where you impressed a client not only took your order on an…

Read More

Level 2 Merchants Beware: Your PCI Validation Process Could Be Changing

If your business processes between 1 million and 6 million credit card transactions annually and you accept MasterCard as a form of payment, your PCI validation process is probably about to change.

Up until June 30, 2012, virtually all Level 2 merchants (defined by both Visa and MasterCard as any…

Read More

PCI Compliance & Small Merchants: Whose Concern Is It Anyway?

Small merchants who want to accept credit cards as part of doing business can find themselves lost in a sea of information when it comes to PCI compliance.  While it can be frustrating, the Payment Card Industry Data Security Standard (PCI DSS) has a worthwhile goal, and that is to…

Read More

Security as a Checklist? Think Again.

The concept of summarizing Payment Card Industry (PCI) requirements into a simple checklist is a welcome one, especially for merchants without a dedicated security team and budget. These are usually merchants with less than one million in annual transactions and who only recently have been informed by their acquiring banks…

Read More