Reducing your risk exposure should be your main concern.
By Marc Decary
Manager Data Security, Compliance
Moneris Solutions
Ensuring the safety and security of your customers' information is important and can help your business create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line. Securing your customers' cardholder data is your responsibility.
All merchants that store, process, or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was first introduced in December 2004, and since that time all merchants have been required to comply with this standard to protect cardholder data and ensure the security of the payment networks. For full information on PCI DSS visit www.moneris.com/pci.
Over the past year there have been several high-profile security breaches in the media. This has made consumers more aware than ever of the security of their information. Experiencing a security breach can be devastating to a merchant. The fines and costs incurred due to the breach may have a serious financial impact on your business; most importantly, if the breach is made public, it may have a negative impact on your brand.
Here are the most effective ways to help reduce your risk:
- Do not store full magnetic stripe data.
It is prohibited to store the full contents of the magnetic stripe on a credit card. If you are storing this data, not only are you failing to comply with the PCI DSS, you are also putting yourself at high risk. The value of this data to hackers is very significant: with little effort, a duplicate card can be created that will appear indistinguishable from the original card during the authorization process.
- Do not store the card validation digit (CVV2/CVC2/CID).
The card validation digit (also known as CVV2/CVC2/CID) is the three-digit code on the back of a credit card. This code is used in a card-not-present transaction (mail order, telephone order, or e-commerce) to validate that the customer is in possession of the credit card. Storing this information is prohibited under the PCI DSS.
- Only store cardholder data that you need and protect it.
The only information that you are permitted to store is the card number, expiry date, cardholder name and service code. Store only the information you need. If you store any of this information, ensure that the data is protected in accordance with the PCI DSS.
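The three rules above can be enforced at the point where a transaction record is written to storage. The following is an added example (not code from the article or from Moneris) that audits a record before it is persisted: it drops and reports any CVV2/CVC2/CID or track-data field, scans string fields for embedded magnetic stripe track 1/track 2 data, and keeps only the four data elements the article says may be stored. The field names and the sample record are constructed for this example.

```python
import re

# Field names are constructed for this example; which fields are permitted and
# which are prohibited follows the article's list.
PERMITTED_FIELDS = {"pan", "expiry", "cardholder_name", "service_code"}
PROHIBITED_FIELD_RE = re.compile(r"^(cvv2?|cvc2?|cid|cvn|security_code|track[12]|magstripe)$")
# Track 1 (format B) begins with '%B', then the PAN, then '^' before the name.
TRACK1_RE = re.compile(r"%B\d{12,19}\^")
# Track 2 is the PAN, '=' as field separator, then YYMM expiry and service code.
TRACK2_RE = re.compile(r";?\d{12,19}=\d{4}")

def contains_track_data(value):
    """True if a string looks like raw magnetic stripe track 1 or track 2 data."""
    return bool(TRACK1_RE.search(value) or TRACK2_RE.search(value))

def audit_record(record):
    """Return (fields safe to persist, findings). Prohibited fields and any string
    embedding track data are dropped and reported; fields outside the permitted
    set are dropped so that only the data you actually need is stored."""
    clean, findings = {}, []
    for key, value in record.items():
        name = key.lower()
        if PROHIBITED_FIELD_RE.match(name):
            findings.append(f"prohibited data in field '{key}': not stored")
        elif isinstance(value, str) and contains_track_data(value):
            findings.append(f"magnetic stripe data found in field '{key}': not stored")
        elif name not in PERMITTED_FIELDS:
            findings.append(f"field '{key}' is not needed: not stored")
        else:
            clean[key] = value
    return clean, findings

# Constructed sample: a terminal dumped track 2 into a free-text notes field and
# the CVV2 from a phone order was kept alongside the permitted data.
SAMPLE = {
    "pan": "4111111111111111",
    "expiry": "2712",
    "cardholder_name": "J DOE",
    "service_code": "201",
    "cvv2": "123",
    "notes": "swipe ok ;4111111111111111=27122011234567890?",
}

if __name__ == "__main__":
    stored, issues = audit_record(SAMPLE)
    print("stored:", stored)
    for issue in issues:
        print("FINDING:", issue)
```

The same `contains_track_data` check can be run over existing databases, log files and backups to find stripe data that was captured unintentionally; the retained fields still need the protection the PCI DSS requires.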
Many merchants use third-party service providers or third-party payment applications to assist in processing payment transactions. It is imperative that you confirm that the services you obtain from these vendors support your PCI DSS compliance requirements.
A service provider is an entity other than a payment card brand member or a merchant that stores, processes, or transmits cardholder information. All service providers must certify their compliance with PCI DSS. Both Visa and MasterCard publish a list of compliant service providers on their websites. To view the lists, visit Visa Canada, Visa USA, or MasterCard Worldwide.
If you use software-based third-party payment applications to process your transactions, you must ensure that the applications support you in complying with the PCI DSS. Visa has developed the Payment Application Best Practice (PABP) as a means for software vendors to validate that their applications meet the appropriate security requirements to support merchants in complying with the PCI DSS. A list of payment applications that have validated their compliance with PABP can be found on the Visa website.
Marc Decary is highly experienced within the payment processing industry. He currently manages the card association compliance programs related to data security for our merchants.