Zen Dzign » credit card payment http://www.zendzign.com The official ZZ Servers Blog - Visit http://www.zzservers.com for your business hosting needs. Thu, 26 Jan 2012 05:59:54 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Understanding PCI Levels and Types http://www.zendzign.com/2009/06/understanding-pci-levels-and-types/ http://www.zendzign.com/2009/06/understanding-pci-levels-and-types/#comments Tue, 02 Jun 2009 13:19:57 +0000 Peter Zendzian http://www.zendzign.com/?p=26 Any merchant who accepts credit cards and has a merchant account must validate compliance. It does not matter if you use a 3rd party processor or if you outsource all of your credit card processing. It’s the ownership of the merchant account that defines if you must validate compliance. The only to avoid PCI compliance is by not having a merchant account. Below are some charts which will help you decide which category and merchant type your business fits into.

Merchant levels and Compliance Validation Requirements

PCI Merchant Levels
Level Description Validation Requirements
1
  • Any merchant, “regardless of acceptance channel, processing over 6,000,000 Visa transactions per year
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Any merchant identified by any other payment card brand as Level 1
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2
  • Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3
  • Any merchant processing 20,000 to 1,000,000 transactions per year.
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4
  • Any merchant processing fewer than 20,000 transactions per year.
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

Merchant Types

The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.

Self-Assessment Questionnaires and Validation Types
SAQ ValidationType Description SAQ
1 Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data
functions outsourced. This would never apply to face-to-face merchants.		 A
2 Imprint-only merchants with no cardholder data storage. B
3 Standalone dial-up terminal merchants, no cardholder data storage. B
4 Merchants with payment application systems connected to the Internet, no
cardholder data storage.		 C
5 All other merchants (not included in descriptions for SAQs A, B or C above), and
all service providers defined by a card brand as eligible to complete a SAQ.		 D

Service Provider Levels

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. Service provider levels are defined as:

Self-Assessment Questionnaires and Validation Types
Service Provider Level Description Validation Requirements
1 Processors or any service providers that stores, processes and/or transmits over 300,000 transactions per year.
  • Annual On-Site PCI Data Security Assessment validated Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.
  • Validated by Service Provider
  • Quarterly network scan by Approved Scan Vendor (“ASV”)

By using the charts above, you should be able to easily determine your level and validation type. Knowing this details will go a long way in guiding you through your compliance but it is important to partner with other qualified businesses for your service. ZZ Servers provides PCI focused hosted infrastructure designed for PCI compliance and includes many of controls and measures required for your business infrastructure to be fully compliant.

]]> http://www.zendzign.com/2009/06/understanding-pci-levels-and-types/feed/ 0 PCI Compliance and Receiving Credit Card Payments by Fax http://www.zendzign.com/2008/10/pci-compliance-and-receiving-credit-card-payments-by-fax/ http://www.zendzign.com/2008/10/pci-compliance-and-receiving-credit-card-payments-by-fax/#comments Fri, 31 Oct 2008 17:09:35 +0000 David M. Zendzian http://www.zendzign.com/?p=21 The low cost of web and email based fax delivery services may seem like a good way to save your business money but not if you receive credit card payments by fax. This would fall under the Payment Card Industry standard section 4 that requires transmission of cardholder data across open-public networks to be encrypted and section 12 for contracts that require partners or service providers who handle card data for your company be PCI compliant and accept all PCI security requirements. You will not find an affordable PCI compliant solution without using your own dedicated fax machine.

Many on-line fax services send received faxes by unencrypted email with cleartext (TIFF/JPG or PDF) attachments which are not PCI compliant. One reason for this is PCI clearly states that credit card numbers are not to be emailed in clear-text, they must be encrypted. A fax converted to PDF & emailed is not encrypted and if done that way then both the service provider and the receiver are non-compliant.  During an audit you can’t say you didn’t know, you signed up for the service knowing you were going to receive card numbers.

So, how do you receive credit card payments by fax? The first step is get a phone line w/a $50 fax machine from your local office supplier and come up with a security policy for how to secure the fax machine and incoming faxes. This is cheaper and easier to deal with than trying to make some digital systems PCI compliant. The fax needs to be classified as confidential and handled how your data retention policy dictates, assuming your retention policy is PCI compliant. An example would be a secured fax machine in accounting or other area set aside for receiving secure faxes. Additionally faxes containing credit card numbers need to be stored or archived properly and when disposed of, it needs to again follow your data retention policy and be securely destroyed (cross cut / incinerate, whatever:).

If your company is receiving card data on behalf of your customers, you are liable for all the paths it takes to get to you. Claiming you didn’t know or that it’s out of your hands is not enough when there are secure solutions. Don’t use a fax service unless they can send encrypted emails and securely purge the fax data when sent; otherwise get a real fax machine & secure it and instruct those who have access what it may contain and how to handle it appropriately, and yes training for your employees is a PCI requirement.

In the end, you will find a phone line with $50 fax from your local office supplier is cheaper and easier to deal with than trying to make some digital systems PCI compliant.

]]> http://www.zendzign.com/2008/10/pci-compliance-and-receiving-credit-card-payments-by-fax/feed/ 0