Due to security breaches over the past few years in which companies have had their credit card information stolen, Visa and MasterCard have developed security guidelines to protect merchants, processors and cardholders from future security breaches.

These guidelines, the PCI DSS (Payment Card Industry Data Security Standard), apply to ALL merchants, regardless of size or number of transactions, who accept, transmit or store any cardholder data. Merchants that do not follow these guidelines are subject to penalties, fines and possibly exclusion from credit card processing.

Read a description of some of the steps you need to take to become PCI compliant.

PCI DSS has important implications for us, the software developers, as well as for you, the merchant. Because of the way that PC Charge handles credit card information, continuing to support it would require us to go through regular PCI audits, the fees for which are typically in the range of $10,000 to $15,000. This has left us with two options:

  • continue to support PC Charge and increase the EVE license fee, or
  • find alternatives to PC Charge.

We have therefore made the difficult decision to phase out support for PC Charge.

For EVE users in North America, we have sought out and integrated into EVE 5.6 two excellent alternatives: Transport and X-Charge. Both of these solutions take EVE 'out of scope' of PCI compliance while allowing EVE to continue seamlessly processing credit cards in a similar way to before. As in previous versions of EVE, you will initiate a credit card transaction by clicking on a button on the Payments tab of an Invoice. But instead of an EVE form being presented, you will in future swipe the card directly into a Transport / X-Charge form that pops up instead. So, from the user's perspective, not much will change. In fact it will work rather better than before as, in EVE 5.6, it is now possible to attach a suitable PIN pad device and process debit cards as well as credit cards.

The main change will come in the data that is stored in the EVE database. Previously, EVE could be configured to save the full credit card number and expiry date. In future, EVE will only save the last 4 digits of the credit card number entered during a transaction. However, when necessary, you can still save the full credit card number and expiry date by opening a Customer record and using the Credit Cards option within the Sales Related section. This is allowed because the card information is not being captured as part of a transaction or settlement. Details saved in this way are strongly encrypted in the EVE database according to PCI DSS standards.

Of course, if you are currently using a PCI compliant version of PC Charge you can continue to use it independently of your EVE software. If you already use X-Charge with EVE, you will need to make sure you are using the most up-to-date version. You can do this in X-Charge by clicking Help and then Check for Update.

Again, be assured that we did not take the decision lightly to discontinue integrated support for PC Charge. If you want to talk to us about this or any other topic relating to PCI compliance please call the ISSYS offices on +1 405 285 1912 or email us at support@issys.co.uk. If you would like more information about Transport or X-Charge please use the contact details below:

For Transport, contact Dylan Penebre at Merchant Warehouse on 800 498 0823 x2107 or email: dpenebre@merchantwarehouse.com

For X-Charge, contact Nate Imahara on 800 637 8268 x268 or email: nate.imahara@x-charge.com


Become PCI compliant

PCI-DSS stands for Payment Card Industry Data Security Standard. Everybody who accepts credit cards as payment has to take some action regarding PCI-DSS. Failure to become compliant may result in fines and possibly the loss of the ability to process credit cards.

Your credit card processor should be able to tell you what is required and when. There are six processes to compliance:

Build and Maintain a Secure Network

First of all, you must maintain a secure network where names are kept. It is not even a matter of credit card processing: if you store names on your computer at your business, or on your laptop, and connect to the Internet, you must maintain the security of that information. That includes having a secure firewall between your computer and the Internet.

Protect Cardholder Data

If you do not store cardholder data on your network, things are a little simpler. But if you do, the information on your computer must not only be protected by a firewall; the credit card information also has to be encrypted so that if unauthorized users gain access, they will not be able to read it.

Much of the compliance requirements are for those businesses that sell over the Internet and would not necessarily apply to all stores.

Maintain a Vulnerability Management Program

This one is simple and you should have been doing it all along. Keep up to date on your virus protection software and browser updates. Internet Explorer has weaknesses that need to be fixed periodically through IE updates. Be sure you are staying current with your software.

Implement Strong Access Control Measures

Limit access to cardholder data to only those persons who need to use it. You are also responsible for assigning a unique identification to each person who does have access.

Regularly Monitor and Test Networks

Networks that store cardholder data need to be monitored and tested regularly. Regular scans of security measures and processes, monitoring and tracking of network access to cardholder data are required to satisfy this standard.

Maintain an Information Security Policy

You need a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated.

Levels of Compliance

There are four levels of compliance requirements, depending on volume of transactions:

  • Level 1 comprises all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach. Validation requirement: Annual onsite review by merchant's internal auditor or qualified security assessor (QSA), or an internal audit, which must be signed by an officer of the company, in addition to a quarterly network security scan done by an approved scanning vendor (ASV).
  • Level 2 comprises all merchants, regardless of acceptance channel, whose Visa and MasterCard transaction total is from 1 million to 6 million per year. Validation requirement: Completion of PCI DSS self-assessment questionnaire (SAQ) annually and a quarterly network security scan done by an ASV.
  • Level 3 comprises all merchants whose Visa and MasterCard e-commerce transaction total is from 20,000 to 1 million per year. Validation requirement: Completion of the PCI DSS SAQ annually and a quarterly network security scan done by an ASV.
  • Level 4 comprises all merchants who do not fall into the other levels: merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, as well as all other merchants processing up to 1 million Visa or MasterCard transactions per year. Validation requirement: Completion of the PCI DSS SAQ annually and a quarterly network security scan done by an ASV.

Level 4 merchants are now receiving more scrutiny in terms of PCI compliance because they are using POS terminals connected to high speed Internet connections, which are vulnerable to hackers.

Level 4 merchants process fewer transactions than merchants at other levels, but they account for more than 99% of the merchants who accept Visa and MasterCard.

For the most part, level 4 merchants do not have the technical expertise to properly secure cardholder data. It is up to the acquirer (this is not the processor, but the bank that the processor uses to deposit the transactions into your bank) to make sure that its level 4 merchants understand the need for being PCI compliant.

Self-Assessment Questionnaire

Now that you have determined what level of merchant you are, you need to fill out a Self-Assessment Questionnaire (SAQ). The type of SAQ you fill out is determined by the way you process transactions. The SAQ can be found here:

https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

  1. Card-not-present merchants. This is typical of an e-commerce business. It would never apply to face-to-face merchants, but it could apply to you if you have a webpage that takes credit cards.
  2. Imprint-only merchants with no electronic cardholder data storage (knuckle-busters with paper receipts).
  3. Stand-alone terminal merchants with no electronic cardholder data storage (dial-up terminals).
  4. Merchants with POS systems connected to the Internet and no electronic cardholder data storage (virtual terminals like PC Charge, Smart Swiper™, and IC Verify).
  5. Anything else.

Of course, one could fall into more than one category; in that case, more than one SAQ needs to be completed.

The Scan

The scan is done by an Approved Scanning Vendor (ASV). Your credit card processor can recommend the one that they work with. The scan checks that the information you transmit over the Internet complies with the standards. A list of ASVs is here:

https://www.pcisecuritystandards.org/pdfs/asv_report.html