Am I required to be PCI Compliant? Part 2

By law? No. By your credit card processor? Yes.

In a nutshell, PCI DSS is a baseline information security program. The PCI DSS outlines security best practices like utilizing a security firewall and using password best practices. Merchants are required by their credit card processors to adhere to PCI requirements and are asked to attest their compliant status annually. The merchant’s processor may ask them to fill out an SAQ (self assessment questionnaire) or conduct a QSA-led (qualified security assessment) PCI assessment as part of the client’s annual compliance validation process.

Are There Penalties?

Yes. Refusal to adhere to the PCI DSS and the processor’s compliance validation requirements can result in suspension from credit processing networks and significant fines. These fines can include chargebacks to the merchant and, potentially, additional third-party auditing costs.

It is more important now than ever to make PCI DSS a constant priority in all business considerations. The continuity the program provides will help ensure protection of cardholder data from malicious individuals. Because the world of digital transactions is ever-evolving, continuing to stay current with PCI practices is the best way to stay informed of the latest security practices.

Am I required to be PCI Compliant?

Think of the Payment Card Industry Data Security Standards (PCI DSS) as an umbrella that covers any entity that stores, processes, or transmits cardholder data; and even extends to service providers with the ability to affect the security of the cardholder data environment.

PCI Compliance is a requirement for any entity that meets the description above, and it also supports business continuity. On your journey toward compliance, it is important to remember that there is a difference between PCI DSS Compliance and PCI DSS Compliance Validation. Complying with the PCI DSS is not a feat that can be conquered overnight; it is an IT project.

PCI Compliant graphic borrowed from Nettitude (credit https://www.nettitude.com/a-guide-to-starting-the-pci-dss-process/)

THE VIEW FROM ABOVE: QIR Customer Experience Highlights

To maintain their certification, QIR companies are held accountable for the impact they have on the security of the cardholder data environment as they work to uphold the Payment Card Industry Security Standards Council (“PCI SSC”) Code of Professional Responsibility. Over the course of the last year, RDS has made major investments related to meeting the new QIR qualification and implementation requirements. Trained by the PCI SSC, RDS employees perform Qualified Installations every day in accordance with the QIR Program.

The diagram above shows the Qualified Installation process and parties involved. (diagram credit PCI-SSC)

The PA-DSS Implementation Guide is prepared by the software application vendor, such as NCR, and passed to the QIR Company (RDS). The QIR qualified employee uses this vendor-provided PA-DSS Implementation Guide, QIR Implementation Statement Instructions, and their knowledge of the PCI DSS, when implementing the payment application software into the merchant’s environment.

Throughout each stage of the implementation, the QIR employee documents details related to the install and PCI DSS on an Implementation Statement. This document provides a record of their work with a checklist of implementation/functionality items for the QIR employee to test and sign off. Within 10 business days of the installation, the QIR installer reviews the completed Implementation Statement for Quality Assurance. Once the document is signed off, the customer receives a copy for their records. To ensure continuing process improvements, the customer is invited to share their experience through a survey located on the PCI SSC website. The QIR Feedback Form serves as a tool for the PCI SSC to validate the performance of the QIR Company, in accordance with the QIR Program Requirements, through the customer’s experience.

RDS appreciates our customers’ feedback and can help guide and assist you as needed on your PCI Compliance journey. If you have any questions about our QIR Program, please email: compliance@rdspos.com.

QIR and The Small Merchant

Did you know that 60% of small businesses go under within 6 months of a cyber attack*? According to industry research**, restaurants and retail small business merchants make up the biggest portion of total known breaches, and only about 20% are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

In credit card processor speak, small business merchants fall into the Level 4 merchant category. As such, they are required to adhere to the PCI DSS and to demonstrate payment-card-brand-specific compliance annually. Failure to do so results in penalties from the processor. Merchants have seen many changes to their credit processor validation requirements over the last several years, between updates to the PCI DSS, hardware, and the recent VISA Qualified Integrator and Reseller (QIR) mandate.

Last year VISA issued a QIR mandate to Level 4 merchants, giving them a deadline of February 2017 to begin using only PCI Security Standards Council (PCI SSC) qualified QIR Companies for Point of Sale activities, or pay a fine. This is the first mandate of its kind, and other payment card brands are anticipated to follow suit in the near future. The mandate is meant to reduce compliance risk during implementation and ongoing maintenance support of point of sale systems. By using organizations that have completed the PCI SSC QIR qualification, merchants improve security by ensuring that point of sale systems are installed and integrated in a manner that facilitates the merchant’s PCI DSS compliance and ultimately reduces risk.

RDS has over 130 QIR qualified technicians and is dedicated to cultivating internal PCI DSS awareness and serving as a resource to guide our customers throughout their PCI Compliance journey. As a QIR Company, RDS only installs and maintains PA-DSS validated payment applications and implements data security into every facet of business operations, from the implementation of point-of-sale systems, to keeping our employees trained and up-to-date with the latest security standards.

In the POS industry since 1950, RDS has continuously adapted and grown through many changes providing smarter products and support to our clients year after year. This includes cultivating PCI DSS compliant processes and environments to serve as an advisor to our clients. RDS is proud to have over 130 employees QIR qualified to conduct Qualified Installations and assure compliance with the PCI DSS.

*Cyber Security Statistics – Numbers Small Businesses Need to Know, Jan 3, 2017, Small Business Trends (https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html)

**Verizon 2015 PCI Compliance Report
Visa graphic borrowed from PCI SSC (credit www.pcisecuritystandards.org)

What is an EMV Card?

Visa does a great job of explaining to the masses what an EMV card is, what it isn’t and what it means to consumers and merchants alike. Click below and use the arrows on the left and right of your screen to see what this means to merchants and consumers when the EMV Liability Shift goes live October 1, 2015.

Have a look at the Visa Chip Business Toolkit

http://usa.visa.com/merchants/grow-your-business/payment-technologies/credit-card-chip/resources/merchant-toolkit/index.jsp?page=toc

Also be sure to read our post by our own Janice Mackler, “What is EMV and what does it mean to you as the Merchant?”

What is EMV and what does it mean to you as the Merchant?

By Janice Mackler

EMV stands for Europay, MasterCard and Visa, a global standard for interoperation of integrated circuit cards (IC cards or “chip cards”) with IC-card-capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. The EMV standard is moving consumers to chip card technology. These new cards contain an integrated circuit holding payment-related information protected by layers of security. The EMV standard allows for cardholder verification methods other than a PIN.

As a merchant there are three core areas of concern:

  1. Expand TIP – TIP will end the mandate for merchants to validate their compliance with the PCI Data Security Standard for any year where 75% of the merchant’s Visa transactions stem from chip-based terminals.
  2. Build Infrastructure – Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including cryptographic messages that make each transaction unique.
  3. Shift Liability – Effective October 2015 the party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions.

EMV is not the silver bullet that can wholly insulate a merchant from the credit breaches common in the news today. Credit card theft will continue, and merchants will still need to protect themselves. EMV transactions still send credit card data in clear text that hackers can use for credit card fraud. Since creating fake cards is more difficult in the EMV environment, hackers will be more apt to perpetrate fraud in an online environment rather than in person. Therefore, your firewall is still extremely important for protecting your business.

Questions you need to be asking your POS provider: Is your POS hardware ready for EMV? Is your software version able to accept EMV transactions? Does your POS have enough memory to support the EMV peripheral devices for both contact and contactless acceptance? Has your credit processor defined what is required of the POS system to communicate in the EMV standard? Most POS providers will not have the code completed until 2016, as these requirements are still being defined.

What does this liability shift mean to you as a merchant? How many transactions are flagged as fraud in a given year? What is the cost to the merchant for those transactions? We’ve heard many merchants say the liability shift is far less than the cost of immediately transitioning to EMV.

As your trusted POS advisor we want to ensure you are ready to successfully meet these new requirements. Please call us to discuss your needs.

1.855.737.1500 | rdspos.com


April 8th XP End of Life – Don’t be an Ostrich

Windows XP was laid to rest on April 8, 2014. It is survived by its siblings Windows Vista (stop laughing), Windows 7 and Windows 8.

Before you read further, this does not pertain to XP Embedded. You still have time left on that; end of life for XP Embedded is January of 2016. Not sure if you are on XP Embedded? Keep reading and contact us. We can help.

The passing of Windows XP marks a major milestone in the progression of desktop technology. Many times Microsoft extended the life of the platform because of its success in the marketplace and the outcry over the impact ending support would have on the PC community. Finally, just a few short weeks ago, Microsoft pulled the plug; this time for good.

A few months back we posted an article about the “tsunami of viruses” that were likely to hit at end of life. Thus far, those fears have not become reality; at least not anything that has created a public outcry. Why is this? It could be that the end of life was much ado about nothing. It also could be, as many reports suggest, that thieves are targeting smaller firms. The attacks are likely happening, but not getting the headlines. Additionally, recent reports show the market share for XP has only dipped by about 1.5% since end of life. Larger firms, especially since the Target breach, have shored up their networks. Smaller firms, often the laggards, not so much. Small business is vulnerable and the crooks know it.

Another major concern if you are still running XP on your front- or back-of-house systems: XP is no longer PCI compliant. The PCI DSS requires that you “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.” (Source: www.pcisecuritystandards.org) An operating system that no longer receives vendor security patches cannot meet that requirement.
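To turn that patching requirement into something a store can actually check, here is an added example (not RDS code or anything from the PCI SSC) that runs over a small constructed inventory of POS hosts. It flags two things the article cares about: operating systems whose vendor end-of-support date has passed, and critical patches still pending more than 30 days after release. The host names and pending-patch dates are made up; the Windows XP end-of-support date is the one quoted in the article, and the Windows 7 date is Microsoft's published end of extended support.

```python
from datetime import date, timedelta

# PCI DSS: "Install critical security patches within one month of release."
PATCH_WINDOW = timedelta(days=30)

# Constructed sample inventory (hypothetical hosts, not a real store).
# "eol" is the vendor's last day of security patches; "pending" lists the
# release dates of critical patches that have NOT yet been installed.
INVENTORY = [
    {"host": "backoffice-01", "os": "Windows XP Pro",
     "eol": date(2014, 4, 8), "pending": []},            # XP EOL per the article
    {"host": "pos-lane-03", "os": "Windows 7",
     "eol": date(2020, 1, 14), "pending": [date(2014, 3, 11)]},  # one old patch missing
    {"host": "pos-lane-04", "os": "Windows 7",
     "eol": date(2020, 1, 14), "pending": [date(2014, 4, 22)]},  # recent patch, still in window
]


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2014-05-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def assess(inventory, as_of):
    """Return one finding dict per problem found in the inventory on date as_of.

    Finding issues:
      unsupported_os  - the OS stopped receiving vendor patches before as_of
      patch_overdue   - a pending critical patch is more than 30 days old
    """
    as_of = _as_date(as_of)
    findings = []
    for h in inventory:
        # No vendor patches after the EOL date means the host can never satisfy
        # the "install vendor-supplied patches" requirement again.
        if as_of > h["eol"]:
            findings.append({
                "host": h["host"], "issue": "unsupported_os",
                "detail": f'{h["os"]} stopped receiving security patches on {h["eol"]}',
            })
        # Any pending critical patch older than the window is a compliance gap.
        for released in h["pending"]:
            overdue_by = (as_of - released) - PATCH_WINDOW
            if overdue_by > timedelta(0):
                findings.append({
                    "host": h["host"], "issue": "patch_overdue",
                    "detail": (f"critical patch released {released} is "
                               f"{overdue_by.days} days past the 30-day window"),
                })
    return findings


def is_compliant(inventory, as_of):
    """True when no host has an unsupported OS or an overdue critical patch."""
    return not assess(inventory, as_of)


if __name__ == "__main__":
    # Run the check as of 1 May 2014, a few weeks after XP end of life.
    for f in assess(INVENTORY, "2014-05-01"):
        print(f"{f['host']}: {f['issue']} - {f['detail']}")
```

In a real deployment the inventory would come from your patch-management or asset system rather than a literal in the script; the point is that "supported OS" and "patch age" are both dates you can compare mechanically, so the check can run on a schedule instead of being discovered during an annual SAQ.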

If and when your business is breached and you are running Windows XP, you will likely not garner much sympathy from the PCI Security Council as they determine origin of fault and levy fines.

Many store owners we talk to are not even sure if they have XP. There is a lot of misinformation out there. If you are not sure if you are vulnerable, let us know. This is not the time to stick your head in the sand and not take action. We are happy to provide an assessment. Whether or not you use RDS to help with the upgrade or change, protect yourself. Upgrade your system and remove this liability from your business.

Growing Concerns as XP End of Life is Approaching

Experts predicting a “tsunami of viruses” as operating system support ends.

Let’s face it, the media loves a technical disaster story. In 2000 we had Y2K, and a plethora of security breaches, viruses and worms (remember Nimda?) that never seem to be as big as what we are told they will be. These items caused a lot of inconvenience and in some cases some serious damage, but nothing that wasn’t patched and repaired. We adapted, learned and moved on. So why should we get concerned about XP end of life when other technical “disasters” that either happened or were looming turned out to be much ado about nothing? It’s simple really. The people in charge of updating, patching and preventing are not going to be doing it anymore as of April 8, 2014.

So what?

XP is still being updated and security holes are still being patched. Between January 1 and March 30 of 2013 Microsoft released patches for 34 security vulnerabilities; 28 of these were network related. So without these patches there were 28 ways a hacker could have created something to harm systems running the XP operating system. In April the Windows XP operating system is going to be “as is”; there will be no more patching, no more updates. This will make the machines currently operating on Windows XP vulnerable and a soft, relatively easy-to-exploit target. Even currently, with patches, the malware infection rate for a Windows XP machine is over 2 times greater than that of a Windows 7 machine, and it will get worse. Additionally, with the install base for Windows XP being as high as 43% by some reports, XP will be a major target of those looking to exploit systems for financial gain. Other reports even speculate that more sophisticated groups are withholding code in hopes that the vulnerabilities they have discovered remain unpatched after end of life in April. For more information, read Microsoft’s own Security Intelligence Report.

For most Point of Sale customers on a modern touch screen point of sale system, the problem is not the front of house POS system. Many, but not all, run XP Embedded, which has another couple of years of life, with end of life set for December 31, 2016. The issue is in the back office computers. Many back office systems, even those deployed in the last few years, run XP Pro and most are exposed to the internet. Firewalls, PCI compliance and other solutions can only protect so far, and an outdated system like this is likely to cause you to fall out of PCI compliance no matter what other safeguards are in place.

There are other reasons that an update should be in the works for any machine you still have on XP. Technology changed. Windows XP just doesn’t work with many newer peripherals like printers, scanners, scales, and other devices. Why? It’s more than a decade old and the machine it was designed to be installed on just doesn’t have the horsepower to drive these new devices. Not to mention the leaps and bounds software has taken. Newer programs just don’t work on a machine that was designed to surf the web, check email and run a few programs. To put it in perspective… 12 years ago when it was released, the PC it was designed for had less power than an iPhone does now.

If you have questions or concerns about the risk your business may be taking with your current operating environment, please visit our Windows XP end of life page at www.rdspos.com/xp or call your local office.

Article by:

Patrick Solum
Marketing Director
Retail Data Systems
psolum@rdspos.com

@sodakforce


Can You Afford to Not Have Integrated Video Surveillance?

Studies show that 75% to 90% of employees will steal from their employer. Theft can take many forms, from the coffee that the cashier “forgot” to ring up, the produce that the cashier let lean on the side of the scale to give a friend a lower price on those steaks, theft of product from the stock room or just out-and-out skimming from the register. So as a store owner, how do you deter theft in a way that will allow you to run your business without turning into a full-time store police officer?

One way that is rapidly gaining popularity due to its ease of use, time savings and rapid return on investment is an integrated store surveillance system. Although more expensive than the off-the-shelf products that sell for a few hundred dollars, these products allow the t-log information from the POS to be burned into the video image, so the transaction log and the video are always in sync. Integrated systems also allow for intelligent monitoring, where only transactions with a void or over-ring can be quickly viewed. They can also be set up in high-theft areas to monitor when someone moves into the video frame. Additionally, these products can be monitored remotely and securely, so an owner does not have to be in the store at all times.

Studies are showing that integrated video surveillance systems are one of the top technology purchases for 2013 due to their proven effectiveness.

Are integrated video surveillance solutions right for you? Possibly not. Your local RDS representative can help you evaluate your potential ROI to determine if one of these systems is right for your business.

Join the conversation…

Some examples of their value that our many customers with these systems have shared with us are:

  • A fraudulent slip and fall lawsuit that was avoided after video was reviewed.
  • A thief stealing from the office safe that was caught.
  • A cashier that was not ringing up items for friends and family.
  • A stock boy who was stealing merchandise from the storage room during his night shift.
  • The unprofessional behavior of a bartender towards customers.
  • A cashier that was giving free drinks and food items to her friends.
  • The shoplifter that was caught stealing baby formula.
  • A C-store cashier giving away beer.
  • Many, many more

If you have something to share about how video surveillance has helped your business, please post in the comments below.

Windows XP Not PCI Compliant in April, 2014

Microsoft ending life of operating system (XP RIP)

Microsoft has had April 14, 2014 publicized for some time now as the end of life for its most successful and widely adopted operating system, Windows XP. This is creating a serious PCI risk, in that many retailers have not paid attention and are stuck with machines that will no longer be PCI compliant because of this. It is critical that if your company is running a point of sale system on Windows XP, you put in place a plan to move to a platform that is PCI compliant and will remain so for the foreseeable future. Not doing so will put your company outside of PCI compliance and opens your company up to all kinds of risks from hackers, spam, viruses and spyware, as the operating system will not receive any patches after that date. In addition, most manufacturers and developers have stopped developing software and peripherals for the platform, leaving retailers finding it difficult to work with newer technologies such as updated scanners, cell phone coupons, loyalty programs, and others. For more information on whether your store might be at risk, please contact your local RDS representative for a FREE POS Analysis.