Credit Transaction
There might be a time when you need to refund a customer, but the original transaction is not on the electronic payment gateway. For example, you might have changed electronic payment gateways, or the customer may no longer have the credit card that was used to purchase the merchandise.
This feature is usually disabled because of the risks involved. For example, the merchant could abuse this privilege by crediting his own credit card. You might have an individual who does the billing, and that person could credit his own credit card and skip town, leaving you with an empty bank account. Or you might accidentally enter the wrong credit card number in the virtual terminal, thus crediting another person instead of your customer.
In the electronic payment gateway's virtual terminal, look for Credit (instead of Sale). You should be able to enter the correct information to credit your customer's credit card. If you do not see this option, contact your merchant account provider to obtain permission to perform a credit transaction.




PCI Myths
Now that we have talked about PCI Compliance and its six cores:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Let us look at a few myths. These myths could cost you thousands of dollars
in fines.
Hackers Only Target Large Companies
Some merchants might think that breaches only happen to large corporations. Part of this is true: breaches do happen to large corporations, but smaller merchants are just as vulnerable. If you have a shopping cart and its code is not kept up to date, this could leave you wide open to a data compromise. If you are storing any cardholder data (the primary account number along with the cardholder's name or expiration date), you need to be PCI compliant.
Processing is Done on the Gateway (or Third Party)
The transaction is done on the electronic payment gateway's secure website or by a third party processor (3PP) / Internet Payment Service Provider (IPSP), and they are PCI compliant. This does not mean you are compliant or exempt. PCI Compliancy is an ongoing process. The PCI DSS requirements and security assessment procedures cover data security, physical security, and your security policies.
For example, the CISP Compliant list from Visa (3 May 2007) shows that Google Checkout was late in reporting its compliance to Visa. On the 15 Jul 07 CISP Compliant list, Google Checkout was removed because it was more than 90 days late in filing its report. On the 15 Nov 08 Visa CISP Compliant list, Google Checkout is listed.
The Shopping Cart and Hosting Company are PCI Compliant
The shopping cart and hosting company are just a part of being PCI Compliant.
As stated above, it covers your security policies and how you handle the transactions.
For example, your security policy should address how your employees handle cardholder
data if an order is taken over the phone.
PCI Only Applies to the IT Department
Unfortunately, this is not the case. In the example above, the employee handling
the order on the telephone is in the sales department. PCI Compliancy covers
all individuals in your company that handle, process, store, or transmit the cardholder
data.
We Only Handle Two Orders a Month
Breaches can happen to any company, no matter the size. Since your company
has access to cardholder data, you need to be PCI Compliant.
PCI Compliancy Is Too Much
While the guidelines seem intimidating, most of them are probably already being
done by your company. The guidelines help you with the specifics and an effective
way to secure cardholder data.
We Are PCI Compliant
Just because you have completed the self-assessment questionnaire and had a company
scan your website does not mean you are protected from breaches. Compromises
can still happen to a PCI Compliant merchant.




Maintain an Information Security Policy
The last core of the Payment Card Industry Data Security Standard (PCI DSS) has only one requirement:
- Maintain an Information Security Policy
Companies should have a strong security policy in place that all employees sign and abide by. The employees should understand the sensitivity of the data and what their responsibilities are in protecting this data. The security policy should be followed stringently. New employees should be made aware of the security policies and made to sign that they understand their duties and responsibilities.
The policy should assign a team or individual to security management to
ensure policies are disseminated accordingly.
The policy should address what happens when a compromise occurs. It should identify who should be called, no matter the time of day. The plan should include continuity procedures, data backup processes, roles and responsibilities, and a contact strategy (for example, contacting the credit card associations).
You should also review the PCI DSS Requirements and Security Assessment Procedures for the complete requirement. It goes into complete detail about what your information security policy should contain.




Regularly Monitor and Test Networks
The fifth core of the Payment Card Industry Data Security Standard (PCI DSS) consists of two requirements:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Track and Monitor All Access to Network Resources and Cardholder Data
We have said it in the past few posts, but it bears saying again. Audit trail history should be retained for at least one year. These logs should provide the company with:
- Unique User Identification
- Type of Event
- Date and Time
- Origination of Event
- Success or Failure Indication
- Identity / Name of Affected Data, System Components, Resources
These logs should be secured so that nobody can alter them, and viewing should be limited. Times on all systems should be synchronized. Logs should be reviewed daily for unknown events. It sometimes takes days or weeks before a breach is reported by a cardholder.
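The daily log review described above, as an added example that is not part of the original post: it checks that each audit record carries the six details listed, then flags the kinds of unknown events a reviewer would want to see (incomplete records, user IDs the company never issued, and repeated failures from one user and origin). The record format, field names, sample records and the failure threshold are all constructed for this example.

```python
import json

# The six details the post lists for every audit log entry (PCI DSS 10.3).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "origin", "result", "target")

# Constructed sample audit records (one JSON object per line); not real log data.
SAMPLE_LOG = """
{"user_id": "jsmith", "event_type": "cardholder_data_read", "timestamp": "2008-11-15T09:12:04Z", "origin": "10.0.1.25", "result": "success", "target": "orders_db.card_numbers"}
{"user_id": "jsmith", "event_type": "login", "timestamp": "2008-11-15T09:10:01Z", "origin": "10.0.1.25", "result": "failure", "target": "virtual_terminal"}
{"user_id": "jsmith", "event_type": "login", "timestamp": "2008-11-15T09:10:20Z", "origin": "10.0.1.25", "result": "failure", "target": "virtual_terminal"}
{"user_id": "jsmith", "event_type": "login", "timestamp": "2008-11-15T09:10:40Z", "origin": "10.0.1.25", "result": "failure", "target": "virtual_terminal"}
{"event_type": "cardholder_data_export", "timestamp": "2008-11-15T02:30:00Z", "origin": "203.0.113.7", "result": "success", "target": "orders_db"}
{"user_id": "svc_backup", "event_type": "cardholder_data_read", "timestamp": "2008-11-15T03:00:00Z", "origin": "10.0.1.9", "result": "success", "target": "orders_db.card_numbers"}
"""


def parse_entries(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(entry):
    """Names of the required details this record does not carry."""
    return [f for f in REQUIRED_FIELDS if f not in entry]


def daily_review(entries, known_users, failure_threshold=3):
    """Return (finding, who, what) tuples for a reviewer to follow up on.
    known_users: the unique user IDs the company has issued (constructed input)."""
    findings = []
    failures = {}  # (user_id, origin) -> failure count
    for e in entries:
        missing = missing_fields(e)
        if missing:
            # A record that cannot say who/what/when/where/outcome/target
            # is itself an unknown event worth investigating.
            findings.append(("incomplete_record", e.get("event_type"), missing))
            continue
        if e["user_id"] not in known_users:
            findings.append(("unknown_user", e["user_id"], e["target"]))
        if e["result"] == "failure":
            key = (e["user_id"], e["origin"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == failure_threshold:
                findings.append(("repeated_failures", e["user_id"], e["origin"]))
    return findings


if __name__ == "__main__":
    for finding in daily_review(parse_entries(SAMPLE_LOG), {"jsmith", "svc_backup"}):
        print(finding)
```

Keeping the logs tamper-proof and synchronizing clocks, as the post requires, are controls on the logging pipeline itself and are not shown here.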
Regularly Test Security Systems and Processes
Systems should be scanned to discover potential vulnerabilities. A vulnerability scan is an automated tool run against external and internal access points and servers on the network; it helps identify open ports and vulnerabilities that could be exploited by hackers. If any vulnerabilities are detected, steps should be taken to fix them immediately. Network intrusion detection systems should also be in place.
Approved Scanning Vendor
Most merchants will be required to have a quarterly scan completed by an Approved Scanning Vendor (ASV). Approved Scanning Vendors can complete the quarterly scan for your company. Only choose a vendor that is listed on the Approved Scanning Vendors web page. Otherwise, you might compromise your data, or the scan will not be accepted by the council. The scan requirements are quite rigid: all 65,535 ports will be scanned. Any vulnerability that is rated three to five must be fixed. You will also get two reports:
- An executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation
- A technical report that details all vulnerabilities detected, with solutions
Selecting a PCI Network Security Testing Service
While there are a number of Approved Scanning Vendors listed, there are three critical things to look for when choosing a company:
- Accuracy: False positives increase the activities and costs associated with working through them (and false negatives leave real issues unaddressed). You do not want a company that generates a large number of false positives or false negatives, which increases the amount of time you have to spend on each issue.
- Efficient Vulnerability Remediation Process: The company should offer technical support to fix each issue found.
- Automated Report Preparation and On-Line Filing: If the company offers automatic report preparation and electronic filing, this reduces the work and time you spend on getting PCI compliant.
Qualified Security Assessor
Large merchants that are considered Level One (or merchants that have had a data breach) are required to have an on-site security audit performed by a Qualified Security Assessor (QSA). These vendors are authorized to perform the annual audits. QSAs are companies that assist organizations in reviewing the security of their payment transaction systems, and they have trained personnel and processes to assess and validate compliance with PCI DSS.



