PCI SSC Releases Small Merchant Guide to Safe Payments

With a significant portion of merchants switching to internet- and cloud-based processing, there is a greater risk of a data breach. The Payment Card Industry Security Standards Council (PCI SSC), the same organization that creates the standards for PCI compliance, has released a Small Merchant Guide to Safe Payments. This document covers some of the risks that small businesses face and provides basic guidance on how to mitigate risk and make your organization a less desirable target.

Some of the points they address are:

  • Don’t give hackers easy access to your systems
  • Use anti-virus software
  • Scan for vulnerabilities and fix issues
  • Use secure payment terminals and solutions
  • Protect your business from the Internet
  • For the best protection, make your data useless to criminals

For further reading, the document can be found at:

If you have any questions please feel free to contact us at 1-800-644-3909 or by email at info@agapay.gives.

The Agapay Team

PCI DSS 3.2 Update Summary

As happens every so often, the PCI standards have been updated. For most businesses, things will continue to be business as usual. However, an update to the standards is always a good time to evaluate your PCI compliance status and make sure that your company is adequately protecting cardholder data.

The 3 main points of the update are:

1. Updating the term “Two-Factor Authentication” to “Multi-Factor Authentication”
Most payment environments already use Two-Factor Authentication, meaning that in addition to a password they require security questions such as “What is your mother’s maiden name?” or “What was the name of your high school?” Other “factors” can include key cards, fingerprints, etc.

2. Only when instructed, some merchants may have additional reporting requirements
Most merchants will be unaffected. But when required by a card brand or acquirer, merchants may have to provide additional information in accordance with the PCI DSS Designated Entities Supplemental Validation (DESV). The document is available to download on this page.

This is likely to be required only for merchants that are seen as “high risk”.

3. New requirements for service providers
Service providers are required to test system security more frequently, including mandatory penetration testing every 6 months, and quarterly reviews of internal policies and procedures.

While your organization may be doing everything it can to ensure cardholder data is secure, it is important to ensure that any 3rd-party vendors are also current with their PCI DSS compliance.

If you have any questions please feel free to contact us by emailing info@agapay.gives.

Best Regards,

The Agapay Team

What is PCI Compliance?

If you’ve interacted with one of our staff, you’ve probably heard us talk about PCI Compliance, and you may have wondered, “What is it?” and “Why do they seem to think it’s so important?” The truth is that, yes, it is important, but it’s equally important to understand how it applies to you.

PCI stands for “Payment Card Industry”. However, when we talk about PCI, what we are actually referring to is the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of rules and regulations that cover nearly every aspect of data security and integrity relating to consumer credit card data. It is massive, worded in sometimes confusing ways, and a lot of it doesn’t directly apply to merchants. But the part that does apply to merchants can put you in hot water if you’re not in compliance.

To simplify, let’s cover a few key factors that can help keep you in compliance.

1. Change default passwords

When you purchase new computers or network equipment, the first thing you should do is set a secure password. By not changing default login information, you leave your systems vulnerable to attack or to the placement of malicious software that can steal transaction data. Think of changing your passwords as closing the windows and back doors to keep the pests out.

2. Restrict access to sensitive information

Customers’ credit card data should always be restricted on a “need to know” basis. Only employees who are trustworthy and directly involved should have access to credit card data. Small data breaches are often caused by dishonest employees; restricting access minimizes the risk of someone taking that information and using it for fraudulent purposes.

3. Always use PCI compliant vendors

When purchasing a terminal, setting up online shopping cart software or using a virtual terminal, always verify that the machine or software is PCI compliant. If any of your software, hardware or 3rd-party service providers that handle credit card data are not PCI compliant, you are also not PCI compliant.

4. Whenever possible, do not store consumer credit card data

Whenever you hold customer credit card data, you are putting yourself at risk of a data breach. If you must keep paper copies, keep them in a locked cabinet with restricted access. If you need to keep cards on file, a better solution may be to use a PCI compliant online gateway. While there is a monthly service fee, these vendors hold the liability for any fraud in the event that their system is breached, saving you the headache and the cost.

5. Complete your annual SAQ

The SAQ is the main reason merchants are charged a “PCI Noncompliance Fee”. For most small merchants, it can be completed in 10-15 minutes, and a completed SAQ is valid for 1 year. Agapay is always happy to help our merchants navigate the questions; just give us a call if you need help logging in or completing the questionnaire.

While this list is not exhaustive, it gives you a few simple things you can do to stay in compliance. If you have any questions, feel free to call us at 1 (800) 644-3909 or email us at info@agapay.gives.

Best Regards,

The Agapay Team