PCI Certification: Safeguarding Your Business
Don’t understand PCI Compliance? Don’t worry, you aren’t alone! PCI Compliance can be complicated depending on the processing methods used by your business. Therefore, UMS Banking has developed a free PCI Compliance Brochure to help you understand the basics of PCI Compliance! Just call our Customer Care department and request your free PCI Compliance Brochure today at (800) 866-1881.
If you represent a financial institution or have a group of 20 or more individuals that need education on PCI Compliance, UMS Banking offers a free 30-minute Webinar covering the basic concepts of PCI Compliance. Call UMS Banking to schedule a Webinar for your group or business today!
Why is PCI Certification important to your business?
Protection. It’s that simple. The Payment Card Industry (PCI) Data Security Standards (DSS) have been put in place by the major card companies (VISA, MasterCard, American Express and Discover) to help protect your business, your livelihood, and your assets. How? By protecting cardholder data and ensuring that your business is safe from web-based intrusion. By limiting the possibilities of cardholder theft and identity theft, the problem of fraudulent sales resulting in chargebacks is greatly reduced. Thanks to businesses like yours, the PCI Initiative has been extremely successful in managing loss due to the theft of cardholder information.
So what does this all mean? And how does it impact your business? UMS Banking has retained a security vendor, one sanctioned by the major card types, to assist us in making sure that your business is fully protected as mandated and that can help us make sure that you know what needs to be done in order to ensure the safety of your business.
Historically, good security services have been expensive. The cost of security consultants, personalized software, and perpetual maintenance has kept adequate merchant security out of reach of most businesses and that is why cardholder theft is so prevalent now.
The goal of SecurityMetrics is to provide a comprehensive set of automated, online security services and hardware devices to help businesses detect and repair security problems at reasonable prices. SecurityMetrics, Inc. was founded in February of 2000 with funding from Software Development Corporation, the company that developed WordPerfect for UNIX/Linux for Novell, Inc. and Corel Corporation.
UMS Banking is confident that the pricing brokered by SecurityMetrics is one of the best in the industry. Payments are made monthly, instead of being made in one lump sum, and appear on your merchant statement. Qualified security consultants at SecurityMetrics are ready to answer your questions and help you through the enrollment process.
Who needs to complete PCI certification?
Every merchant and service provider who accepts, processes, stores, or transmits cardholder transactions.
Technology is quickly becoming an integral part of our daily lives for online purchasing, bill payment, and other Internet transactions. Therefore, the protection of the information you store has become increasingly important.
Visa’s Cardholder Information Security Program (CISP) and Account Information Security (AIS) program, along with MasterCard’s Site Data Protection (SDP) program and American Express’s Data Security Requirements, have been aligned into the Payment Card Industry (PCI) Data Security Standard, which outlines best practices for securing credit card data that is stored, processed or transmitted.
The table below outlines actions for merchants to comply with the PCI Data Security Standards:
Which Self Assessment Questionnaire Does My Business Need To Fill Out?
The Payment Card Industry Security Standards Council (PCI SSC) revised the original version of the Self Assessment Questionnaire (SAQ) in March 2008 in order to address the various scenarios that can exist in a merchant’s point of sale environment. As most acquirers require Self Assessment Questionnaires for merchant levels 2, 3 and 4, it is important to know which version of the SAQ your business may need to complete. There are five SAQ validation categories. Use the table below to select which SAQ applies to your business.
All versions of the SAQ are available for download, free of charge, on the Payment Card Industry Security Standards Council website at:
Cost of the program? What will my fees cover?
Merchants are responsible for the cost of the program.
Services provided by SecurityMetrics cover assistance with aspects of PCI Compliance. SecurityMetrics will help you create your security policies and procedures, will walk you through the Self Assessment Questionnaire, and will perform quarterly scans on all your IP addresses. They will perform additional, unlimited scans at no cost and will act as the merchant's consultant for all PCI security aspects. Once a merchant is validated as PCI Compliant, the merchant can place a PCI Certification Certificate on their website informing customers of their security compliance! SecurityMetrics will provide all merchants who use its validation process with a Certification letter enabling Safe Harbor (freedom from potential fines if breached, as long as the merchant remains compliant). See Safe Harbor below.
What the fees do not cover
SecurityMetrics will perform security scans for all IP addresses. If an IP address does not pass the security scan, SecurityMetrics will not fix the failing system itself but will provide the necessary information to the merchant so that their IT technician can correct the situation.
The fee does not cover the cost of annual on-site in depth security audits required of Level 1 merchants or merchants who have been compromised.
What must be checked to safeguard your business?
The scope of compliance certification is focused on any system(s) or system component(s) where cardholder data is processed, stored, or transmitted. The PCI certification includes but is not limited to:
What can you do to ensure an easy PCI Certification?
Cardholder data security is not an individual problem; it is a problem that affects every business owner. As such, UMS Banking embraces the initiatives that the industry has implemented on data security. PCI Certification combines card association programs such as MasterCard Site Data Protection (SDP) and Visa’s Cardholder Information Security Program (CISP), together with the corresponding programs of American Express, Discover, and Japan Credit Bureau (JCB).
As business owners, there are a number of simple steps we can take to better protect our customers’ data, better known as cardholder data. The following 9 steps can help your business take the necessary security precautions in order to protect cardholder data.
1. Do not store the full contents of any magnetic stripe data.
2. Do not store the card validation / verification code (the 3-digit code printed on the signature panel of most cards; on American Express this is a 4-digit code printed on the front of the card).
3. Truncate or mask credit card numbers that you choose to store and/or print. Many states now require this procedure by state law (for example, California and New York).
4. Store all cardholder data in a secure environment with controlled access by personnel.
5. Purge all transaction history on a regular basis from your in-house systems so that it can never be read or retrieved by unauthorized personnel. If your business utilizes a point of sale terminal, simply “batching out” or settling on a daily basis will accomplish this.
6. Permanently destroy all paper copies of cardholder data after the two-year storage period expires (Example: by a professional paper shredding company).
7. Notify UMS Banking if your business plans on systematically accepting, storing, or transmitting cardholder data.
8. Notify UMS Banking immediately if your business is compromised.
9. Comply with all industry security protocols like SDP and CISP.
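Steps 1 to 3 above are the ones a merchant can check mechanically in its own systems. The following Python script is an added example written for this page; it is not UMS Banking or SecurityMetrics code, and the record field names (pan, cvv, track2) and the sample record are constructed assumptions about how a point-of-sale or order system might label stored data. It audits a stored transaction record for magnetic stripe track data, a stored verification code, and a full, unmasked card number, and then produces the storable form of the record: prohibited fields dropped and the card number masked to the first six and last four digits, the most that PCI DSS permits to be shown.

```python
import re

# Field names treated as sensitive authentication data that must never be stored
# after authorization (steps 1 and 2). The names are a constructed assumption about
# how a merchant system labels its records; adapt them to the real schema.
PROHIBITED_FIELDS = {"track1", "track2", "magstripe", "cvv", "cvc", "cvv2", "cid", "pin", "pin_block"}

PAN_DIGITS_RE = re.compile(r"\d{13,19}")      # candidate card-number runs
TRACK1_RE = re.compile(r"%B\d{13,19}\^")      # track 1 begins with %B<PAN>^
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")  # track 2 is <PAN>=<YYMM>...


def luhn_valid(digits: str) -> bool:
    """Luhn check, so that other 13-19 digit runs (order ids, timestamps) are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Step 3: keep at most the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(value: str) -> str:
    """Mask every Luhn-valid card number in a text field; other digit runs are left alone."""
    compact = re.sub(r"[ -]", "", value)   # tolerate '4111 1111 ...' and '4111-1111-...'
    return PAN_DIGITS_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), compact)


def contains_unmasked_pan(value: str) -> bool:
    compact = re.sub(r"[ -]", "", value)
    return any(luhn_valid(m.group()) for m in PAN_DIGITS_RE.finditer(compact))


def audit_record(record: dict) -> list:
    """Return one finding per violation of steps 1-3 found in a stored record."""
    findings = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS and value not in (None, ""):
            findings.append(f"{key}: prohibited sensitive authentication data stored")
        if not isinstance(value, str):
            continue
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"{key}: magnetic stripe track data present")
        if contains_unmasked_pan(value):
            findings.append(f"{key}: full, unmasked PAN present")
    return findings


def sanitize_record(record: dict) -> dict:
    """Produce the storable form: drop prohibited fields, mask any card number that remains."""
    clean = {}
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            continue
        clean[key] = redact_pans(value) if isinstance(value, str) else value
    return clean


# Constructed sample record. 4111 1111 1111 1111 is the widely used Visa test number,
# and the track 2 string is made up to match the track 2 layout; neither is real card data.
SAMPLE_RECORD = {
    "order_id": "1001",
    "amount": 19.99,
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "track2": ";4111111111111111=25121011234567890?",
}

if __name__ == "__main__":
    for finding in audit_record(SAMPLE_RECORD):
        print("FINDING:", finding)
    print("storable record:", sanitize_record(SAMPLE_RECORD))
```

Running the audit over the sample record reports the stored CVV, the track 2 data and the unmasked card number; after sanitize_record the audit returns nothing, because the only card-related value left is the masked number. The same audit can be pointed at exported database rows or log lines to find cardholder data that has crept into places it should never be stored (step 5), before a scan or an assessor does.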
What happens if I don’t complete the certification process?
Merchants and Service Providers who do not undergo the PCI certification process face possible penalties and fines. The major card associations are not playing around. Compliance is mandatory and non-compliance is severely treated, especially when cardholder data is compromised. For example:
1) Even a small retail merchant who has six (6) cardholder numbers stolen from their business can face penalties up to $36,000.
2) A mid-level merchant or service provider who has compromised the cardholder information of 40 million cardholders can be fined up to $11 million. In addition to these charges, restitution to the Issuers for re-issuing cards to the cardholders can be applied.
3) Any merchant who has a laptop stolen that contains cardholder / customer information can be fined up to $110,000.
What is Safe Harbor and why is it beneficial to my business?
Safe Harbor is the outcome of the PCI certification process and provides members with protection from fines and compliance exposure in the event of a data compromise. To attain Safe Harbor status: