Payment Application Best Practices from Visa

Monday, March 31, 2008
High profile breaches of cardholder data have garnered a lot of attention in the media.  Most of us have read or heard about the 40 million cards that were compromised at CardSystems, or the 100 million cards compromised at TJX.  As a result of these breaches, the payment industry developed the Payment Card Industry (PCI) Data Security Standard (DSS).  However, complying with the PCI DSS can be complicated and expensive, especially for smaller merchants.  Although we may not read about it in the press, breaches at smaller merchants occur every day because the payment hardware and software they use is not compliant with PCI DSS. 
In an effort to make compliance with the PCI DSS a little easier for merchants who use payment application software, Visa developed the Payment Application Best Practices (PABP).  The PABP applies to software applications that store, process, or transmit cardholder data as part of authorization or settlement.  It does not apply to software developed in-house by merchants since that would be covered under the merchant’s normal PCI DSS compliance. 

Software vendors are required to have their payment applications certified as PABP compliant by a Qualified Application Security Professional that is employed by a Qualified Payment Application Security Company.  Once compliant, Visa will include the software vendor and product version in a list of validated payment applications for one year.  Software vendors must re-validate their payment applications each year to remain on the list. 

The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment applications from the Visa system.  They require that members ensure that merchants do not use applications that retain prohibited data elements and use payment applications that adhere to Visa’s PABP.  If you are using a payment application from a software vendor that is not PABP compliant then you will not be able to comply with the PCI DSS.

As of January 1, 2008 new merchants are not allowed to establish a merchant account using a non-compliant payment application.  Existing merchants should check with their agent or ISO to make sure their payment application is on the list of PABP compliant applications.


How to Handle a Large Order

Thursday, December 20, 2007
When you have an order that varies significantly from your typical order size, special care needs to be taken to make sure the order is legitimate. Fraudsters typically place large orders with unsuspecting merchants, so you should be wary of shipping out merchandise until you have fully "vetted" the order.  For example, let's say your average ticket is about $200.00.  You just received an e-mail from your store showing that a customer has placed an order for $3,000.00 worth of merchandise, and the electronic payment gateway shows that the Address Verification Service (AVS) and Card Verification Value 2 (CVV2) checks were verified. But what now?  Do you ship out the merchandise to the customer and hope that they are legitimate?  Of course not!  The AVS and CVV2 verifications alone are simply not adequate to ensure that the customer is not using a stolen credit card.  Further vetting of the transaction is required.

Vetting the Transaction

Fraudsters will often ask that the merchandise be shipped to a different address than the one on the credit card, so a good place to start is to look at the Internet Protocol (IP) address of the consumer to see if it is close to the credit card billing address. Some merchants have a service built into their shopping cart software that checks this automatically; otherwise you can use a website like Geo IP Tool or IP 2 Location.  Unfortunately, this might not work for all consumers, especially dial-up users on America Online (AOL). For example, 172.192.48.225 is an AOL IP address, and most addresses in that range will report back as Reston, Virginia, United States. This does not help you as the merchant, especially if the billing and shipping addresses are in Colorado.

Contacting the Consumer

Fraudsters will typically not leave a valid phone number and will usually use a free email service such as Yahoo!® or Hotmail®. Don't hesitate to contact the customer on large orders. When calling them you should identify yourself and ask them to verify the order. Don't be afraid to also e-mail the customer and ask them to reply back to the e-mail to verify the order. You might also require the customer to sign a credit card authorization form and fax it to you.

Require a Signature on Delivery

When shipping out the order, ask the shipper to get a signature on delivery. You should also notify the customer that you will require a signature on delivery or else the merchandise will be returned.

Contact your Payment Processor

After you have vetted the transaction and documented your actions, contact your merchant account provider before your daily batch is uploaded. Most processors will place funds on hold if the order amount is significantly larger than the typical ticket size for your account. Tell them about the order and what you have done to verify it. Ask them if they need you to do anything else. When they tell you everything is OK, get the representative's name and / or employee ID number.
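The checks described in this post (order size against the average ticket, AVS/CVV2 results, ship-to versus billing address, IP location, free e-mail provider, missing phone number) can be collected into one vetting routine. The following is an added example written for this page, not code from the original post or from any of the services it names. GEO_TABLE is a constructed stand-in for a geolocation lookup, PROXY_POOLS marks ranges that report a provider hub rather than the customer (the AOL/Reston case above), and the `large_ratio` threshold is an assumed value; the example generalizes the post's single $3,000 scenario to any order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP service: prefix -> (city, state).
# The 172.192.0.0/16 entry mirrors the post's AOL example (172.192.48.225 -> Reston, VA);
# the other prefixes are documentation ranges with made-up locations.
GEO_TABLE = {
    "172.192.0.0/16": ("Reston", "VA"),
    "198.51.100.0/24": ("Denver", "CO"),
    "203.0.113.0/24": ("Miami", "FL"),
}

# Prefixes whose location reflects a provider's proxy hub rather than the customer.
# A hit here is treated as "no information", never as evidence for or against the order.
PROXY_POOLS = [ip_network("172.192.0.0/16")]

# Free e-mail providers named in the post.
FREE_EMAIL_DOMAINS = {"yahoo.com", "hotmail.com"}


@dataclass
class Order:
    amount: float
    avs_match: bool
    cvv2_match: bool
    billing_state: str
    shipping_state: str
    customer_ip: str
    email: str
    phone: str


def geolocate(ip: str):
    """Return ('inconclusive', None) for proxy pools, (city, state) on a hit, None if unknown."""
    addr = ip_address(ip)
    if any(addr in pool for pool in PROXY_POOLS):
        return ("inconclusive", None)
    for prefix, location in GEO_TABLE.items():
        if addr in ip_network(prefix):
            return location
    return None


def vet_order(order: Order, average_ticket: float, large_ratio: float = 5.0) -> dict:
    """Collect risk flags for an order and decide whether manual vetting is needed.

    large_ratio is an assumed threshold: an order at or above large_ratio times the
    average ticket counts as "significantly larger" and always gets manual review.
    """
    flags = []
    is_large = order.amount >= large_ratio * average_ticket
    if is_large:
        flags.append("amount_far_above_average")
    if not (order.avs_match and order.cvv2_match):
        flags.append("avs_or_cvv2_failed")
    if order.shipping_state != order.billing_state:
        flags.append("ship_to_differs_from_billing")

    location = geolocate(order.customer_ip)
    if location is None or location[0] == "inconclusive":
        flags.append("ip_location_inconclusive")
    elif location[1] != order.billing_state:
        flags.append("ip_state_differs_from_billing")

    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS:
        flags.append("free_email_provider")
    if not order.phone.strip():
        flags.append("no_phone_number")

    # A large order is always vetted by hand (call, e-mail, signed authorization form,
    # processor notified before the batch). A normal-sized order goes to review only on
    # the hard signals: an AVS/CVV2 failure or an IP location that contradicts billing.
    hard_signals = {"avs_or_cvv2_failed", "ip_state_differs_from_billing"}
    needs_review = is_large or bool(hard_signals & set(flags))
    return {
        "needs_manual_review": needs_review,
        "require_signature_on_delivery": needs_review or "ship_to_differs_from_billing" in flags,
        "flags": flags,
    }


if __name__ == "__main__":
    # The post's scenario: $3,000 order, $200 average ticket, AVS/CVV2 verified,
    # AOL address, free e-mail, no phone number.
    big = Order(3000.0, True, True, "CO", "CO", "172.192.48.225", "buyer@yahoo.com", "")
    print(vet_order(big, 200.0))
```

The inconclusive-location case is deliberately kept separate from a mismatch: a proxy hub address says nothing about the customer, so it should trigger the other checks rather than count as a match or a miss.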


PCI Compliancy is not Just About Scanning

Wednesday, August 22, 2007
There are core requirements of PCI DSS which we will go over. Let us assume, though, that your hosting company states that it is compliant. This does not make you, your shopping cart, or your e-commerce business PCI compliant. While it is an important part, there are other factors as well:

A few of these requirements will be provided to you by your web hosting company. The other requirements will be provided by your shopping cart system and by your policies that you create with the help of your attorney, like Jeffrey Cohen of Internet Litigators. You should seriously consider using the services of an attorney to help protect yourself and your company.

One useful website is LoudPCI.

Introduction to Data Security Requirements

Sunday, June 24, 2007
When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That's why Visa USA has instituted the Cardholder Information Security Program (CISP for short). Mandated since June 2001, CISP is intended to protect Visa cardholder data wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as the Payment Card Industry (PCI for short) Data Security Standard, the result of a cooperative effort between Visa and MasterCard to create common industry security requirements.
Effective September 7, 2006, the PCI Security Standards Council owns, maintains, and distributes the PCI Data Security Standard and all its supporting documents. Visa and MasterCard manage all PCI compliance enforcement and validation initiatives.

So, what are the general rules regarding protection of Cardholder data?
  1. You must destroy or purge all media containing obsolete transaction data with Cardholder information, and notify your processor immediately if any unauthorized person or entity obtains transaction data
  2. You can deliver the Cardholder copies of transactions in either paper or electronic format for Internet transactions
  3. You cannot transmit Cardholder account numbers to Cardholders for Internet transactions, nor store or retain Card Validation Codes, Magnetic Stripe data, PIN data, or AVS data
Remember, you may be audited to verify compliance with security procedures. Failure to comply can result in substantial fines. If you have any questions regarding this Podcast please contact Loud Commerce at 800-931-9835 or visit our website at www.loudcommerce.com.
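The three rules above translate directly into how a transaction record is handled after authorization: strip the elements that may never be retained, send the cardholder a copy that carries no full account number, and purge stored records once they are obsolete. The following is an added example written for this page, not Visa's, Loud Commerce's, or any processor's code. The field names, the last-four masking rule for the customer copy, and the 90-day retention window are assumptions; the sample transaction is constructed and uses a well-known test card number. The stored copy keeps the PAN, which the rules above do not prohibit; protecting it at rest is a separate PCI DSS requirement not shown here.

```python
from datetime import date, timedelta

# Elements the post says may never be stored or retained after authorization
# (card validation code, magnetic stripe tracks, PIN, AVS data). Field names are assumed.
PROHIBITED_AFTER_AUTH = ("cvv2", "track1", "track2", "pin_block", "avs_data")


def prepare_for_storage(txn: dict) -> dict:
    """Copy of an authorized transaction with every prohibited element removed."""
    return {k: v for k, v in txn.items() if k not in PROHIBITED_AFTER_AUTH}


def mask_pan(pan: str) -> str:
    """Show only the last four digits (assumed masking rule for customer copies)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def cardholder_copy(txn: dict) -> dict:
    """Receipt sent to the cardholder: never carries the full account number."""
    return {
        "order_id": txn["order_id"],
        "date": txn["date"].isoformat(),
        "amount": txn["amount"],
        "card": mask_pan(txn["pan"]),
    }


def purge_obsolete(records: list, today: date, retention_days: int) -> tuple:
    """Split stored records into (kept, purged) by an assumed retention window."""
    cutoff = today - timedelta(days=retention_days)
    kept = [r for r in records if r["date"] >= cutoff]
    purged = [r for r in records if r["date"] < cutoff]
    return kept, purged


# Constructed sample authorization response. The PAN is a well-known test number;
# the track, PIN block and CVV2 values are made up for the example.
SAMPLE_TXN = {
    "order_id": "A-1001",
    "date": date(2007, 6, 1),
    "amount": "59.95",
    "pan": "4111111111111111",
    "cvv2": "123",
    "track2": "4111111111111111=0912101000000000",
    "pin_block": "0F0E0D0C0B0A0908",
    "avs_data": "Y",
}

if __name__ == "__main__":
    stored = prepare_for_storage(SAMPLE_TXN)
    print("stored:", stored)
    print("to cardholder:", cardholder_copy(SAMPLE_TXN))
    older = dict(stored, order_id="A-0900", date=date(2007, 1, 15))
    kept, purged = purge_obsolete([stored, older], date(2007, 6, 24), 90)
    print("purge:", [r["order_id"] for r in purged])
```

Filtering by an explicit deny list of prohibited fields keeps the rule visible in one place; any new field an authorization response adds is retained unless it is added to that list, so the list should be reviewed whenever the gateway's response format changes.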