If your credit card processing terminal is out of regulatory compliance, you are putting your customers' information, and possibly your entire business, in jeopardy. Businesses that use noncompliant credit card processing equipment are at high risk of a data security breach. A data breach while out of compliance could result in:
- fines and penalties up to $500,000
- monthly noncompliance fees
- damage to your reputation
Even if you do not suffer a data breach, noncompliant credit card processing terminals can cause major headaches including:
- slower payment transactions
- longer downtimes
- loss of service
- inability to find replacement parts
Are you at risk for a data security breach?
Noncompliance can lead to disaster before you know it. The scale below shows how quickly matters can get even worse once you let your credit card processing equipment fall out of compliance.
Core terminals are fully updated, and receive Class A support from the manufacturer and your merchant services provider, including troubleshooting and technical support.
Non-Class A terminals are no longer in production and do not have manufacturer support. Replacement parts and inventory are increasingly difficult to find, and performance steadily degrades.
Non-compliant terminals no longer meet the standards for regulatory compliance. Merchants using non-compliant equipment are at risk for data security breaches and subsequent penalties up to $100,000.
Unsupported terminals are non-compliant and are not supported by the manufacturer or your merchant services provider. These terminals may be supported by a third-party service provider, but still put you at risk for breaches and penalties.
Obsolete terminals are outdated, non-compliant and wholly unsupported, making them ineligible for updates, modifications, troubleshooting or repairs. These terminals pose the highest risk for security breaches and subsequent fines. Continued use of these terminals may lead to the inability to accept credit cards and the potential failure of your business.
What devices need to be in compliance?
Any equipment that you use to process credit card payments must meet industry and government compliance requirements, particularly the Payment Card Industry Data Security Standard (PCI DSS). Following are the basics of compliance for credit card processing equipment.
The PCI DSS is explicit about what may be kept on payment equipment: sensitive authentication data (full magnetic-stripe track data, the card verification code and PINs or PIN blocks) must never be stored after authorization, and any card number (primary account number) that is retained must be rendered unreadable. The specific requirements are outlined in the PCI DSS (Requirement 3). Credit card processing equipment that does not adhere to these security standards is classified as non-compliant and puts your business at risk of fines and data security breaches.
The standard also sets truncation requirements for printed receipts: no more than the last four digits of the card number may be shown, and the expiration date must be obscured, on all copies of a receipt. Use of noncompliant equipment that cannot truncate receipts this way can lead to fines and limited processing capability.
Debit cards (often referred to as bank cards) and electronic benefits transfer (EBT) cards require the customer to enter a personal identification number (PIN) on a PIN pad or other PIN entry device (PED). PED compliance (the PCI PIN Transaction Security requirements) calls for rigorous security measures, such as triple DES encryption of the PIN, secure key management (fixed key, master/session or DUKPT schemes) and authenticated device software. Using a non-compliant PED could result in fines and the inability to process PIN-based cards.
Triple DES Encryption
Visa and MasterCard stipulate that all PEDs encrypt PIN data with the Triple Data Encryption Algorithm (triple DES, or TDEA), which runs the original DES cipher three times under two or three independent 56-bit keys. Single DES, with one 56-bit key, can be broken by brute force and is no longer accepted. Failure to use triple DES knocks your PED out of compliance and puts you at risk of the consequences listed above.
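The PIN encryption described above, as an added example in Go (not code from this page or from Atlas Payment Processing): it builds the ISO 9564-1 Format 0 PIN block that a PED forms before encryption, encrypts that block with triple DES from Go's standard library, refuses an 8-byte single-DES key, and shows the issuer-side decryption and PIN recovery for contrast. The PAN, PIN and key values are constructed for illustration, and the function names are this example's own. A real PED does all of this inside its secure hardware; a merchant system never sees the clear PIN or the key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values, not from the original page. A real PED keeps the
// key only inside its secure module; it is in clear here so the example runs.
const (
	samplePAN = "4000001234567899"
	samplePIN = "1234"
	sampleKey = "0123456789ABCDEFFEDCBA9876543210" // 16 bytes: K1 || K2 (2-key TDEA)
)

func isDigits(s string) bool { return strings.Trim(s, "0123456789") == "" }

// panField: "0000" + the 12 rightmost PAN digits, Luhn check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !isDigits(pan) {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// formatPINBlock builds an ISO 9564-1 Format 0 PIN block: PIN field ("0", PIN
// length, PIN digits, "F" padding) XOR PAN field, so one PIN differs per card.
func formatPINBlock(pin, pan string) ([]byte, error) {
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	if len(pin) < 4 || len(pin) > 12 || !isDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = pf[i] ^ pa[i]
	}
	return block, nil
}

// recoverPIN reverses formatPINBlock on a decrypted block. Only the issuer's
// HSM ever does this; a merchant system never handles a clear PIN.
func recoverPIN(block []byte, pan string) (string, error) {
	pa, err := panField(pan)
	if err != nil || len(block) != des.BlockSize {
		return "", errors.New("bad PAN or block length")
	}
	pf := make([]byte, des.BlockSize)
	for i := range pf {
		pf[i] = block[i] ^ pa[i]
	}
	n := int(pf[0] & 0x0F)
	if pf[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid ISO format 0 PIN block")
	}
	return strings.ToUpper(hex.EncodeToString(pf))[2 : 2+n], nil
}

// tdesPINBlock encrypts (or, with decrypt set, decrypts) one 8-byte PIN block
// under a 16-byte (K1,K2,K1) or 24-byte (K1,K2,K3) triple DES key. An 8-byte
// key would be single DES, which the brands no longer accept, so it is refused.
func tdesPINBlock(key, in []byte, decrypt bool) ([]byte, error) {
	switch len(key) {
	case 24:
	case 16:
		key = append(append([]byte{}, key...), key[:8]...)
	case 8:
		return nil, errors.New("8-byte key is single DES: non-compliant for PIN encryption")
	default:
		return nil, errors.New("triple DES key must be 16 or 24 bytes")
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(in) != des.BlockSize {
		return nil, errors.New("bad key or PIN block length")
	}
	out, op := make([]byte, des.BlockSize), c.Encrypt // one block, so no mode or IV
	if decrypt {
		op = c.Decrypt
	}
	op(out, in)
	return out, nil
}

func main() {
	key, _ := hex.DecodeString(sampleKey)
	clear, _ := formatPINBlock(samplePIN, samplePAN)
	enc, _ := tdesPINBlock(key, clear, false)
	dec, _ := tdesPINBlock(key, enc, true)
	pin, _ := recoverPIN(dec, samplePAN)
	fmt.Printf("clear %X -> 3DES %X -> PIN %s\n", clear, enc, pin) // clear block is 041234FEDCBA9876
}
```

Run it with `go run`. For the sample values the clear Format 0 block is 041234FEDCBA9876; the same PIN entered on a card with a different PAN produces a different clear block, and therefore different ciphertext, which is why the PAN field is XORed in before encryption. The key-length switch is the check a practitioner wants: a terminal configured with an 8-byte key is doing single DES, and the example refuses rather than silently downgrading.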
Out of compliance? We can help!
Through Atlas Payment Processing, you have access to leading edge credit card processing terminals that:
- accept all magnetic stripe cards
- deliver the fastest approvals
- support multiple applications (check imagers, PIN pads, contactless readers)
- offer more payment options
- include the revolutionary SureLoad printer
- are rated "most capable" Internet/dial terminal in the industry
- have fully updated security
- include an exclusive diagnostics application that:
  - troubleshoots multiple checkpoints
  - pinpoints where errors happen and how to fix them
Data Breach Protection
There is a war being waged in the digital world — a war for coveted credit card information. You have it, thieves want it and they will stop at nothing to take it.
Imagine an army of skilled hackers, each with their own diabolical database of tactical strategies to breach your network. Day and night they are on the attack, scouring your systems to find the one vulnerability that will allow them access to all of your most valuable information, from credit card numbers and expiration dates to customer names, addresses and social security numbers. Terrifying? Not if they work for you.
When you sign up for penetration testing through Compliance 101, you get an elite team of experts, all with the same skills, experience and knowledge as the most notorious hackers on the Internet. These tech wizards will engage in a number of simulated attacks on your systems, using the latest hacking techniques to find the weak spots that hackers are eager to exploit.
What is penetration testing?
Penetration testing is a powerful tool for preventing intrusion into your networks and systems. Using a strategy known as “ethical” (or “white hat”) hacking, penetration testing identifies vulnerabilities in your data security and the extent to which these vulnerabilities can be exploited by hackers.
Tests are run on the software and devices within your system to inspect web applications and databases, and to look for signs of existing compromise, such as adware and spyware. Tests are also performed on the data security measures themselves, including firewalls and intrusion detection systems.
Using an effective combination of automated tools and manual techniques, penetration testing probes for specific weaknesses, such as technical flaws, that make your systems vulnerable. When the penetration testing is complete, you will receive a risk assessment and a detailed outline of the steps you need to take to eliminate vulnerabilities and vastly improve data security.
Why do I need penetration testing?
If the thought of hackers storming the walls of your virtual fortress leaves you unfazed, there are other reasons to conduct penetration testing.
PCI DSS Requirement 11
Requirement 11 of the Payment Card Industry Data Security Standard (PCI DSS) states:
“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
Requirement 11.3 more specifically designates that any business that accepts credit cards must:
“Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”
Penalties and fines
The penalties for a security breach while out of compliance can range from a slap on the wrist to substantial fees. The card brands can fine acquiring banks and credit card processors up to $500,000 for regulatory compliance violations, and these costs are inevitably passed on to you, the merchant. In addition, it’s likely that you’ll see an increase in transaction fees.
Long term damage
Penalties can put a significant dent in the company coffers, but they are nothing compared to the damage a data security breach can do to your business. If your security is compromised while out of compliance, you run the risk of losing your merchant account, which means you will be unable to accept credit cards.
While that is detrimental in itself, merchants who lose their accounts are placed in the Visa/MasterCard Terminated Merchant File (TMF, also known as the MATCH list) and are ineligible for another merchant account for several years. The results are devastating, irredeemably destroying your credibility, customer loyalty and, ultimately, your entire business.
©2017 Atlas Payment Processing. All Rights Reserved.
Atlas Payment Processing is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA