Payment Card Industry Compliance is complicated. We make it simple.
What is PCI DSS Compliance?
It stands for Payment Card Industry Data Security Standard: a set of comprehensive requirements for enhancing payment account data security, intended to facilitate the broad adoption of consistent data security measures on a global level.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Who Created It?
The PCI Security Standards Council includes every major card association: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
What Does It Require?
The PCI DSS compliance covers some of the most important, yet basic vulnerabilities in the industry, including API Abuse, Access Control, Authentication, Code Permissions, Code Quality, Cryptography, Error Handling, General Logic Error, Input Validation and Environmental Security in regard to systems. These can be traced back to the original 12 Requirements of Visa CISP:
1. Install and maintain a firewall to protect data.
2. Keep security patches up to date.
3. Protect stored data.
4. Encrypt data sent across networks.
5. Use and update antivirus software at all times.
6. Restrict access to “need to know.”
7. Assign unique IDs to all users.
8. Modify pre-set security settings of 3rd party vendor software.
9. Trace all access to data by unique IDs.
10. Regularly test your security systems and policies.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
The program ensures the annual validation of merchants and service providers on both the issuing and acquiring side of the business.
Why is this important to me?
In 2008 electronic crime surpassed all other organized crime combined (drugs, guns, theft). Not only is your customers’ data at stake, but so is your business’s reputation. If you don’t follow the standard, you may be shut down, fined, or held accountable for any of your customers’ card data being stolen and misused.
How do I ensure PCI Compliance?
We’ve already done most of the work. Here’s how:
- Third-party audits and ongoing scans by qualified assessors, including Security Metrics, TrustWave, Comodo and McAfee.
- 1024-Bit SSL. All of PaymentGear’s communications and processing occur through Secure Sockets Layer (SSL). To ensure an even higher level of security, we use 1024-bit SSL encryption with all of our transactions. Any toolkits linked for usage with the USA ePay gateway are also tested to make sure that security is set up properly. With the proper security layers set up between toolkits and the gateway, we can ensure that no information can be stolen and all information is securely transmitted.
- Identification Through Source Keys. Many older gateways use IDs and passwords to verify a user’s identity and facilitate communication between that user and the gateway, but the security of this method is easily compromised. So at PaymentGear, we developed the Key System for safe, secure identification and communication. Each merchant toolkit (such as a shopping cart) communicates with the gateway using a unique high-bit encrypted string called a Key. When information is sent to the gateway, the Key identifies not only the merchant, but also the specific toolkit from which the information originated. This allows merchants to feel secure in the knowledge that the toolkit source code does not contain sensitive information such as their username and password. It also provides the opportunity for merchants to use separate Keys for each individual toolkit. Merchants can also revoke a Key if they notice that it is being misused.
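The source-key model described above, as an added illustration that is not PaymentGear’s own code: a registry issues one random key per merchant/toolkit pair, resolves an incoming key to both the merchant and the toolkit, stores only a fingerprint of each key, and lets one toolkit’s key be revoked without affecting the merchant’s other keys. The class and function names (`KeyRegistry`, `handle_gateway_request`) are hypothetical.

```python
# Added example (not PaymentGear's code): a per-toolkit "source key" registry.
# Each key identifies a merchant AND the toolkit it was issued to, and can be
# revoked on its own. Only a SHA-256 fingerprint of each key is stored, so a
# leaked registry does not hand out usable keys. All names are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Source:
    merchant_id: str
    toolkit: str            # e.g. "shopping-cart" or "console"
    revoked: bool = False


@dataclass
class KeyRegistry:
    # fingerprint -> Source; the raw key is never kept server-side
    _sources: Dict[str, Source] = field(default_factory=dict)

    @staticmethod
    def _fingerprint(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue_key(self, merchant_id: str, toolkit: str) -> str:
        """Mint a fresh 256-bit random key bound to one merchant/toolkit pair."""
        key = secrets.token_urlsafe(32)
        self._sources[self._fingerprint(key)] = Source(merchant_id, toolkit)
        return key

    def identify(self, key: str) -> Optional[Source]:
        """Resolve an incoming key to its merchant and toolkit; None if unknown or revoked."""
        src = self._sources.get(self._fingerprint(key))
        if src is None or src.revoked:
            return None
        return src

    def revoke(self, key: str) -> bool:
        """Revoke one toolkit's key without touching the merchant's other keys."""
        src = self._sources.get(self._fingerprint(key))
        if src is None:
            return False
        src.revoked = True
        return True


def handle_gateway_request(registry: KeyRegistry, key: str, payload: dict) -> dict:
    """Gateway-side check: refuse the request before any processing if the key is not live."""
    src = registry.identify(key)
    if src is None:
        return {"status": "rejected", "reason": "unknown or revoked key"}
    return {
        "status": "accepted",
        "merchant": src.merchant_id,
        "toolkit": src.toolkit,
        "amount_cents": payload.get("amount_cents"),
    }
```

Because the toolkit only ever holds its own key, a compromised shopping cart exposes one key that can be revoked in isolation; the merchant’s console key and login credentials are never present in the cart’s source code.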
- Fraud Stopper. Fraud Stopper is built on a Module Stack Design. Each module controls a different aspect of security and merchants can choose which modules to include in the fraud control stack. Some examples of modules include: duplicate transaction control, block by country, block by IP address, and many more. The Module Stack Design provides the opportunity for merchants to add or change their fraud modules depending on their unique security needs. USA ePay is always adding new fraud modules to the Fraud Stopper to keep our merchants up to date with the latest fraud security. Fraud Stopper also allows merchants to apply different fraud settings to different Keys or Sources. For example, a merchant may wish to implement a high level of fraud control for an online shopping cart, but a lower level on the console for their own employees.
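The module stack design described above, as an added example that is not USA ePay’s or PaymentGear’s code: three small modules (duplicate transaction control, block by country, block by IP) share one interface, and a `FraudStopper` holds a separate stack per source, so a shopping cart can be screened with every module while the merchant’s console runs only duplicate control. The class names, the `Transaction` fields and the sample transactions are all constructed for the example.

```python
# Added example (not USA ePay / PaymentGear code): a composable fraud-module
# stack, configured separately per source (per Key), so a shopping cart can be
# screened more strictly than the merchant's own console. Names are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    source: str          # which Key/Source the request arrived on
    amount_cents: int
    card_last4: str
    ip: str
    country: str         # ISO 3166-1 alpha-2, e.g. "US"
    timestamp: int       # unix seconds


class FraudModule:
    """One module checks one aspect; returns a decline reason, or None to pass."""
    def check(self, txn: Transaction) -> Optional[str]:
        raise NotImplementedError


class BlockByCountry(FraudModule):
    def __init__(self, blocked: Set[str]):
        self.blocked = {c.upper() for c in blocked}

    def check(self, txn: Transaction) -> Optional[str]:
        return f"country {txn.country.upper()} blocked" if txn.country.upper() in self.blocked else None


class BlockByIP(FraudModule):
    def __init__(self, blocked: Set[str]):
        self.blocked = set(blocked)

    def check(self, txn: Transaction) -> Optional[str]:
        return f"ip {txn.ip} blocked" if txn.ip in self.blocked else None


class DuplicateTransactionControl(FraudModule):
    """Declines a repeat of the same card + amount on the same source within a time window."""
    def __init__(self, window_seconds: int = 60):
        self.window = window_seconds
        self._last_seen: Dict[Tuple[str, str, int], int] = {}

    def check(self, txn: Transaction) -> Optional[str]:
        fingerprint = (txn.source, txn.card_last4, txn.amount_cents)
        previous = self._last_seen.get(fingerprint)
        self._last_seen[fingerprint] = txn.timestamp
        if previous is not None and txn.timestamp - previous <= self.window:
            return "duplicate transaction"
        return None


class FraudStopper:
    """Holds one ordered module stack per source; modules can be added or swapped per source."""
    def __init__(self):
        self._stacks: Dict[str, List[FraudModule]] = {}

    def configure(self, source: str, modules: List[FraudModule]) -> None:
        self._stacks[source] = list(modules)

    def screen(self, txn: Transaction) -> List[str]:
        """Run every module in this source's stack; an empty list means approved.
        A source with no configured stack is not screened at all, so configure every source."""
        reasons = []
        for module in self._stacks.get(txn.source, []):
            reason = module.check(txn)
            if reason:
                reasons.append(reason)
        return reasons
```

Each stack owns its own module instances, so the duplicate-control state for the cart is independent of the console’s; every reason from every module is collected rather than stopping at the first, which gives the merchant a complete picture of why a transaction was declined.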
- Storing Credit Cards Securely. Payment Gear realizes that the theft of lists or databases in which credit card information is stored can have dire consequences for merchants and for their customers. With this in mind, Payment Gear has a revolutionary new way of storing credit card information, through Tokenization. In our Gateway System, each credit card number is stored individually, making it impossible to steal an entire list or database full of sensitive data. Credit card numbers can only be viewed on an individual basis by unlocking or decrypting each one. If a card number is needed, the requested number is decrypted and returned from the system, a process that takes only a few seconds.
Payment Gear’s non-database system provides the highest possible level of security for credit card data storage.
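The per-card tokenization described above, as an added illustration that is not PaymentGear’s gateway code: every card number is encrypted under its own random key and replaced by an opaque token, ciphertexts and per-card keys are kept in separate stores (the key store standing in for an HSM or key-management service), and a card is unlocked only one token at a time. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone; a production vault would use AES-GCM from a vetted library. The `CardVault` class, its method names and the test card number in the usage are all constructed for the example.

```python
# Added example (not PaymentGear's gateway code): a tokenization vault that
# encrypts every card number individually under its own random key and hands
# back an opaque token. Ciphertexts and per-card keys live in separate stores
# (the key store stands in for an HSM/KMS), so a copy of the ciphertext store
# alone reveals nothing, and each card must be unlocked one at a time.
# Cipher: HMAC-SHA256 keystream + encrypt-then-MAC tag, standard library only;
# production code would use AES-GCM from a vetted library. Names are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks, cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(card_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the per-card key."""
    enc = hmac.new(card_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(card_key, b"mac", hashlib.sha256).digest()
    return enc, mac


@dataclass
class CardVault:
    # token -> (nonce, ciphertext, tag): the "database" an attacker might copy
    _ciphertexts: Dict[str, Tuple[bytes, bytes, bytes]] = field(default_factory=dict)
    # token -> per-card key: stand-in for a separately protected HSM/KMS
    _card_keys: Dict[str, bytes] = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        """Store one card number under a fresh key; return a random token carrying no card data."""
        card_key = secrets.token_bytes(32)          # new key for every card
        nonce = secrets.token_bytes(16)
        enc_key, mac_key = _subkeys(card_key)
        plaintext = pan.encode("ascii")
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        token = "tok_" + secrets.token_hex(16)      # random; not derived from the PAN
        self._ciphertexts[token] = (nonce, ciphertext, tag)
        self._card_keys[token] = card_key
        return token

    def detokenize(self, token: str) -> str:
        """Unlock exactly one card: fetch its key, verify the tag, then decrypt."""
        if token not in self._ciphertexts:
            raise KeyError("unknown token")
        nonce, ciphertext, tag = self._ciphertexts[token]
        enc_key, mac_key = _subkeys(self._card_keys[token])
        expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("ciphertext tampered or wrong key")
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
        return plaintext.decode("ascii")

    def ciphertext_store_dump(self) -> Dict[str, Tuple[bytes, bytes, bytes]]:
        """What someone who copied only the ciphertext store would obtain."""
        return dict(self._ciphertexts)


if __name__ == "__main__":
    vault = CardVault()
    token = vault.tokenize("4111111111111111")   # constructed test card number
    print(token, vault.detokenize(token))
```

The merchant’s own systems keep only tokens; a dump of the ciphertext store yields random-looking bytes with no shared key to recover, and the tag check means a record altered in storage is refused rather than decrypted to a wrong card number.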
Take These Four Easy Steps to Ensure PCI Compliance.
1. Integrate our secure API or use a partner app on our platform.
2. Use our third-party certification software for free. This completes your annual SAQ and scan requirements.
   - Businesses that do over 6 million transactions must hire a Qualified Security Assessor. We will help you find the right one. Just email: security(at)paymentgear.com.
3. Put us to work. Make sure to work with your Account Manager to ensure everything is done correctly.
4. Receive Your Certification.