Archive for the ‘PCI Compliance’ Category

This is a great video that explains PCI Compliance. VMS-Washington encourages all business owners to learn more about credit card processing so they can save money on their processing, learn better ways to process payments, and know right from wrong when talking to a potential credit card processor.

If you’re interested or want more information about interchange and better rates from an “A Rated” company, contact us. VMS-Washington is giving businesses the Summer Deal of the Year. For a limited time we are offering rock-bottom rates for new and existing businesses. The questions we always ask business owners are:

  • Have you checked out your current or potential merchant service company on the BBB?
  • Does your current provider or potential provider promote your business?
  • Does your current provider or potential provider send referrals your way?
  • Are you getting the best rates in town?
  • Has your current or potential merchant told you about the Durbin Amendment?

Wouldn’t you want an A-rated company that will promote your business through its social media and monthly newsletters? For more information, contact us.

Thank you,

800.531.8575 ext.697

Is PCI Compliance a Toothless Tiger?
The massive data breach announced in January by Heartland Payment Systems continues to raise significant questions regarding the state of security in the payment industry. As many as 100 million credit and debit cards have been compromised, impacting unknown millions of consumers, 175,000 merchants and 600 institutions. One of the most pressing questions of the day is the relevance of the Payment Card Industry Data Security Standard (PCI DSS), an industry-driven standard meant to ensure the safe handling of sensitive information.
Leading up to the breach, Heartland listed on its own website that it had been certified as PCI-compliant last April. “Obviously, Heartland was not in compliance at the time of the breach,” explained Steven Bearak, CEO of Identity Force. “This lapse in compliance is not just troubling; it causes many to wonder if the PCI standard is in fact a toothless tiger.”
Heartland is still in operation. Visa, while taking Heartland off of its “compliant” list, continues to accept transactions processed by the company. And a top analyst at Gartner Research just this week is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. (another breached processor) not to switch to other payment processors.
Heartland has even gone so far as to threaten to sue companies that try to take its business away by raising questions about the effectiveness of its security systems.
What is clear is that millions of people and merchants have been put at risk, and little is being done voluntarily to mitigate the damage. What good is PCI compliance if there are no penalties for the major institutions that claim compliance and are not compliant?
Security is only as strong as the weakest link. PCI compliance certification is not a guarantee against breaches. Organizations should prepare accordingly.
PCI compliance requires that any business that processes transactions or stores credit card or cardholder data MUST be compliant with the PCI DSS (Payment Card Industry Data Security Standard). If you handle or accept credit card payments, then this means you too. Non-compliance is not an option, and the fines and consequences are hefty.
Attacks on credit card data, personal information and other private data are a big part of “white-collar crime”. The anonymity the internet gives an attacker makes the problem larger and the threat bigger, because attacks can be launched from anywhere in the world, even from within your own organization. Business size and type have little to do with the likelihood of a data breach or attack these days, since for many attackers “any data will do”, no matter the size of the organization or business.

Plain and simple, PCI is not optional, and compliance should be treated as a key business policy. The PCI security requirements have been put in place to secure cardholder data, and everyone who handles it must become compliant. Non-compliance brings fines and penalties from the payment card industry and providers. Fines can include the following:
  • Fines of $500,000 per data security incident
  • Fines of $50,000 per day for non-compliance with published standards
  • Liability for all fraud losses incurred from compromised account numbers
  • Liability for the cost of re-issuing cards associated with the compromise
  • Suspension of merchant accounts

Frequently Asked Questions
Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.
Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.

What is PCI?

“PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”

How does PCI compliance affect my ecommerce business?

“If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”
“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”

Where can I learn more about PCI?

“The PCI Security Standards Council is the authoritative source for information. You can find their website at You can also look to the card brands themselves for additional information.”

My annual sales are very small. Do I still have to comply with PCI?

“Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”

How do I know if my ecommerce business is PCI compliant?

“Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.”
“If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.”
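One check a merchant can run before answering the scoping question above, as an added example that is not part of the FAQ or nCircle’s material: scan application logs, database exports or support tickets for strings that look like card numbers and pass the Luhn check digit test. If card numbers turn up in places like these, the business does store card data, whatever the intended payment flow was, and those systems are in scope. The three log lines are constructed for illustration and use the publicly known Visa and Mastercard test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444; the function and variable names are assumptions of this example.

```python
"""Scan text for primary account numbers (PANs) before answering the
PCI scoping question "do you store credit card data?".

Added example; not part of the original FAQ. Names below are assumptions
of this example, and SAMPLE_LOG is constructed for illustration.
"""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# and not adjacent to other digits (so a longer serial number is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test.

    Card brands issue PANs that satisfy Luhn, so the test separates real
    card numbers from order IDs and timestamps that merely have the length.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digits-only PANs found in text, in order of appearance."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits, the most that PCI DSS
    permits to be displayed without a business need for the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_stored_card_data(text: str) -> list:
    """Report masked PANs found in text; a non-empty result means the system
    holding this text stores card data and is in scope for PCI DSS."""
    return [mask_pan(pan) for pan in find_pans(text)]


# Constructed sample: an application log that should never contain PANs.
# Lines 1-2 use the well-known Visa and Mastercard test numbers; line 3 has
# a 16-digit reference that fails Luhn and a phone number that is too short.
SAMPLE_LOG = """\
2009-01-20 order=10042 card=4111-1111-1111-1111 amount=59.99
2009-01-20 order=10043 card=5555555555554444 amount=12.50
2009-01-20 ref=1234567890123456 phone=800-531-8575 status=ok
"""

if __name__ == "__main__":
    hits = scan_for_stored_card_data(SAMPLE_LOG)
    if hits:
        print("card data found in log (in scope):", ", ".join(hits))
    else:
        print("no card data found")
```

Running the script against the sample reports the two real test numbers, masked, and ignores the reference number and the phone number. The same scan pointed at a production log directory or a database dump answers the scoping question with evidence rather than with an assumption about how the checkout is wired.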

What happens if my business is not PCI compliant?

“If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.”

If my business is PCI compliant, does it reduce my insurance liability?

“Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.”

Will PCI compliance reduce my business’s merchant account fees?

“This isn’t generally the case. In fact, it can increase the cost. Merchant account providers have to demonstrate their own PCI compliance, and they can and have passed that cost onto their customers.”

Where can I find a list of shopping carts and hosts that are PCI compliant?

“Unfortunately, there is no single list of compliant shopping carts, hosts or other providers. However, because PCI compliance is a basic requirement for accepting credit card payments, all of the most common hosted shopping carts are PCI compliant. Choose the shopping cart that has the features and functions you need, then validate that their service is PCI compliant.”

What Is PCI Compliance?

Simply put, PCI compliance means that as a business you are properly and securely managing your customers’ credit card information, sensitive data, credit card transactions and your business environment.
The goal of PCI is to ensure that people who want to conduct business with merchants using their credit cards can do so with confidence and trust, because they know that the merchant is compliant with the Payment Card Industry (PCI) standards. By doing so, both the consumer and the merchant can continue using recognized payment brand credit cards (Visa, MC, Amex, Discover) as the safest, simplest and most trusted means of payment exchange.

PCI compliance is outlined by the Payment Card Industry (PCI) Council, and the standards for compliance are established by them as well. The primary role of the PCI Council is to advise businesses about what the credit card companies, or payment brands, expect from merchants that transact day-to-day business with their customers using credit cards as a means of payment. As a result, the PCI Council has established a set of credit card payment and security standards to help businesses minimize data breaches and credit card security problems and to provide assurance to their financial service providers that they are PCI compliant as a business.

For most small and mid-size merchants, complying with the PCI Council standards requires the completion of a Self-Assessment Questionnaire (SAQ); higher-volume merchants face additional validation, up to an onsite assessment. The SAQ contains questions that require a business owner to know how their business operates, handles IT connectivity, completes credit card transactions and stores critical information. Completing the SAQ can be a daunting task for business owners or managers who are not information security professionals. The critical issue in completing the SAQ is the accuracy of the answers: an SAQ answered from assumptions rather than from a check of how card data actually flows is a compliance claim the business cannot back up after a breach. Getting professional security consultant assistance with the SAQ can be very costly for a small business.
As a result, Panoptic Security has developed an online application that provides the expert direction and help needed to guide a small business owner or manager through the PCI SAQ.

Panoptic Security
Panoptic Security and our online PCI compliance solution, ExpertPCI™, help businesses assess whether or not they are PCI compliant and advise them on what to do to become PCI compliant. We can provide support for businesses of all sizes and types, but our online web application was designed by our PCI security experts to make the PCI compliance process easier specifically for small to mid-size business owners.

Our solutions make PCI assessment and compliance more understandable and affordable for any business owner or manager that has been advised by their merchant services provider, bank or credit card company that they need to become PCI compliant. PCI compliance is required for any and all businesses that do credit card transactions with their customers.

Becoming PCI compliant not only assures your merchant services provider, bank and credit card company that your credit card transactions are handled within PCI standards, it also assures your customers that you can provide them with a safe and reliable way to do business with you.
For the ISOs, acquiring banks and processors that work with merchants, PCI compliance is required for your merchants that do credit card transactions. The level and scope of PCI compliance needed for each merchant is what we help you and your merchants assess. We do so in a way that can be managed directly by you or by us.

Thank you all in advance,
Michael Roberts
National Sales Director for Valued Merchant Services
Phone: 800-531-8575 ext.697