Payment Card Industry (PCI) Data Security Standard (DSS)




We wrote this guide to help our merchants process online payments in a way that will ensure compliance with Visa and MasterCard regulations, which, in turn, translates into lower levels of chargebacks and downgrades and, eventually, into lower processing costs. We divided it in 10 parts for easier digestion and following is the first one, which covers our best practices suggestions for the information online merchants should make available for their customers.

Payment Card Industry (PCI) Data Security Standard (DSS)

3.1 What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

In 2006 all major credit card companies joined forces to create the Payment Card Industry (PCI) Data Security Standard (DSS). It is the first unified data security standard that Visa, MasterCard, American Express, Discover and JCB released to address the growing problem of data security compromises in the payment card industry. Prior to its release, the credit card companies used proprietary tools to fight unauthorized data management. The best known among them are Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP).

3.2 Who must comply with the PCI DSS?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. All merchants must comply with this standard and periodically review their compliance. Failing to do so can result in significant fines and, potentially, in cancellation of their merchant accounts.

3.3 What data can you store?

The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and if each data element must be protected.
This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

| | Data Element | Storage Permitted | Protection Required |
|---|---|---|---|
| Cardholder data | Primary account number (PAN) | Yes | Yes |
| | Cardholder name* | Yes | Yes |
| | Service code* | Yes | Yes |
| | Expiration date* | Yes | Yes |
| Sensitive authentication data** | Full magnetic stripe | No | n/a |
| | CVC2/CVV2/CID | No | n/a |
| | PIN / PIN block | No | n/a |

* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of these data or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

3.4 PCI DSS requirements.

The following requirements comprise the PCI DSS requirements.

3.4.1 Install and maintain a firewall configuration to protect cardholder data.

All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

3.4.2 Do not use vendor-supplied defaults for system passwords and other security parameters.

Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems.
These passwords and settings are well known in hacker communities and easily determined via public information.

3.4.3 Protect stored cardholder data.

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed and not sending PAN in unencrypted e-mails.

3.4.4 Encrypt transmission of cardholder data across open, public networks.

Sensitive information must be encrypted during transmission over networks where it is easy and common for a hacker to intercept, modify, and divert data while in transit.

3.4.5 Use and regularly update anti-virus software or programs.

Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

3.4.6 Develop and maintain secure systems and applications.

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations.
For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

3.4.7 Restrict access to cardholder data by business need-to-know.

This requirement ensures critical data can only be accessed by authorized personnel.

3.4.8 Assign a unique ID to each person with computer access.

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

3.4.9 Restrict physical access to cardholder data.

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

3.4.10 Track and monitor all access to network resources and cardholder data.

Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

3.4.11 Regularly test security systems and processes.

Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.

3.4.12 Maintain a policy that addresses information security for employees and contractors.

A strong security policy sets the security tone for the whole company and informs employees what is expected of them.
All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

3.5 Merchant level definitions for PCI certification.

| Merchant Level | Definition |
|---|---|
| Level 1 | Level 1 are merchants processing over 6 million Visa or MasterCard transactions per year. |
| Level 2 | Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year. |
| Level 3 | Level 3 are merchants processing from 20,000 to 150,000 Visa or MasterCard transactions per year. |
| Level 4 | Level 4 are all merchants not included in Levels 1, 2 or 3. |

3.6 PCI certification requirements by merchant level.

| Merchant Level | Annual On-Site Review | Annual Self-Assessment | Quarterly Security Scans |
|---|---|---|---|
| Level 1 | Required by a certified 3rd party | n/a | Required by a certified 3rd party for external IP addresses.* |
| Level 2 | n/a | Required to complete questionnaire.** | Required by a certified 3rd party for external IP addresses.* |
| Level 3 | n/a | Required to complete questionnaire.** | Required by a certified 3rd party for external IP addresses.* |
| Level 4 | n/a | Recommended Annually. | Recommended Annually. |

* Internet accessible.

** PCI self-assessment questionnaire.

You can access the latest version of the Payment Card Industry’s Data Security Standard here: http://unibulmerchantservices.com
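
The following Python example is added here and is not part of the original guide. It applies the section 3.3 storage table and the 3.4.3 truncation advice to a payment record before it is persisted, and redacts Luhn-valid PANs from free text such as logs or e-mail bodies; the field names, the last-four truncation format and the sample data are assumptions.

```python
import re

# Sensitive authentication data from the section 3.3 table: never stored after
# authorization, even encrypted. Field names are assumptions for this example.
PROHIBITED_AFTER_AUTH = {"track_data", "cvv2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell likely PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits (assumed truncation format)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Drop prohibited elements and truncate the PAN before persisting."""
    stored = {k: v for k, v in record.items() if k not in PROHIBITED_AFTER_AUTH}
    if "pan" in stored:
        stored["pan"] = truncate_pan(stored["pan"])
    return stored


def redact_pans(text: str) -> str:
    """Truncate Luhn-valid PANs in free text; leave other digit runs alone."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group())
        return truncate_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample data; 4111111111111111 is a widely used test card number.
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
          "expiration_date": "12/30", "cvv2": "123",
          "track_data": "<constructed track data>"}
SAMPLE_LOG = "order 1234567890123456 paid with card 4111-1111-1111-1111"

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE))
    print(redact_pans(SAMPLE_LOG))
```

The order number in the sample log fails the Luhn check and is left untouched, which keeps the redaction from mangling ordinary identifiers.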
