PCI Testing

Penetration Testing for the Business

The first question to ask is whether penetration testing is mandatory at all. PCI testing is a crucial process if your business is to remain safe. A great deal of unguided speculation circulates in the media because of misinformation, and traders who rely on untested claims expose themselves to possible fines for non-compliance. Any business owner should begin by evaluating his or her own PCI compliance; working with experts in the PCI field will make that validation more effective.

Frequently asked questions

In the course of our work explaining PCI, we encounter many questions. We strive to give well-informed answers for the benefit of our clients.

Question: In version 3.0, the regulations state that I should apply penetration testing. While doing the test in version 2.0, I did not find any restrictions based on future improvements. Besides, is it a MUST to have version 3.0 testing?

Answer: Penetration testing under version 3.0 is a requirement of the PCI DSS. Although testing is not new compared to version 2.0, there have been some improvements. The council decided to restructure the guideline after recognizing the importance of heightening cardholder security. It is therefore a must for any trader to conduct the PCI test under version 3.0.

Key Changes in Penetration PCI

The following points show the critical changes to PCI penetration testing:

  • The methodology adopted for PCI penetration testing should be an industry-accepted one.
  • Testing should cover both applications and networks to identify vulnerabilities.
  • The trader should perform penetration testing on both internal and external networks at least annually. Furthermore, the business should conduct penetration testing after a change to the network infrastructure or on request.
  • Any problem identified during testing should be corrected and retested to ensure it has been cleared.

Additionally, the following posts will guide you in understanding the penetration testing process:

https://www.pcicomplianceguide.org/the-top-5-questions-to-ask-a-prospective-penetration-tester/

https://www.pcicomplianceguide.org/dont-be-fooled-theres-no-such-thing-as-an-automated-penetration-test/

The PCI Security Standards Council has provided a penetration testing guidance document. Use the link provided to access it:

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

Accessing Credit Card Data by Phone

Is taking credit cards by phone PCI compliant?

E-commerce has proliferated and gained wide acceptance. Organizations are embracing phone payments and thereby increasing efficiency; most importantly, they are able to maximize their market performance. Whether to take credit cards by phone is a question that has troubled many traders, because they fear fraudsters. The process has to be conducted in a PCI-compliant manner.

How to accept credit card information by phone

Many business owners have raised concerns about the accessibility of credit card data. Taking credit card information by phone while remaining PCI compliant can be a challenge, and questions about the authenticity and security of the data top the list of concerns. At the same time, it is worth asking whether phones should be used to collect credit card information at all: since a person is involved, the validity of the process can be questioned. The good news is that you can take credit cards by phone and remain PCI compliant!

How taking the credit card via the phone works

Learn how you can take credit cards by phone by visiting our official site: www.pcicompliance.com.

Improving the Knowledge of PCI

It is essential to go through the document available from the PCI Security Standards Council. The information it contains explains the methods for protecting telephone-based card data.

How do you heighten the security of card data?

The PCI compliance guidelines help you answer these pressing questions. You can access the services through the links provided below.

http://www.pcicompliance.com

https://www.pcisecuritystandards.org/

https://www.pcicomplianceguide.org

To enhance the security of your business and clients, make an appointment with the experts using the contacts provided on the site.

Don’t forget to subscribe to this blog for more tips and educative announcements.

PAN Storage and the PCI DSS

The Tricks of Storing PAN Data

PAN is an acronym whose meaning most people do not know. It stands for Primary Account Number, and it is necessary to protect and safeguard this information. The PCI DSS obliges you to conceal this data so that customers' personal information is not exposed. Storing PAN increases the risk to your business; if you have no business reason to store it, do not.

If you have to store PAN data, then you have to comply with PCI DSS requirement 3.4. These are policies laid down to safeguard both the business and its clients. The PAN has to be stored in a way that renders the card data unreadable, using one of the following methods:

  • One-way hashes based on strong cryptography
  • Truncation
  • Index tokens and pads
  • Strong cryptography with associated key-management processes and procedures

The following paragraphs illustrate examples of hashing in action.

Card-not-present transaction with card-present verification at time of pick-up: If you book a rail ticket online, you are required to produce the actual card when collecting the ticket. This is for verification, to ensure you are the person who made the booking. The kiosk attendant might ask you to insert the card. To avoid storing PAN data, the rail operator can choose to store only hashed data.

Recurring payment transactions: Another illustration is a fraud management system that stores only hash values of PAN data. By storing only hash values of PAN data within the fraud management system, you do not expose real PAN data, even to fraud analysts.
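As an added example (not code from the original post), the two requirement 3.4 methods discussed above, truncation and a one-way hash, applied to the ticket pick-up scenario: the booking system keeps only a keyed hash of the PAN and, at the kiosk, recomputes the hash of the inserted card to verify the match. The key value and the test PAN are constructed for illustration.

```python
import hashlib
import hmac

# Constructed example key. In a real deployment the key is generated and held in
# a key-management system or HSM (PCI DSS requirements 3.5 and 3.6), never
# hard-coded next to the data it protects.
HASH_KEY = b"constructed-example-key-do-not-use-in-production"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check the PAN length range (13 to 19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way keyed hash (HMAC-SHA256) over the entire PAN.

    A keyed hash is used because the PAN space is small enough that an unkeyed
    digest could be enumerated; the hash also covers the whole PAN, not only the
    digits hidden by truncation.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def verify_pan_at_pickup(stored_hash: str, presented_pan: str,
                         key: bytes = HASH_KEY) -> bool:
    """Card-present verification at the kiosk: recompute the hash of the inserted
    card and compare in constant time. The real PAN is never stored."""
    return hmac.compare_digest(stored_hash, hash_pan(presented_pan, key))


if __name__ == "__main__":
    # Constructed test PAN (a well-known test number, not a real card).
    booking = {"hashed_pan": hash_pan("4111 1111 1111 1111")}
    print(truncate_pan("4111 1111 1111 1111"))                       # 411111******1111
    print(verify_pan_at_pickup(booking["hashed_pan"], "4111111111111111"))  # True
    print(verify_pan_at_pickup(booking["hashed_pan"], "4111111111111112"))  # False
```

Requirement 3.4 also notes that hashed and truncated versions of the same PAN must not be kept together without additional controls, since the pair makes the original easier to reconstruct; keep one form per record.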

How storage of PAN influences the scope of compliance

The only way to save yourself from PCI DSS compliance complications is to avoid storing PAN data. Storing it requires a great deal of validation to demonstrate that you have really adhered to the prescribed procedures.

Aligning your business requirements with a reduced PCI scope

Securing stored PAN data is a sophisticated undertaking. However, if your business has a genuine need to store it, it is worth getting right.

PCI Compliance

Merchants and Providers PCI Compliance

There has been tremendous growth in the number of organizations that accept credit cards. As technology changes rapidly, payment methods are evolving too. The desire to increase sales, and hence revenue, has attracted many businesses to the era of cashless payments. Although the convenience of credit cards is far greater than that of cash, the risks have increased as well. Cases of fraud involving credit cards and other online payment methods have made media headlines, signalling the seriousness of the matter.

Merchants often have no clear understanding of their role in preventing the risks associated with payments. They know they are sellers but have little knowledge of their responsibilities in the payment chain. This lack of awareness further exposes them to the consequences of fraud. They should understand their responsibilities well in order to reduce such cases.

Do You Classify Yourself as a Merchant?

The PCI Security Standards Council (SSC) has provided a definition of a merchant, to eliminate confusion and help the respective parties understand their roles. A merchant is defined as an entity that accepts transactions using cards bearing the logo of any PCI SSC member. Some of those members are American Express, Discover, JCB, MasterCard and Visa. More information about the members is available at www.pcisecuritystandards.org

Merchants should therefore adhere to the standards set out by the council. One of the major issues every trader must be aware of is their service providers. Additionally, the parties involved in service delivery should understand their roles, to avoid breaching the stipulated policies.

Are you a service provider?

PCI service providers are companies and individuals entrusted with processing, storing or transmitting customers' card data. Most of them are not aware of their role, which exposes them to a higher risk of litigation for neglecting the security of their clients. This information can be found at www.pcisecuritystandards.org. Examples of service providers are hosting, billing account management and back-office services, among others. Many of these providers are not aware that they are service providers.

The Scope of Responsibilities When You Are Both a Merchant and a Service Provider

Is it possible to be both a service provider and a merchant? The PCI Security Standards Council definition answers this question. The council notes that a merchant can accept cards for payment of goods and services and also act as a service provider by transmitting card data. This definition is backed up by information from the following site: www.pcisecuritystandards.org

Building Trust with Customers as a Service Provider

Providing services to clients requires a strong demonstration of quality service, through adherence to the PCI standards. This not only helps the image of the business but also protects the owner from fines imposed by the court. It all begins with validating PCI service provider compliance.

  1. Choose to complete a PCI Level 1 assessment, which is conducted with a Qualified Security Assessor (QSA). It is meant to ensure that providers protect customers' data and mitigate cases of leakage.
  2. If you cannot complete a Level 1 assessment but qualify for Level 2, you can perform a self-assessment, which requires completing the service provider SAQ.
  3. Work with merchants and assist them in meeting PCI compliance requirements. The council has provided a document that can be used as a reference to cross-check each party's responsibilities.
  4. Ensure that you appear on the Visa Global Registry of Service Providers. This is where merchants look to verify the authenticity of providers.

Compliance with PCI legitimizes your business and improves how it is perceived by the outside world. Every organization should understand its role and strive to uphold the laid-down policies.