The Security of Your Customers

Wednesday, March 19, 2008
So I know in the past we have always talked about credit card security, PCI Compliance, etc.  But I would also like to remind you about your customers' usernames and passwords.  How are these being stored?  A lot of shopping carts will store this information in plain text.  If the passwords are being stored in plain text and your server is compromised, your users' information might be readily available to the hackers.

Most shopping carts will store the information in a database like Microsoft Access, MySQL, or MSSQL.  You should be able to view the databases somehow, either through phpMyAdmin, Microsoft Access, or Microsoft SQL Server 2000 Desktop Engine (or something similar).  How you access this information is usually established when you choose a web hosting provider.  Some will also allow you to access the information via an Open Database Connectivity (ODBC) connection.

When you are viewing these tables and records, look for the table that stores your users' information, especially the password table.  Are the passwords encrypted?  If not, you should consider getting another shopping cart, or contact the vendor for assistance to enable secure passwords.

A lot of consumers use the same password for everything.  While this is a great risk to them, it is the quickest way for consumers to get to their information.   This is the reason you want to protect them as much as possible.
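As an added example (my own code, not from the original post or from any shopping cart vendor), here is what a "secure" password column looks like in practice: each password is stored as a salted one-way hash, so a copied users table cannot simply be read, while a login can still be checked. The table contents are constructed sample data.

```python
# Added example, not from the original post: storing customer passwords as
# salted one-way hashes instead of plain text, so a copied "users" table does
# not hand an intruder every customer's password. Standard library only.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a pass
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_exposes_password(record: str, password: str) -> bool:
    """True when simply reading the stored value reveals the password, which is
    what a plain-text users table gives whoever copies it off a compromised server."""
    return password in record


# Constructed sample data: two customers who chose the same password.
PLAIN_TEXT_TABLE = {"alice": "Summer2008!", "bob": "Summer2008!"}
HASHED_TABLE = {user: hash_password(pw) for user, pw in PLAIN_TEXT_TABLE.items()}

if __name__ == "__main__":
    for user, pw in PLAIN_TEXT_TABLE.items():
        print(user, "exposed in plain-text table:", record_exposes_password(pw, pw))
        print(user, "exposed in hashed table:", record_exposes_password(HASHED_TABLE[user], pw))
    # Same password, different salts: the two stored records are not equal.
    print("records differ:", HASHED_TABLE["alice"] != HASHED_TABLE["bob"])
    print("login ok:", verify_password(HASHED_TABLE["alice"], "Summer2008!"))
    print("wrong case:", verify_password(HASHED_TABLE["alice"], "summer2008!"))
```

If the password column in your cart's database looks like the plain-text table above rather than the hashed one, that is what the vendor needs to fix.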

Your Shopping Cart Password

First and foremost, your administrator password should be changed immediately when you start to add your items.  Don't wait until you are going live - you have too much on your mind by then.  Your password should contain letters, numbers and maybe a couple of extra characters like %, !, *, {, etc.  The harder it is for you to remember, the better.

Did you know that by changing your password from the vendor-supplied password, you have already met one of the requirements for PCI DSS?

Password Strength and Security

When new customers are signing up, your website should ask them for a unique password, and explain to them why your company is asking for this information.  A password checker website is also a great tool for having them check their password strength.

And when asking users to create an account, their session should be secure.  This will help to protect them when they are entering their username and password.  Even if you use a third party processor or have an electronic payment gateway's web page handle the transaction, if you are asking for a password, the page should be secure.


Payment Application Best Practices from Visa

Tuesday, March 11, 2008
High profile breaches of cardholder data have garnered a lot of attention in the media.  Most of us have read or heard about the 40 million cards that were compromised at CardSystems, or the 100 million cards compromised at TJX.  As a result of these breaches, the payment industry developed the Payment Card Industry (PCI) Data Security Standard (DSS).  However, complying with the PCI DSS can be complicated and expensive, especially for smaller merchants.  Although we may not read about it in the press, breaches at smaller merchants occur every day because the payment hardware and software they use is not compliant with PCI DSS. 

In an effort to make compliance with the PCI DSS a little easier for merchants who use payment application software, Visa developed the Payment Application Best Practices (PABP).  The PABP applies to software applications that store, process, or transmit cardholder data as part of authorization or settlement.  It does not apply to software developed in-house by merchants since that would be covered under the merchant’s normal PCI DSS compliance. 

Software vendors are required to have their payment applications certified as PABP compliant by a Qualified Application Security Professional that is employed by a Qualified Payment Application Security Company.  Once compliant, Visa will include the software vendor and product version in a list of validated payment applications for one year.  Software vendors must re-validate their payment applications each year to remain on the list. 

The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment applications from the Visa system.  They require that members ensure that merchants do not use applications that retain prohibited data elements and use payment applications that adhere to Visa’s PABP.  If you are using a payment application from a software vendor that is not PABP compliant then you will not be able to comply with the PCI DSS.

As of January 1, 2008, new merchants are not allowed to establish a merchant account using a non-compliant payment application.  Existing merchants should check with their agent or ISO to make sure their payment application is on the list of PABP compliant applications.


Our Grand Opening

Tuesday, December 18, 2007
I know that when a business starts, everyone is excited.  Merchants will often hold a "grand opening sale".  While you might think this is a good thing, in the Internet realm it is letting the scammer know you are green to the area and might open you up to numerous fraud orders.  For review, please check out the post: Some Ways to Help Internet Merchants Reduce Fraud and Chargebacks.

If you need to post this type of sale, be very wary of any orders with the warning signs previously identified in our Preventing Online Fraud post.  And make sure that you keep an eye on your Chargeback Ratios.  Your merchant account needs to be maintained by you just as much as by the merchant account provider.  Simply checking the (billing) address and the Card Verification Value 2 / Card Identification Number (CVV2 / CVC2 / CID) will potentially save you hundreds, if not thousands.  Don't let those large orders fool you.


PCI Compliancy is not Just About Scanning

Thursday, July 26, 2007
PCI Compliancy does not just involve scanning your network every so often to have a company say you are safe from intruders.  It is a process.  And this process includes every part of the transaction from A to Z. 

I know earlier we told you about how some providers have not completed their paperwork on PCI Compliancy.  Visa released their list of CISP Compliant Providers again on July 15, 2007.  It still shows the same companies as not being compliant with the rules set forth by the PCI Security Standards Council.

Core Requirements of PCI DSS

Let us assume though that aplus.net was compliant.  This does not make you, your shopping cart, or your e-commerce business PCI compliant.  While it is an important part, there are other factors as well.  A few of these requirements will be provided to you by your web hosting company.  The other requirements will be met by your shopping cart system and by the policies that you create with the help of your attorney, like Jeffrey Cohen of Internet Litigators.  Consider using the services of an attorney to help protect yourself and your company.

You are probably already doing a lot of the requirements listed above, i.e. you changed the password of the shopping cart once it was installed.  And hopefully you used a combination of letters and numbers.  If possible, you even used some symbols (like #, !, $, *, etc.) if they are allowed.  Even better if the control panel supports both upper- and lower-case letters.

You also purchased an SSL certificate from a company like Comodo to help encrypt data between the browser and the server.

Self-Assessment Questionnaire

The PCI DSS Self-Assessment Questionnaire v1.0 can be downloaded and reviewed at your leisure if you are interested in learning more about securing and protecting your data.  Also check out the supporting documents on the PCI Security Standards Council website for more information and possibly a new version of the PCI DSS Self-Assessment Questionnaire.


PCI Compliancy is an Ongoing Process

Thursday, July 19, 2007
Once you are PCI (Payment Card Industry) compliant, you should stay PCI compliant.  Usually, you rely on your electronic payment gateway (Linkpoint, Payflow, Authorize.net/Cybersource, etc) or your IPSP (Internet payment service provider) to stay PCI compliant. This is a standard that the card associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) created to help maintain and implement the security standards of cardholder data.

Visa updates the list of processors and companies who are PCI compliant on a regular basis.  For example, APlus.net and iTransact allowed their PCI compliancy to lapse on May 31, 2006 and Cybersource allowed their PCI compliancy to lapse on June 30, 2006.  Aplus.net is a webhosting provider that offers e-commerce solutions.  So if you are relying on their network to be compliant, you might be liable for any breach.  Cybersource is an electronic payment gateway that is used by thousands of merchants.  Allowing their compliancy to expire, even for a few days, should be unacceptable to merchants and customers who rely on their system to securely process transactions.  Of course, these companies just might be late in reporting to Visa that they are PCI compliant.

Google Checkout

Another company that has allowed their status to lapse is Google Checkout.  They allowed their PCI compliancy to expire on February 28, 2006.  Consumers, your credit card data might not be as secure as you would like to think.  Even though Google is a large corporation, there is no excuse for not complying with the standards set forth by the card associations.  As with Aplus.net, iTransact, and Cybersource, they might just be late in reporting their status to Visa.

Remember, it is your responsibility, as a merchant, to ensure that the provider you are using is compliant with the security standards.  If a service provider has allowed their PCI compliancy to lapse, you might consider contacting them to check on the status or switching to a provider that is compliant. 

All payment gateways are required to have an on-site security audit annually and a network scan quarterly.


MasterCard Security Card Features

Thursday, February 08, 2007
When a consumer gives you his / her MasterCard® credit card to process, you should swipe the credit card and hold on to the credit card.  Every MasterCard® card contains a set of unique design features and security elements developed by MasterCard® to help merchants verify a card's legitimacy.  This will allow you to take a look at the credit card to verify the security features and to compare the signature on the back of the card with the signature on the sales receipt.

MasterCard International has introduced new card design format options and modified several card security features. New card design options offer flexible placement of the MasterCard Hologram (card front or back) and introduce the option to use a new holographic magnetic tape, HoloMag™ (card back only). This quick reference guide will highlight valid card formats, as well as mandated card security features.

Front of the MasterCard®

The "MC" Security Character is no longer permitted on newly issued cards (effective June 1, 2006), but may continue to appear on cards through June 2010. This is the cursive M that you might see near the expiration date.  The MasterCard® logo should be on the right hand side, either in the top right or lower right of the card. On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly with the first four digits of the account number.

Back of the MasterCard®

The last four digits of the account number must be printed in reverse italics on the signature panel.  The CVC 2 number is printed in reverse italics to the right of the last four digits of the account number. Instead of the magnetic stripe, you might see the HoloMag™.


If you suspect that the MasterCard is fraudulent, call your Voice Authorization Center and tell them you have a Code 10.


Visa Credit Card Security Features

Wednesday, February 07, 2007
Earlier I wrote about an electronic payment gateway being the start of the transaction. However, if you really drill down, the consumer is the start of the transaction.  They initiate the transaction before it hits the electronic payment gateway, like LinkPoint®.

When the consumer decides to buy your product in a brick and mortar atmosphere, the consumer will hand you his / her Visa credit card.  This card can be described in four different ways:

Processing a Visa Transaction

When a consumer gives you his / her Visa credit card to process, you should swipe the credit card and hold on to the credit card.  Every Visa card contains a set of unique design features and security elements developed by Visa to help merchants verify a card's legitimacy.  This will allow you to take a look at the credit card to verify the security features and to compare the signature on the back of the card with the signature on the sales receipt.

Cards with Dove Design Hologram on Front of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight.  Right underneath the account number, you will see four digits. This four-digit number must match exactly with the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.  This is the expiration date of the card and is usually under the account number.  The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner. The Flying Dove Hologram should appear to be three-dimensional and appear to move when the card is tilted back and forth.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design.  If someone has tried to erase the signature, the word "VOID" will be displayed.  It may vary in length dependent on card type. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Cards with Visa Mini Dove Design Hologram on Back of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight.  Right underneath the account number, you will see four digits. This four-digit number must match exactly with the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.  This is the expiration date of the card and is usually under the account number.  The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design.  If someone has tried to erase the signature, the word "VOID" will be displayed.  It may vary in length dependent on card type. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Cards with Visa Holographic Magnetic Stripe on Back of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight.  Right underneath the account number, you will see four digits. This four-digit number must match exactly with the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.  This is the expiration date of the card and is usually under the account number.  The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design.  If someone has tried to erase the signature, the word "VOID" will be displayed.  It may vary in length dependent on card type. There is also the magnetic stripe. The Holographic Magnetic Stripe should show a ring around the sun when the card is moved from side to side. The word "VISA" should appear in the center of the sun when the card is tilted. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Visa Flag Cards with Dove Design Hologram on Front of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight.  Right underneath the account number, you will see four digits. This four-digit number must match exactly with the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.  This is the expiration date of the card and is usually under the account number. A Flying “V” is an embossed security character beside the “Good Thru” date. This character is not a required security feature and may or may not appear on the card. The Visa logo should have micro-printing around the border. The fine print is barely readable without magnification. The Flying Dove Hologram should appear to be three-dimensional and appear to move when the card is tilted back and forth. As a general rule of thumb, always check the hologram. It is easier to spot a re-embossed number there.

Back of the Visa Credit Card
The Signature Panel should be white with the word "VISA" repeated in a diagonal pattern in blue and gold print. The card account number should be printed in the panel. The words "Authorized Signature" and "Not Valid Unless Signed" must appear above, below, or beside the signature panel. If someone has tried to erase the signature panel, the word "VOID" will be displayed. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

When something does not look right, i.e. the security features look altered or they are missing, keep the card in your possession and make a Code 10 call to your authorization center.  You may be asked to keep the credit card or you might be instructed to return the card.  If your authorization center tells you it is ok, write down the authorization number on the sales receipt.


MasterCard and the PCI Data Security Standard

Monday, January 08, 2007
Data theft from online merchants, providers and third party processors is increasing at an alarming rate. Card associations developed the Payment Card Industry (PCI) Data Security Standard to help combat compromises. MasterCard was a primary sponsor in the PCI Data Security Standard during its inception in 2005.

MasterCard Site Data Protection

MasterCard Site Data Protection (SDP) is a component of the PCI Data Security Standard.  This program provides guidelines to merchants, acquirers, providers and compliance tools to help protect credit card data.

Being PCI Compliant

Being PCI compliant is not just getting scanned by a vendor like ControlScan. It is also adhering to standards, like how cardholder data is stored and only allowing certain personnel access to cardholder data; completing a self-assessment questionnaire; and a possible on-site review (for Level One Merchants and Level One and Two Service Providers).

Storing Cardholder Data

Under PCI Standards, companies can store a cardholder's account number in a secure fashion. The account number should be encrypted or truncated. You can store the expiration date and cardholder's name as well. If these are stored along with the cardholder's primary account number, they should be encrypted as well. Merchants are not authorized to store the CVC2 or Personal Identification Number (PIN).
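As an added example (my own code, not from the original post or from MasterCard), the following reduces a captured transaction to the fields the post says a merchant may keep, refuses the prohibited ones, and scans stored text such as logs for full account numbers that should never have been written there. The field names, the sample log lines and the use of the standard card-number check digit (Luhn) to cut false positives are my own assumptions.

```python
# Added example, not from the original post: keep only what may be stored and
# detect full account numbers that leaked into stored text. Field names and
# sample data are constructed for this example.
import re

PROHIBITED_FIELDS = ("cvc2", "pin")  # the post: never stored by a merchant


def luhn_ok(digits: str) -> bool:
    """Standard card-number check digit; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits (the post's 'truncated' option)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible account number")
    return digits[-4:]


def storage_violations(txn: dict) -> list:
    """Prohibited elements present in a captured transaction (assumed field names)."""
    return [f for f in PROHIBITED_FIELDS if txn.get(f)]


def sanitize_for_storage(txn: dict) -> dict:
    """Return the only record that may be persisted. CVC2/PIN are refused
    rather than silently dropped so that a capture bug gets noticed."""
    bad = storage_violations(txn)
    if bad:
        raise ValueError(f"must not be stored: {', '.join(bad)}")
    return {
        "pan_last4": truncate_pan(txn["pan"]),
        # The post requires encrypting name/expiration only when they sit
        # beside the full account number, which this record does not keep.
        "cardholder_name": txn.get("cardholder_name"),
        "expiration": txn.get("expiration"),
    }


# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Digit runs that pass Luhn: likely account numbers stored in the clear."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample log; the account numbers are the well-known Visa/MasterCard test numbers.
SAMPLE_LOG = """\
2008-01-08 auth ok pan=4111 1111 1111 1111 exp=0310 amount=49.95
2008-01-08 auth ok pan_last4=4444 amount=12.00
2008-01-08 auth fail pan=4111111111111112 reason=checkdigit
"""

if __name__ == "__main__":
    print(sanitize_for_storage({"pan": "5555 5555 5555 4444", "cardholder_name": "A. Merchant", "expiration": "0310"}))
    print("full PANs found in log:", find_full_pans(SAMPLE_LOG))
```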

Failure to Comply

Failure to comply with these standards can result in fines imposed by MasterCard. Level One Merchants along with Level One and Two Service Providers can be fined up to $25,000 USD per merchant or service provider.  Level Two and Three Merchants can be fined up to $5,000 USD per merchant.  Further non-compliance may also result in termination of your merchant account.