  • PCI Compliance Checklist

1. Install and Maintain Network Security Controls

    To ensure the security of cardholder data, it’s essential to install and maintain effective NSCs (Network Security Controls): firewalls, router filtering rules, cloud security groups, and host-based firewalls. This involves placing NSCs between your CDE (Cardholder Data Environment) and every untrusted network, including the Internet; restricting inbound and outbound traffic to what the business actually needs and denying everything else; reviewing rule sets regularly so that temporary exceptions do not become permanent holes; and placing any system that stores cardholder data in an internal network zone that is not directly reachable from untrusted networks. By implementing these measures, you can minimize the risk of data breaches and protect the confidentiality, integrity, and availability of cardholder information.

    2. Apply Secure Configurations to all System Components

Default passwords and other vendor defaults are a weak point that attackers routinely exploit to gain unauthorized access, because the factory settings of common routers, point-of-sale terminals, and database servers are publicly documented. To prevent such breaches, apply a secure configuration standard to every system component before it goes into production: change or disable every default account and password (including SNMP community strings and wireless keys), remove unnecessary services, protocols, and accounts, and keep a hardened baseline image so that rebuilt systems do not quietly revert to the defaults. By taking these steps, you can significantly reduce the risk of unauthorized access and protect your sensitive data from cyber threats.

    3. Protect Stored Account Data

To safeguard stored account data, such as the PAN (Primary Account Number), it’s necessary to employ the protection methods PCI DSS accepts for stored PANs: strong encryption with properly managed keys, truncation, index tokens, or keyed cryptographic hashes of the full PAN. Two rules come before any of these. First, sensitive authentication data (full magnetic stripe or chip data, the CVV/CVC/CID, and the PIN) must never be stored after authorization, even in encrypted form. Second, store as little as possible: a token from your processor or gateway usually removes the need to hold the PAN at all. When a PAN has to be displayed, show at most the first six and last four digits and mask the rest, and never send a PAN through email, instant messaging, or other end-user messaging. By adopting these measures, you strengthen the security of your data, reduce the likelihood of unauthorized access or data breaches, and safeguard the privacy and integrity of your customers’ information.
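    The masking and “never log the PAN” rules above in working form, as an added example that is not part of the original checklist or of any Payarc product: the block truncates a PAN to first six / last four and scrubs card-number-looking digit runs from log lines before they are shipped anywhere, using a Luhn check so that order numbers and other long digit strings are left alone. The log lines, constants and function names are constructed for this illustration; the card numbers are the public Visa and Mastercard test PANs, not real accounts.

```python
import re

# PCI DSS Requirement 3 allows at most the first six and last four digits of
# a PAN to be displayed; the rest must be masked. Requirement 10 logs must
# therefore never contain a full PAN, so scrub before shipping to a log server.
FIRST_KEEP = 6
LAST_KEEP = 4

# 13-19 digits, optionally separated by single spaces or dashes
# (e.g. "5555 5555 5555 4444" as a customer might have typed it).
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn (mod 10) check used by card numbers."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six / last four, masking the digits in between."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= FIRST_KEEP + LAST_KEEP:
        # Shorter than a real PAN: show only the last four.
        return "*" * max(len(digits) - LAST_KEEP, 0) + digits[-LAST_KEEP:]
    middle = len(digits) - FIRST_KEEP - LAST_KEEP
    return digits[:FIRST_KEEP] + "*" * middle + digits[-LAST_KEEP:]


def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid card-number-looking run in `text` with its masked form.

    The Luhn check keeps order numbers and timestamps intact while still catching
    real PANs; a non-card number can still pass Luhn by chance (1 in 10), which is
    the acceptable direction of error for a log scrubber.
    """
    def _replace(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_replace, text)


# Constructed sample log lines (not from any real system); the card numbers
# are the well-known Visa and Mastercard test PANs.
SAMPLE_LOG = [
    "2024-03-01T12:00:00Z checkout ok card=4111111111111111 amount=19.99",
    "2024-03-01T12:00:01Z order_id=1234567890123 status=shipped",
    "2024-03-01T12:00:02Z retry card=5555 5555 5555 4444 reason=timeout",
]


def scrub_log(lines):
    """Scrub a batch of log lines; returns the cleaned lines in the same order."""
    return [scrub_pans(line) for line in lines]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

    Run it and the two card numbers come out as 411111******1111 and 555555******4444 while the 13-digit order number, which fails Luhn, is untouched. Scrubbing at the log shipper is a safety net, not a substitute for never writing the PAN in the first place: the application that produced the first line is already non-compliant.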

    4. Protect Cardholder Data with Strong Cryptography

To safeguard data in transit, use strong cryptography whenever cardholder data crosses a network you do not control, such as the public Internet, a wireless network, or a mobile carrier network. In practice this means TLS 1.2 or later (SSL and early TLS are prohibited), with certificates validated so that a connection cannot be silently redirected to an attacker, and with only strong cipher suites enabled; AES and RSA are algorithms used inside such protocols, not substitutes for them. Strong cryptography protects the confidentiality and integrity of the data even if the traffic is captured. The same rule applies to PANs sent by email, instant messaging, or chat: they must be protected with strong cryptography or, better, never sent through those channels at all. By using cryptography correctly, you can significantly reduce the risk of data breaches and safeguard the privacy and security of your communications.

    5. Protect all Systems and Networks from Malicious Software

To protect your cardholders and prevent malware attacks, deploy anti-malware software on every system component that is commonly affected by malware, keep it and its detection data current, and make sure end users cannot disable or alter it. These tools can detect and remove malicious software and block suspicious downloads and email attachments, and PCI DSS v4.0 adds a requirement for controls that protect personnel against phishing, which is how most malware reaches a workstation in the first place. Systems you judge not to be at risk should be re-evaluated periodically rather than excluded forever. By utilizing such protections, you can significantly enhance the security of your systems and safeguard the confidentiality and integrity of your cardholders’ data.

    6. Develop and Maintain Secure Systems and Software

To prevent compromise and protect your systems against cyber threats, take proactive measures: apply vendor-provided security patches promptly (PCI DSS v4.0 expects critical and high-severity patches to be installed within one month of release), keep an inventory of the bespoke and custom software you run so you know what needs patching, and follow a secure software development lifecycle. Prompt patching closes the known vulnerabilities that commodity malware and scanners look for first. Training developers in secure coding, reviewing code before release, and testing for the common web flaws (injection, broken authentication, cross-site scripting, insecure deserialization) catches defects before attackers find them, and a change-control process ensures that every change to the CDE is documented, tested, and approved. By implementing these measures, you can enhance the security of your systems and reduce the risk of cyber-attacks.

    7. Restrict Access to System Data

To prevent unauthorized access and protect critical data, implement access controls that limit access to system components and cardholder data on a need-to-know basis. Define the access each job role actually requires, grant the least privilege necessary to perform it, and set the default to “deny all” so that anyone not explicitly authorized gets nothing. This applies to every account, not just IT personnel: a cashier, a support agent, and an application service account each need a different, narrowly scoped set of rights, and those rights should be reviewed periodically (PCI DSS v4.0 requires a review at least every six months) and revoked promptly when someone changes role or leaves. By following the principle of least privilege, you minimize the attack surface and reduce the risk of insider threats or accidental breaches.

    8. Identify Users and Authenticate Access to System Components

To ensure the security of your systems and protect against unauthorized access, identify every user with a unique ID (no shared or generic accounts) and verify that identity before granting access. PCI DSS v4.0 requires MFA (Multifactor Authentication) for all access into the CDE and for all remote access into the network, not just for administrators. MFA requires proof from at least two independent factors: something they know (a password or passphrase), something they have (a hardware token or an authenticator app), or something they are (a biometric). Two passwords are not two factors, and the MFA must not be bypassable through, for example, a fallback to a password-only path. By using MFA, you significantly reduce the damage when a password is phished or reused, and by locking an account after a limited number of failed attempts you blunt password-guessing attacks as well. By implementing these measures, you improve the security posture of your systems and safeguard the confidentiality and integrity of your data.

    9. Restrict Physical Access to Cardholder Data

Physical access to cardholder data is as much a risk as network access. Restrict physical access to the systems and media that hold cardholder data: minimize the use of hard copies and other physical documents that contain cardholder data, lock up what you must keep, and destroy it securely (cross-cut shredding, incineration, or pulping) when it is no longer needed. If hard copies are necessary, limit access to authorized personnel and track who has handled them. Point-of-interaction devices deserve the same attention: keep an inventory of card-reading terminals, inspect them periodically for tampering or substitution (a skimmer fitted over a reader looks like a legitimate terminal), and train staff not to hand devices to unverified “technicians”. By implementing such physical security measures, you significantly reduce the risk of data breaches and prevent unauthorized access to sensitive information.

    10. Log and Monitor all Access to System Components and Cardholder Data

To enhance the security of your systems and protect cardholder data, implement logging that records user activities and system events: every individual access to cardholder data, every action by an administrator, every failed and successful login, and every change to the logging itself. Synchronize clocks from a trusted time source so events from different systems can be correlated, protect logs from modification (forward them to a central log server that the originating system cannot alter), and keep at least twelve months of history with the most recent three months immediately available for analysis. Never write a full PAN or any sensitive authentication data into a log. Review logs daily, by automated means where possible, so that anomalies and indicators of compromise are detected while there is still time to respond, and keep them as the evidentiary record for forensic analysis and incident response in the event of a breach. By implementing such logging mechanisms, you enhance the security of your systems and improve your ability to detect and respond to cyber threats.
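    A small detection over the kind of authentication log described above, added here as an example rather than taken from the article or from any Payarc system: it flags a (user, source) pair whose failed logins reach the PCI DSS v4.0 lockout threshold of ten within a sliding window, which is exactly the pattern an analyst wants surfaced if the application itself failed to lock the account. The log format, the sample lines, and the function names are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# PCI DSS v4.0 Requirement 8.3.4: lock an account after no more than ten
# invalid authentication attempts. The detector alerts when a (user, src)
# pair reaches that many failures inside a sliding window.
THRESHOLD = 10
WINDOW_SECONDS = 600


def parse_line(line: str):
    """Parse one constructed log line:
    '<ISO-8601 UTC timestamp> auth <OK|FAIL> user=<name> src=<ip>'."""
    ts, _, result, user_kv, src_kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (user, src) whose failure count reaches `threshold`
    within any `window`-second span. Lines must be in time order, as a log is."""
    recent = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        when, result, user, src = parse_line(line)
        if result != "FAIL":
            continue
        key = (user, src)
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "src": src, "failures": len(q),
                           "first": q[0].isoformat(), "last": when.isoformat()})
    return alerts


def sample_log():
    """Constructed sample: twelve failures for 'admin' from one address inside two
    minutes, plus scattered events from other sources that must not alert."""
    lines = [
        f"2024-03-01T12:{i // 6:02d}:{(i % 6) * 10:02d}Z auth FAIL user=admin src=203.0.113.5"
        for i in range(12)
    ]
    lines += [
        "2024-03-01T12:02:00Z auth FAIL user=alice src=198.51.100.7",
        "2024-03-01T12:02:05Z auth OK user=alice src=198.51.100.7",
        "2024-03-01T12:03:00Z auth FAIL user=bob src=198.51.100.8",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print(alert)
```

    The alert fires on the tenth failure at 12:01:30, not after the twelfth, and the same input with a 60-second window produces nothing, since only seven of the failures ever fall inside one minute. Keying on (user, source) catches a single attacker hammering one account; password spraying (one password tried against many users) needs a second counter keyed on source alone.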

    11. Test Security of Systems and Networks Regularly

To ensure the continuous security of your systems and protect against cyber threats, implement a proactive security testing program. At a minimum PCI DSS calls for internal vulnerability scans at least quarterly and after significant changes, external scans at least quarterly by an Approved Scanning Vendor (ASV) with a passing result, and penetration testing of the CDE and of its segmentation controls at least annually and after significant changes. Add to that continuous checks such as file-integrity monitoring, detection of rogue wireless access points, and tamper detection on payment pages. Vulnerability scanning tells you what is exposed; penetration testing tells you whether a motivated attacker can chain those exposures into a breach, so fix what each finds and retest to confirm the fix. By implementing such security testing measures, you enhance the resilience of your systems and reduce the risk of security incidents and data breaches. Remember, attackers don’t rest, and neither should your security testing.

    12. Support Information Security with Organizational Policies and Programs

    By putting your policies in writing, you can ensure that they’re clear, consistent, and actionable, and that all employees are aware of their roles and responsibilities. It’s also crucial to provide regular training and education to your employees on your security and compliance policies, as well as the importance of safeguarding customer data. By doing so, you can create a culture of security and compliance within your organization and minimize the risk of human error or insider threats. Strong security and compliance practices start with clear policies and well-informed employees.  

    How can PAYARC help with PCI compliance? 

    PAYARC specializes in providing secure and reliable payment processing solutions to businesses of all sizes. PAYARC can help businesses comply with PCI DSS requirements by offering the following services: 

    1. PCI DSS compliance assessment: PAYARC can help businesses assess their current PCI DSS compliance status and identify any areas of non-compliance that need to be addressed.
    2. Secure payment processing solutions: PAYARC offers secure payment processing solutions that are designed to comply with PCI DSS requirements. This includes encryption, tokenization, and other security features that help protect sensitive payment data.
    3. PCI DSS training and education: PAYARC provides training and education on PCI DSS compliance best practices to help businesses understand the requirements and implement the necessary security measures.
    4. Ongoing support and monitoring: PAYARC provides ongoing support and monitoring to ensure that businesses remain PCI DSS compliant. This includes regular security updates, vulnerability scanning, and other measures to help prevent data breaches and other security incidents.

Reach out to us today to see if your business is complying with the PCI compliance standard!

     

    Payarc

    March 29, 2023
  • PCI Compliance Standard

    PCI Compliance Standard

    When understanding the PCI compliance standard, it’s important to know what’s considered PCI non-compliance. The PCI DSS requirements cover a range of security measures that businesses must implement to ensure that their credit card transactions are secure. 

    Examples of PCI non-compliance include: 

1. Failure to protect stored cardholder data: Businesses that store card numbers without rendering them unreadable (encryption, truncation, tokenization, or keyed hashing), or that store sensitive authentication data such as the CVV code or full magnetic stripe data at all after authorization, are at risk of a data breach. Storing the CVV is non-compliant however well it is encrypted.
    2. Inadequate access controls: Businesses that fail to implement adequate access controls, such as limiting access to credit card data only to authorized personnel, can be at risk of data theft.
3. Weak passwords: Businesses that use weak, default, or shared passwords, or that do not protect access to the cardholder data environment with multifactor authentication, can be vulnerable to hacking and data theft.
    4. Failure to maintain secure networks: Businesses that fail to implement proper network security measures, such as firewalls and intrusion detection systems, can be at risk of a cyber-attack.
    5. Lack of regular security testing: PCI DSS requires regular security testing to ensure credit card transactions are secure. Businesses that fail to conduct regular security testing can be at risk of a data breach. 

    The consequences of PCI non-compliance can be severe. Businesses that fail to comply with PCI DSS may face significant fines and penalties, as well as the loss of the ability to process credit card transactions. In addition to financial penalties, non-compliance can damage a business’s reputation and lead to a loss of customer trust. 

     

    What is a data breach? 

    Another important factor in understanding the PCI compliance standard is knowing what a data breach is and what it entails. A data breach is an unauthorized or illegal access, theft, or exposure of sensitive, confidential, or protected information. This can include personal identifiable information (PII), financial data, medical records, intellectual property, trade secrets, or any other type of sensitive information a person or organization has a duty to protect. 

    Data breaches can occur through a variety of means, such as cyberattacks, hacking, phishing scams, malware, physical theft, or even accidental exposure. Once the data has been compromised, it can be used for identity theft, financial fraud, or other malicious purposes. 

    Data breaches can have significant consequences for individuals and organizations, including financial losses, legal liability, reputational damage, and loss of customer trust. In some cases, data breaches can result in regulatory fines or penalties, especially if the breach involves personal or sensitive information that is protected by data privacy laws. 

    To prevent data breaches, individuals and organizations should implement security measures such as encryption, access controls, two-factor authentication, regular security updates, and employee training on data security best practices. In the event of a data breach, it’s important to take immediate action to contain the breach, notify affected individuals or authorities, and implement measures to prevent future breaches. 

     

    What is a data breach lawsuit? 

    A data breach lawsuit is a legal action brought by individuals or organizations whose personal information or sensitive data has been compromised in a data breach. Data breach lawsuits can be brought against the entity that experienced the data breach, such as a company or organization, or against a third party, such as a vendor or service provider. 

    The purpose of a data breach lawsuit is to seek compensation for damages that were caused by the breach, such as financial losses, identity theft, reputational damage, and emotional distress. The damages sought in a data breach lawsuit may include costs related to credit monitoring and identity theft protection, loss of income, and expenses related to repairing credit or other damages. 

    Data breach lawsuits can be brought under various legal theories, including negligence, breach of contract, and violations of data protection laws. In many cases, data breach lawsuits are brought as class action lawsuits, where a group of individuals who have been affected by the breach join together to seek compensation for their damages. 

    The outcome of a data breach lawsuit can vary depending on the specific circumstances of the breach and the legal theory under which the lawsuit is brought. In some cases, the parties may reach a settlement agreement, which provides compensation to the affected individuals in exchange for a release of liability. In other cases, the lawsuit may proceed to trial, where a judge or jury will determine the damages owed to the plaintiffs. Understanding the ins and outs of data breach lawsuits is important in understanding the PCI compliance standard.  

     

    What happens if you refuse to comply with PCI standards? 

    If a business or organization refuses to comply with the PCI DSS, they may face significant consequences, such as: 

    1. Fines and penalties: Credit card companies and payment processors may impose fines and penalties on businesses that fail to comply with PCI DSS. These fines can range from a few hundred dollars to thousands of dollars per month, depending on the severity of the non-compliance. 
    2. Loss of the ability to process credit card payments: Credit card companies and payment processors may revoke a business’s ability to process credit card payments if they’re found to be non-compliant with PCI DSS. This can have a significant impact on the business’s ability to operate and generate revenue. 
    3. Legal liability: In the event of a data breach or other security incident, businesses that are found to be non-compliant with PCI DSS may face legal liability for damages caused by the breach. This can include costs related to credit monitoring, identity theft protection, and other damages. 
    4. Reputational damage: Non-compliance with PCI DSS can damage a business’s reputation and lead to a loss of customer trust. This can have a long-term impact on the business’s ability to attract and retain customers. 

    Knowing the penalties for non-compliance is another important factor in understanding the PCI compliance standard.  

     

    How can PAYARC help? 

    PAYARC specializes in providing secure and reliable payment processing solutions to businesses of all sizes. PAYARC can help businesses comply with PCI DSS requirements by offering the following services: 

1. PCI DSS compliance assessment: PAYARC can help businesses assess their current PCI DSS compliance status and identify any areas of non-compliance that need to be addressed.
    2. Secure payment processing solutions: PAYARC offers secure payment processing solutions that are designed to comply with PCI DSS requirements. This includes encryption, tokenization, and other security features that help protect sensitive payment data.
    3. PCI DSS training and education: PAYARC provides training and education on PCI DSS compliance best practices to help businesses understand the requirements and implement the necessary security measures.
    4. Ongoing support and monitoring: PAYARC provides ongoing support and monitoring to ensure that businesses remain PCI DSS compliant. This includes regular security updates, vulnerability scanning, and other measures to help prevent data breaches and other security incidents.

    Reach out to us today to see if your business is complying with the PCI compliance standard!

    Payarc

    March 29, 2023
  • MATCH/TMF

Usually, when a merchant account is terminated, the merchant’s name and business are listed on MATCH (Member Alert to Control High Risk). Ending up on MATCH is the nightmare of legitimate merchants, because finding an individual’s name on MATCH means that most processors will not approve a different merchant account with the same owner, due to the higher risk of potential fraud.

    What is MATCH/TMF?

    MATCH (previously known as TMF, or Terminated Merchant File), is a database of merchants used by payment processing companies that contains information on merchants and individuals whose accounts have been terminated. Payment processors check MATCH for each new potential account to mitigate their own risk and keep their business safe. Once a merchant or individual is on MATCH, it is very difficult to be removed and very unlikely that another merchant account will be approved for processing.

    Why Would A Merchant Account Be Terminated?

There are several reasons why a merchant account may be terminated:

    Placing a merchant or an individual on MATCH is not a decision that an acquiring bank or payment processor makes lightly, so if you’re not committing fraud you are probably safe. Mastercard and Visa both have penalties in place for acquiring banks and payment processors who do not comply with their regulations, both for placing merchants on MATCH and for failing to do so. However, mistakes do happen, and if you believe that you have been placed on MATCH in error, be sure to speak with an attorney who has experience in the credit card industry.

    Payarc

    January 27, 2022
  • American Express Chargeback Dispute Process

    American Express chargeback disputes work differently than Visa and Mastercard.

One of the main reasons American Express chargeback disputes differ is that American Express operates differently from the other card networks. Unlike Visa and Mastercard, which rely on separate issuing banks, American Express is both the network and the issuer of most of its cards, so the dispute is handled by the same company that holds the cardmember’s account.

    What Happens after a Customer Disputes a Transaction?

The American Express chargeback dispute process may look complicated at first glance, so we are going to break down the entire process step by step so you understand exactly how it works.

    The process is initiated if an American Express cardmember contacts American Express to dispute a transaction. A customer might dispute a transaction for a number of reasons, including undelivered goods or services, dissatisfaction, or more.

    American Express will review the customer’s dispute and act in one of THREE ways:

    1. Dismiss the case
    2. Issue an immediate chargeback to the customer
    3. Send you (as the merchant) an enquiry

    Most merchants won’t ever receive an enquiry unless American Express doesn’t have all of the information they need to settle the dispute.

    In the event that you receive an enquiry, here are four ways to respond:

    Four Ways to Respond if you have been Issued an Enquiry

    Whether you have been issued a chargeback or an enquiry, you have 20 days to respond. Cardmembers aren’t subject to the same time restrictions. They are free to dispute a transaction at any time.

    Within the 20 day period, here are four ways to respond if American Express gets in touch with you for a transaction dispute:

    1. Authorize the chargeback
    2. Issue a credit to the customer (or prove that you have already issued credit)
    3. Issue partial credit
    4. Provide sufficient evidence to validate the charge

    Chargeback disputes can happen to any business, but you’re going to want to keep your chargeback levels to a minimum. Exceeding the chargeback threshold set by card associations could land you a spot on a chargeback monitoring program.

    The best way to avoid chargeback disputes is to prevent chargebacks altogether. Here’s how…

    How to Prevent American Express Chargebacks:
    • Process credit immediately and let cardmembers know when they will receive a refund
    • Share the return or exchange policy before completing the checkout process
    • Ask for the Card Identification Number
    • Use the Automated Address Verification Service
    • Keep dissatisfied customers in the loop about the steps you are taking to resolve the dispute
    • Obtain the customer’s signature for items picked up in store, work orders, etc
    • Bill customers after products are shipped or service provided
    Need Help with an American Express Dispute?

    If your business has been subject to an American Express chargeback dispute, or if you have received an enquiry – you need to act fast.

    Get in touch with us right away so we can help you successfully navigate a chargeback dispute with ease and confidence.

    ‍

    Payarc

    January 27, 2022
  • Address Verification System (AVS)

If your business depends primarily on online orders, then perhaps you’ve come across the acronym AVS. AVS stands for “Address Verification System” and it is a fraud prevention tool that compares the billing address provided by the customer with the address on file at the card-issuing bank. AVS checks only the numeric portions of the address, the street number and the ZIP or postal code, and returns a one-letter result alongside the authorization response. The authorization itself is not declined on an AVS mismatch; it is up to the merchant, or the rules configured in its gateway, to decide whether to void a transaction whose address did not match. Because only the numbers are compared, AVS produces some false positives and false negatives that may require a manual override, but overall it is a good means of preventing fraud.

    Additionally, making sure to use AVS can also affect your interchange rate! Credit card companies like to see merchants taking the initiative to protect against fraud and merchants who capture AVS data can receive lower interchange rates. Overall, it is a good idea to institute a policy of AVS, especially if you’re a merchant that relies on card-not-present transactions.

    The codes for AVS are alphabetical, and some are card brand-specific. The codes are:

    • A: Street address matches, ZIP does not.
    • B: Street address matches, but ZIP is not verified.
    • C: Street address and ZIP not verified.
    • D: Street address and ZIP match (International only).
    • E: AVS data is invalid or AVS is not allowed for this card type.
    • F: Street address and postal code match (UK only).
    • G: Non-US issuing bank does not support AVS.
    • I: Address information not verified for international transactions.
    • K: Not applicable.
    • L: Not applicable.
    • M: Street address and postal code match (International only).
    • N: Street address and ZIP code do not match.
    • O: Not applicable.
• P: ZIP code matches, street address unverifiable due to incompatible formats (international only).
    • R: System unavailable, retry.
    • S: AVS not supported.
    • T: Not applicable.
• U: Address information unavailable. Returned if the U.S. bank does not support non-U.S. AVS or if the AVS in a U.S. bank is not functioning properly.
    • W: 9-Digit ZIP matches, street address does not.
    • X: 9-Digit ZIP and street address match.
    • Y: 5-Digit ZIP and street address match.
    • Z: 5-Digit ZIP matches, street address does not.
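    How a merchant’s checkout code might act on the codes above, as an added example that is not from the article or from Payarc’s gateway: the block classifies a response letter into full match, partial match, no match, or unavailable and applies an illustrative policy. The grouping follows the descriptions in the list (so “C” counts as unverified rather than as a mismatch, and the “not applicable” letters are treated as unavailable), and the review threshold and the decisions themselves are assumptions for this example, not card-brand rules; the exact code set your gateway returns may differ.

```python
from enum import Enum


class AvsResult(Enum):
    FULL_MATCH = "full match"         # street number and postal code both verified
    PARTIAL_MATCH = "partial match"   # exactly one of street / postal code matched
    NO_MATCH = "no match"             # issuer checked and neither matched
    UNAVAILABLE = "unavailable"       # issuer did not or could not verify


# Mapping of the one-letter codes in the list above to an outcome. "C" is
# grouped with UNAVAILABLE because the list describes it as "not verified";
# the "not applicable" codes (K, L, O, T) are treated the same way.
AVS_OUTCOME = {
    **dict.fromkeys("DFMXY", AvsResult.FULL_MATCH),
    **dict.fromkeys("ABPWZ", AvsResult.PARTIAL_MATCH),
    **dict.fromkeys("N", AvsResult.NO_MATCH),
    **dict.fromkeys("CEGIRSUKLOT", AvsResult.UNAVAILABLE),
}


def classify_avs(code: str) -> AvsResult:
    """Map an AVS response letter to an outcome; unknown codes count as unavailable,
    never as a match, so a new or garbled code cannot accidentally pass a check."""
    return AVS_OUTCOME.get(code.strip().upper(), AvsResult.UNAVAILABLE)


def avs_decision(code: str, amount: float, review_threshold: float = 100.0) -> str:
    """Illustrative risk policy (an assumption of this example, not a network rule).

    - full match: accept
    - partial match (common when a customer formats "Apt 4B" differently):
      accept under the review threshold, otherwise hold for manual review
    - no match: decline (void the already-approved authorization)
    - R: the issuer's AVS was down, so resubmit rather than guess
    - any other unavailable result: hold for review; never treat "unverified"
      as a pass, which is the mistake that lets card-not-present fraud through
    """
    letter = code.strip().upper()
    if letter == "R":
        return "retry"
    outcome = classify_avs(letter)
    if outcome is AvsResult.FULL_MATCH:
        return "accept"
    if outcome is AvsResult.NO_MATCH:
        return "decline"
    if outcome is AvsResult.PARTIAL_MATCH:
        return "accept" if amount < review_threshold else "review"
    return "review"


if __name__ == "__main__":
    for code, amount in (("Y", 500), ("Z", 50), ("Z", 250), ("N", 5), ("U", 20), ("R", 20)):
        print(code, amount, classify_avs(code).value, "->", avs_decision(code, amount))
```

    The point of putting the letters behind an enum is that the policy reads as four outcomes instead of twenty-two codes, and adding a gateway-specific letter means touching one table rather than every decision. Whatever thresholds you choose, pair the AVS result with the CVV result: a full address match with a failed CVV is still a card the buyer may not hold.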

    ‍

    Payarc

    January 27, 2022
  • Card Verification Value (CVV)

One solution the card brands rolled out is the CVV (Card Verification Value). You’ve probably used this feature as a customer yourself: it is the three-digit number printed on the back of the card that is used to prevent fraud in online orders (American Express cards instead have a four-digit code printed on the front). The code is entered on the checkout page and sent to the issuer along with the authorization request; the issuer compares it with the value it holds and reports a match or mismatch, so that the merchant can decline a transaction where the buyer knew the card number but not the code.

    What Is CVV2?

CVV2 refers explicitly to the three digits printed on the back of the card, which were introduced for card-not-present use. The original CVV (CVV1) is encoded in the magnetic stripe and is never printed, which is why a copy of the stripe cannot be used to fill in an online checkout form. Mastercard calls the printed code CVC2, and Discover and American Express use the term CID (Card Identification Number), but the intent is the same as the CVV.

    How Does the CVV Protect Against Fraud?

When companies have their data compromised, customer card information can end up on the “Dark Web” where criminals can buy it. The CVV offers an extra layer of security against a thief who bought a card number online: because they are not in physical possession of the card, they cannot know the CVV. This protection holds only if merchants never keep the code. PCI DSS forbids storing the CVV after authorization, even encrypted, precisely so that a breached merchant database does not hand criminals the last piece they need.

    Payarc

    January 27, 2022
  • Payment Processors and Compliance

    Payment Processors and Compliance

    There is a raging sea of merchant service providers available to merchants. From simple gateways to full-scale integrated payments solution providers, merchants have endless options for payment processing.

Online merchants, in particular, have a robust variety of choices in how and through whom they can accept payments. The additional risk posed by card-not-present online payments means that eCommerce merchants should be especially picky when choosing merchant services providers. Consider whether the provider you’re considering is reputable, whether its technology is compliant, and whether it maintains current certifications and attestations (a PCI DSS Attestation of Compliance, HIPAA where health data is involved, and SOC 1/SOC 2 reports under SSAE 18, the successor to SSAE 16).

Online merchants can greatly simplify compliance by working with a payment processor that offers a PCI-validated gateway, ideally a hosted payment page or hosted fields so that card data is entered directly into the gateway and never touches the merchant’s own servers. Because the gateway itself is assessed for PCI compliance, this reduces the merchant’s scope, typically to the shortest self-assessment questionnaire (SAQ A). It does not eliminate the merchant’s obligations, which still include protecting the web server that delivers the payment page from tampering and confirming the provider’s compliance each year. The other thing to note is which merchant level you fall under, because the card brands set validation requirements by transaction volume. Visa’s four levels are:

• Level 1: merchants processing over 6 million Visa transactions annually across all channels (card present, card not present, and eCommerce). Level 1 requires an annual on-site assessment and Report on Compliance rather than a self-assessment, and an acquirer can place any merchant that has suffered a breach at this level regardless of volume.
    • Level 2: merchants processing 1 million to 6 million Visa transactions annually across all channels.
    • Level 3: merchants processing 20,000 to 1 million Visa eCommerce transactions annually.
    • Level 4: merchants processing fewer than 20,000 Visa eCommerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.

     

    Payarc

    January 5, 2022
  • Payment Processing

    Payment Processing

    “Hack” and “data breach” are scary words to customers. It threatens their sense of security in shopping and threatens their very identity. Bottom line – no one wants to shop with a retailer perceived to have lax (or no) security measures in place. This is especially true for online merchants that have the added risk of card-not-present transactions. Using multi-factor authentication as well as other prescribed security measures can help demonstrate to consumers that you’re secure and that their sensitive data is protected.

    Consider contactless for loyalty

    Contactless transactions using NFC technology offer cardholders a streamlined experience for checkout. When customers can use a smartphone or other contactless-enabled payment device to checkout, there is a perceived (and actual) reduced transaction time. Merchants can also tie in rewards programs to push payment via this method. Customers earn points that can be redeemed for discounts and free products each time they use the contactless payment method, making it even more appealing and improving customer loyalty.

    Payarc

    January 5, 2022

Payarc LLC is a registered ISO/SP of Chesapeake Bank, Kilmarnock, VA; Evolve Bank & Trust, Memphis, TN; FFB Bank, Fresno, CA; and a registered payment facilitator of Pathward Bank.

Privacy Policy | Terms and Conditions
Copyright © 2024 PAYARC. All rights Reserved
