by Chelsea Palo
Chelsea is CardConnect's Partner Marketing Manager and a big fan of yurts.
Amanda Dunfee Oct 13 2017
Recently, CardConnect and HALOCK held a live Q&A on PCI compliance. The interactive session drew a large crowd of participants who openly and honestly asked their toughest PCI questions with complete anonymity. Hosts Viviana Wesley, HALOCK's Managing Consultant, and Mark Cuneo, one of CardConnect's own PCI Payments Professionals, each drew on over 16 years of practical information security experience to help participants navigate PCI governance, risk and compliance issues. In case you missed it, we've recorded the session and are serving it up podcast-style, below, so you can catch up on the biggest PCI issues affecting professionals today. Also included below is a sampling of questions asked during the webinar and the resources referenced in response. We encourage you to check 'em out.

Questions from the Audience. Answers Provided by the Experts.

Question: Is there a single document outlining the requirements for PCI compliance?
Answer: Yes, to date, PCI DSS v3.2 contains the latest requirements, testing procedures and guidance for each requirement. Download it by visiting the PCI Security Council's library.

Question: What does AOC stand for?
Answer: AOC stands for Attestation of Compliance. The PCI Glossary of Terms is linked here and is a very helpful resource for similar questions.

Question: eProcurement platforms: the platform encrypts PCard data with the purchase order transmission via their network sent to the supplier, but does not encrypt the expiration date. I have two questions: I understand that under both PCI and federal FACTA, the expiration date must also be masked. Who is responsible to ensure that the supplier receiving the PO is PCI DSS/FACTA compliant? Us or the eProcurement platform?
The supplier would be the merchant to whom we are paying via card; it is our card.
Answer: Our understanding from Visa in past years is that PCards are not in scope for the entity that has issued them, but they are in scope for the merchants where the credit cards are used. From a security perspective, it is a good idea to protect these cards the same as consumer credit cards, but from a compliance perspective, it is likely not required. The PCI SSC has an old Frequently Asked Question on this topic from 2009 that states that one should confirm this with the payment brand. Check it out here for more information.

Question: If an email system is cloud based, such as Gmail or Office 365, how would you make it PCI compliant?
Answer: If your email system is being used to store, process or transmit cardholder data, then it is in scope for compliance. If it is outsourced to a third-party service provider, like Google or Microsoft, who is hosting and managing that cloud infrastructure, then that organization is a PCI Service Provider to the organization. There are two ways to deal with third-party service providers, as explained on page 12 of the PCI DSS:
- Annual assessment: service providers can undergo an annual PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or
- Multiple, on-demand assessments: if they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS reviews, with the results of each review provided to the respective customer(s).
As far as we know, neither Google nor Microsoft has a PCI compliant cloud email offering at this time.

Question: We have customers who regularly email us credit card information in non-encrypted emails. How does this impact us?
Answer: This brings your email system and any connected systems into scope for compliance.
We highly recommend that this business process be changed, since the email messages are not encrypted (which would be required if it were to continue) and since it is very difficult, if not impossible, to reduce your scope with your email system in scope for compliance. If this business process is changed and this still occurs from time to time, you would then see it as an unintended channel for receiving cardholder data and need to do the following:
- Implement controls to prevent acceptance of cardholder data via unsecured channels
- Respond to customers in a manner which does not propagate any further unsecured transmissions of cardholder data
- Train staff and customers to proactively prevent customers from continuing to send cardholder data via email
The PCI SSC has a Frequently Asked Question article on dealing with accidentally receiving cardholder data through an unintended channel that goes into a bit more detail as well. Check it out here.

Question: If your third-party providers have a SOC 1 or SSAE 16 report, does this minimize your requirements?
Answer: No, the only documentation recognized for PCI DSS validation is the set of official documents from the PCI SSC website. The PCI SSC has a Frequently Asked Question article on this topic. You can view it here.

Question: At what point should your company have an ISA? We are currently using tokenization and P2PE with CardConnect.
Answer: First we should explain the difference between an ISA and a QSA. QSA is the acronym for 'Qualified Security Assessor'. QSAs are qualified by the PCI SSC to perform PCI DSS onsite assessments for any merchant or service provider. ISA is the acronym for 'Internal Security Assessor'. ISAs are qualified by the PCI SSC to perform PCI DSS assessments for their own company. The company also needs to be certified as an ISA company. Validation of PCI DSS compliance is based on annual credit card transaction volumes that determine an organization's merchant or service provider level.
These levels and validation requirements are defined and maintained by the card brands. Links to the security and compliance resources of each card brand can be found here:
- Visa: resources linked here
- Mastercard: resources linked here
- Discover: resources linked here and here
- American Express: resources linked here
- JCB Data Security: resources linked here
To determine if an organization can validate compliance with an ISA rather than a QSA, they should ask their acquiring bank, as acquirers are the entities responsible for ensuring their merchants are compliant and for specifying what compliance validation paperwork they require.

Question: Some of our customers send in their CC details over the phone. How do we ensure PCI compliance in this situation?
Answer: There is not one single way to ensure compliance for this credit card acceptance channel. The organization needs to look at the entire channel to determine all of the system components that would need to come into scope for compliance and then address all applicable requirements for all in-scope components to meet PCI DSS compliance. Please keep in mind that with all types of credit card acceptance channels, the organization can and should always consider scope reduction techniques. When it comes to reducing the scope of PCI DSS compliance, organizations have several options that should be considered. These options are not mutually exclusive and can be combined to address PCI DSS compliance obligations and/or reduce the environment that the PCI DSS requirements apply to. All credit card acceptance channels need to be considered when reducing scope.
Currently, organizations that have PCI DSS compliance obligations can reduce scope in the following ways:
- Eliminate or change business processes so they no longer store, process or transmit cardholder data
- Implement network segmentation to isolate the cardholder data environment from the remainder of the entity's corporate network
- Outsource cardholder data functions to PCI DSS compliant third-party service providers
- Implement a PCI SSC-listed point-to-point encryption (P2PE) solution; CardConnect provides a PCI validated P2PE solution
If you have any questions on the materials referenced, feel free to email Viviana Wesley at firstname.lastname@example.org or Mark Cuneo at email@example.com.
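The answer above on customers who email card numbers lists three controls, and the first two (prevent acceptance over the unsecured channel, reply without propagating the data) both depend on being able to recognise cardholder data in inbound text. What follows is an added example, not code from CardConnect, HALOCK or the webinar: a small Python filter that finds Luhn-valid PAN candidates, masks all but the last four digits (the display limit PCI DSS Requirement 3.3 allows), and masks expiration dates only when a PAN is also present, so a bounce or quoted reply does not carry the card data forward. The regexes, function names and the sample e-mail are constructions for this example; the card numbers in the sample are widely published test numbers, not real accounts.

```python
"""Added example: detect and redact cardholder data that arrives over an
unintended channel (e.g. e-mail). Not CardConnect/HALOCK code; the sample
message below is constructed for illustration."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern matching a 13-19 digit slice of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration date in MM/YY, MM/YYYY, MM-YY or MM-YYYY form.
EXPIRY = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])[/-](?:\d{2}|\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; PCI DSS 3.3 permits at most first six / last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text.

    Luhn filtering drops most invoice, order and tracking numbers that merely
    look like a card number, which keeps the false-positive rate low."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def scan_message(text: str) -> dict:
    """Scan an inbound message and return a redacted copy safe to quote back.

    Expiry dates are only sensitive alongside a PAN, so ordinary dates in a
    message with no PAN are left untouched."""
    pans = find_pans(text)
    redacted = text
    for start, end, digits in reversed(pans):   # right-to-left keeps offsets valid
        redacted = redacted[:start] + mask_pan(digits) + redacted[end:]
    if pans:
        redacted = EXPIRY.sub("XX/XX", redacted)
    return {"contains_pan": bool(pans), "pan_count": len(pans), "redacted": redacted}


# Constructed sample e-mail. 4111... and 5555... are well-known test numbers;
# the 13-digit invoice number is deliberately Luhn-invalid to show the filter at work.
SAMPLE_EMAIL = (
    "Hi, please charge my card for invoice 1234567890123.\n"
    "Card: 4111 1111 1111 1111 exp 12/24, backup 5555-5555-5555-4444 (exp 03/2026).\n"
    "Thanks, call me at 215-555-0123."
)

if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL)
    if result["contains_pan"]:
        print(f"REJECT: {result['pan_count']} PAN(s) found; reply with the redacted quote only")
    print(result["redacted"])
```

A mail gateway or ticketing intake would run scan_message on each inbound body and, when contains_pan is true, refuse to file the message and send the customer the redacted text plus directions to a secure payment channel; the original must then be deleted, because any retained copy keeps the mailbox in scope. The separator handling is deliberately narrow (single spaces or dashes), so PANs split across lines or padded with other punctuation need normalisation before scanning, and a Luhn pass is a filter, not proof that a number is a live card.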
Shaila Ortega Integrated Payments Oct 12 2017
In today's world, the evolution of technology is king, creating new challenges for retailers who want to remain relevant and accessible to the equally evolving retail shopper. Constant connectivity, instant gratification and limitless resources create a need for retail shops to push beyond the traditional brick-and-mortar store in order to cater to the rise in digital transactions. What was once a valued face-to-face interaction that formed the shopping experience has quickly evolved into the need for an omnichannel purchase option with round-the-clock accessibility. According to the Pulse of the Online Shopper, a study by UPS, 4 out of 10 purchases are made outside of the store. That's a stat that's important to our CardPointe users who take advantage of the platform's omnichannel solutions. So, how are businesses handling the evolution of the tech-savvy shopper? It can really be summed up in one sentence: retailers need to provide an omnichannel purchasing solution to remain relevant in this space. An omnichannel solution provides customers with an accessible, integrated shopping experience at their convenience. Don't miss our infographic below, which tells the story of the evolving retail shopper. The first step toward this experience is to look at your current payments partner and evaluate the platform provided. Is it conducive to the evolved shopper profile? If so, they will offer varied options such as direct integrations, security and a suite of omnichannel solutions. These features will allow your tech-savvy customers to shop seamlessly from any mobile, desktop or tablet device, safely and securely. CardConnect takes pride in being able to offer retailers a complete integrated solution that facilitates all of the aforementioned sales channels.
PROTECTING YOUR CUSTOMERS
With potential fraud attacks always lurking in the shadows of the digital space, retailers and their customers rely on their integrated payments provider to protect every transaction. CardConnect provides retailers with peace of mind by offering CardSecure, an omnichannel protection feature designed to prevent fraud attacks. It is important to highlight that of the shoppers surveyed in the UPS Pulse, 33% stated they had concerns over security and 27% over privacy that prevented them from using digital payment options. While brick-and-mortar stores will cater to those not quite ready to shift to digital transactions, don't let security be the reason a potential sale is lost. As a retailer, you'll want to decide which sales channels are most favored by your customers, and then find a way to support and integrate those checkout options into your business operations as seamlessly as possible. If you want to explore how CardPointe makes that possible, drop us a note and one of our support specialists will be in touch. If you want to dig deeper into the motivations and actions of the evolved shopper, you can check out the entire study: UPS Pulse of the Online Shopper™. Below, we've also got a snazzy infographic showing how the retail shopper has been evolving over time.
Taylor Havlisch Women in Business Oct 5 2017
For 14 years, the city of Philadelphia has hosted what is now the nation's largest conference for women. On Tuesday, October 3, close to 12,000 attendees came together for another unforgettable Pennsylvania Conference for Women (@PennWomen), a few of whom were talented members of the CardConnect team. The events of the conference began early but had every attendee wide awake with the powerful voices of speakers including Shonda Rhimes (writer and executive producer of several hit TV shows including "Grey's Anatomy" and "Scandal"), Carla Harris (Vice Chairman, Managing Director and Senior Client Advisor at Morgan Stanley), and Shawn Achor (New York Times best-selling author of The Happiness Advantage and Before Happiness). Carla's confident and echoing voice reached every corner of the Convention Center's grand auditorium and reminded the women (and a few men) who were hanging on every word about the importance of discovering and embracing the power that each one of us has. What took the form of thoughtful advice to her 25-year-old self was a lesson to all listeners about speaking at the table you've been invited to, in the room where you belong. She expressed the value of investing in relationships, without which you cannot fully reach your highest potential, and cautioned against wasting time on those who can "dim your light." When Shonda took the stage, her theme was that of renaming "obstacles" to change perspective and, by giving them a new meaning, hopefully turn those challenges into opportunities. She revealed her own deep fear of public speaking, and the journey of renaming it that brought her to speak in front of her 12,000 listeners.
"I belong in every room I'm in." Shonda Rhimes

As the day continued, the agenda allowed attendees to venture into breakout sessions covering many different topics, including lessons on how to lead authentically, advice for dealing with difficult people in the workplace, tips for finding balance and purpose, and strategies for tackling barriers. When the thousands of attendees came back together during lunch, additional keynote speakers inspired the crowd, including Joanne Ryder, Executive VP and Chief Administration Officer at Beneficial Bank, and Dr. Brené Brown, a research professor at the University of Houston. Dr. Brown also took the audience through a story of belonging and shed some light on the science behind the feeling. She also spoke about being strongest when standing alone, in what may seem to be "the wilderness." Arguably the most anticipated event of the day was the moment Former First Lady Michelle Obama and Shonda Rhimes shared the stage for a conversational interview. The energy in the room was wild as Michelle entered, welcomed warmly by a standing ovation. She gave the intently listening room her best advice on being a mother, leader and strong woman. She reminded us to give our nation's children a voice from the beginning, so they have the foundation and confidence to use that voice in the future. Both Michelle and the crowd were also surprised when Former President Barack Obama shared with the audience a heartfelt video message for Michelle on what was their 25th wedding anniversary. The thread that seemed to string together most of the abundant advice spoken during the conference was the message of belonging exactly where you are, wherever you are, embracing that belonging and using your voice to harness the power of your seat at the table.