Going to Sapphire 2016? Drop by booth 1146 and chat with CardConnect.
CardConnect is known for creating the best in ERP security technology for the payments industry. Our flexible SAP-certified integrations offer a secure avenue for accepting payments, while simultaneously cutting costs and reducing PCI scope.
Our payment experts are available during Sapphire to discuss how to make payments within SAP simple, secure and 100% PCI compliant.
by Chelsea Palo
Chelsea is CardConnect's Partner Marketing Manager and a big fan of yurts.
Accept Chip Cards on Your CardPointe Mobile App with Bolt
Remember when we told you that we combined CardPointe with Bolt P2PE so you can accept EMV (chip) cards right within the CardPointe Virtual Terminal? Well, now we’ve brought that same powerful combo to the CardPointe Mobile app.
We’ve created another perfect pair that combines the simplicity of using CardPointe with the serious security of Bolt. Our Bolt P2PE devices protect data with both EMV technology and point-to-point encryption (P2PE).
Who should be using Bolt P2PE devices?
Bolt P2PE is a cloud-based solution that’s heavily used by software companies looking to seamlessly integrate secure payments into their existing systems. Now that Bolt P2PE comes with its own terminals that are integrated to CardPointe, it’s great for any merchant.
If you’d like to learn more about the superhero strength of the CardPointe and Bolt combination, check out the latest CardPointe Mobile release notes here.
If you're a current merchant with us and would like to start using a Bolt terminal, all you have to do is complete a Support Ticket in your CardPointe account.
Beyond Bolt, there are a few other goodies to know about in the latest edition of the CardPointe Mobile app. We’ve also added the ability to capture additional information when running a transaction with the CardPointe Mobile app. Now you can capture:
All you have to do is enable the capture of these fields in the Settings of your CardPointe Mobile app. To learn more about the CardPointe Mobile and how you can be using it to easily process payments, visit our Support Center.
Don’t forget, you can always get started with any products in the CardPointe suite, by filling out an inquiry form here.
Nov 10 2017
Here's What You Should Understand About PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers (MasterCard, Visa, Discover, Amex and JCB International), the Council ensures that merchants (sellers and organizations) protect their customers’ credit card information during transactions and while it is being stored.
Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC, both to avoid a potential data breach and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant depend on how your company operates.
There are many areas where your business could have security vulnerabilities, such as operating systems and devices that hackers could use to reach your company’s private network. Data can be stolen from many areas, including but not limited to:
Identifying where your company’s weaknesses are when it comes to the protection of sensitive cardholder information, and securing how your business processes payments is paramount.
What do I need to do to become PCI Compliant?
There are various levels of PCI compliance, which depend on the number of card payments your business processes each year (a 12-month period). One requirement applies across the board: a business should achieve 100% PCI compliance and maintain it, in order to keep its own data and its customers’ data safe.
Each of the five major credit card members of the PCI SSC has its own data security standards. Below is a simplified, general breakdown of potential PCI DSS requirements:
PCI requirements depend on which level is applicable to your business. Each level requires the merchant to complete the relevant PCI DSS Self-Assessment Questionnaire (SAQ), provide evidence of a passing vulnerability scan performed by a PCI SSC Approved Scanning Vendor (ASV), and complete and submit the Attestation of Compliance (AOC) to its acquirer.
If you would like any clarification on the information here, please visit the PCI Security Standards Council’s website.
What happens if I’m not PCI compliant?
As previously mentioned, PCI compliance is not required by law; however, if your customers’ data is breached you could incur major damage to your business, its reputation and brand image, as well as a multitude of fines. In the long term, complying with PCI DSS requirements will cost your business a lot less.
The State of PCI DSS Compliance
According to Verizon’s 2017 Data Breach Investigations Report (DBIR), the state of PCI DSS compliance is continuing on an upward trend, with growth of 44.3% since 2012. However, 44.6% of businesses still failed to pass an interim PCI DSS validation in 2016:
SecurityMetrics has predicted that data breaches and attacks from hackers will ‘likely follow similar trends from the latter half of 2016,’ referring to companies such as Yahoo, who notoriously fell victim to a series of attacks in which the personal information of millions was compromised.
SecurityMetrics forensic takeaways from 2016:
CardConnect’s Point-to-Point Encryption and Tokenization
CardConnect can provide merchants with solutions that help to reduce PCI audit scope, with PCI-validated point-to-point encryption (P2PE) which is applied in both retail (card-present) and call center (card-not-present) transactions.
It is part of CardConnect’s CardSecure solutions.
CardSecure’s P2PE solution is designed to provide businesses with the highest degree of payment security and to greatly reduce the scope of their PCI DSS compliance requirements.
Check out an overview of how a typical transaction works below:
PCI DSS Compliance FAQs
Q: What is the PCI DSS?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI SSC, an independent organization that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
Q: How does a merchant get educated about PCI compliance?
A: Merchants getting started with PCI compliance can find a wealth of information on the PCI Council website and download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what a merchant's specific compliance requirements are, the PCI Council recommends the merchant check directly with the card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc., Visa Europe.
Q: To whom does PCI compliance apply?
A: PCI compliance applies to ANY organization or merchant (includes international merchants/organizations), regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q: Is a merchant obligated to be PCI compliant?
A: PCI compliance is not a law. The PCI standards were created by the major card brands: Visa, MasterCard, Discover, AMEX and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach occur. The consequences of non-compliance far outweigh the time and effort put into maintaining PCI compliance.
Q: How often is PCI DSS validation required?
A: Merchants must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Validation requirements vary depending on the number of transactions processed annually and the payment card brand. Compliance requires establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies to ensure ongoing compliance through continuous protection of payment card data.
Q: What are the requirements to be in compliance with the PCI Data Security Standard?
A: The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It comprises 12 general requirements designed to: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.
Q: Which Self Assessment Questionnaire (SAQ) must be completed by a merchant?
A: The PCI DSS SAQ Instructions and Guidelines information provides a summary of the different SAQs and the types of environments that each SAQ is intended for. Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment. Additional SAQs may apply depending on how the merchant is conducting business. For more information please visit the PCI Council website.
Q: How does CardConnect help minimize PCI scope within a merchant environment?
A: CardConnect provides cardholder data tokenization. A token replaces the cardholder data that a merchant needs to store when handling transactions. The token is used when submitting the transaction to the payment processor. Since the token is not card data, the merchant can store the token and reduce the PCI scope of the system storing the token. Merchants with e-commerce sites can also reduce their PCI scope by making use of the available CardConnect tokenization solutions.
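The following Python sketch is an added example (not CardConnect’s or CardPointe’s code; the vault, the `tok_` token format and all function names are assumptions) illustrating the point above: the merchant’s own records hold only a random token plus a masked card number, the clear PAN exists solely in the token provider’s vault, and a simple scope check over the merchant’s records finds no card data.

```python
"""Tokenization sketch: merchant keeps tokens, provider keeps PANs.

Added example, not CardConnect code. The vault, the "tok_" token
format and the helper names are assumptions for illustration.
"""
import re
import secrets

# Constructed sample inputs: standard Luhn-valid test numbers, not real accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects malformed card numbers before they are tokenized."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side (assumed to run in the tokenization provider's secure
    environment, which stays in PCI scope). Tokens are random, so nothing
    about the PAN can be recovered from a token without this vault."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same card -> same token

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(16)   # no relation to the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, when forwarding to the processor."""
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; the rest is replaced with asterisks."""
    return "*" * (len(pan) - 4) + pan[-4:]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores for a transaction: token, masked PAN, amount.
    The clear PAN is passed to the vault once and never written down here."""
    pan = re.sub(r"\D", "", pan)
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def contains_pan(record: dict) -> bool:
    """Scope check: flag any field that is a bare 13-19 digit Luhn-valid number.
    Tokens carry a 'tok_' prefix and masked PANs keep only four digits,
    so neither can match."""
    for value in record.values():
        if not isinstance(value, str):
            continue
        digits = re.sub(r"[ -]", "", value)
        if re.fullmatch(r"\d{13,19}", digits) and luhn_valid(digits):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        rec = merchant_record(vault, pan, 1999)
        print(rec, "contains PAN:", contains_pan(rec))
```

The design choice worth noting is that the token is drawn from `secrets` rather than derived from the PAN: a hash or format-preserving transform of the card number would give an attacker who obtained the merchant’s records something to attack, whereas a random lookup key reveals nothing without the provider’s vault.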
Q: If a merchant only accepts credit cards over the phone, does PCI compliance still apply to the merchant?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
Q: What are the penalties for failure to comply with PCI DSS?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on to their merchants. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Q: What is a vulnerability scan?
A: A vulnerability scan checks a merchant or service provider’s systems for security vulnerabilities. It is a tool that will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are generally performed.
Q: How often does a merchant have to have a vulnerability scan?
A: Once every 90 days. Merchants requiring a vulnerability scan are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as SecurityMetrics.
Q: Do organizations using third-party processors like CardConnect have to be PCI compliant?
A: Yes. Using CardConnect services does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI DSS.
Q: Is CardConnect a PCI compliant Gateway Service Provider?
A: Yes. CardConnect is a PCI compliant Gateway. Every year, CardConnect engages in a rigorous PCI DSS assessment process to review and re-assess all data security measures. As a result of that process, a Report on Compliance (ROC) is generated. A yearly Attestation of Compliance (AOC) document is available upon request.
Q: Who is required to fill out a PCI SAQ document?
A: Any merchant handling credit card transactions is required to fill out a specific PCI SAQ document based on the nature of the cardholder data process in place. To determine which SAQ corresponds to a merchant, please visit our SAQ document summary section.
P2PE Frequently Asked Questions
Q: What is P2PE?
A: Point-to-point encryption (P2PE) cryptographically protects account data from the point at which a merchant accepts the payment card through the entire lifecycle of the transaction. With P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it far less valuable if it is stolen in a breach. Merchants using PCI-validated P2PE solutions also have fewer applicable PCI DSS requirements, which helps simplify compliance efforts. CardConnect’s P2PE solution is validated by the PCI Council, making CardConnect one of the few companies qualified to offer such a solution. The PCI Council’s list of validated solutions, including CardConnect’s, is published on its website.
Q: What are the benefits of P2PE?
A: A P2PE solution:
Makes account data unreadable by unauthorized parties and protects customer data and therefore a company's reputation
“De-values” account data because it can’t be decrypted even if stolen
Simplifies compliance with PCI DSS requirements
Reduces the P2PE Self-Assessment Questionnaire to only 26 requirements
Q: Who can use SAQ P2PE-HW?
A: SAQ P2PE-HW is intended for SAQ-eligible merchants who process cardholder data only via approved payment terminals as part of a Council-listed P2PE solution. Merchants wishing to use SAQ P2PE-HW must confirm that they:
Are using a P2PE solution that is listed on the PCI SSC’s List of Validated P2PE Solutions
Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the P2PE solution
Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems
Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Q: How does CardConnect reduce the PCI audit scope of an Independent Software Vendor?
A: An independent software vendor (ISV) that provides software solutions to merchants processing credit cards can remove its application from PCI scope as long as the solution is integrated with CardConnect's P2PE solution.
Running a Business
Oct 30 2017
A Guide to Merchant Services: What You Need to Know
Despite the arrival of mobile payments, consumers still favor using credit and debit cards to make payments both in-store and online.
According to the most recent payments study conducted by the Federal Reserve, noncash payments in 2015 are estimated to have totaled 144 billion transactions, with a value of $178 trillion. Within these figures, the number of debit card payments grew to 69.5 billion in 2015, with a value of $2.56 trillion, growing at an annual rate of 6.8% by value. The largest growth rate among the payment types considered in the study was for credit card payments, which grew to 33.8 billion with a value of $3.16 trillion, a growth of 7.4% annually.
What is Merchant Services?
In short, merchant services allow your business to accept card payments from your customers. This is otherwise known as credit card payment processing. Our CardPointe platform was built to address all of your payment processing needs.
When a customer makes a payment for goods or services, this transaction undergoes a chain of approval so the payment can be accepted.
The customer’s credit card information is sent to the merchant’s acquiring bank, which is then sent to a payment processor. Next, the card association (MasterCard, Visa, Discover, AMEX) sends this information to the issuing bank (this is the bank where the credit card was initially issued). This is where the approval, or denial, of payment happens. The issuing bank then sends a code to the credit card association, who sends it to the merchant’s acquiring bank, and finally onto the merchant’s payment terminal. Once the transaction is completed, the merchant’s terminal then prints a receipt. The customer will then pay their credit card bill at the end of the billing period.
What is a merchant account?
Put simply, a merchant account allows businesses to accept credit and debit card payments.
To open a merchant account, a contractual agreement is made between the merchant and the acquiring bank (who will be processing the card payments) and any other parties involved in processing payments, such as a payment processor, an independent sales organization (ISO), and a member service provider (MSP).
What are merchant account fees?
It is important to understand the various types of fees when considering a merchant account. Typically these fees are determined by the way your business operates: the size of your company, its credit score, potential risk factors and whether you have a history with any other merchant services provider. Businesses can expect to pay transaction fees, which are calculated from the actual transaction amount plus a flat fee (this can vary depending on your merchant services provider); minimum fees, which are applied monthly; and gateway fees, which are only charged if the merchant services provider uses a third-party payment processor.
What are interchange fees?
Understanding the importance of interchange fees, what they mean, and how they relate to your business is crucial for businesses considering a merchant account. Also known as interchange rates or pricing, these fees are charged to the merchant by a credit card processor (such as CardConnect), and must be paid in order for the merchant to accept credit card payments. These rates are set by the card associations and card-issuing banks.
Interchange fees are determined by the type of merchant you are, how big or small your company is and how your company accepts payments.
To find out more about interchange rates and pricing, click here to listen to a podcast from Angelo Grecco, our Chief Business Development Officer, and George Peabody from Glenbrooks’ Payments on Fire, who discuss at length the importance of interchange fees.
What is Interchange Optimization?
There are hundreds of interchange cost structures available, which is where interchange optimization can really help your business find the best interchange rates available and maximize your credit card processing savings. Interchange optimization is based on industry-specific program requirements created by the major card brands (MasterCard, Visa, AMEX), and it ensures that your business qualifies for the best interchange rates on every transaction that you process.
How do I know that the card payments I accept are secure?
The Payment Card Industry (PCI) Security Standards Council enforces a set of standards called the PCI Data Security Standards. These standards make sure that all customer and credit card information is securely handled, lessening the impacts of a data breach.
CardConnect’s devices are protected by CardSecure, which is a combination of point-to-point encryption (P2PE) and our patented tokenization. This ensures that your customers’ payment data is protected instantly at the point of entry and transmitted securely for processing. Using patented, intelligent tokenization, CardPointe reduces the PCI compliance challenges merchants encounter for all transactions, both card-present and card-not-present. Only P2PE certified vendors like CardConnect can deliver this unparalleled level of payment security.
5 FREQUENTLY ASKED QUESTIONS ABOUT MERCHANT ACCOUNTS
1) Are merchant services right for my business?
Merchant services can really help your business grow and control costs. Engaging a payment processor that uses its own products and technology is more likely to be cost effective. Fraud prevention and data security are as paramount online as they are in-store. Choosing a merchant provider that specializes in eCommerce, for example, will ensure that you can securely accept payments from all major credit cards, as well as processing popular virtual payment types such as Apple Pay.
The best merchant services can transform how your business manages transactions, saving you both time and money, allowing you to focus on other areas of your business.
2) Will I be approved for a merchant account?
This will depend on your type of business, and whether the credit card networks have assigned you any risk factors. You may experience a longer application process, or be required to pay higher fees for transactions with a bigger risk factor.
3) How much will it cost to have a merchant account?
The cost of accepting credit card payments can vary. It’s important to note what fees will be assessed for your company, which will be laid out in the initial contract. The fees you are responsible for will include both interchange rates and processing fees. Depending on the payment processor you choose, there may be room to negotiate a better, or lower rate for your business.
4) How long will it take before I'm up and running?
The setup process is dependent on different variables of a business, like size and card acceptance method. Larger more established businesses that require multiple POS systems in multiple locations, for example, could experience a more extensive setup.
5) What type of POS do I need?
The type of terminal you need will depend on the type of payment method your business will be accepting. If you are based in a single location, a POS terminal may be the best option, however, if you are on the move, then a virtual terminal or mobile device that works with an integrated app, for example, would be a better option.
Why choose CardConnect as your merchant services provider?
Founded in 2006, CardConnect is one of the 10 largest independent sales organizations (ISOs) of First Data Merchant Services, the world’s largest electronic payment processor.
CardConnect is a leading provider of payment processing and technology services, helping more than 67,000 merchants across the U.S., from Fortune 500 to small startups, accept billions of dollars in card transactions every year.
CardConnect’s mission is to provide simple and secure payment processing solutions. Using CardSecure, our patented tokenization, gateway and hardware solutions, we make payment acceptance simple, integrated and secure.