Merchant Newsletter - December 16, 2006

PC Verifier now PCI-DSS Compliant!




Even dial-up terminals need to be reprogrammed!


 
You've chosen the car you want and filled out all the paperwork (including the car loan application with the dealer's finance department). The dealer tells you that although your loan hasn't been "officially" approved yet, you can drive the car home anyway.

DON'T DO IT!!  Here's what can happen if you do: a few days later you get a call from the dealership saying your loan wasn't approved at the interest rate you discussed. However, you were approved at a higher rate.

This means you will likely pay thousands of dollars more than you expected. Further, if you try to call off the deal, the dealer will either tell you that they already sold your trade-in, so you have no options, or simply say they'll sue you if you don't agree to the new terms.

The worst part is that you probably are stuck, because the loan agreement included a rescission clause, which means you agreed to pay a higher interest rate if you did not qualify for the loan at the original, agreed-upon rate.

Be careful, and don't take your new car home from the dealer until all the i's are dotted and the t's are crossed. Dealers also generally bury what is called Mandatory Arbitration or Conflict Resolution in the fine print. This ploy sounds reasonable at first, but be very cautious: after everything else has been agreed to, the salesperson asks you to sign a "Dispute Resolution" or "Conflict Resolution" agreement, saying it just means that if a problem occurs you agree to settle through arbitration and not take the dealer to court. Many sleazy dealerships require these agreements because they would be sued frequently without them.



Man Allegedly Uses Fake Check Amid 80 Cops in Chesterfield Township, MI, on Dec. 7 - A man who police say tried to pass a counterfeit check at a Wal-Mart chose the wrong store at the wrong time. Dozens of officers were at the suburban Detroit store Tuesday helping needy children pick out items as part of an annual "Shop with a Cop" charity event.

That didn't stop Calvin E. Fluckes Jr., 21, from pulling into the parking lot next to 40 marked squad cars, police said. He apparently was unfazed by the police presence as he tried to pay for merchandise with a poorly photocopied check for $847.83.

The cashier called over a manager, who alerted one of the 80 officers who happened to be in the store. He was immediately apprehended and could face up to 14 years in prison if convicted, The Detroit News reported.

Be careful!  While the story above is funny, we have seen checks and driver's licenses that would fool even the bank and/or the police!  Anyone with Photoshop and the proper equipment can crank out documents as convincing as what the DMV and the bank produce.  The check and ID above are both examples that we made here with Photoshop for our CrossCheck web page!

Bad checks are always a problem during the holiday season: the bad-check passer knows that merchants do not have the time to properly check out each transaction when people are waiting in line.


NOTE: These changes apply ONLY if you are SAVING PC Verifier Transactions for later processing.  It DOES NOT affect transactions that are processed immediately.

Under the old Visa CISP (Cardholder Information Security Program), storing swiped transactions on a terminal or PC was allowed.  This made sense, as merchants would often visit customers or venues where they would swipe a card but had no land line available to dial out.  The terminal or laptop would store the swipe (hopefully in a heavily encrypted format, as we had done), and when the merchant got back to a location with landline, wireless, or other connectivity they would send the sale as a swiped transaction.

The new PCI-DSS standard (Payment Card Industry Data Security Standard) is much more strict.  Under the new PCI-DSS rules, magnetic track information (the full contents of either track) can NEVER be stored.  What CAN be stored is the information that would be retained for a "keyed" transaction (cardholder name, card number, and expiration date), and it must be stored in an encrypted format, displaying only a truncated card number to the user.

The Payment Card Industry Data Security Standard, or PCI DSS, was established to create a unified security standard whose implications have grown with new industry regulations. The PCI DSS governs the safekeeping of cardholder information throughout the transaction process and applies to any and all entities, whether merchant or service provider, that store, process or transmit cardholder account and/or transaction information. Security requirements were established in six major areas covering 12 requirements.

In September 2006, an updated release of the standard, version 1.1, introduced important changes aimed at improving corporate safeguards for securing financial information. Significant changes in three sections and the addition of two appendices make it necessary for organizations to validate that their current approach meets the new requirements. Enforcement of the new standard is increasingly vigilant, with increased financial penalties for non-compliance and the real threat of acceptance privileges being suspended or revoked.

The lowdown is that if you swipe a card and process it immediately, it is still a swiped transaction. But if you store it, it is STORED as a keyed transaction.  When you submit it later, it is processed as a KEYED transaction, even though it was initially swiped.

When a swiped transaction is SAVED (rather than PROCESSED), PC Verifier will display the message: "Due to recent changes in Visa Operating Regulations, and in order to comply with the PCI (Payment Card Industry) Security Rules, this transaction will be stored as a KEYED Transaction." (see photo at top).


These PCI-DSS measures were instituted, in part, because of the recent, highly publicized thefts of confidential data from computer systems and laptops.  PC Verifier users have always been protected by two layers of security.  First, all stored data is HEAVILY encrypted, and after approval the magnetic track data is purged and the card number is "truncated".  Truncation is the process where all but the last 4 digits are replaced with asterisks (*), so even the merchant cannot see them.  Second, PC Verifier limits the damage that could be done: the card numbers are not accessible, and PC Verifier will not issue credits to cards that have never been charged.
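The following is an added example, not PC Verifier's code, showing the storage rule described above: when a swiped sale is saved for later, keep only what a keyed transaction would carry (cardholder name, card number, expiration date), purge the magnetic track data, and show the user only the truncated card number. The track layouts (ISO 7813 Track 1 and Track 2), the constructed sample swipe with a standard test card number, and the function and field names are all assumptions of this example; encrypting the retained record at rest is left to a vetted crypto library and is not shown.

```python
"""Added example (not PC Verifier's code): store a swiped sale as a
"keyed" record, purging track data and truncating the PAN for display.

Assumptions not taken from the newsletter: track layouts follow ISO 7813
(Track 1 '%B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?',
Track 2 ';<PAN>=<YYMM><service code><discretionary>?'); the sample swipe
is constructed with a standard test PAN; the caller encrypts the record
before writing it to disk.
"""
import re
from dataclasses import asdict, dataclass

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>[^?]*)\?")

# Constructed sample swipe: Track 1 followed by Track 2, as a card reader emits it.
SAMPLE_SWIPE = ("%B4111111111111111^DOE/JOHN^2512101234567890123?"
                ";4111111111111111=25121011234567890?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit validation; catches a bad read before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncation as the newsletter defines it: all but the last 4 digits become '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class KeyedRecord:
    """Only the fields a keyed transaction carries. The full PAN must be
    encrypted at rest by the caller; nothing else from the tracks is kept."""
    cardholder_name: str
    pan: str
    expiry_yymm: str
    amount_cents: int

    def for_display(self) -> dict:
        """What the merchant's screen may show: truncated PAN, nothing more."""
        shown = asdict(self)
        shown["pan"] = mask_pan(self.pan)
        return shown


def save_as_keyed(raw_swipe: str, amount_cents: int) -> KeyedRecord:
    """Convert a raw swipe into the storable keyed record, discarding track data."""
    t1 = TRACK1_RE.search(raw_swipe)
    t2 = TRACK2_RE.search(raw_swipe)
    if t1 is None and t2 is None:
        raise ValueError("no readable track data in swipe")
    if t1 and t2 and (t1["pan"], t1["exp"]) != (t2["pan"], t2["exp"]):
        raise ValueError("Track 1 and Track 2 disagree; refusing to store")
    src = t2 or t1                      # Track 2 is the usual source of PAN/expiry
    pan, exp = src["pan"], src["exp"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    name = ""
    if t1:                              # Track 1 carries SURNAME/GIVEN
        surname, _, given = t1["name"].partition("/")
        name = f"{given.strip()} {surname.strip()}".strip()
    return KeyedRecord(name, pan, exp, amount_cents)


def retains_track_data(record: KeyedRecord, raw_swipe: str) -> bool:
    """Pre-write check: neither the raw track strings nor the service-code /
    discretionary tail of either track may survive in the record. (A very
    short tail could collide with PAN digits; the sample avoids that.)"""
    stored = "|".join(str(v) for v in asdict(record).values())
    forbidden = []
    for m in (TRACK1_RE.search(raw_swipe), TRACK2_RE.search(raw_swipe)):
        if m:
            forbidden += [m.group(0), m["rest"]]
    return any(f and f in stored for f in forbidden)


if __name__ == "__main__":
    rec = save_as_keyed(SAMPLE_SWIPE, 1999)
    assert not retains_track_data(rec, SAMPLE_SWIPE)
    print("stored (encrypt before writing):", asdict(rec))
    print("displayed:", rec.for_display())
```

The mismatch check between tracks and the Luhn check are there because a saved record cannot be re-swiped later; a mis-read that is caught at save time costs a second swipe, one caught days later costs the sale.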

PC Verifier users can update their software easily.  MerchantAnywhere customers have always had the benefits of our "Free Upgrades" Policy.  In order to upgrade your PC Verifier, just go to:

www.merchantanywhere.com/upgrades 

Click on PC Verifier at the bottom of the upgrades menu, or simply click here to download the upgrade directly. Make sure that PC Verifier is closed when you do this, so that no open files get in the way.  If you have a multi-station network, it is important that you perform this upgrade on each one of your workstations.


Simply using this new version of PC Verifier does not make you PCI-DSS Compliant.  In order to be fully compliant you must also:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

 


ORDER FREE MERCHANT MATERIALS HERE!!!

Copyright (c) 2004 Advanced Merchant Solutions, Inc. All Rights Reserved

  See all of our newsletters in our newsletter archive!  Get tips and tricks, previews of new product announcements, tips to prevent fraud, Free stuff, and much, much more

Merchant Information is a newsletter that is available to all members of MerchantAnywhere.com and Advanced Merchant Solutions, Inc. This newsletter is provided as an informational tool designed to keep you up-to-date on the latest news and tools available for mobile commerce and merchant processing. As with all user information, we do not give or sell your personal information to any outside company for its use in marketing or solicitation. To unsubscribe from this newsletter, please reply with "REMOVE" in the subject line.  All of our merchant applicants should be receiving this email newsletter.  If you would like to subscribe, send an email with 'SUBSCRIBE' in the subject to: merchantapp@merchantanywhere.com.  If you are currently receiving the newsletter, and would like to be removed from the mailing list, send an email with the word 'REMOVE' in the subject to: inform@merchantanywhere.com . Once removed, we cannot reinstate that email address, you must re-subscribe with another.