PCI DSS Compliance - Getting Started

Starting July 1, 2010, the enforcement of PCI DSS will begin for all businesses that accept credit cards. This includes all of the Cash Practice® members. This requirement is NOT unique to being a Cash Practice® Member. It applies to any business that accepts credit cards.

Watch the PCI Webinar Video to see How Easy We Make it to get PCI Compliant.

For payment card transactions and today's fast-paced environment, security has become a primary consideration for every type and size of business that accepts credit and debit cards.

Cash Practice Inc is committed to ensuring that cardholder data remains secure and that our members are protected from the theft and fraud that can result from data breaches on merchant payment processing networks. In conjunction with our merchant provider, Processing Point, it is now a mandated that all parties in our co-operative processing environment, including Cash Practice® Members, are Certified with the Payment Card Industry Data Security Standard (PCI DSS) . The PCI DSS has been set forth by the Card Brands (Visa, MasterCard, Discover & American Express), and includes guidelines, measures and controls to help you implement strong security precautions and ensure safe credit card usage and secure information storage.

Cash Practice Inc is Level 2 PCI DSS Certified. However, this in of itself does not make your company PCI DSS compliant. For example, although you are using CashPractice.com, you are still required to follow a variety of other rules. In order for your company to be PCI DSS Compliant, you are required to do two things, both of which are accomplished using an Approved Scanning Vendor (ASV).

There are many ASV's and the annual fee for their service is typically $179.00 to $250.00 per merchant account. You can certainly use any ASV you want. However, as a Cash Practice® Member, you can get the service for only $148 per year (split into two payments) for BOTH the Retail & Internet Merchant Accounts. The fee is only $99 for one merchant account, Retail or Internet. In the coming months, you will see a $50 charge on only one of your Processing Point merchant statements followed by a $49 charge the following month on each of the merchant account statements. Again, we want you to know that this is not a requirement by Cash Practice Inc. This is something all businesses that accept credit cards have to do and they all have to pay for this service. See the FAQ for more details.

Cash Practice Inc, in partnership with Processing Point, has teamed with Trustwave, an Approved Scanning Vendor (ASV), to assist our members with their required compliance efforts. Trustwave is the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world.

How to get started:

You will need your Company DBA and your Merchant Account Number(s). Your DBA is located under [My Account] ⇒ [Member & Company Info]. The MID's are located under [Auto-Debit System®] ⇒ [Setup] ⇒ [Step 1] ⇒ [Merchant Accounts Tab].

If you only see one MID, then you only have one merchant account. If you see two, then you have two. The Internet merchant account is for processing credit-keyed transactions, such as auto-debits. The Retail merchant account is for processing credit-swiped transacations.

Please Note: You will need to go through this process for each of your Merchant Accounts.

Additionally you will be granted access to the following services through the Processing Point PCI DSS Evaluation Program:

Thank you for taking the time to protect your business and the data you handle daily on behalf of your clients. If you have any questions please call Customer Service at 877-841-7014, or by email at trustkeeper@sagepayments.com. We appreciate your business and encourage you to take this action as soon as possible.

Why are Processing Point & Cash Practice implementing this program?

In today’s environment, security has become a primary consideration for every type of business that accepts credit and debit cards. In an effort to reduce fraud and the related costs associated with data breaches, Processing Point is committed to implementing processes that help ensure that cardholder data remains secure. We have endeavored to assist our merchants in meeting obligations toward full data integrity and security compliance with the Payment Card Industry Data Security Standards (PCI DSS).

Why is Processing Point requiring their merchants to be Payment Card Industry Data Security Standards (PCI DSS) compliant?

PCI DSS Compliance has been mandated by the PCI Security Standards council which includes the 4 major credit card associations (Visa, MasterCard, AMEX and Discover). In an effort to reduce fraud and the related cost associated with data breaches, upcoming mandates will require all processors, on an annual basis, to ensure merchant's businesses are compliant, including the use of compliant payment applications by July 1st, 2010. Processing Point is required to report any non-compliant merchants to Visa & MasterCard on a quarterly basis.

Are other processors doing this?

Yes, all processors are required by the PCI DSS to implement these programs and validate their merchant portfolios. This is not unique to being a Cash Practice® Member.

What is the cost of the PCI DSS analysis and how is going to be billed?

The PCI DSS Analysis is only $99 for one merchant account, Retail or Internet. In the coming months, you will see a $50 charge on only one of your Processing Point merchant statements followed by a $49 charge the following month on each of the merchant account statements. It will be debited to the merchant’s end of the month processing fees. The PCI DSS Analysis fee will be billed annually beginning in the applicable month of March, April or May.

Is this a competitive price for the PCI DSS Analysis – certification program?

Yes, Cash Practice® & Processing Point have partnered with Trustwave to provide a bundled rate for this program. This fee is very competitive compared to what other processors are billing for this service. Our competitive analysis revealed annual rates from $179.00 to $250.00 per merchant account.

Does the PCI DSS certificate need to be renewed?

Yes, the requirement is for merchants to have their businesses reviewed annually to ensure compliance and the appropriate validation.

What types of merchants are involved in this program?

All Level 4 merchants. PCI DSS classifies merchants under this level as shown below:

1. Retail merchants processing under $1 million transactions (Visa & MasterCard) per month (per location).
2. MOTO/Internet merchants processing under $20K transactions (Visa & MasterCard) per month (per location).

Who does this program affect?

To all Level 4 merchants boarded on or before January 31st, 2010. Level 4 merchants boarded on or after February 1st, 2010 will have to comply with the PCI DSS certificate program 90 days after their initial approval to process with Processing Point, at which time they will be notified and the TrustKeeper fee will apply.

Why does the merchant have to pay this fee?

PCI DSS Certification is a procedure implemented to perform a review of your data SECURITY PRACTICES. This procedure will review if you are currently processing credit cards using approved equipment, POS software and/or hosted Virtual Terminal under the Payment Card Industry Data Security Standards (PCI DSS) requirements, as described below:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain a Information Security Policy

Requirement 12: Maintain a policy that addresses information security

What does the merchant get for this fee?

PCI Educational Webinar series for merchant (both live and prerecorded)

TrustKeeper Agent provides assistance to the merchant during the PCI DSS analysis process.

TrustKeeper Monthly Vulnerability Scan ensures no credit card data is being stored on the POS, Software or anywhere within the computer’s memory used by the merchant.

Trustwave PCI DSS Assistant, this feature provides FAQ’s of PCI and the Trustwave site.

On-demand PCI Self Assessment Questionnaire (SAQ)

Security Policy Advisor Tool (Excluding SAQ)

On-line Security Awareness Training

PCI Validation SAQ/IP Scan services, makes certain the merchant has the appropriate PCI DSS Validation once the analysis is performed.

Live Help Desk Support

FAQ’s & links or additional resources regarding PCI

Why do I need the system scan if I am using hosted POS Software (virtual terminal or Ecommerce buy button) such as CashPractice.com?

Many of us have had questions regarding hosted Virtual Terminals and Ecommerce Buy Buttons that are PA DSS certified and housed behind a certified service provider’s firewalls. The following explanations have been provided to us by Trustwave based on PCI requirements:

Hosted Virtual Terminal (CashPractice.com): Hosted Virtual terminals used for swipe or key entered transactions will require a scan to verify appropriate security and firewall settings are in place so that card data is not compromised for the following reason:

1. Key Entered Transactions – Without appropriate security settings and firewalls at the member;s location, “key stroke logging” devices can be utilized to track entries into the merchant’s system outside the hosted payment application. In other words, the computers in your business can record the key strokes. The analysis will let you know if that is occuring.
2. Swiped transactions – Without appropriate security settings and firewalls at the member's location, card data transmitted from the card swipe device can be intercepted.

Ecommerce Buy Button (Shopping Cart): Hosted ecommerce buy buttons used for internet transactions will require a scan to ensure that merchant practices and system integrations protect card holder data.

1. Ensure merchants are not utilizing their system as a virtual terminal.
2. Make certain merchants internal system integrations into the buy button are secure.
3. Guarantee the shopping cart is not capturing card holder data and if so, the data is transmitted to the buy button securely.

If a merchant has a Multi-Merchant ID account, is there a fee per Merchant ID to perform the PCI DSS analysis?

Yes, the PCI DSS analysis must be performed on each Merchant ID. The cost of the PCI DSS analysis will apply to each Merchant ID.

If a merchant has already acquired a PCI DSS certificate with another authorized vendor, are they required to upload their PCI DSS certificate on the Trustwave/TrustKeeper site?

Yes, the merchant will have to upload their PCI DSS certificate on theTrustwave/TrustKeeper site (https://ProcessingPoint.pci.trustwave.com) Processing Point will manually validate their PCI DSS certificate.

Is there a fee to upload the PCI Certificate acquired through an Approved Scanning Vendor?

Yes, a $10.00 fee will be billed to the merchant in order to manually validate the certificate.

How about if the merchant already has a PCI DSS certificate but they were still charged the $50.00 PCI DSS analysis access on their statement?

Once the merchant uploads their certificate a manual validation by Processing Point is completed and a refund of $40.00 will be credited to the merchant’s account. The $10.00 processing fee still applies.

Do you have to be concerned about PCI Compliance?

Most Cash Practice® members are Level 4 Merchants. This is the easiest merchant level when it comes to PCI Compliance. In most circumstances, other than using the Cash Practice® Systems, all a Level 4 merchant is required to do is take the Simple Type A Self-Assessment Questionnaire. Continue reading below for details.

Many smaller business owners may not realize that the Best Practice 6.6 of the PCI Data Security Standard (DSS) became a requirement on June 30th, 2008. The regulation requires merchants dealing with debit and credit cards to tighten their security by both conducting application code reviews and installing Web application firewalls. This guide throws out a lot of information, but if you're a Cash Practice® member, a lot of the work is done for you.

Best Practice 6.6 of the PCI Data Security Standard was put forth by the PCI Security Standards Council, which issues, maintains, and enforces the PCI security standards that govern payment account data security to which all corporations that deal with payment cards must adhere. However, across industries, small businesses are struggling to comply with the Council's standards, designed to protect consumer's personal data.

Consumers want to pay with their credit cards and be assured their data is safe. Small businesses want to collect payments in the most convenient way as well as guarantee their data is secure. But since 2005, according to Visa USA Inc, more than 80% of the instances of unauthorized access to card data have involved small merchants. These small businesses account for 85% of the seven million locations nationwide that accept credit cards. And if a business is found to not be PCI Compliant, its merchant account will be suspended, leaving the business unable to accept credit cards.

Not all merchants are evaluated the same in the eyes of Visa and MasterCard, though. There are several levels of PCI compliance, which are based on the number and type of transactions a business processes a year. Most, if not all, Cash Practice® Members are Level 4.

Level 1 - Process over 6 million credit card transactions each year.

Level 2 - Process between 1 million and 6 million credit card transactions each year.

Level 3 - Process between 20,000 and 1 million e-commerce transactions each year.

Level 4 - Process less than 20,000 e-commerce transactions per year, and under 1 million total transactions per year. The majority of small businesses, including chiropractic offices, fall into this category.

Level 1 Merchants are the only ones required to undergo an actual on-site PCI Compliance Audit. Level 2 and 3 Merchants must complete an Annual PCI Self Assessment, as well as quarterly network security scans. Level 4 merchants must also complete an Annual PCI Self Assessment, but in many cases are not required to complete the quarterly network scan. The self-assessment, results of the network security scan (if applicable), and an attestation of compliance must be submitted to the Acquirer (Processing Point). The attestation of compliance certifies that the company has accurately completed the self-assessment, and that the company falls within the applicable processing limits for self-assessment. Processing Point is responsible for making sure that all of its merchants, including tjhe Cash Practice® Members, are PCI Compliant.

There are four Self Assessment Questionnaires (SAQ), each designed around the way a small business processes its payments. By utilizing the Cash Practice® Systems as a third party payment processing provider, and making sure that all transactions are directly entered into and exclusively stored in the Cash Practice Auto-Debit System®, small businesses performing transactions can qualify for the simplest Type A SAQ, which consists of only 11 questions (as opposed to the more complex Type D that contains 226 questions). The key question in SAQ Type A is whether the third party provider is certified PCI Compliant, which all Cash Practice® members can confidently answer "yes".

Cash Practice® members do need to take the following steps, if they have not already, to assure compliance with Best Practice 6.6 of the PCI Data Security Standard:

Determine the appropriate SAQ type for their business. Instructions for doing this can be found on the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf

Obtain and complete the appropriate SAQ, and submit it along with the attestation of compliance letter to Processing Point. SAQ Type A, which also contains the attestation of compliance letter, can be downloaded here: https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc

Level 2 and Level 3 Merchants must contract for quarterly network security scans, and submit a successful scan to Processing Point.

Take a hard look at their own business environment, and make certain they are operating in a secure manner. Simple steps like shredding all documents containing credit card numbers, installing virus protection and anti-phishing software on all computers, and implementing strong policies regarding passwords and user ids can go a long way towards protecting against a security breach.

Cash Practice® Systems Security Certification - PCI Compliance. We take security very seriously.

The entire Cash Practice® System uses the most powerful security systems found in the marketplace to protect your personal data.

PCI DSS Certified

Payment Card Industry Data Security Standard (PCI DSS) has become one of the most important advances in the credit card industry and online security, and is now required by Visa/MasterCard for all merchants handling credit cards. Not following these rules can result in fines to the merchant and processing privileges being suspended. Security Metrics, a VISA Qualified Security Assessor, has independently audited Cash Practice® Systems and certified that Cash Practice® Systems is PCI DSS compliant.

The Cash Practice® System is designed to provide a secure, easy and efficient system that strictly follows these rules: The Cash Practice® Systems never stores CVD data. Although members have the ability to enter it for one-time transactions to enhance security and the probability the transaction will be approved. The Cash Practice® Systems never stores swiped track data for any reason.

Here is a list of additional measures we take to ensure that security.

The dedicated servers that host Cash Practice® are stored in a secure internet hosting facility with 24x7x365 onsite security and surveillance.

Hardware firewall protection prevents unwanted internet intruders from gaining any access to the servers data.

We use a third-party vendor, Security Metrics, to scan our dedicated servers for security vulnerabilities. If any are detected, immediate action is take to remedy.

All connections made to the server are over an encrypted (https) SSL (Secure Socket Layer) connection and compliant with PCI DSS - Payment Card Industry Data Security Standards. This is the same technology used by banks.

All sensitive data, such as merchant account numbers, credit & bank account numbers, passwords and more are stored in the database in an encrypted format, and cannot be decrypted-except during the process of transmitting a transaction. This means that if transactions are entered directly into the system, or if card numbers are saved in the system for future one-time or recurring transactions, the merchant is, by definition, operating under PCI compliant standards, because Cash Practice® Systems itself has been certified. Even if someone saw the database they can't read the data. Only the Cash Practice® member can view it when logged in.

Each Cash Practice® member has their own encryption key, ensuring your data remains private.

Once credit and bank account numbers are entered into the Auto-Debit System®, they are blinded with X's when accessed and viewed by users.

When left inactive for a period of time, the website automatically logs the user out.

Each time a Cash Practice® web page is loaded, it validates you are an authentic user.

Cash Practice® members can create separate logins for staff with limited access to the website. Account users can be limited to logging in only on allowed days & times as well as limited to only accessing allowed pages and activities.

When entering data into forms, all entries are validated & cleaned before processing and database storage. Programming best practices are used to ensure no database injections can occur.

We require you to routinely update your password.