You may have noticed a new option for credit card Record Types when you go to process a credit card.

gotoBilling is pleased to announce that we have added AVS Only as a transaction type to the gotoBilling application. AVS is short for Address Verification System, which simply tries to match the address given with the card holder’s billing address on file with the issuer. AVS Only transactions are $0.00 transactions and are currently supported on the credit card platforms listed below. As other platforms make use of this transaction type, it will be made available to all gotoBilling customers.
- VITAL/TYSYS
- Cardnet (First Data North)
- Global East
The AVS Only transaction will also make use of the CVV code to reduce fraudulent use of credit cards. Visa® calls this code Card Verification Value (CVV); MasterCard® calls it Card Validation Code (CVC); Discover® calls it Card ID (CID). Whichever term you use, gotoBilling will send it along with the transaction to help prevent losses to the merchant. In many cases, merchants will use the AVS Only transaction to validate identity without charging or pre-authorizing an amount on a customer’s card.
If you have any questions, please feel free to let us know. If you are unsure if your credit card processor supports AVS Only transactions, contact the number on your credit card statement.
There have been a lot of emails and letters circulating around lately about PCI compliance, a set of standards that everyone who accepts credit card payments must adhere to. In an effort to de-mystify the whole PCI issue, we have listed here some frequently asked questions about PCI compliance: what it means and how it is administered. We hope this will help many of you understand the process and why it was put into place.
Q: What is PCI?
A: PCI stands for “Payment Card Industry”, but it usually means one or the other of the following:
- The Payment Card Industry Security Standards Council. This is an industry body made up of organizations like Visa, MasterCard, American Express, Discover, etc. The Council is how these companies cooperate to agree upon a single, common security standard that they insist merchants meet.
- The actual security standard put together by the Council described in the first definition above. The real name for this standard is the Payment Card Industry ‘Data Security Standard’ (PCI DSS). Merchants must meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards).
Q: What is the ‘PCI DSS’?
A: PCI-DSS stands for ‘Payment Card Industry Data Security Standard’. This is a (quite technical and broad-ranging) set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards. A copy of the PCI-DSS is available here. It should be noted that this site gives Merchants additional tools and advice to help them deal with the requirements of the PCI-DSS.
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or Merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI-DSS requirements apply.
Q: What if a Merchant refuses to cooperate?
A: PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI-DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards.
Q: What does a merchant have to do in order to satisfy the PCI requirements?
A: To satisfy the requirements of PCI, a Merchant must do two things:
- Comply with the Data Security Standard (by meeting all of the requirements laid out in the Data Security Standard), and
- Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with the Data Security Standard. For some Merchants (those with a high volume of card transactions, or with a history of security problems) validation involves on-site audits by certified professionals, but for many Merchants the primary requirements are:
  - annual completion and submission by the merchant of a PCI Self-Assessment Questionnaire (the ‘SAQ’); and
  - where appropriate, undertaking a quarterly network vulnerability scan performed by a certified scanning company.
More information is available in the FAQ sections on Compliance and Validation. It is important to note that being in Compliance does NOT automatically mean that the Merchant has met their Validation requirement (in the same way that individuals must comply with the Tax Code by paying income tax, AND validate their compliance via the use of receipts and other documents.)
Q: What is the ‘Self-Assessment Questionnaire’?
A: The Self-Assessment Questionnaire is a form that Merchants may be required to complete every year and submit to their Acquiring Bank. It was created by the PCI Council. Completing a Self-Assessment Questionnaire helps Merchants do two things:
- Check their Compliance, by finding out for themselves if they are in compliance with the Data Security Standard; and
- Complete part of their Validation, by giving others, such as their Acquiring Bank, evidence that they are in Compliance with the PCI Data Security Standard.
As of February 2008, there is no longer a single ‘one size fits all’ Self-Assessment Questionnaire. Merchants now need to identify which of 5 ‘Validation Type’ categories they fit into, and then complete the appropriate Self-Assessment Questionnaire for their category.
For some Merchants, the appropriate Self-Assessment Questionnaire is short and simple, while for other Merchants the appropriate Self-Assessment Questionnaire is long and extremely technical. Note that for all versions of the Self-Assessment Questionnaire, Merchants will only pass if they pass (or are able to answer ‘Not Applicable’ to) ALL of the questions in the Questionnaire. This web site gives Merchants access to free tools and services that make it much easier for them to identify the Self-Assessment Questionnaire that is appropriate for them, and to complete it. In fact, the tools here do it for the Merchant, based on their answers to some much simpler questions that this web site asks. Where the questions are complicated or technical, the tools provide expert assistance and guidance. Merchants also have access through this site to a variety of tools and services to help them quickly and easily solve any Compliance failures they might have.
Q: What is the ‘SAQ’?
A: ‘SAQ’ stands for the PCI ‘Self-Assessment Questionnaire’. See the above question and answer for more detail.
Q: What is meant by ‘Compliance’?
A: Being in Compliance means ‘meeting all of the requirements laid out in the Payment Card Industry Data Security Standard’. The requirements for Compliance are the same for ALL Merchants, large or small. (However, smaller Merchants typically avoid many of the Compliance problems that larger organizations face, because their systems and networks are usually simpler.)
Q: What is meant by ‘Validation’?
A: Validation means a Merchant’s ability to show, via standard documents and/or tests, that they are meeting the PCI-DSS requirements. The different types of Merchant face different levels of Validation burden, depending on which of four levels they are assigned to. Merchants that were directed to this web site are, at the very least, required to complete the Self-Assessment Questionnaire.
Q: How are the different Merchant Levels defined?
A: The levels are defined as follows:
- Level 1: Any Merchant that processes over 6,000,000 Visa or MasterCard transactions per year (regardless of whether the transactions are e-commerce or not); OR any Merchant that is declared to be Level 1 by any Card Association; OR any Merchant that has suffered a security incident or attack that resulted in an account data compromise.
- Level 2: Any Merchant processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
- Level 3: Any Merchant processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year.
- Level 4: Any Merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other Merchants processing fewer than 1,000,000 transactions per year.
Q: What is meant by ‘Remediation’?
A: Remediation means the process of fixing any Compliance failures. A Merchant who constructs an appropriate remediation program and completes it will be (by definition) in compliance with the PCI-DSS.
Q: Is PCI a government program? Is it a law?
A: No: PCI is not, in itself, a law. The standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI-DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards.
Q: Are Merchants required to use the tools provided through this web site to fix any Compliance problems?
A: No: The tools provided through this web site are offered as a low-cost convenient way to fix problems, but Merchants are free to use any remediation tools they want to fix their Compliance problems. Merchants who use other tools are then solely responsible for making sure that those tools are appropriately selected and properly implemented, and are then responsible for re-taking the Self-Assessment Questionnaire.
There are many ways to become compliant. One is by using a service like www.getPCICertified.com that will help you through the process and will coordinate system scanning and policy generation. Another is by going to the PCI-DSS website and following the instructions on the site itself. Although this method is cheaper (it’s free for the SAQ), it may take more time to decipher the standard and put everything into place than it would take to have experts help you. You would also have to obtain scanning elsewhere. However, if you only use PayPal or Google Checkout to process your transactions, I recommend not using a service at all. In this case the added expense simply isn’t worth it. A simple SAQ A will do the trick.