Tailor Your Defenses
Merchants who accept card payments have what thieves want: cardholder data. Often, this sensitive data -- whether it's stored in a magnetic stripe or on a paper record -- is all that stands between thieves and your customers' money.
How you keep cardholder data secure will depend on how you accept and process payments. The key is to create a solid defense customized to how you process payments.
If You Use a Standalone Dial-up Terminal (Dial or Internet Protocol (IP):
- Make sure that neither the customer receipt nor your merchant receipt includes the full account number or expiration date.
- If your terminal is not in compliance, PNC Merchant Services® can help you program your terminal to show only the last four digits of the account number and to hide the expiration date.
- Make sure your Internet connection is protected by a firewall that is properly configured to prevent unauthorized computer access or traffic.
- Have an Approved Scanning Vendor perform network vulnerability scans on your Internet connection at least every three months. PNC Merchant Services has teamed up with Trustwave® to provide validation services at a preferred rate.
If You Use a Third Party Payment Application:
- Ask your payment application vendor or check with PNC Merchant Services to see if your particular payment application you are using is compliant with the Payment Application Data Security Standard (PA-DSS). You may also check this website: www.pcisecuritystandards.org to learn if the payment application has been validated against this standard. If the payment application is not PA-DSS compliant, it may need to be upgraded.
- Payment Applications must also be certified with PNC Merchant Services.
- Install anti-virus and anti-malware programs on any computer system that contains your payment applications, and update these programs regularly.
- Change any IDs and passwords supplied by the payment application vendor to new ones that are unique and hard to guess.
- Create a unique ID and hard-to-guess password for every employee accessing the computer system and/or the payment application. Passwords should include a combination of uppercase and lowercase letters, numbers and special characters.
- If you have vendors that access your computer systems remotely, ensure they are using secure access protocols and protecting any data within their control.
If You Accept Card-Not-Present Transactions (Mail Order/Telephone Order/Fax Order/e-mail Order/Internet Order):
- Do not store the three-digit security number from the back of any payment cards (CVV2,CID,CVC) in any format.
- Do not request the security code number on mail-order forms or billing forms.