
Software Compliance

With recent advances in the technology that drives eCommerce, it may seem as though credit card processing software takes care of itself. But without regular upgrades and ongoing maintenance, your credit card processing programs can quickly become outdated, accumulate unpatched vulnerabilities, and slip out of compliance.

The potential pitfalls of noncompliance

Noncompliant software puts you at high risk for a data security breach, potentially costing you

  • fines and penalties up to $500,000
  • monthly noncompliance fees
  • damage to your reputation

Even if you do not suffer a breach, software that is out of compliance can cause a number of problems, such as

  • less efficient and failed payment transactions
  • computer crashes
  • loss of technical support

Data storage: a compliance no-no

Keeping extensive records may be good for tracking inventory, but it is bad for security. Stored card data, however well protected, is a target: like money in a vault, it is worth the effort of skilled thieves and hackers, while a vault that holds nothing attracts no one. The less cardholder data your credit card processing software retains, the smaller your exposure if a system is breached and the smaller the environment you must keep in compliance.

The Payment Card Industry Data Security Standard (PCI DSS) classifies the following as sensitive authentication data, which software must never store after a transaction has been authorized, not even in encrypted form:

Magnetic stripe contents (full track data)

The magnetic stripe on the back of a credit or debit card holds the full track data: the card number, the cardholder's name, the expiration date, a service code and discretionary data, which includes a verification value used to authenticate the physical card. A thief who captures the full track can clone a working card, so none of it may be retained after authorization. The same rule applies to the equivalent data read from a chip.

Card verification code (CVV2, CVC2 or CID, depending on the card brand)

This code is printed on the card (usually three digits on the back, four digits on the front of an American Express card) but is not encoded on the magnetic stripe, so a customer who can supply it is likely holding the actual card. That is why card-not-present transactions ask for it. If stored copies of the code are compromised, this valuable security measure is rendered useless, which is why PCI DSS forbids storing it at all, even once the transaction is complete.

PIN data

Personal identification numbers (PINs) are an added security measure for debit cards and EBT cards. PCI DSS prohibits storing the PIN itself and the encrypted PIN block. A thief who obtains a card number together with its PIN can withdraw cash and make PIN-debit purchases, which makes committing fraud much easier.
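The checks below show how a merchant can verify that its own software is not quietly keeping any of the data just listed: they scan text such as application logs or exported records for full track data, verification codes and PIN blocks, flag bare card numbers, and produce a redacted copy in which only a masked card number survives. This is an added example, not code from the original page or from any particular processor. The regular expressions, the field labels such as cvv2 and pin_block, and the sample log lines are assumptions constructed for the example; real track formats and log layouts vary, so treat the patterns as a starting point.

```python
"""Scan text for sensitive authentication data that PCI DSS forbids storing
after authorization (full track data, card verification codes, PIN blocks),
flag bare card numbers, and produce a redacted copy.

Added example, not code from the original page. The regular expressions,
field labels and sample log lines are assumptions constructed for it.
"""
import re
from typing import List, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, a display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Track 1: %B<PAN>^<NAME>^<YYMM + service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM + service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# Verification code / PIN values leaked into logs under assumed field labels
CVV_RE = re.compile(r"\b((?:cvv2?|cvc2?|cid)\s*[=:]\s*)(\d{3,4})\b", re.I)
PIN_RE = re.compile(r"\b((?:pin_?block|pin)\s*[=:]\s*)([0-9A-F]{4,16})\b", re.I)
# Bare card number candidates: 13 to 19 digits with optional single separators
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_line(line: str) -> List[Tuple[str, Optional[str]]]:
    """Return (kind, masked PAN or None) for each prohibited item on one line."""
    findings = []
    rest = line
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(rest):
            findings.append((kind, mask_pan(m.group(1))))
        rest = rx.sub("", rest)  # so the PAN inside the track is not counted twice
    for kind, rx in (("cvv", CVV_RE), ("pin", PIN_RE)):
        if rx.search(rest):
            findings.append((kind, None))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order numbers, timestamps and other digit runs
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Scan multi-line text; returns (line number, kind, masked PAN)."""
    return [(n, kind, pan)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, pan in scan_line(line)]


def redact(text: str) -> str:
    """Strip track data, verification codes and PINs; mask Luhn-valid PANs."""
    def mask_match(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    out = []
    for line in text.splitlines():
        line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
        line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
        line = CVV_RE.sub(r"\1***", line)  # keep the label, drop the value
        line = PIN_RE.sub(r"\1***", line)
        out.append(PAN_RE.sub(mask_match, line))
    return "\n".join(out) + "\n"


# Constructed sample of what a careless checkout service might write to its log.
# The card numbers are the well-known 4111... and 5555... test numbers; all fake.
SAMPLE_LOG = """\
2024-03-01 10:15:02 INFO order=1001 amount=49.99 auth=approved
2024-03-01 10:15:02 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^2912101123456789?;4111111111111111=29121011234567890?
2024-03-01 10:16:45 DEBUG form pan=5555555555554444 cvv2=123 exp=1229
2024-03-01 10:17:10 DEBUG pinpad pin_block=1A2B3C4D5E6F7A8B
2024-03-01 10:18:00 INFO order=1002 ref=1234567890123 status=shipped
"""

if __name__ == "__main__":
    for line_no, kind, pan in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {pan or ''}".rstrip())
    print(redact(SAMPLE_LOG))
```

Run it over a copy of a log file or a database export; every track, cvv or pin finding is data the software should never have written, and every pan finding is a card number that at minimum must be masked or encrypted where it is stored. The Luhn check matters in practice: the 13-digit order reference on the last sample line is the kind of false positive that makes unfiltered digit-pattern scanners unusable.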

Basic Credit Card Processing Software Tools: Staying Compliant

There is a wide variety of credit card processing software packages available to meet the needs of different businesses, but certain types of software are universal. Some of the most widely used software tools for eCommerce are listed below. If you use any of these credit card processing programs, you must ensure that they meet all of the current data security standards for compliance, and you should understand how each one affects which of your systems fall within PCI DSS scope.

Virtual Terminals allow you to process credit card payments from any computer with an Internet connection. You type the customer's card details into a secure web page hosted by your processor and submit the payment for processing. The convenience has a cost: the computer you type on becomes part of your cardholder data environment, and a keylogger or other malware on it captures every card you key in. That computer should therefore be used only for the virtual terminal, isolated from other systems on your network, and kept patched, and because it communicates over the Internet it requires ongoing assessment to guard against attack. Depending on which PCI self-assessment questionnaire you qualify for, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may be required for your virtual terminal to remain in compliance.

Virtual Shopping Carts are the vehicles with which online shoppers make their purchases. The cart lets customers choose and hold the items they wish to buy, and at checkout it collects the data needed to complete the purchase, including card and address details. Where the card details are entered determines how much of your site is exposed: if the payment form is served by your own web server (rather than by a page, iframe or redirect hosted by your processor), the card data passes through your systems, your cart and the server behind it are at increased risk of a data security breach, and quarterly PCI scans are typically required to maintain compliance. Keeping the card fields on the processor's hosted page keeps card data off your servers, although the page that embeds or links to that form still has to be protected from tampering.

Payment Gateways are online credit card processing systems that enable customers to make secure purchases through a website. The customer keys their details into a secure payment page; the data is encrypted and submitted over a secure channel (TLS) to the gateway, which forwards it through the processor and card network to the issuing bank, and the issuer either approves or declines the transaction. Your own application should retain only the transaction reference or token the gateway returns, never the card details it sent. Because data is being transmitted over the Internet, payment gateways may require quarterly PCI scans in order to stay compliant.


The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.