News 2007

Coming soon – 3D Secure Verified by Visa and MasterCard SecureCode

November 2007

3D secure is a technical standard developed by Visa and MasterCard and is commonly known as Verified by Visa and MasterCard SecureCode. It is a simple password-protected identity-checking service that takes the risk out of online retail, for you and for your customers.

You get protection from fraudulent transactions and the costs associated with it, and your customers get the reassurance they need to spend with confidence.

· Eliminate chargebacks – Helps protect you from fraudulent claims from cardholders – that they didn’t take part in, or authorise, a payment. Once you are up and running with Verified by Visa, you are no longer liable for chargebacks of this nature.

· Boost customer confidence – Research in Germany, Spain and the UK shows that 84 percent of people who do not shop online would be more likely to with Verified by Visa. Of established Internet shoppers, 71 percent say they would do so more frequently.

· Achieve bigger sales – Research by the analysts Gartner Group states that the average e-commerce transaction is worth less than €73. Figures from Visa Europe show that the average Verified by Visa transaction is worth more than €138

EFT/400 Encryption module now available

November 2007

We are pleased to announce that the EFT/400 Encryption module is now available to all our EFT customers.

The module addresses the following PCI requirements:

Requirement 3: Protect stored cardholder data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimising risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full Primary Account Number (PAN) is not needed and not sending PAN in unencrypted e-mails.

Requirement 7: Restrict access to cardholder data by business need-to-know

This requirement ensures critical data can only be accessed by authorised personnel.

7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

Features:

Credit card numbers are masked and only last 4 digits of card are generally available unless the user is authorised to see the whole number. Data is Encrypted using AES 256 bit encryption Access to full data restricted to ‘need to see’ users by security access cards Encryption key management included Full Audit trail of card data enquiries.

Quick and easy Implementation:

Software will be issued on CD with 2 security access cards despatched separately User libraries will be issued with appropriate changes A one-time routine is provided to encrypt current data and remove observable data on EFT files.

What do I need to do next? You can speak to us to find out how we can help you.

What is PCIDSS?

October  2007

What is PCI?

Firstly, it is important to note that PCI is not a law: It is a private security standard that members, merchants and service providers must follow pursuant to their contracts with the credit card companies. Although PCI is not a law, it is enforceable by the credit card companies through contractual penalties or sanctions that include revocation of the company’s right to accept or process credit card transactions.

Who does it apply to?

There is a myth that “I don’t take enough credit cards to need to be compliant.” This statement has been heard many times and is a common and broad misunderstanding of the requirements. While there are various levels of credit card merchant and service providers, there is no difference in compliance requirements. The fundamental confusion is between compliance and validation. If you are a current user of EFT/400 then PCI applies to you. Basically PCI applies to all members, merchants and service providers that store, process or transmit cardholder data, whether that data is received in a point of sale, phone, e-commerce or other type of transaction.

In addition to the compliance requirements, PCI also contains ongoing validation requirements. These requirements differ somewhat from one credit card company to another,

There is a general misconception that being compliant is hard and expensive – it needn’t be. PCI is just good, basic security. A diligent company should meet most of the requirements prior to even reviewing themselves for PCI compliance.

You could, in fact, make a strong case that PCI is the direct result of poor corporate governance by organisations handling credit card data. Had those organisations made best-practice efforts to secure that data, credit card theft and fraud might have been negligible, thereby reducing the need for the credit card companies to create a set of minimum standards to help offset the risk of offering credit card services. Another myth is that you only need to protect your system form external hackers. You will benefit if you look at protecting you data internally, because if it is secure from you internal team then it is going to be secure from everyone else!

What if I don’t comply?

The PCI program includes monetary penalties and other contractual sanctions for failure to meet its requirements. Under the Visa PCI program, members can be fined up to £250,000 per incident if any merchant or service provider that is not PCI-compliant is compromised. Visa members who fail to immediately notify Visa of a suspected or known loss or theft of transaction information may be fined£50,000 per incident, plus additional fines if a PCI violation presents immediate and substantial risks to Visa and its members.

More importantly failure to meet PCI can also result in suspension or revocation of a company’s right to accept or process credit card transactions. This certainly doesn’t look good for your business.

What do I need to do next? You can speak to us to find out how we can help you.

Offices to Let – Colwyn Bay

July 2007

Whether you are looking for a single office for a business start up or a full office suite with a reception area we can cater for your needs.  The offices are close to the centre of Colwyn Bay,  A55 links, local shopping centre and train station

We can provide offices furnished/unfurnished, with telephone and internet access if you require.

Terms can be either short, medium or long term to meet your requirements. We are on hand if you have any technical requirements.

Contact us for further information on Tel: 01492 533003

We have now moved

June 2007

We have now moved to our new offices in Colwyn Bay.
The new address and telephone number are:
23 Princes Drive,
Colwyn Bay
Conwy.
LL29 8HT
Tel: 01492 533003

On the Move

May 2007

We are on the move again in North Wales.

We have purchased an office building in the nearby town of Colwyn Bay. The Abergele branch will be relocating in the very near future and the new building will give us all the room we will need to grow. The additional office space will be made available on either a short or long term agreement as required. Further information will be made available as soon as we have it.

EFT/400 and the Payment Card Industry Data Security standard (PCIDSS)

May 2007

The press has recently been full stories in relation to the Payment Card Industry Data Security Standard (PCIDSS) and this has grew dramatically when a major retailer had its credit card information stolen consisting of millions of customers card details.

At the end of June 2007, the Payment Card Industry Security Standards Council, a consortium of major card payment scheme brands, including Amex, MasterCard and Visa, will impose the Payment Card Industry Data Security Standard (PCIDSS) for credit card payment merchants. It aims to improve the security of consumers’ card details.

Whilst nothing to panic about, there are clear security guidelines with unclear audit standards and undefined penalties for non-compliance. The implications are clear though – all merchants are expected to follow this standard or be prepared for the consequences should fraud be detected and PCIDSS not be in place. Rather like the introduction of chip and PIN operation, there was no compulsion, but penalties (with chip and PIN they took the form of increased charges) if not introduced. While non-compliance penalties also vary among major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied; and in the event of a serious security breach, fines of up to £500,000 can be levied for each instance of non-compliance.

So as a user of EFT/400 what can you do to reduce the threat to your business? By following the standard and implementing the new Encryption module available to users of EFT/400 you can help protect your business.

For further information on PCIDSS use the following link: Payment Card Industry Data Security Standards Link