Cardholder Data and Sensitive Authentication Data Elements
PCI DSS distinguishes two classes of data. Cardholder data is the Primary
Account Number (PAN), the cardholder name, the expiration date and the service
code. Sensitive authentication data is the full contents of the magnetic stripe
(or the equivalent data on a chip), the CAV2 / CVC2 / CID / CVV2 code, and PINs
or PIN blocks. Cardholder data may be stored if it is protected; sensitive
authentication data may never be stored after authorization, even if it is encrypted.
Never store the
CAV2 / CVC2 / CID / CVV2, the full track data or the PIN in your database or logs
once the transaction has been authorized. This is a direct violation of the
requirements, and it is the first thing a forensic examiner looks for after a breach.
If you have to store the PAN for any reason, it must be rendered unreadable
(encrypted with strong cryptography, or truncated, tokenized or hashed, as
described below). If it needs to be displayed, it should be masked unless the
person viewing it is authorized and has a specific business need to see the full
account number. You may display at most the first six digits and the last four
digits. A site that only needs to let the customer confirm which card is on file
with the merchant should show the last four digits alone.
The cardholder name, service code and expiration date may be stored, but when they
are stored together with the PAN they must be protected in accordance with the
PCI DSS requirements; only the PAN itself is required to be rendered unreadable.
PCI DSS does not apply if PANs are not stored, processed or transmitted.
The PAN must be unreadable anywhere it is stored, including backups, logs and any
other media used to hold the numbers. Developers can consider truncation, strong
cryptography, index tokens with securely stored pads, or a one-way hash based on
strong cryptography. One caveat on hashing: a PAN has very little entropy once the
BIN is known, so an unkeyed hash of a full PAN can be brute-forced; use a keyed
hash (HMAC) whose key is managed like an encryption key.
The PAN should never be sent in unencrypted email (which almost all email is,
plain text end to end), instant messaging, chat, or over any other unsecured
channel. If you ask customers to send you their PAN through a form-to-email
method, you must make sure the email itself is secure. An https: URL on the form
protects only the hop from the browser to your web server; the email your server
then sends is plain text unless you encrypt it separately.
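As an added example (not code from the original page), here is a small Python module that masks a PAN for display (at most the first six and last four digits) and scrubs Luhn-valid PANs out of log lines before they are written. The Luhn check, the 13-19 digit length range, the regular expression and the sample log line are assumptions constructed for the example; 4111111111111111 is a widely used Visa test number, not a real account.

```python
import re

# Added example (not from the original page): mask a PAN for display and
# scrub PAN-like numbers out of log lines before they are written.


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_first=6, keep_last=4):
    """Mask a PAN, keeping at most the first six and last four digits
    (the PCI DSS display limit). keep_first=0 gives the 'last four only'
    form used on order confirmations. Separators in the input are ignored."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line):
    """Replace every Luhn-valid PAN in a log line with its masked form.
    The Luhn filter leaves ordinary numbers (order ids, timestamps) untouched."""
    def _repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits, keep_first=0)
        return m.group(0)
    return _PAN_RE.sub(_repl, line)


# Constructed sample log line: an order id that is not Luhn-valid next to a PAN.
SAMPLE_LINE = "2008-01-15 10:22:01 order=1234567890123 card=4111-1111-1111-1111 amount=49.99"
```

Wire `scrub_log_line` in as a logging filter rather than calling it by hand at each log site; the point is that a PAN never reaches disk even when a developer logs a whole request object by mistake.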
Card Validation Value or Code
The card associations each developed a three- or four-digit code to help prevent
fraud on keyed (card-not-present) transactions. The code is derived by the issuer
for each card and ties the account number to the physical card; it is printed on
the card but is neither embossed nor encoded on the magnetic stripe.
- CVV2: Card Verification Value 2 (Visa)
- CVC2: Card Validation Code 2 (MasterCard)
- CID: Card Identification Number (American Express and Discover)
- CAV2: Card Authentication Value 2 (JCB)
The Security of Your Customers
In the past we have always talked about credit card security, PCI compliance,
etc. But I would also like to remind you about your customers' usernames and
passwords. How are these being stored? A lot of shopping carts store this
information in plain text. If the passwords are stored in plain text and your
server is compromised, every customer's credentials are immediately usable by
the attacker.
Most shopping carts store this information in a database such as Microsoft Access,
MySQL or MSSQL. You should be able to view the database somehow, through
phpMyAdmin, Microsoft Access, Microsoft SQL Server 2000 Desktop Engine or
something similar. How you access it is usually determined when you choose a
web hosting provider. Some will also let you access the data via an Open
Database Connectivity (ODBC) connection.
When you are viewing these tables and records, look for the table that stores
your users' accounts, especially the password column. Are the passwords stored
as salted, one-way hashes? Plain text is the obvious failure, but so is
"encryption" with a key that sits on the same server, and an unsalted MD5 of the
password is only marginally better. If the cart does not hash properly, consider
getting another shopping cart, or contact the vendor for assistance in enabling
secure password storage.
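As an added example (not the page's or any shopping cart vendor's code), here is how a cart written in Python would store and verify passwords with a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library), plus a small audit that flags rows of an existing user table that are not in that format. The iteration count and the sample user rows are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the original page). Passwords are stored as salted,
# iterated one-way hashes: a stolen table yields no passwords directly, and a
# per-user salt forces an attacker to crack each row separately.

ITERATIONS = 600_000  # assumption: chosen so one hash takes ~0.1-0.5 s on the server


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'.
    The stored string carries everything needed to verify it later, so the
    iteration count can be raised for new users without breaking old rows."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. Any malformed or foreign format fails closed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def audit_user_table(rows):
    """rows: iterable of (username, stored_value) as read from the cart's user
    table. Returns the usernames whose stored value is not in the hashed format
    above; plain text, reversible 'encryption' and bare legacy hashes all fail."""
    return [user for user, stored in rows if not stored.startswith("pbkdf2_sha256$")]


# Constructed sample rows, as one might see them in phpMyAdmin.
SAMPLE_USERS = [
    ("alice", "hunter2"),                                   # plain text
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),            # bare unsalted MD5 of "password"
    ("carol", hash_password("s3cret-passphrase", iterations=20_000)),
]
```

On a live cart you would run `audit_user_table` against the real user table, force a password reset for every flagged account, and re-hash legacy rows the next time each user logs in successfully.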
A lot of consumers use the same password for everything. While this is a
great risk to them, it is the quickest way for consumers to get to their
information. This is the reason you want to protect them as much as
possible.
Your Shopping Cart Password
First and foremost,
change your administrator password from the vendor-supplied default as soon as
you start adding your items. Don't wait until you are going live; you have too
much on your mind by then. Use a long password containing letters, numbers and
a few extra characters such as %, !, *, {, etc. Length matters more than
cleverness: a long passphrase, or a random password kept in a password manager,
beats a short one that is merely hard to remember.
Did you know that by changing the vendor-supplied default password you have
already met one of the PCI DSS requirements (Requirement 2: do not use
vendor-supplied defaults for system passwords)?
Password Strength and Security
When new customers are signing up, your website should ask them for a unique
password, and explain why your company is asking for this. A password-strength
checker is also useful for them; prefer one that runs in the browser, so the
real password is never submitted to a third-party site.
When asking users to create an account, the session must be over HTTPS. This
protects the username and password in transit. Even if you use a third-party
processor or let the electronic payment gateway's hosted page handle the
transaction, any page of yours that asks for a password must be served securely.
Payment Application Best Practices from Visa
High profile breaches of cardholder data have garnered a lot of attention in the
media. Most of us have read or heard about the 40 million cards that were compromised
at CardSystems, or the 100 million cards compromised at TJX. As a result of these
breaches, the payment industry developed the Payment Card Industry (PCI) Data Security
Standard (DSS). However, complying with the PCI DSS can be complicated and expensive,
especially for smaller merchants. Although we may not read about it in the press,
breaches at smaller merchants occur every day because the payment hardware and software
they use is not compliant with PCI DSS.
To make PCI DSS compliance a little easier for merchants who use packaged
payment application software, Visa developed the Payment Application Best
Practices (PABP), later adopted by the PCI Security Standards Council as the
Payment Application Data Security Standard (PA-DSS). The PABP applies to software
applications that store, process, or transmit cardholder data as part of authorization
or settlement. It does not apply to software developed in-house by merchants, since
that is covered under the merchant's normal PCI DSS compliance.
Software vendors are required to have their payment applications certified as PABP
compliant by a Qualified Application Security Professional that is employed by a
Qualified Payment Application Security Company. Once compliant, Visa will include
the software vendor and product version in a list of validated payment applications
for one year. Software vendors must re-validate their payment applications each
year to remain on the list.
The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment
applications from the Visa system. They require that members ensure that merchants
do not use applications that retain prohibited data elements and use payment applications
that adhere to Visa’s PABP. If you are using a payment application from a software
vendor that is not PABP compliant then you will not be able to comply with the PCI
DSS.
As of January 1, 2008 new merchants are not allowed to establish a merchant account
using a non-compliant payment application. Existing merchants should check with
their agent or ISO to make sure their payment application is on the list of PABP
compliant applications.
MasterCard Security Card Features
When a consumer hands you his or her MasterCard® credit card to process, you should
swipe the card and keep hold of it. Every MasterCard® card contains a set of unique
design features and security elements developed by MasterCard® to help merchants
verify a card's legitimacy. Holding the card lets you take a look at these security
features and compare the signature on the back of the card with the signature on
the sales receipt.
MasterCard International has introduced new card design format options and modified
several card security features. New card design options offer flexible placement
of the MasterCard Hologram (card front or back) and introduce the option to use
a new holographic magnetic tape, HoloMag™ (card back only). This quick reference
guide will highlight valid card formats, as well as mandated card security features.
Front of the MasterCard®
The "MC" Security Character is no longer permitted on newly issued cards (effective
June 1, 2006), but may continue to appear on cards through June 2010. This is the
cursive M that you might see near the expiration date. The MasterCard® logo
should be on the right-hand side, either in the top right or lower right of the
card. On the front, you will see an embossed or printed account number. The
account number should be even and straight. Right underneath the account number
you will see four digits (the pre-printed BIN). This four-digit number must match
exactly the first four digits of the account number; a mismatch is a sign that the
card has been re-embossed.
Requirements
- Must include full-color MasterCard® Brand Mark
- MasterCard® account numbers must start with the number 5 (true when this was written; since 2017 Mastercard also issues account numbers in the 2-series range 222100-272099)
- First four digits of the account number must be the same digits as those printed directly below (pre-printed BIN)
- 16-digit account number must be clear and uniform in size and spacing and must appear on one line
- Must include valid expiration date
- Must include MasterCard® Hologram unless hologram or MasterCard® HoloMag tape appear on card back
Optional
- MasterCard Hologram may be removed from the card front if the
hologram or MasterCard® HoloMag tape appears on card back
- "MC" Security Character is no longer permitted on newly issued
cards (effective June 1, 2006), but may continue to appear on cards
through June 2010
- Card design and MasterCard Brand Mark may be oriented vertically
Back of the MasterCard®
The last four digits of the account number must be printed in reverse italics on
the signature panel. The CVC 2 number is printed in reverse italics to the
right of the last four digits of the account number. Instead of the magnetic
stripe, you might see the HoloMag™.
Requirements
- Must include signature panel with the word "MasterCard"
printed in multicolors at a 45° angle
- Last four digits of the account number must be
printed in reverse italics on the signature panel
- CVC 2 number (three-digit validation code) must be
printed in reverse italics to the right of the last four digits
of the account number
- Magnetic tape must be present and appear smooth and straight with no signs
of tampering
- Must include MasterCard® Hologram or HoloMag tape
unless hologram appears on card front
Optional
- HoloMag tape may be used in place of the
traditional magnetic tape
- MasterCard Hologram may be placed on the card
back if not appearing on card front
If you suspect that the MasterCard is fraudulent, call your Voice Authorization Center
and tell them you have a
Code 10.
Visa Credit Card Security Features
Earlier I wrote about an
electronic payment gateway
being the start of the transaction. However, if you really drill down, the
consumer is the start of the transaction. They initiate the transaction before
it hits the
electronic payment gateway.
When the consumer decides to buy your product in a brick and mortar atmosphere,
the consumer will hand you his / her Visa credit card. This card can be described
in four different ways:
- Cards with Visa Mini Dove Design Hologram on Back of Card
- Cards with Visa Holographic Magnetic Stripe on Back of Card
- Cards with Dove Design Hologram on Front of Card
- Visa Flag Cards with Dove Design Hologram on Front of Card
Processing a Visa Transaction
When a consumer gives you his / her Visa credit card to process, you should swipe
the credit card and hold on to the credit card. Every Visa card contains a
set of unique design features and security elements developed by Visa to help merchants
verify a card's legitimacy. This will allow you to take a look at the credit
card to verify the security features and to compare the signature on the back of
the card with the signature on the sales receipt.
Cards with Dove Design Hologram on Front of Card
Front of the Visa Credit Card
On the front, you will see an embossed or printed
account number. The account number should be even and straight. Right
underneath the account number, you will see four digits. This four-digit number
must match exactly with the first four digits of the account number. Both of these
will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.
This is the expiration date of the card and is usually under the account number.
The
Visa Brand Mark appears in blue and gold on a white background.
It must appear in either the bottom right, top left, or top right corner. The Flying
Dove Hologram should appear to be three-dimensional and appear to move when the
card is tilted back and forth.
Back of the Visa Credit Card
The signature panel has a tamper-resistant design. If someone has tried to
erase the signature, the word "VOID" will be displayed. It may vary in length
dependent on card type. There is also the magnetic stripe. The magnetic stripe is
encoded with the card’s account number, expiration date, and other identifying information.
Card Verification Value (CVV2) is a three-digit code that appears either on the
signature panel or on a white box to the right of the signature panel. Portions
of the account number may also be present on the signature panel. CVV2 is used primarily
in card-not-present transactions to verify that the customer is in possession of
a valid Visa card at the time of the sale.
Cards with Visa Mini Dove Design Hologram on Back of Card
Front of the Visa Credit Card
On the front, you will see an embossed or printed
account number. The account number should be even and straight. Right
underneath the account number, you will see four digits. This four-digit number
must match exactly with the first four digits of the account number. Both of these
will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.
This is the expiration date of the card and is usually under the account number.
The
Visa Brand Mark appears in blue and gold on a white background.
It must appear in either the bottom right, top left, or top right corner.
Back of the Visa Credit Card
The signature panel has a tamper-resistant design. If someone has tried to
erase the signature, the word "VOID" will be displayed. It may vary in length
dependent on card type. There is also the magnetic stripe. The magnetic stripe is
encoded with the card’s account number, expiration date, and other identifying information.
Card Verification Value (CVV2) is a three-digit code that appears either on the
signature panel or on a white box to the right of the signature panel. Portions
of the account number may also be present on the signature panel. CVV2 is used primarily
in card-not-present transactions to verify that the customer is in possession of
a valid Visa card at the time of the sale.
Cards with Visa Holographic Magnetic Stripe on Back of Card
Front of the Visa Credit Card
On the front, you will see an embossed or printed
account number. The account number should be even and straight. Right
underneath the account number, you will see four digits. This four-digit number
must match exactly with the first four digits of the account number. Both of these
will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.
This is the expiration date of the card and is usually under the account number.
The
Visa Brand Mark appears in blue and gold on a white background.
It must appear in either the bottom right, top left, or top right corner.
Back of the Visa Credit Card
The signature panel has a tamper-resistant design. If someone has tried to
erase the signature, the word "VOID" will be displayed. It may vary in length
dependent on card type. There is also the magnetic stripe. The Holographic Magnetic
Stripe should show a ring around the sun when the card is moved from side to side,
and the word "VISA" should appear in the center of the sun when the card is tilted.
Card Verification Value (CVV2) is a three-digit code that appears either on the
signature panel or on a white box to the right of the signature panel. Portions
of the account number may also be present on the signature panel. CVV2 is used primarily
in card-not-present transactions to verify that the customer is in possession of
a valid Visa card at the time of the sale.
Visa Flag Cards with Dove Design Hologram on Front of Card
Front of the Visa Credit Card
On the front, you will see an embossed or printed
account number. The account number should be even and straight. Right
underneath the account number, you will see four digits. This four-digit number
must match exactly with the first four digits of the account number. Both of these
will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date.
This is the expiration date of the card and is usually under the account number.
A Flying “V” is an embossed security character beside the “Good Thru” date. This
character is not a required security feature and may or may not appear on the card.
Visa Logo should have micro-printing around the border. The fine print is barely
readable without magnification. The Flying Dove Hologram should appear to be three-dimensional
and appear to move when the card is tilted back and forth. As a general rule of
thumb - always check the hologram. It is easier to spot a re-embossed number there.
Back of the Visa Credit Card
The Signature Panel should be white with the word "VISA" repeated in a diagonal
pattern in blue and gold print. The card account number should be printed in the
panel. The words "Authorized Signature" and "Not Valid Unless Signed" must appear
above, below, or beside the signature panel. If someone has tried to erase the signature
panel, the word "VOID" will be displayed. There is also the magnetic stripe. The
magnetic stripe is encoded with the card’s account number, expiration date, and
other identifying information. Card Verification Value (CVV2) is a three-digit code
that appears either on the signature panel or on a white box to the right of the
signature panel. Portions of the account number may also be present on the signature
panel. CVV2 is used primarily in card-not-present transactions to verify that the
customer is in possession of a valid Visa card at the time of the sale.
When something does not look right, i.e. the security features look altered or
they are missing, keep the card in your possession and make a
Code 10 call to
your authorization center. You may be asked to keep the credit card or you
might be instructed to return the card. If your authorization center tells
you it is ok, write down the authorization number on the sales receipt.
Fighting Fraud in your E-Commerce Store
Card association payer authentication (e.g. Verified by Visa (VBV), MasterCard SecureCode (MSC)) is becoming increasingly important in online transactions. So is knowing whether the consumer is physically near his or her billing address, by geolocating the order's IP address (Geo-IP). Other merchants would also like to know whether the consumer has a history of chargebacks, or more generally the consumer's purchasing behavior.
Quantum Gateway
The
Quantum Payment Gateway is the only payment gateway in the United States to offer,
at no extra charge to the merchant:
- A Virtual Terminal (both for the desktop and your smart phone)
- MaxMind GeoIP
- QuantumVault (to safely secure your customers' credit card numbers)
- Recurring Billing
- Address Verification Service (AVS)
- DialVerify
- Verified By Visa / MasterCard SecureCode (VBV / MSC)
Verified by Visa / MasterCard SecureCode
I wrote some things regarding VBV / MSC a few months ago and it still holds true today. VBV merchants are protected from chargebacks on the Reason Code 83 (I didn't do it). MasterCard users though have to be enrolled in MSC for you, the merchant, to be protected.
Consumer Purchasing Behavior
While a number of electronic payment gateways use First Data's Nashville platform to process the credit card transaction, First Data retains these transactions per Visa and MasterCard regulations. LinkShield™, built on software developed by
Fair Isaac Corporation, is
available to LinkPoint merchants. A few gateways that use First Data's Nashville Platform include:
- LinkPoint Secure Payment Gateway
- Authorize.net Electronic Payment Gateway
- Verisign's Payflow Services
- PC Charge
- Cybersource
- Jettis
- USA ePay
- Yahoo®
This is just a small percentage of electronic payment gateways that use the First Data Nashville Platform as their transaction processor. First Data takes these transactions and profiles them. When using the LinkShield™ product along with the LinkPoint Secure Payment Gateway, the merchant has the ability to accept or decline the transaction based on the score that First Data provides. First Data also provides another option using the ClearCommerce® FraudAnalyzer
FraudAnalyzer uses neural network technology to score fraud risk in real-time. The model was developed by examining extensive transaction and chargeback data supplied by ClearCommerce's Fraud Data Consortium, which includes millions of e-commerce transactions supplied by thousands of merchants. With the addition of FraudAnalyzer, the ClearCommerce® Engine is the only transaction processing software that integrates merchant rules, neural network risk scoring, service data and human review to minimize credit card fraud costs.
Preventing Online Fraud
One of the first things you need to do as a merchant is to verify the consumer.
On card-present transactions, this can easily be done by asking for a valid photo
identification card, i.e. a driver's license or state issued ID card. On card-not-present-transactions,
this is much more difficult for the merchant to accomplish.
Basic Fraud Prevention Techniques - Steps One, Two, and Three
Address Verification
The first step in preventing fraud in a card-not-present environment is address
verification (AVS). The consumer enters their billing address. The gateway sends
this information to the transaction processor (usually First Data or Nova
(Elavon))
for verification, and the processor returns a result code telling you whether the
AVS matched. Usually the match is done only on the numeric portion of the street
address and the ZIP code: if the street address was 1234 Main Street and the ZIP
code was 90210, the processor compares 1234 and 90210 against the issuer's
records. The alphabetic characters are not verified.
Once this is completed, you will want to seriously consider shipping the product
only to the billing address. This will help prevent some
chargebacks, but it
also causes problems if the consumer works all day. The shipping companies have
become so inundated with packages that they will drop the package at the door
without waiting for a signature, and without a signature you do not have proof
of delivery.
AVS is subject to a significant rate of "false positives" which may lead to rejecting
valid orders as well as missing fraudulent orders. If the cardholder has a new address
or a valid alternate address (such as seasonal vacation home), this information
may not be up-to-date in the records of the cardholder's issuing bank, so the address
would be flagged as invalid. Merchants typically do not rely solely on the AVS result
to accept or reject an order. Approximately 75% - 80% of online merchants rely on
address verification service as a tool to help prevent fraud.
CVV2 / CVC2 / CID
Card Verification Value 2 / Card Verification Code 2 / Card Identification Number
Visa calls the three-digit number CVV2 (Card Verification Value 2). MasterCard
calls it CVC2. American Express and Discover call it CID. On Visa, MasterCard and
Discover cards it is a three-digit number on the back; on American Express it is
a four-digit number on the front. The card associations introduced this number
to curb fraud and told merchants not to store it, on the theory that a value
never stored could not be stolen in bulk. However, these numbers can be obtained
by fraudsters just as card numbers are obtained, so the code proves only that
whoever placed the order had access to the card (or a copy of it), not that they
are the cardholder.
The CVV2 / CVC2 / CID usage by online merchants has continued to increase rising
from 44% of online merchants using this tool in 2003 to 66% today. It appears that
asking for the CVV2 / CVC2 / CID has become standard practice for many online merchants
in 2005.
The purpose of card verification number in a card-not-present transaction is to
attempt to verify that the person placing the order has the card in their possession
in order to provide the additional security digits. Requesting the card verification
number during an online purchase can add a measure of security to the transaction.
Approximately 66% - 75% of online merchants rely on this number to help reduce fraud.
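As an added example (not the page's or any gateway's code), the following Python models the checks described in steps one through three together with the IP-based check: the numeric-only AVS comparison of street number and ZIP, the CVV2 match, and whether the order's IP address geolocates to the billing country, combined into an accept / review / decline decision. Real processors return single-letter AVS result codes whose meaning varies by processor; this models the comparison itself rather than any processor's code table. The issuer records, the GeoIP table (using RFC 5737 documentation addresses), the sample orders and the decision policy are all constructed for the example and are not an industry standard.

```python
import hmac
import re

# Added example (not from the original page). ISSUER_RECORDS stands in for what
# the issuer knows; a merchant only ever sees the comparison results.

ISSUER_RECORDS = {  # constructed; 4111111111111111 is a well-known Visa test PAN
    "4111111111111111": {"street": "1234 Main Street", "zip": "90210",
                         "cvv2": "123", "country": "US"},
}

GEOIP = {  # constructed lookup using RFC 5737 documentation addresses
    "203.0.113.7": "US",
    "198.51.100.9": "RO",
}


def _digits(s):
    return re.sub(r"\D", "", s)


def avs_compare(entered_street, entered_zip, on_file_street, on_file_zip):
    """Mimic the processor's AVS: only the digits of the street line and the
    first five ZIP digits are compared; letters are ignored entirely."""
    street_match = _digits(entered_street) != "" and \
        _digits(entered_street) == _digits(on_file_street)
    zip_match = _digits(entered_zip)[:5] != "" and \
        _digits(entered_zip)[:5] == _digits(on_file_zip)[:5]
    if street_match and zip_match:
        return "full"
    if zip_match:
        return "zip_only"
    if street_match:
        return "street_only"
    return "none"


def screen_order(order):
    """order: dict with pan, street, zip, cvv2, ip. The cvv2 value lives only in
    memory for this authorization; it must never be written to a database or log."""
    rec = ISSUER_RECORDS.get(order["pan"])
    if rec is None:
        return {"avs": "unavailable", "cvv2": "unavailable", "geo": "unknown",
                "decision": "review", "reasons": ["issuer could not verify the card"]}
    avs = avs_compare(order["street"], order["zip"], rec["street"], rec["zip"])
    cvv2 = "match" if hmac.compare_digest(order["cvv2"], rec["cvv2"]) else "no_match"
    ip_country = GEOIP.get(order["ip"], "unknown")
    geo = "match" if ip_country == rec["country"] else "mismatch"

    reasons = []
    if cvv2 != "match":
        reasons.append("CVV2 does not match")
    if avs == "none":
        reasons.append("AVS: neither street number nor ZIP matched")
    elif avs != "full":
        reasons.append("AVS partial match: " + avs)
    if geo == "mismatch":
        reasons.append("IP geolocates to %s, billing country is %s" % (ip_country, rec["country"]))

    # Policy (one reasonable choice, not an industry rule): a wrong CVV2 or a
    # total AVS miss is declined; a partial AVS match or a geo mismatch goes to
    # manual review, because AVS has a real false-positive rate (moved house,
    # seasonal address) and rejecting outright loses good orders.
    if cvv2 != "match" or avs == "none":
        decision = "decline"
    elif reasons:
        decision = "review"
    else:
        decision = "accept"
    return {"avs": avs, "cvv2": cvv2, "geo": geo, "decision": decision, "reasons": reasons}


# Constructed sample orders.
SAMPLE_ORDERS = {
    "good":  {"pan": "4111111111111111", "street": "1234 Main St", "zip": "90210-1234",
              "cvv2": "123", "ip": "203.0.113.7"},
    "moved": {"pan": "4111111111111111", "street": "77 Elm Street", "zip": "90210",
              "cvv2": "123", "ip": "203.0.113.7"},
    "bad":   {"pan": "4111111111111111", "street": "1234 Main St", "zip": "10001",
              "cvv2": "999", "ip": "198.51.100.9"},
}
```

The "moved" order shows why the page warns against relying on AVS alone: the cardholder's new street fails the numeric comparison while the ZIP still matches, so the policy routes it to review rather than declining a legitimate sale.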
Other Measures
There are other measures to consider as well: calling the customer to verify
the order, looking at the IP address, and Verified by Visa (VBV) / MasterCard
SecureCode (MSC). Some of these have to be integrated into the
electronic payment gateway. However, check out the
Quantum Gateway; it offers all of these features at no cost. They care
more about your business than any other provider out there and built this
electronic payment gateway to help merchants combat fraud.