Payments Insider

Dear Valued Merchant:

It’s been a year since TJX Companies, Inc. disclosed a massive computer breach that exposed the card data of tens of millions of credit and debit cardholders. Just recently, the company agreed to pay up to $40.9 million to eligible U.S. Visa issuers, the amount that remained after Visa rescinded a portion of the fines it had imposed. And that’s not the end of it: TJX still faces other fines and lawsuits.

Information breaches are hardly a concern just for large companies. Yet, many small business owners don’t understand the damage information security incidents can cause — and they don't properly protect themselves and their customers. Make no mistake: safeguarding information should be one of your top priorities.

That’s why we are devoting this issue of Payments Insider to compliance with data security standards.

If you have any questions about the security of your payment transactions, please call your relationship manager, servicing manager or our Heartland servicing team at 888.963.3600. You can also reach us at Heartland@e-hps.com.

Best regards,

P. Gayle Hoskinson
Interchange and Compliance Manager

NEWS ALERT

The Payment Card Industry Data Security Standard (PCI DSS) protects you and your customers from fraud. However, not all point-of-sale systems comply with the standard. When you process transactions and capture data using non-compliant equipment, you expose your customers, and your business, to great risk. You could be fined thousands of dollars, and if personal information is stolen, your customers’ lives can be changed forever.

When you take steps to ensure compliance, you protect your customers and your business. By being ever vigilant, you better safeguard the information you need to process each transaction.

Failing to comply with the PCI Data Security Standard can cost you fines of up to $500,000, plus breach investigation and remediation (troubleshooting) costs as high as $100,000. Add to that the intangible cost of harming your customers and your business’ reputation.

Ways To Protect Your Customers

If your point-of-sale system is connected to the Internet, attackers may be able to reach it and, through it, the rest of your network. Protect your card transactions by following these tips:

  1. Consult with Heartland before making any changes to your point-of-sale (POS) system.
  2. Maintain a secure network by using a POS system that complies with Visa’s Payment Application Best Practices (PABP) and the PCI Data Security Standard. To review Visa’s list of validated applications, go to www.visa.com/CISP and click on Validated Payment Applications PDF.
  3. Protect cardholder data by keeping only the cardholder data that is essential to your business, and by storing the paper that carries it (receipts and reports) in a secure area limited to authorized personnel.
  4. Destroy all documents with obsolete transaction data that include cardholder information. Each card association recommends a timeframe for retaining these kinds of documents.
  5. Install and keep up to date a firewall on every computer and POS system that uses IP connectivity, including those that reach the Internet over dial-up connections.
  6. Implement strong access control measures: give each employee a unique user ID and password, and disable accounts and change shared passwords when employees leave the business.
  7. Regularly monitor and test your networks, and keep your anti-virus software updated.
  8. Enforce a written information security policy.
  9. Report card theft immediately. A rapid response minimizes your risk and protects your customers.

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the PCI Security Standards Council, an organization founded by American Express®, Discover Financial Services®, JCB, MasterCard Worldwide® and Visa International. The Council is an open forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It strengthens payment account data security by fostering broad adoption of the standard among merchants. For a review of the standard, please visit: www.pcisecuritystandards.org.


Making sure your equipment complies with Data Security Standards is essential. Just as important, make sure everyone in your company knows how diligent he or she must be to protect your customers. Make sure every employee follows these four processes.

  1. Never store the full magnetic-stripe (track) data, the card verification code or the PIN after a transaction has been authorized, even in encrypted form. If your business must keep the account number itself, store it encrypted or truncated to the last four digits, and never in plain text.
  2. Don’t print more than the last four digits of the card number on your customers’ receipts, and don’t print the expiration date. Never print the entire number.*
  3. Store your copy of each receipt in a safe, secure location.
  4. Shred old receipts based on the timeframe recommended by each card association.

* Federal law (the Fair and Accurate Credit Transactions Act) already prohibits electronically printed receipts from showing more than the last five digits of the card number or the expiration date, and some states, such as California, have adopted or are adopting stricter limits on the number of digits that may be printed. Check with your attorney to ensure you comply with both the federal rule and your state’s law.
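The receipt rules above, and the earlier tip to keep only the cardholder data your business needs, come down to two habits: mask the account number before it is printed or stored, and check that nothing you do keep still carries a full number. The following Python is an added example written for this newsletter, not Heartland's own code or a card brand's tool. It masks a primary account number (PAN) to its last four digits, builds a receipt line without the expiration date, and scans receipt or log lines for unmasked PANs, using the Luhn check to tell a card number from an ordinary long number such as an order ID. The sample lines and card numbers are constructed for the example (they are the well-known test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts).

```python
import re

# Constructed sample data for the example. The card numbers are published test
# numbers, not real accounts; line 2 deliberately contains a full PAN and expiry.
SAMPLE_RECEIPT_LINES = [
    "VISA ************1111 AUTH 012345",        # correctly masked
    "MC   5555 5555 5555 4444  EXP 12/29",      # full PAN plus expiry: a leak
    "Order #1234567890123 total $42.10",        # 13 digits, but not a PAN (fails Luhn)
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(digits: str) -> bool:
    """A plausible PAN is 13-19 digits long and Luhn-valid."""
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit except the last four replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not is_pan(digits):
        raise ValueError("not a valid primary account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_line(brand: str, pan: str, auth_code: str) -> str:
    """Build the card line of a receipt: masked PAN, authorization code, no expiry date."""
    return f"{brand} {mask_pan(pan)} AUTH {auth_code}"


def find_unmasked_pans(text: str) -> list:
    """Return the full PANs (as digit strings) found in a line of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if is_pan(digits):
            found.append(digits)
    return found


def audit_receipts(lines) -> list:
    """Return (line_number, masked_pan) for every line that still carries a full PAN.

    Only the masked form is reported, so the audit output itself never becomes
    a new copy of cardholder data.
    """
    leaks = []
    for n, line in enumerate(lines, 1):
        for pan in find_unmasked_pans(line):
            leaks.append((n, mask_pan(pan)))
    return leaks


if __name__ == "__main__":
    print(receipt_line("VISA", "4111 1111 1111 1111", "012345"))
    for n, masked in audit_receipts(SAMPLE_RECEIPT_LINES):
        print(f"line {n}: unmasked card number ending in {masked[-4:]}")
```

Run the same scanner over exported receipt files, POS log files and report printouts before you lock them away or shred them: anything it flags is data you were not supposed to have kept. The Luhn check is what keeps order numbers, phone numbers and timestamps from being reported as card numbers.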



The Data Security Standard is no longer a worry for only large companies. Merchants of every size must comply with the PCI DSS. In some cases, merchants can be fined for noncompliance even without evidence that their systems were compromised.

The good news is that avoiding fines is within your reach. You need to understand the six core principles of the PCI DSS and work with Heartland and your technology providers to meet the standard.

PCI DSS’s Six Core Principles

  1. Build and Maintain a Secure Network. Choose, install and maintain an up-to-date network firewall between your POS systems and the Internet. Always change the vendor-supplied default passwords and settings on your programs, firewall, routers, computers and other systems; published defaults are the first thing an attacker tries. This helps ensure that only authorized users can log onto your network resources.
  2. Protect Cardholder Data. Encrypt all transmissions of cardholder data across open, public networks. Encryption transforms the data into ciphertext that can be read only by someone holding the corresponding key. Strong encryption (for example, SSL/TLS) is required whenever a point-of-sale (POS) system sends cardholder data over the Internet. Also, keep only the cardholder data that is essential to the business, and never store the full magnetic-stripe data, card verification code or PIN after authorization.
  3. Maintain a Vulnerability Management Program. If you’re using a credit card payment software application or a POS with a debit card PIN pad, ask your card processor to verify its compliance and request an upgrade for outdated equipment or applications. Dated systems without proper software face a far higher risk of network breaches and data theft. Regularly update anti-virus and anti-spyware software and apply security patches to all systems.
  4. Implement Strong Access Control Measures. Give access to cardholder data only to employees whose jobs require it (need to know), no matter how senior or trusted the others are. Protect that access by issuing individual user IDs and passwords and assigning access rights through your network. Screen anyone who will have access to cardholder data before hiring. Lastly, disable the accounts and change any shared passwords when an employee leaves the company.
  5. Regularly Monitor and Test Networks. Test your computers, POS systems and any equipment that stores or processes cardholder data, and keep the logs those systems produce. Maintain records to demonstrate that your security systems and processes are regularly tested and validated.
  6. Maintain an Information Security Policy. Document and maintain an enforceable policy that addresses the details of information security. All employees handling sensitive information should know and understand the rules.

As Visa continues to align its Payment Application Best Practices (PABP) approach with the Payment Card Industry Data Security Standards, it has announced five new mandates for its merchants and processors to meet by 2010. The new mandates were announced last November and will be phased in during the next few years to give merchants time to comply. The new Visa mandates are:

  1. Processors must not board merchants using known vulnerable payment applications, and processors and Independent Sales Organizations (ISOs) may not certify any software known to be vulnerable. Mandate effective date: January 1, 2008.
  2. Processors and ISOs must only certify new payment software to their platforms that is PABP-compliant. Mandate effective date: July 1, 2008.
  3. Newly boarded Level 3 and Level 4 merchants must be PCI-compliant or use PABP-compliant applications. Your level is based on transaction volumes. To determine whether you are a Level 3 or Level 4 merchant, visit www.visa.com/CISP or www.mastercard.com/sdp.
  4. Processors and ISOs must decertify all vulnerable payment applications. Mandate effective date: October 1, 2009.
  5. Processors must make sure their merchants, processors and ISOs only use PABP-compliant applications. Mandate effective date: July 1, 2010.