Archive for February 21st, 2009


Simple PCI Compliance – Part 1

eWeek published an article by Evelyn de Souza entitled ‘How To Achieve Payment Card Industry Compliance: 5 Simple Steps’. The article is focused on small merchants, and while it points out five great ideas, in my experience it is the implementation of those ideas that creates the problem.

Ms. de Souza’s first idea is to not store cardholder data. This is easier said than done. First, a lot of small merchants still use a manual embosser, otherwise known as a ‘knuckle buster’. A knuckle buster captures everything embossed on the front of the card (the full card number, expiration date and cardholder name) on the charge slip. One copy of the charge slip goes to the customer and the other copy stays with the merchant.

At this point, it seems like a good time to discuss Ms. de Souza’s fifth rule, protecting cardholder receipts. Those knuckle busters can generate a lot of receipts that contain cardholder data. Under the PCI DSS, the merchant is responsible for securing its copy of the charge slip. Merchants typically need to hang onto this slip for a minimum of 90 days and a maximum of around 120 days in case of disputes or chargebacks. Keep in mind that even a lot of large merchants still keep knuckle busters as a backup in the event that their automated systems fail. While such failures are rare, large merchants can generate thousands of transactions in a very short time even with knuckle busters. We typically get a lot of push back from clients who believe the PCI DSS only concerns electronic information. The PCI DSS covers ALL cardholder data, regardless of whether it is electronic, handwritten, embossed or whatever.

Small merchants that have moved into a more modern era have invested in a VeriFone, Hypercom, Nurit or similar credit card terminal. These terminals get their information from the cashier swiping the card. The terminal connects to the credit card processor through a dialup or Internet connection. Once the transaction has been approved, the terminal generates a receipt using a thermal printer. At the end of the day, one of the merchant’s supervisory personnel generates an end-of-day (EOD) report to balance out the cash register. It is the EOD report where things go wrong, because most of these terminals are not properly configured, so the EOD report prints out the full card number for every transaction since the last EOD report run. Those reports then get filed with the day’s paperwork, and the merchant is storing full card numbers on paper without realising it. One would think that the supplier of the terminal would have configured it to truncate the card numbers (the PCI DSS allows at most the first six and last four digits to be displayed), but for whatever reason, they do not. In addition, I have run into instances with customers where I contacted the terminal vendor and they indicated that the terminal needed a software upgrade and then reconfiguration to truncate the card numbers, and this for a brand new terminal!

As you can see, while trying not to store cardholder data is an admirable goal, it can sometimes be difficult to implement.

