Simple PCI Compliance – Part 1

eWeek published an article by Evelyn de Souza entitled ‘How To Achieve Payment Card Industry Compliance: 5 Simple Steps’.  The article is focused on small merchants, and while it points out five great ideas, in my experience it is the implementation of those ideas that creates the problem.

Ms. De Souza’s first idea is to not store cardholder data.  This is easier said than done.  First, a lot of small merchants still use a manual embosser, otherwise known as a ‘knuckle buster’.  A knuckle buster captures everything on the front of the card on the charge slip.  One copy of the charge slip goes with the customer and the other copy goes with the merchant.

At this point, it seems like a good time to discuss Ms. de Souza’s fifth rule, protecting cardholder receipts.  Those knuckle busters can generate a lot of receipts that contain cardholder data.  Under the PCI DSS, the merchant is responsible for securing their copy of the charge slip.  Merchants typically need to hang onto this slip for a minimum of 90 days and a maximum of around 120 days in the event of disputes or chargebacks.  Keep in mind that even a lot of large merchants still have knuckle busters as their backup in the event that their automated systems fail.  While such failures are rare, large merchants can generate thousands of transactions in a very short time even with knuckle busters.  We typically get a lot of push back from clients that believe the PCI DSS only concerns electronic information.  The PCI DSS is responsible for securing ALL cardholder data, regardless of whether it is electronic, handwritten, embossed or whatever.

Small merchants that have moved into a more modern era have invested in a VeriFone, Hypercom, Nurit or similar credit card terminal.  These terminals get their information from the cashier swiping the card.  The terminal connects to the credit card processor through a dialup or Internet connection.  Once the transaction has been approved, the terminal generates a receipt using a thermal printer.  At the end of the day, one of the merchant’s supervisory personnel generates an end-of-day (EOD) report to balance out the cash register.  It’s the EOD report where things go wrong, because most of these terminals are not properly configured, so the EOD report prints out the full card number for every transaction since the last EOD report run.  One would think that the supplier of the terminal would have configured it so that it truncated the card numbers, but for whatever reason, they do not.  In addition, I have run into instances with customers where I have contacted the terminal vendor and they have indicated that the terminal needed a software upgrade and then reconfiguration to truncate the card numbers – for a brand new terminal!

As you can see, while trying not to store cardholder data is an admirable goal, it can sometimes be difficult to implement.
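The EOD report problem above is easy to check for once the report text is in hand. The following is an added example (not code from the original post or from any terminal vendor): it scans captured report or receipt text for untruncated card numbers, confirming candidate digit runs with the Luhn check so that totals, dates and transaction counters are not flagged, and it produces a masked copy that keeps only the last four digits. The sample EOD report lines are constructed for this example using the industry's published test card numbers, not real cardholder data.

```python
import re

# Constructed sample EOD report, in the style of a thermal-printer printout.
# The card numbers are the well-known Visa/MasterCard test numbers, not real PANs.
SAMPLE_EOD_REPORT = """\
EOD REPORT 02/21/2009 TERMINAL 01
TXN 0001 VISA 4111111111111111 EXP 12/10 AMT 23.45 APPROVED
TXN 0002 MC   5555555555554444 EXP 03/11 AMT 110.00 APPROVED
TXN 0003 VISA ************1111 EXP 12/10 AMT 9.99 APPROVED
TOTAL 3 TXNS 143.44
"""

# Card numbers (PANs) are 13 to 19 digits long; anything shorter or longer is
# not a candidate, which already excludes dates, amounts and sequence numbers.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run found in the text, in order of appearance."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with asterisks (receipt-style truncation)."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def truncate_report(text: str) -> str:
    """Return a copy of the report with every Luhn-valid PAN masked; other digit runs are left alone."""
    def _mask_if_pan(match: re.Match) -> str:
        value = match.group(0)
        return mask_pan(value) if luhn_valid(value) else value
    return PAN_CANDIDATE.sub(_mask_if_pan, text)


if __name__ == "__main__":
    found = find_unmasked_pans(SAMPLE_EOD_REPORT)
    print(f"Unmasked card numbers in report: {len(found)}")
    print(truncate_report(SAMPLE_EOD_REPORT))
```

Run against a stack of captured EOD printouts, `find_unmasked_pans` gives a quick yes/no answer on whether a terminal is actually truncating; a non-empty result means the terminal (or its configuration) is the problem, which is what the vendor call described above has to fix. The masking function is the same rule a properly configured terminal applies before the report ever reaches paper.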


1 Response to “Simple PCI Compliance – Part 1”

  1. Lauren Mesch
    February 22, 2009 at 4:11 AM

    Very good points
