Merchant Processing


"6. A chip card performs which of the following functions? A. Encrypts the magnetic stripe for transmission over the telecom lines B. Encrypts the magnetic stripe prior to passing it into the terminal C. Utilizes an algorithm to send to the issuer instead of track data D. Utilizes an algorithm to encrypt data off of the magnetic stripe

" "C. Utilizes an algorithm to send to the issuer instead of track data

"3. Which of the following is NOT a part of the consultative sales approach? a. Aggressive telephone calls b. Active listening c. Understanding closing techniques d. Effective closing strategies

" a. Aggressive telephone calls.

"14. What is host capture? a. Authorized transactions are captured on approval and settled on processors system b. The definition for an Internet gateway used by e-commerce merchants c. How ATM debit and EBT transactions are processed d. Terminal stores approved transaction in batch for settlement at days end

" a. Authorized transactions are captured on approval and settled on processors system

"8. What term best describes the accumulation of captured credit card transactions in the merchant's terminal or POS system awaiting settlement? a. Batch b. Credit c. Deposit d. Processing

" a. Batch

"3. According to the MasterCard and Visa rules, which of the following types of merchants would be required to be registered in the high risk category? a. Drug stores and pharmacies b. Counterfeit and copyright infringement merchandise c. Deceptive marketing practices d. Illegal prescription drugs

" a. Drug stores and pharmacies

"2. An auditor can accept all of the following forms of evidence to prove compliance EXCEPT: a. Employee's word b. Configuration files c. Official company policies d. Screenshots

" a. Employee's word

"11. In the case of a potential data breach, the merchant is required to: a. Follow their incident response plan b. Immediately email the card brands c. Print out a list of all cards that may have been compromised. d. Call the local FBI office

" a. Follow their incident response plan

"6. Active listening is best supported by which of the following activities when on a sales call? a. Follow up questions b. Advancing the sale c. Problem resolution d. Objection handling

" a. Follow up questions

"11. Which of the following is a benefit to pricing a merchant on an Interchange Plus program verses a tiered rate program? a. Full cost disclosure b. More detailed volume reporting c. Mid and Non-Qualified fees are detailed d. Flat rate for all fees

" a. Full cost disclosure

"10. An annual Self-Assessment Questionnaire, and scanning if applicable, in lieu of an onsite audit, is acceptable for all of the following merchant levels EXCEPT: a. Level 1 b. Level 2 c. Level 3 d. Level 4

" a. Level 1

"8. On a merchant statement, how would you determine if the merchant is being billed on Interchange Plus, tiered pricing or a bundled rate program? a. Look at the discount rates section b. Add up all transaction fees c. Calculate non-qualified fees d. Look at all monthly fees

" a. Look at the discount rates section

"7. What does surcharge/ bill back mean on a merchant's statement? a. Mid and Non-Qualified fees b. Total sales c. Monthly processing fee d. Discount rate

" a. Mid and Non-Qualified fees

"9. Which of the following is the largest negotiation element in any sales call? a. Price b. Value c. Service d. Length of term

" a. Price

"6. Which of the following IS NOT a card present warning sign? a. Purchases for groceries and standard household items b. Cardholders making larger ticket purchases than approved during UW c. Purchases at unusual hours d. Purchases of large quantities of items that are out of pattern

" a. Purchases for groceries and standard household items

"7. Which of the following is the most appropriate response when a merchant objects to a particular solution being offered? a. Stop and listen b. Immediately offer another solution c. Lower the price d. Quickly explain the benefits

" a. Stop and listen

"4. Where can specific UDAAP regulations be found? a. The Dodd Frank Act. b. The OCC Guidelines c. The Telemarketing Sales Rule d. Visa and MasterCard regulations.

" a. The Dodd Frank Act.

"10. Which of the following is the BEST method of selling value over price? a. The return on investment of the product or service being sold to the customer b. The detailed plan for implementation of the product or services being sold to the customer c. The price being paid by the merchant today d. Understanding the competition's product in place at the customer

" a. The return on investment of the product or service being sold to the customer.

"4. What is the purpose of AVS? a. To assist in the verification of the cardholder both on and offline b. To guarantee the transaction c. A decline code d. To verify the mag stripe

" a. To assist in the verification of the cardholder both on and offline

"17. What purpose does a gateway serve for a merchant? a. To process transactions originating from a website or shopping cart b. To use a POS terminal over the Internet or WIFI network c. To connect to a new processor network and control fraud d. To convert from a dialup to an internet based terminal

" a. To process transactions originating from a website or shopping cart

"1. What type of questions should you ask a merchant to have them provide a detailed explanation of their business objectives and needs for credit/debit card processing? a. What payment types and ancillary services are needed? b. What advertisers do you use? c. How do you price your products? d. How many student employees do you have?

" a. What payment types and ancillary services are needed?

"18. When is it permissible to change the MCC a. When the merchants primary line of business changes b. When changing it will enable more authorizations to clear c. After the merchant complains about down grades d. To evade registration requirements

" a. When the merchants primary line of business changes

" "7. End-to-End encryption is best described as: a. card data encrypted within the magnetic stripe reader environment and remaining encrypted all the way to the processor's host or card brand b. Card data encrypted in the terminal by software, just prior to passing the card data onto the network to the gateway c. Card data encrypted within the magnetic stripe reader and within the keypad (for key entered transactions) and remaining encrypted all the way to the processor's host or card brand d. A mandate by the card brands that all equipment and processors must support

" a. card data encrypted within the magnetic stripe reader environment and remaining encrypted all the way to the processor's host or card brand

"9. How many tracks of data are encoded on a standard credit card? a. 1 b. 2 c. 3 d. 4

" b. 2

"10. Which of the following represents a balanced portfolio? a. A portfolio that does not cause losses b. A portfolio that is not reliant on any one segment or a small set of merchants. c. A portfolio that is approved by the acquirer d. A shared BIN portfolio

" b. A portfolio that is not reliant on any one segment or a small set of merchants.

"8. PCI Merchant levels are determined by a merchant's: a. Number of employees b. Annual transaction processing dollars c. number of transactions processed d. Previous year's merchant level

" b. Annual transaction processing dollars

"8. Excellent sales people best prepare for objections by doing which of the following? a. Offering your best price first b. Anticipating objections prior to the call c. Continually closing d. Moving the conversation or presentation faster

" b. Antiicpated objections prior to the call

"4. What is the first step that leads into the discussion of payment mechanisms, ancillary solutions required by the merchant, and any additional data exchange as part of the payment process or apart from the payment process? a. Gift card processing, including support for an existing gift card program b. Determine merchant need or desire to accept primary payment brands c. Need for purchasing card support, including level 2 or level 3 data d. Check verification, guarantee, or Check 21

" b. Determine merchant need or desire to accept primary payment brands

"10. How would a $79 annual fee get converted into basis points (bps), for a merchant that processes $10,000 a month in sales volume? a. Divide 79 by 10,000 x 12 b. Divide 79 by 12 and divide by monthly sales c. Multiply 79 by 12 months, then divide by 10,000 d. Multiply 79 by the discount rate

" b. Divide 79 by 12 and divide by monthly sales

"4. What does EIRF stand for? a. Transactions captured electronically b. Electronic transactions captured and settled within 2 days of authorization c. Transactions captured and settled within 29 days of authorization d. Transactions captured on a corporate or international card

" b. Electronic transactions captured and settled within 2 days of authorization

"2. What is the most efficient way for a merchant to process other than via a phone line? a. A laptop b. IP or ethernet processing c. Fax d. Voice authorization

" b. IP or ethernet processing

"5. Which of the following IS NOT a card present best practice? a. Swipe the card b. Ignore the card expiration date c. Check authorization response d. Obtain a signature

" b. Ignore the card expiration date

"12. What is tiered pricing? a. Processing fees charged at different volume tiers b. Interchange rates grouped into major categories for simpler pricing c. Swiped, non-swiped and debit fee totals d. Processing fees charged by card type

" b. Interchange rates grouped into major categories for simpler pricing

"1. What data elements are required for a merchant's commercial card transactions to qualify for Level 1, Level 2 and Level 3 Interchange programs? a. Account #, address and zip code b. Item #, date and AVS Info c. Customer #, order #, CVV # d. Customer #, sales tax and invoice #

" b. Item #, date and AVS Info

"4. Which one of the following relationships is NOT important to the success of retaining a merchant account? a. Customer service b. Mail carrier c. Risk management d. Technical support

" b. Mail carrier

"14. In a CNP environment the following is-NOT a protective measure for the merchant: a. Engage the services of a third party threat validation company to validate identities. b. Obtain a signed authorization form in place of nonmatching AVS. c. Display a click to agree with e-mail confirmation for online exchange and return policies. d. Enable delivery confirmation of shipped goods.

" b. Obtain a signed authorization form in place of nonmatching AVS.

"7. VISA, MasterCard, American Express, and Discover are referred to as: a. Payments processors b. Payment card brands c. Merchants d. PCI SSC

" b. Payment card brands

"8. Tokenization is best described as: a. Encrypting card data for recurring billing purposes b. Providing a merchant or system with a value that corresponds to card data for use in transaction processing c. Providing a user with encrypted card data for use in transaction processing d. Something that the merchant does with their database prior to sending to the card issuers

" b. Providing a merchant or system with a value that corresponds to card data for use in transaction processing

"3. Which of the following is part of the process for training/ educating a merchant on the use of a terminal? a. Test the terminal and provide merchant with technical support number (usually an 800 number) b. Read the terminal user guide to the merchant c. Include a DIY (do it yourself ) guide in the box with the terminal d. Provide the merchant with the terminal manufacturer phone number

" b. Read the terminal user guide to the merchant

"5. Sarbanes Oxley applies ONLY to: a. Companies with over 1000 employees b. SEC registrant companies c. Companies accepting credit or debit cards for purchases d. Health care organizations

" b. SEC registrant companies

"6. In PCI DSS an SAQ is a: a. Single Account Quota b. Self Assessment Questionnaire c. Security Assessment Questionnaire d. Security Applicability Quiz

" b. Self Assessment Questionnaire

"14. In the United States, which organization is responsible for creation and administration of the merchant contract? a. The card brands b. The acquiring bank c. The ISO d. The sales agent

" b. The acquiring bank.

"15. What is terminal capture? a. POS device authorizes each card type and sends approval to merchant b. Transaction approved by processor then captured in memory in terminal for batch settlement c. Terminal is downloaded for all merchant processing parameters d. POS transaction is swiped and authorized electronically

" b. Transaction approved by processor then captured in memory in terminal for batch settlement

"5. What is the Interchange rate charged for transactions that clear for EIRF? a. 1.54% + $.10 b. 2.70% + $.10 c. 2.30% + $.10 d. 1.85% + $.10

" c. 2.30% + $.10

"11. Which of the following methods is NOT appropriate for contract execution? a. Actual signature from the owner in ink on the application b. An electronic signature by the owner c. A signed letter on letterhead, of acceptance from the owner d. A signed and faxed application from the owner

" c. A signed letter on letterhead, of acceptance from the owner.

"16. What is a gateway? a. Software needed to connect POS devices and peripherals together b. The connection between the host processor and terminal at the merchant site c. A web-based virtual terminal that connects to major processors for browser based and e-commerce transactions d. Name for merchant's front end processing platform

" c. A web-based virtual terminal that connects to major processors for browser based and e-commerce transactions

"1. Credit card track data stored on a hard disk drive is considered: a. In-flight b. Out of scope c. At-rest d. Encrypted

" c. At-rest

"9. How can a merchant's charge per authorization be determined when the amount appearing on the statement is the total for all authorizations? a. Add up all the fees and divide by sales volume b. Total sales divided by average ticket c. Authorization fees divided by number of transactions for each card type d. Discount fees divided by average ticket

" c. Authorization fees divided by number of transactions for each card type

"4. In addition to features and advantages, traditional product positioning includes which of the following? a. Cost b. Units deployed c. Benefits d. Competition

" c. Benefits

"9. Which entity typically initiates a chargeback? a. Acquirer b. Card issuer c. Cardholder d. Merchant bank

" c. Cardholder

"9. Which of the following is a trigger that will place a merchant on a Card Brand Chargeback Monitoring Program? a. Chargeback rates less than 1% b. Number of chargebacks is equal to the number of sales in one day c. Chargeback rates greater than 1.5% d. Chargeback is 50% greater than average ticket

" c. Chargeback rates greater than 1.5%

"12. In which situation below is the merchant liable? a. Mag stripe only card swiped at the point of sale cardholder claims fraud. b. Chip card dipped in the terminal and the cardholder claims fraud. c. Chip card not dipped and it is counterfeit fraud. d. Visa chip card swiped and not dipped cardholder claims lost or stolen.

" c. Chip card not dipped and it is counterfeit fraud.

"7. Which of the following peripheral devices reads pocketsized cards with embedded integrated circuits that can process and store data, and communicate with a terminal via radio waves? a. Landline terminal b. Pin pad c. Contactless reader d. Check reader

" c. Contactless reader

"1. Which of the following is a standard method to group prospective leads? a. Square footage of business b. Number of items for sale on their website c. Geographic location d. Political affiliation

" c. Geographic Location

"2. What is the one 'key' question to ask, when considering the impact of a potential payments solution for a merchant that has 90% face-to-face transactions, and 10% MOTO transactions with one stand-alone dial terminal currently in place? a. Do you have in-house IT staff available? b. Do you accept checks as a form of payment? c. How many face-to-face credit card transactions do you process per hour? d. What percentage of credit card transactions are taken over the telephone versus taken via email?

" c. How many face-to-face credit card transactions do you process per hour?

"1. Which of the following merchant types would be placed under permitted? (Some merchant types could fit under more than one category) a. Adult content b. "Knock off" goods c. Lingerie sales d. Gambling

" c. Lingerie sales

"1. What is the correct term for a number used to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, and end-of-month processing fees? a. Terminal Identification Number b. Automated Clearing House Number c. Merchant Identification Number d. Demand Deposit Account Number

" c. Merchant Identification Number

"2. Which of the following merchant types would be placed under Restricted? (Some merchant types could fit under more than one category) a. Makeup sales b. Tobacco c. Neutraceuticals d. Trophy Shops

" c. Neutraceuticals

"5. What does "No Line" mean when displayed on the POS device? a. No lines will print on the receipt b. No waiting in line c. No dial tone detected d. No power

" c. No dial tone detected

"11. Which regulatory agency is NOT currently a factor in acquiring? a. DOJ b. FTC c. OSHA d. CFPB

" c. OSHA

"5. When first meeting a prospect, which of these activities might a sales professional engage in to ease tension? a. Purchasing their product b. Presenting the proposal c. Open ended questions d. Closed ended questions

" c. Open ended questions

"2. What types of transactions and which banks were regulated by the Durbin amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act? a. Swiped transactions from foreign banks b. Corporate card transactions from issuing banks c. Regulated debit card transactions from large issuing banks d. MOTO check cards from domestic banks

" c. Regulated debit card transactions from large issuing banks

"8. Which of the following is NOT a merchant initiated type of payment card fraud? a. Bust out b. Collusion c. Shipping goods when CVV doesn't match d. Factoring

" c. Shipping goods when CVV doesn't match

"15. In the United States, a merchant services contract is between a merchant and which of the following? a. The card brands b. The ISO c. The acquiring bank d. The sales agent

" c. The acquiring bank.

"6. How is a merchant's effective rate calculated? a. Discount rate x average ticket b. Sum of Qualified, Mid- and Non-Qualified fees c. Total fees divided by total sales d. Number of transactions x transaction fee

" c. Total fees divided by total sales

"13. Which of the following is NOT an accurate source for industry knowledge? a. VISA, MasterCard, American Express and Discover websites b. Electronic Transactions Association website c. Wikipedia d. Federal Trade Commission website

" c. Wikipedia.

"13. Which one of the following would use a Micros terminal? a. An e-commerce merchant b. A wireless merchant c. An international merchant d. A restaurant merchant

" d. A restaurant merchant

"17. Which answer is not true: Repeat or excessive auths could be a sign of: a. Technical issues b. Customer confusion/excitement c. Auth testing d. A sale

" d. A sale

"3. PCI Compliance is mandatory for merchants accepting what volume of credit card transactions annually? a. Less than 1 million transactions annually b. From 1 million to 6 million transactions annually c. More than 6 million transactions annually d. All merchants regardless of size must be compliant if they accept credit cards

" d. All merchants regardless of size must be compliant if they accept credit cards

"2. Which of the following is the LEAST effective method of developing a list of prospects? a. Research the industry b. Talk to local influencers c. Consider the product set of their business d. Cold call on initial prospects of interest

" d. Cold call on initial prospects of interest.

"12. Which of the following is NOT part of the ongoing sales support function? a. Timely response b. Accurate record keeping c. Basic technical understanding d. Detailed technical knowledge

" d. Detailed technical knowledge.

"3. What is the best method to communicate with a merchant? a. Text b. Facebook c. Leave a note on their account d. Email

" d. Email

"13. Merchants with chargeback problems tend to be: a. Ok because there is a fee earned by the provider for each chargeback b. Ok if reserves are in place to cover them c. Ok as long as the merchant is educated about the chargeback process d. Exhaustive of resources and causes additional exposure for acquirers

" d. Exhaustive of resources and causes additional exposure for acquirers

"15. Future delivery of goods and services provided by a merchant: a. Allows merchants to obtain funds up front to purchase product. b. Only matters when the merchant goes out of business. c. Only matters if the merchant is CNP. d. Extends the chargeback period.

" d. Extends the chargeback period.

"6. Which of the following methods of processing uses a secure web server that provides an interface for merchant websites and shopping carts that require real-time transaction processing? a. Mobile solutions b. Landline terminal c. Wireless terminal d. Internet solutions

" d. Internet solutions

"12. Which one below is not PII? a. Social Security Number b. Driver's License Number c. Home Address d. Latitude and Longitude

" d. Latitude and Longitude

"20. When a merchant is facing challenges with chargebacks should you: a. Increase their reserves to cover your potential fine exposure b. Increase their monthly volume to offset the disputes c. Help the merchant open multiple accounts to load balance d. Launch a fact finding mission and tailor an education campaign based on learnings

" d. Launch a fact finding mission and tailor an education campaign based on learnings

"19. How soon after you get notified about a problematic chargeback merchant should you close the account and open up a new one? a. 15 days b. 20 days c. Immediately d. Never

" d. Never

"7. Which of the following is NOT a warning sign of e-commerce (Card Not Present) fraud? a. Orders on multiple credit cards b. Shipping to an international address c. Multiple transactions on one card over a short period of time d. Repeat customer with good history

" d. Repeat customer with good history

"9. Payment card security is concerned with protecting all of the following types of data EXCEPT: a. Primary Account Number (PAN) b. Sensitive Authentication Data (SAD) like CVV c. Card Track Data d. Social Security Number

" d. Social Security Number

"3. What constitutes a small ticket transaction? a. Sales less than $25.00 b. Internet transactions under $10.00 c. Recurring billing transactions under $50.00 d. Swiped sales under $15.00

" d. Swiped sales under $15.00

"16. What data elements won't be able to help you ascertain the risk balance of a portfolio? a. MCC concentrations b. % of registered high risk c. CNP ratio to CP d. Terminal type

" d. Terminal type

"10. Which of the following is applicable to a gateway provider? a. They always connect directly to the card brands b. They connect to the payments processors c. They are not regulated by the card brands d. They must support all card types and brands

" d. They must support all card types and brands

"5. Which of the following is NOT an important component of a merchant processing statement? a. Header information b. Deposit summary c. Surcharges d. Tips on how to save money

" d. Tips on how to save money

What items should be used in the process of building your portfolio strategy?

"1 Average merchant size 2 Merchant profitability 3 Portfolio profitability 4 Transaction counts 5 Chargeback ratios 6 Refund percentages 7 Card not present vs. face-to-face processing 8 Future delivery of goods or services 9 Digital content 10 Registered high-risk merchants 11 Acquirer reserves on file 12 Merchant industry (MCC) analytics 13 Merchant reserves 14 Fraud tools used by CNP merchants 15 Compensation strategy for your sales reps 16 Underwriting or evaluation of sales reps

For CNP transactions, what can the merchant obtain or perform, to be provided certain levels of protection against cardholder disputes?

"1. Utilizes Verified by Visa or MasterCard Secure Code to authenticate the user at the time of the transaction. Use of this service shifts the liability for certain disputes directly to the issuer. Unfortunately, at this time, very few US merchants or issuers participate in the program. For certain merchant segments, this may be an option to mitigate the risk of cardholder fraud. 2. Recurring payment transactions. In many instances, the merchant can obtain a contractual agreement with the user for recurring payments to their credit card. Agreements must be constructed to meet specific card brand criteria. Consult card brand requirements or work with your acquirer to determine exact language and benefits of such transactions. This is especially beneficial for utilities, insurance companies and institutions where the goods and services delivered are easily determined and can be validated between both parties.

Do all card brands monitor their chargeback levels?

"All Card Brands monitor the chargeback levels of merchants accepting their credit and debit cards. Merchants are required to keep their chargeback rates below the required thresholds , whenever excessive chargeback levels are detected, merchants and their processing banks are required to take corrective measures.

" What are the interchange categories

"Along with understanding the interchange categories, it is important to be able to explain how and when your merchant may encounter transactions qualifying for each of the rates. It used to be as simple as card swipe rates and non-swipe rates. Today, it depends on the card type, the data passed along from the POS, the programs in place by the issuer and other ancillary data that moves through the systems with each transaction. While it is not necessary to know all the details, it is necessary to understand the qualification requirements for these interchange categories and appropriately convey these requirements to merchants.

What are some elements of CNP service providers?

"Batch processing, real-time, recurring payments, account updater, fraud tools, fulfillment center integration, order validation, ACH, check, etc.

How can you assess and mitigate the risks related to "EMV Chip Card"?

"If a consumer presents a chip card and the merchant is not able to accept the card AND the consumer claims fraud, the liability is now held by the merchant. This is a new risk not previously faced by card present merchants. The details of this shift are below. o If a merchant is not EMV certified with a chip-enabled POS terminal, and a customer pays with a chip-enabled card, then the merchant (or its acquirer) will bear the liability for any resulting fraud. o If the merchant is EMV ready, but the financial institution card issuer has not supplied the customer with a chip-enabled card, the financial institution card issuer will be held liable for the costs of the fraudulent transaction. o If the merchant is EMV certified with a chip-enabled POS terminal, and the customer pays with a chip-enabled card, and fraud still takes place, the card issuer will be liable, much like today.

What problems do excessive chargebacks pose?

"Merchants with chargeback problems create additional exposure and work for acquirers resulting in additional scrutiny of the merchant in question. Merchants with excessive chargeback problems face risk of termination and/or a cash reserve to allow their business to continue accepting credit cards.

What are the benefits of merchant card acceptance?

"The benefits of card payment acceptance are numerous and vary based upon the industry in which your merchant operates. Benefits of card acceptance for a B2B merchant will differ from those for a high volume quick service restaurant. An e-commerce merchant will benefit differently than a plumber operating out in the field. You should be able to articulate the benefits of the various card types (PIN debit, signature debit, prepaid, purchasing card, etc.) in a manner specific to your merchant's needs. Further, many additional benefits of card acceptance exist in the technologies and methods you will recommend or sell to your merchant. These all work together as part of the payments process and should be understood as such.

How can you assess the risk related to "future delivery"?

"The risk with transactions dependent on the future delivery of goods and services is that the chargeback period may be quite lengthy. Examples include household furniture and/or appliances, membership dues, home renovation/ remodeling, or service contracts. If the merchant goes out of business prior to delivery or completion of services and is not capable of covering the returns/chargebacks, the acquirer will absorb loss. Anytime you have a retail establishment that you think may offer some sort of future delivery, it is important that enhanced financial due diligence be performed and ongoing audits be conducted. Examples of enhanced due diligence materials can include: an evaluation of inventory, suppliers, terms of delivery and a review of financial strength. Reserves or delayed funding may help provide financial security for future delivery merchants.

With face-to-face transactions, why is the "future delivery" an important risk factor?

"The risk with transactions dependent on the future delivery of goods and services is that the chargeback period may be quite lengthy. Examples include household furniture and/or appliances, membership dues, home renovation/remodeling, or service contracts. If the merchant goes out of business prior to delivery or completion of services and is not capable of covering the returns/chargebacks, the acquirer will absorb loss. Anytime you have a retail establishment that you think may offer some sort of future delivery, it is important that enhanced financial due diligence be performed and ongoing audits be conducted. Examples of enhanced due diligence materials can include: an evaluation of inventory, suppliers, terms of delivery and a review of financial strength. Reserves or delayed funding may help provide financial security for future delivery merchants.

Why is it important to understand the various VARs?

"These features may be among those requested by the merchant as a way to increase the service they can offer to their customers, to make the transaction process compatible with their overall business process, and to increase efficiency. All of this can solidify the merchant relationship and increase merchant retention. Some of these VAR features add steps to the entire process. However, if there is a problem with a VAR in the processing of a transaction the support staff will know instantly because the merchant will not be able to access the frontend system to get an authorization.

What variance and resources available to you should you be familiar with?

- Class A vs. Class B support from the payment processor.
  - Understand what these terms mean, HOW your merchant can reach the processor, and WHEN they should reach out to the processor.
  - Methods for reaching the support, including e-mail, web chat, telephone, discussion forums and online portals.
- An understanding of Level 1 vs. Level 2 operational support from a service provider.
- QRGs, terminal templates and user guides available for your merchant.
- Where or who does your merchant call for terminal supplies, receipts, or if a terminal or PIN pad needs to be replaced?
- Back office support for answering questions regarding chargebacks, statement questions, ACH, balancing or batch issues often is different than the support for the terminal or payment application.
- What are the requirements to support a third party VAR application (e-commerce or web based) and how does this differ from supporting a standard POS terminal?
  - Programming the application
  - Managing discrepancies between the POS data and what was processed at the settlement level
  - Who manages the installation and updates for the initial deployment, and who is responsible for ongoing card brand enhancement, maintenance and support?
  - Researching authorization issues
  - Troubleshooting communications issues between the POS, within the store, and with the website
  - Integrating a payment application with the shopping cart or VAR
  - Use of third party payment software as part of a POS application, who provisions this software, and what are the pitfalls of using a third party application?
  - Who is responsible for PCI, and what is the process for obtaining PCI compliance with each of the parties involved in the POS or web environment?
- How the use of third-party applications such as check processing, gift card or loyalty can be integrated at the POS
  - Separate applications or combined applications?
  - Single support source for help or multiple endpoints for support?
  - What is the billing process, and what are the merchant's expectations?

What specific interchange categories exist?

- Consumer/Commercial
- Rewards Cards
- Card Present/Card Not Present transactions
- Regulated/Non-Regulated
- No Signature Required
- Quick Service Restaurants (QSR)
- Supermarket
- Fuel
- Small Ticket
- Emerging Markets
- Level 1, 2 and 3 Data

What elements may be included within technical training for E-commerce, CNP and software solutions?

- Installation of payment processing software
  - Operating system version compatibility with software, hardware and firmware
  - Browser support required
  - User control and access
- Configuration of routers, firewalls and access to the systems
- Administration, setup and configuration of account on the gateway or e-commerce software platforms. Building the TID information into the systems.
  - APIs required for authorization, settlement and reporting
  - APIs required for hosted payment pages
  - Upload of initial data for recurring payments
  - SSL certificates for secure web processing
  - Integration tools with accounting or back office software
  - User hierarchy
- Configuration of peripherals and validation of functionality
- Troubleshooting and reporting tools available to assist merchant with support calls, including communications issues and third party integration concerns.
- Network connectivity for the various stations and consolidated reporting at the processor level should be validated.

What are some key terms to know when recommending or agreeing to support a merchant's processing solution?

- Know which terminals your processor has certified as Class A or Class B
- Stage-only
- Information required to program the software
  - VAR program information sheet
  - Terminal download information
- SoftPay, TermMaster and other application download programs
- Terminal deployment, repair and supplies
- PIN pad encryption and key injection
- Peripheral support
  - SmartPhone sleds and dongles
  - Wedges or mag stripe readers for POS systems
  - Check readers
- Gateway escalation process between your merchant and the processor
- Quick reference guides, online support forums and other technical resources available for use within your organization and by the merchant
- Billing for third party services and the ability to audit or escalate discrepancies
- Making changes to the application in the terminal or software
  - Who, how, when, and at what cost?
- Number of years in business and financial strength of the business partners
- Average speed of answer at the support desk
- Knowledge level of help desk along with an escalation path for you and for your merchant
- Defined service levels and metrics used to track service levels

Traditional terminal technical training should cover the following elements:

- Power and connectivity of the device to the payment processing network. This may include connectivity to a physical or wireless internet network, power and/or telephone line.
- Attachment and/or use of peripherals including printers, PIN pads, CHIP card readers, contactless card readers, check readers or other devices attached to the terminal.
- The various error messages produced by the device along with where and how to fix the errors. This could include rejected batches, communication errors, dial tone errors, duplicate batches or changes to receipt verbiage.
- Use of the terminal including processing sales, credits, voids, settling batches, reversal transactions, partial approval transactions, PIN debit, balance inquiries, clerk or server reports and other functionality of the application residing in the terminal.
- Downloading or accessing additional applications or services connected to the device.
- Troubleshooting tools available in the terminal.

What points should merchant training cover?

- Transacting a sale
- Demonstrating the use of an EMV reader which will hold the card through the transaction versus a swipe of a card.
- Issuing of refunds or voids: the how, when and why for each transaction, along with where this occurs in their software or processing device.
- Receipt truncation and how to acquire the full card number should they need to issue a credit or an adjustment.
- An overview of the timeframes and rules for chargeback processing, ensuring that they understand the importance of a timely response and that they know where to look for the information in their systems to respond to a chargeback.
- Duplicate batches are not a common problem with processing; however, your merchant should understand the potential for fines and what to do if they suspect that a batch has been duplicated.
- Storage of card data:
  - When it is allowed?
  - How it is to be stored?
  - What capabilities exist for secure storage and access with their processing systems?
- A thorough understanding of the fraud tools available to your merchant, whether processing CNP or card present, is a critical training component.
  - Key entered AVS, signature matching, card identification characteristics
  - AVS, CVV responses, approvals, IP validation checking, expired cards and other tools for CNP merchant
  - EMV as a fraud prevention tool?
  - A discussion that an approval is not a guarantee of a good transaction.
  - Ensure they understand the timeliness for settlement and rules regarding authorizations.
  - Issuing of credits to an offsetting transaction
  - Other tools that may exist within or for a particular solution
- Card acceptance rules for credit, debit, prepaid and other schemes to ensure that the merchant does not run afoul of card brand rules.
  - An example is the reciprocity agreement between Discover and JCB, Union Pay, BC Card, etc. These international card brands work at Discover accepting merchants.
- Discuss the telephone numbers available for support and which numbers to call for different types of issues.
- Balancing the batch settlement reports vs. the merchant statement.
  - Your merchant should understand what reports are available in their systems and how they relate to the month end merchant statement.

What are the three segments of "technical training"?

- installation or integration of the device or software
- use of the device or software
- the communication technology of the device or software.

What should be considered when recommending POS systems to a merchant client?

- Connectivity method to the processor (dial, SSL, dedicated)
- Processors supported by the POS system software
- Installed and serviced by a VAR or directly
- Third party applications supported including check, gift, loyalty, chip or PIN debit
- Who will be supporting the installation of the system
  - Will there be costs and is the merchant willing to pay to make changes to their merchant services
- Benefits of a proprietary system offered by a processor or a generally available solution in the market
- PCI Compliance
- Hardware and/or Software upgrades that may be available and/or required prior to making changes to the merchant services, as well as the cost of these upgrades
- Ancillary services required by the merchant
  - Inventory management
  - Time and attendance
  - Remote receipt printing
  - Network capabilities for remote reporting
- Third party gateway providers in the middle of the transaction
  - PCI compliance
  - Benefits provided by the gateway
- Petroleum solutions
  - Pay at the pump
  - Inside counter sales
  - Fleet card types accepted
  - Software integrated on a controller to support multiple devices

What are the functional elements of a traditional terminal?

- Dial or Dual Comm (Ethernet connectivity)
- Multi application or single application
- Stand alone printers or integrated printers
- Custom receipts or standard receipts
- Integrated chip card processing
- Stand alone PIN pad or integrated PIN pad
- WiFi or wireless modems
- Battery operated
- Touch screen displays
- Check reader connectivity
- Network connectivity amongst devices
- Contactless or Near Field Communication (NFC) support
- EMV Reader Stand alone or integrated.
- Mobile reader operating in the Mobile phone audio jack

Mail Order/Telephone Order (MOTO) or Internet

The selling of goods online; non-face-to-face transaction (ANY Card Not Present environment)

What are some elements of e-commerce solutions?

- Batch processing, fraud tools, one time or recurring payments, fulfillment center integration, order validation, delivery methods
- Hosted payment page, integration options, card data storage
- Online malls
- Multi-currency processing

What are the two ways to look at an MCC?

1. By grouping of similar MCCs that fit a particular business category, or; 2. by individual MCC that describes the business type in detail.

What can you do when uncomfortable with activity you've observed?

1. Contact the card issuer for help in investigating a transaction directly with the cardholder; 2. work with the acquirer and merchant to implement reserves, delay funding or limit the transaction amounts and volumes until such time as you are comfortable with the business.

What authentication steps can a merchant take in a face-to-face transaction environment?

1. Hand the physical goods directly to the cardholder; 2. Verify the cardholder by comparing signatures and obtaining additional forms of identification if suspicious; 3. Swipe or dip the card to confirm the card was present; 4. Readily confirm receipt of refund and exchange policies; 5. Obtain alternate forms of payment if not comfortable with any information presented by the cardholder

What are some of the key "authorization data" points that can be used to understand merchant processing?

1. Interchange qualification patterns/anomalies; 2. Terminal capability; 3. Cardholder identification method from the terminal; 4. Cardholder identification method

What are some of the key "Interchange qualification patterns/anomalies" points that can be used to understand merchant processing?

1. Problems with system; 2. Normal course of business; 3. Merchant changing their business.

What are some of the key "Cardholder identification method" points that can be used to understand merchant processing?

1. Signature; 2. Card present; 3. AVS/CVV

What are some of the key "Terminal capability" points that can be used to understand merchant processing?

1. Swipe terminal; 2. Chip/EMV enabled terminal; 3. Key entered only terminal.

What are some of the key "Cardholder identification method from the terminal" points that can be used to understand merchant processing?

1. Swiped; 2. Dipped; 3. Key entered; 4. Key entered with AVS; 5. Key entered CNP; 6. Use of the MOTO button

What authentication steps can a merchant take in a "card not present" transaction environment?

1. Validate card using methods such as CVV2/CVC2 and/or AVS, as opposed to a signature validation or alternate form of ID; 2. If the AVS or CVV2/CVC2 do not match, the merchant can ask for another form of payment or decline the transaction; 3. Engage the services of a third party threat validation company to review device history, validate identities, or enable knowledge-based authentication validation for high ticket items; 4. Enable delivery confirmation on shipped goods with signature on delivery when applicable. In the case of electronic delivery, enable device tracking and IP validation rules; 5. Exchange and return policies should be prominently displayed or as a click-to-agree, with an email confirmation of the TOS (including the refund policy)

What is the average approval timeframe for a merchant application?

24-48 hours.

What are Visa's specific high risk MCCs that require registration?

5967, Direct Marketing - Inbound Teleservices Merchant (adult content); 5966, Direct Marketing - Outbound Telemarketing Merchant; 5962, Direct Marketing - Travel-Related Arrangement Service; 7995, Betting, including Lottery Tickets, Casino Gaming, Off-Track Betting, and Race Tracks; 5122, Drugs, Drug Proprietaries, and Druggist Sundries; 5912, Drug Stores and Pharmacies

Virtual Appliance (VA)

A VA takes the concept of a pre-configured device for performing a specific set of functions and runs this device as a workload. Often, an existing network device is virtualized to run as a virtual appliance, such as a router, switch, or firewall.

PIN Block

A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN. The PIN block is composed of the PIN, the PIN length, and may contain subset of the PAN.

What alternate documents can be provided to satisfy a site survey requirement?

A business license, fictitious business name filing (DBA), seller's permit, and articles of incorporation or tax privilege license.

Wildcard

A character that may be substituted for a defined subset of possible characters in an application version scheme. In the context of PA-DSS, wildcards can optionally be used to represent a non-security impacting change. A wildcard is the only variable element of the vendor's version scheme, and is used to indicate there are only minor, non-security-impacting changes between each version represented by the wildcard element.

Index Token

A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.

Risk Ranking

A defined criterion of measurement based upon the risk assessment and risk analysis performed on a given entity.

Data-Flow Diagram

A diagram showing how data flows through an application, system, or network.

VLAN

A diagram showing how data flows through an application, system, or network.

Network Diagram

A diagram showing system components and connections within a networked environment.

Merchant Category Code (MCC)

A four-digit code that identifies a merchant by their business line. It is similar to a Standard Industrial Classification (SIC) code, but it is specific to the acquiring industry.

Remote Lab Environment

A lab that is not maintained by the PA-QSA.

Dial UP Terminal

A landline terminal that can read the track data on a magnetic stripe and communicate transaction information to the frontend platform and receives authorization instructions via the merchant's phone line usually by dialing a toll free number

Parameterized Queries

A means of structuring SQL queries to limit escaping and thus prevent injection attacks.

What is the merchant provided upon approval?

A merchant identification number, a welcome kit, a terminal, and terminal identification number if necessary.

What is split funding?

A merchant may receive a capital advance from a third party and direct the processor to repay the third party with a % of their daily credit/debit card processing deposited into the third party's bank account and the remainder deposited into the merchant's bank account.

What does PCI DSS 3333.0 require?

A merchant must prove that cardholder data does not reside in areas which are stated to be outside of the cardholder data environment (CDE). This became a mandatory requirement that affects you and the merchant.

Split Knowledge

A method by which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.

Rainbow Table Attack

A method of data attack using a pre-computed table of hash strings (fixed-length message digest) to identify the original data source, usually for cracking password or cardholder data hashes.

Installing Peripheral Devices

A peripheral device may be provided in addition to the credit card terminal. The payments professional will need to determine if peripheral devices are needed and ensure that they are operating properly. Before installing any peripheral device, you must ensure that all batches are cleared and the power is turned off to the terminal to avoid blowing encryptions and/or harming the equipment.

What is a personal guarantor used for?

A personal guarantor ensures the full and faithful performance and payment responsibilities of the merchant to the acquirer and member bank, as outlined in the terms and conditions of the merchant processing agreement.

Card Skimmer

A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

What is a balanced portfolio?

A portfolio that is not heavily dependent upon one industry type or a few select merchants or cyclical businesses.

Versioning Methodology

A process of assigning version schemes to uniquely identify a particular state of an application or software. These schemes follow a version-number format, version-number usage, and any wildcard element as defined by the software vendor. Version numbers are generally assigned in increasing order and correspond to a particular change in the software.

Insecure Protocol/Service/Port

A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data or authentication credentials (for example, password/passphrase) in clear-text over the Internet, or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

What typically allows for a wider spectrum of merchants to be onboarded?

A sales channel with a larger size and spectrum.

Virtual Machine

A self-contained operating environment that behaves like a separate computer. It is also known as the "Guest," and runs on top of a hypervisor.

Proxy Server

A server that acts as an intermediary between an internal network and the Internet. For example, one function of a proxy server is to terminate or negotiate connections between internal and external connections such that each only communicates with the proxy server.

Secure Cryptographic Device

A set of hardware, software and firmware that implements cryptographic processes (including cryptographic algorithms and key generation) and is contained within a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.

Personal Firewall Software

A software firewall product installed on a single computer.

Password / Passphrase

A string of characters that serve as an authenticator of the user.

Critical systems / critical technologies

A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization's environment and risk-assessment strategy.

Cryptographic Key

A value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.

Virtual Payment Terminal

A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Virtual Switch or Router

A virtual switch or router is a logical entity that presents network infrastructure level data routing and switching functionality. A virtual switch is an integral part of a virtualized server platform such as a hypervisor driver, module, or plug-in.

AES

Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or "FIPS 197"). See Strong Cryptography.

IPSEC

Abbreviation for "Internet Protocol Security." Standard for securing IP communications at the network layer by encrypting and/or authenticating all IP packets in a communication session.

RADIUS

Abbreviation for "Remote Authentication Dial-In User Service." Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide multi-factor authentication.

SSH

Abbreviation for "Secure Shell." Protocol suite providing encryption for network services like remote login or remote file transfer.

LPAR

Abbreviation for "logical partition." A system of subdividing, or partitioning, a computer's total resources—processors, memory and storage—into smaller units that can run with their own, distinct copy of the operating system and applications. Logical partitioning is typically used to allow the use of different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or share some resources of the server, such as network interfaces.

MAC Address

Abbreviation for "media access control address." Unique identifying value assigned by manufacturers to network adapters and network interface cards.

SysAdmin

Abbreviation for "system administrator." Individual with elevated privileges who is responsible for managing a computer system or network.

TELNET

Abbreviation for "telephone network protocol." Typically used to provide user-oriented command line login sessions to devices on a network. User credentials are transmitted in clear text.

Remote Access

Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company's own network or from a remote location outside the company's network. An example of technology for remote access is VPN.

Account Data

Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

What are some methods to monitor merchant satisfaction?

Acquirer and processor notification systems, customer surveys, re-pricing, redesigned solutions, and value-added services.

ANSI

Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.

ASV

Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.

CIS

Acronym for "Center for Internet Security." Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

CVSS

Acronym for "Common Vulnerability Scoring System." A vendor agnostic, industry open standard designed to convey the severity of computer system security vulnerabilities and help determine urgency and priority of response. Refer to ASV Program Guide for more information.

DSS

Acronym for "Data Security Standard." See PA-DSS and PCI DSS.

ECC

Acronym for "Elliptic Curve Cryptography." Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

MAC

Acronym for "Elliptic Curve Cryptography." Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

SHA-1/SHA-2

Acronym for "Elliptic Curve Cryptography." Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

FIPS

Acronym for "Federal Information Processing Standards." Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.

FTP

Acronym for "File Transfer Protocol." Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology. See S-FTP.

GPRS

Acronym for "General Packet Radio Service." Mobile data service available to users of GSM mobile phones. Recognized for efficient use of limited bandwidth. Particularly suited for sending and receiving small bursts of data, such as e-mail and web browsing.

GSM

Acronym for "Global System for Mobile Communications." Popular standard for mobile phones and networks. Ubiquity of GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.

IETF

Acronym for "Internet Engineering Task Force." Large, open international community of network designers, operators, vendors, and researchers concerned with evolution of Internet architecture and smooth operation of Internet. The IETF has no formal membership and is open to any interested individual.

IMAP

Acronym for "Internet Message Access Protocol." An application-layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.

LDAP

Acronym for "Lightweight Directory Access Protocol." Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.

MO/TO

Acronym for "Mail-Order/Telephone-Order."

NIST

Acronym for "National Institute of Standards and Technology." Non-regulatory federal agency within U.S. Commerce Department's Technology Administration.

NVD

Acronym for "National Vulnerability Database." The U.S. government repository of standards-based vulnerability management data. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

NTP

Acronym for "Network Time Protocol." Protocol for synchronizing the clocks of computer systems, network devices and other system components.

OWASP

Acronym for "Open Web Application Security Project." A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).

OCTAVE®

Acronym for "Operationally Critical Threat, Asset, and Vulnerability Evaluation." A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

PTS

Acronym for "PIN Transaction Security," PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals. Please refer to www.pcisecuritystandards.org.

PVV

Acronym for "PIN verification value." Discretionary value encoded in magnetic stripe of payment card.

PA-DSS

Acronym for "Payment Application Data Security Standard."

PA-QSA

Acronym for "Payment Application Qualified Security Assessor." PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.

PCI DSS

Acronym for "Payment Card Industry Data Security Standard."

PCI

Acronym for "Payment Card Industry."

POI

Acronym for "Point of Interaction," the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.

POP3

Acronym for "Post Office Protocol v3." Application-layer protocol used by e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.

QIR

Acronym for "Qualified Integrator or Reseller." Refer to the QIR Program Guide on the PCI SSC website for more information.

ROC

Acronym for "Report on Compliance." Report documenting detailed results from an entity's PCI DSS assessment.

ROV

Acronym for "Report on Validation." Report documenting detailed results from a PA-DSS assessment for purposes of the PA-DSS program.

SSL

Acronym for "Secure Sockets Layer." Industry standard that encrypts the channel between a web browser and web server. Now superseded by TLS. See TLS.

SAQ

Acronym for "Self-Assessment Questionnaire." Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.

SNMP

Acronym for "Simple Network Management Protocol." Supports monitoring of network attached devices for any conditions that warrant administrative attention.

SQL

Acronym for "Structured Query Language." Computer language used to create, modify, and retrieve data from relational database management systems.

SANS

Acronym for "SysAdmin, Audit, Networking and Security," an institute that provides computer security training and professional certification. (See www.sans.org.)

TACACS

Acronym for "Terminal Access Controller Access Control System." Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide multi-factor authentication.

TCP

Acronym for "Transmission Control Protocol." One of the core transport-layer protocols of the Internet Protocol (IP) suite, and the basic communication language or protocol of the Internet. See IP.

TLS

Acronym for "Transport Layer Security." Designed with goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.

TDES

Acronym for "Triple Data Encryption Standard" and also known as "3DES" or "Triple DES." Block cipher formed from the DES cipher by using it three times. See Strong Cryptography.

URL

Acronym for "Uniform Resource Locator." A formatted text string used by Web browsers, e-mail clients, and other software to identify a network resource on the Internet.

WPA/WPA2

Acronym for "WiFi Protected Access." Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.

WEP

Acronym for "Wired Equivalent Privacy." Weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.

AOC

Acronym for "attestation of compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

AOV

Acronym for "attestation of validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.

AAA

Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.

CDE

Acronym for "cardholder data environment." The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

DNS

Acronym for "domain name system" or "domain name server." A system that stores information associated with domain names in a distributed database to provide name-resolution services to users on networks such as the Internet.

HSM

Acronym for "hardware security module" or "host security module." A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data.

HTTPS

Acronym for "hypertext transfer protocol over secure socket layer." Secure HTTP that provides authentication and encrypted communication on the World Wide Web designed for security-sensitive communication such as web-based logins.

HTTP

Acronym for "hypertext transfer protocol." Open internet protocol to transfer or convey information on the World Wide Web.

IP

Acronym for "internet protocol." Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite. See TCP.

IPS

Acronym for "intrusion prevention system." Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.

IDS

Acronym for "intrusion-detection system." Software or hardware used to identify and alert on network or system anomalies or intrusion attempts. Composed of: sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses a system of rules to generate alerts in response to detected security events. See IPS.

LAN

Acronym for "local area network." A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.

MPLS

Acronym for "multi-protocol label switching." Network or telecommunications mechanism designed for connecting a group of packet-switched networks.

NAC

Acronym for "network access control" or "network admission control." A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy.

NAT

Acronym for "network address translation." Also known as network masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally, and external addresses that are only visible externally.

PDA

Acronym for "personal data assistant" or "personal digital assistant." Handheld mobile devices with capabilities such as mobile phones, e-mail, or web browser.

PIN

Acronym for "personal identification number." Secret numeric password known only to the user and a system to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN in the system. Typical PINs are used for automated teller machines for cash advance transactions. Another type of PIN is one used in EMV chip cards where the PIN replaces the cardholder's signature.

POS

Acronym for "point of sale." Hardware and/or software used to process payment card transactions at merchant locations.

PAT

Acronym for "port address translation" and also referred to as "network address port translation." Type of NAT that also translates the port numbers.

PAN

Acronym for "primary account number" and also referred to as "account number." Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

SDLC

Acronym for "system development life cycle" or "software development lifecycle." Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.

VPN

Acronym for "virtual private network." A computer network in which some of the connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The end points of the virtual network are said to be tunneled through the larger network when this is the case. While a common application consists of secure communications through the public Internet, a VPN may or may not have strong security features such as authentication or content encryption. A VPN may be used with a token, smart card, etc., to provide two-factor authentication.

WAN

Acronym for "wide area network." Computer network covering a large area, often a regional or company-wide computer system.

WLAN

Acronym for "wireless local area network." Local area network that links two or more computers or devices without wires.

CERT

Acronym for Carnegie Mellon University's "Computer Emergency Response Team." The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.

S-FTP

Acronym for Secure-FTP. S-FTP has the ability to encrypt authentication information and data files in transit. See FTP.

Protocol

Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network.

RSA

Algorithm for public-key encryption described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at Massachusetts Institute of Technology (MIT); letters RSA are the initials of their surnames.

Encryption Algorithm

Also called "cryptographic algorithm." A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.

Degaussing

Also called "disk degaussing." Process or technique that demagnetizes the disk such that all data stored on the disk is permanently destroyed.

Stateful Inspection

Also called "dynamic packet filtering." Firewall capability that provides enhanced security by keeping track of the state of network connections. Programmed to distinguish legitimate packets for various connections, only packets matching an established connection will be permitted by the firewall; all others will be rejected.

Secure Wipe

Also called "secure delete," a method of overwriting data residing on a hard disk drive or other digital media, rendering the data irretrievable.

Card Verification Code or Value

Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
(1) Data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
- CAV - Card Authentication Value (JCB payment cards)
- PAN CVC - Card Validation Code (MasterCard payment cards)
- CVV - Card Verification Value (Visa and Discover payment cards)
- CSC - Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:
- CID - Card Identification Number (American Express and Discover payment cards)
- CAV2 - Card Authentication Value 2 (JCB payment cards)
- PAN CVC2 - Card Validation Code 2 (MasterCard payment cards)
- CVV2 - Card Verification Value 2 (Visa payment cards)

Wireless Access Point

Also referred to as "AP." Device that allows wireless communication devices to connect to a wireless network. Usually connected to a wired network, it can relay data between wireless devices and wired devices on the network.

Database Administrator

Also referred to as "DBA." Individual responsible for managing and administering databases.

Trojan

Also referred to as "Trojan horse." A type of malicious software that when installed, allows a user to perform a normal function while the Trojan performs malicious functions to the computer system without the user's knowledge.

Audit Log

Also referred to as "audit trail." Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.

Smart Card

Also referred to as "chip card" or "IC card (integrated circuit card)." A type of payment card that has integrated circuits embedded within. The circuits, also referred to as the "chip," contain payment card data including but not limited to data equivalent to the magnetic-stripe data.

Forensics

Also referred to as "computer forensics." As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.

Compromise

Also referred to as "data compromise," or "data breach." Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.

Track Data

Also referred to as "full track data" or "magnetic-stripe data." Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.

IP Address

Also referred to as "internet protocol address." Numeric code that uniquely identifies a particular computer (host) on the Internet.

Acquirer

Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.

Network Sniffing

Also referred to as "packet sniffing" or "sniffing." A technique that passively monitors or collects network communications, decodes protocols, and examines contents for information of interest.

Network Segmentation

Also referred to as "segmentation" or "isolation." Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.

BAU

An acronym for "business as usual." BAU is an organization's normal daily business operations.

Web Application

An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.

Why is managing chargebacks a critical piece of a successful merchant program?

An efficient and well run merchant allows acquirers to focus on growth within their portfolio as well as process improvement.

Reseller / Integrator

An entity that sells and/or integrates payment applications but does not develop them.

Security Event

An occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity.

Organizational Independence

An organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity. For example, individuals performing assessments are organizationally separate from the management of the environment being assessed.

Sensitive Area

Any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store.

System Components

Any network devices, servers, computing devices, or applications included in or connected to the cardholder data environment.

Privileged User

Any user account with greater than basic access privileges. Typically, these accounts have elevated or increased privileges with more rights than a standard user account. However, the extent of privileges across different privileged accounts can vary greatly depending on the organization, job function or role, and the technology in use.

System-level object

Anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.

What should you look for when monitoring "monthly volume"?

Applications typically request the average monthly volume and a peak season volume. Sales beyond these volumes may indicate risk problems or may warrant adjustments in account setup to offset merchant growth. Larger than expected volumes in the first month may be an indicator that the merchant has past sales they are trying to process, a bust-out scheme, or that the application was erroneous or false. The volume should also be balanced against similar merchants. Larger volumes than similar merchants may be an indicator of risk and should be investigated.

What is the industry approval rate?

Approximately 95%.

Cardholder Data

At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

Why is it important to ask "Is there a budget allocated for hardware or for software changes?"

At the end of the day, you need to understand the merchant's cost constraints to ensure your proposed solution is in line with their processing needs as well as their financial goals.

IP Address Spoofing

Attack technique used to gain unauthorized access to networks or computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.

Batching

Authorized transactions are stored in batches, either in the terminal or on the processor's host, which are sent to the acquiring clearing processor on a predetermined schedule, also known as "auto batch". If a transaction is not submitted in the batch, the authorization will stay valid for a period of time, determined by the issuer, after which the held amount will be returned to the cardholder's available credit (see authorization hold). Some transactions may be submitted in the batch without prior authorizations; these are typically seen where the authorization was unsuccessful but the merchant still attempts to force the transaction through. (Such may be the case when the cardholder is not present but owes the merchant additional money, such as a hotel stay extension or car rental.)

Service Provider

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

What is collected on/with a merchant application?

Business information, contact information, voided check or bank letter, storage/PCI compliance, site survey, and a personal guarantor (case-by-case).

What is a "Card Not Present" (CNP) transaction?

CNP transactions are any transaction where the card cannot be physically processed. These may be where the mag stripe cannot be read, the chip cannot be read, mail or telephone order (MOTO), e-commerce or recurring transactions (where the first sale was not card present).

Authentication Credentials

Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.

What is a good way to establish a baseline and determine best practices?

Comparing the portfolio of your organization against industry metrics.

Compensating Controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. See "Compensating Controls" Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

Web Server

Computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).

Server

Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to web, database, application, authentication, DNS, mail, proxy, and NTP.

Mainframe

Computers that are designed to handle very large volumes of data input and output and emphasize throughput computing. Mainframes are capable of running multiple operating systems, making it appear like it is operating as multiple computers. Many legacy systems have a mainframe design.

Threat

Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.

How should your organization respond if there is a compromise of PII?

Consult with legal counsel, as there are various state and federal notification requirements.

What often influences stricter guidelines?

Contractual relationships and risk appetites.

What banking information must be provided in support of a merchant application?

Copy of the merchant's voided check or bank letter with account name, account number and routing number, and a bank contact name and phone. Most processors will not allow "starter" or non pre-printed checks to be used.

How can you encourage merchants to self-report suspected breaches?

Create an environment of trust with your merchants so they will escalate breaches and ask for help, rather than trying to navigate the waters alone.

Strong Cryptography

Cryptography based on industry-tested and accepted algorithms, along with key lengths that provide a minimum of 112-bits of effective key strength and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is "one way"; that is, not reversible). See Hashing. At the time of publication, examples of industry-tested and accepted standards and algorithms include AES (128 bits and higher), TDES/TDEA (triple-length keys), RSA (2048 bits and higher), ECC (224 bits and higher), and DSA/D-H (2048/224 bits and higher). See the current version of NIST Special Publication 800-57 Part 1 (http://csrc.nist.gov/publications/) for more guidance on cryptographic key strengths and algorithms. Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure. It is recommended that all new implementations use a minimum of 128-bits of effective key strength.

Transaction Data

Data related to electronic payment card transaction.

What are the two main types of payment cards?

Debit card and credit card.

What are the possible components of a payment transaction?

Debit card, credit card, Point of Sale terminal, wireless terminal, mobile payment solution, virtual terminal, and PIN pads / PIN entry devices (PEDs).

Why is it important to ask "How is the sale completed today"?

Defining how the sale is completed helps determine the hardware or software solution(s) required. If it is a restaurant with a seasonal patio that needs payment processing at the table, then it might be appropriate to have a device inside the restaurant and another portable one for the patio. If it is an e-commerce environment, do they need batch processing or is real-time a requirement? Can you improve the plumber's efficiency by providing a smart phone solution as opposed to them calling the office? If the order is processed by a third-party, what type of controls does the merchant need, or is the merchant fine completely outsourcing?

Off-the-Shelf

Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.

Procedure

Descriptive narrative for a policy. Procedure is the "how to" for a policy and describes how the policy is to be implemented.

What is "qualifying" your merchant?

Determining the appropriate products or services for your merchant will differ somewhat based upon whether your merchant is new to accepting credit cards or already accepts credit cards. In either case, the goal is to ensure that you are properly addressing the payment processing needs and ancillary services required to appropriately service your merchant.

Cryptography

Discipline of mathematics and computer science concerned with information security, particularly encryption and authentication. In applications and network security, it is a tool for access control, information confidentiality, and integrity.

Information System

Discrete set of structured data resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Backup

Duplicate copy of data made for archiving purposes or for protecting against damage or loss.

What are some common value-adds?

EBT, debit card, gift card/loyalty programs, split funding, and checks.

Encryption

ECC Acronym for "Elliptic Curve Cryptography." Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

Administrative Access

Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications. Administrative access can be assigned to an individual's account or a built-in system account. Accounts with administrative access are often referred to as "superuser", "root", "administrator", "admin", "sysadmin" or "supervisor-state", depending on the particular operating system and organizational structure.

Issuer

Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as "issuing bank" or "issuing financial institution."

What does "communications technology" mean in the payments world?

Everything from a dial-up phone line to satellite based systems used to deliver card (and other data) to host and processing systems.

Issuing services

Examples of issuing services may include but are not limited to authorization and card personalization.

Who are some commonly known "payment processors"?

Examples of payments processors include Global Payments, First Data, Chase Paymentech, TSYS, and Elavon.

What should be done if a merchant exceeds acceptable chargeback thresholds?

Fees and/or fines may be levied to the acquirer if their merchant exceeds acceptable chargeback thresholds as outlined by the card brands and are often passed to the merchant.

How does Mastercard respond to excessive chargebacks?

Fines begin at $25 per chargeback above the 1.5% in the second month and include a fine calculated by MasterCard.

When were smart cards first used, and when were they ported to payment cards?

First used in French payphones in 1983, which were eventually ported to payment cards in 1993.

Vulnerability

Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

Payment Cards

For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.

Merchant

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

SQL Injection

Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.

Schema

Formal description of how a database is constructed including the organization of data elements.

What are some typical indicators of money laundering?

Frequent credits for large amounts and spikes in "keyed" (card-not-present) transactions.

Personnel

Full-time and part-time employees, temporary employees, contractors, and consultants who are "resident" on the entity's site or otherwise have access to the cardholder data environment.

Firewall

Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.

Router

Hardware or software that connects two or more networks. Functions as sorter and interpreter by looking at addresses and passing bits of information to proper destinations. Software routers are sometimes referred to as gateways.

Least Privilege

Having the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.

What are the key parts of a merchant statement?

Header information, deposit information, settlement/discount, surcharges, other fees, and total credited/debited.

What are some typical fraud indicators?

High chargebacks, excessive authorizations, high maximum tickets, deviations from the expected average ticket, and credits without offsetting sales.

ID

Identifier for a particular user or application.

How are the necessary "payment types" identified?

Identifying the payment types required by the merchant starts with the card brands and then moves into other payment mechanisms, including check, ACH or gift. Further, there may be requirements for additional data exchange as part of the payments process or apart from the payments process.

With face-to-face transactions, why is the "EMV Chip Card" an important risk factor?

If a consumer presents a chip card and the merchant is not able to accept the card AND the consumer claims fraud, the liability is now held by the merchant. This is a new risk not previously faced by card present merchants.

Why is it important to ask "What type of hardware and software is in place today? Is it PCI compliant, and what is the functionality?"

If the merchant has a stand-alone terminal, this question helps determine whether you can re-program the device, how many devices and whether their software is compatible with your software. Understanding who supports the software or device is as critical as to whether you can re-program the device.

What should you look for when performing "chargeback monitoring"?

If your merchant is receiving a lot of chargebacks, you should quickly evaluate the reason codes behind the chargebacks and question the merchant's practices. Increased chargebacks may mean your merchant's business is in financial distress, is experiencing supplier issues, or has gone rogue and is committing fraud, potentially against the consumer. This is especially the case if the chargebacks are for unauthorized charges, services not received, or duplicate transactions.

What are some of the MCCs that Visa and MC prohibit?

Illegal prescription drugs; Illegal tobacco sales; Deceptive marketing practices; Counterfeit and copyright infringing merchandise; Child pornography; Illicit websites depicting violence and extreme sexual violence; Bestiality

Pad

In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.

Dependency

In the context of PA-DSS, a dependency is a specific software or hardware component (such as a hardware terminal, database, operating system, API, code library, etc.) that is necessary for the payment application to meet PA-DSS requirements.

Payment Application

In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties. Refer to PA-DSS Program Guide for details.

Masking

In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.

Authorization

In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication. In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.

Token

In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication. See RADIUS, TACACS, and VPN. See also Session Token.

ISO

In the context of industry standards and best practices, ISO, better known as "International Organization for Standardization" is a non-governmental organization consisting of a network of the national standards institutes.

Session Token

In the context of web session management, a session token (also referred to as a "session identifier" or "session ID"), is a unique identifier (such as a "cookie") used to track a particular session between a web browser and a webserver.

Network Components

Include, but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

Application

Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.

Consumer

Individual purchasing goods, services, or both.

Non-Consumer Users

Individuals, excluding cardholders, who access system components, including but not limited to employees, administrators, and third parties.

Personally Identifiable Information

Information that can be utilized to identify or trace an individual's identity including but not limited to name, address, social security number, biometric data, date of birth, etc.

Cryptographic Key Generation

Key generation is one of the functions within key management. The following documents provide recognized guidance on proper key generation:
- NIST Special Publication 800-133: Recommendation for Cryptographic Key Generation
- ISO 11568-2 Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
  - 4.3 Key generation
- ISO 11568-4 Financial services — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management and life cycle
  - 6.2 Key life cycle stages — Generation
- European Payments Council EPC 342-08 Guidelines on Algorithms Usage and Key Management
  - 6.1.1 Key generation [for symmetric algorithms]
  - 6.2.1 Key generation [for asymmetric algorithms]

Cryptographic Key Management

The set of processes and mechanisms which support cryptographic key establishment and maintenance, including replacing older keys with new keys as necessary.

Installing on Dial up (Analog)

Locate the power cord and plug it into the terminal. Have a phone line available and trace it from the wall jack to the back of terminal. It must be able to install on dial up. Plug one end of the phone cable into the terminal base and the other end into phone jack. For dial communication, a prefix may be needed to dial (e.g., 9 or 8 preceding the area code). The prefix can be preprogrammed or initialized at set up.

Port

Logical (virtual) connection points associated with a particular communication protocol to facilitate communications across networks.

Default Accounts

Login account predefined in a system, application, or device to permit initial access when system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.

Host

Main computer hardware on which computer software is resident.

What is "relationship building" (in the context of merchant processing) and why is it important?

Maintaining an open and professional relationship with all areas of business is important to keeping the lines of communication open. The payments professional is going to be successful by communicating with customer service, technical support, applications processing and partner support. Maintaining a relationship with risk management and the collections divisions will help the professional stay ahead of notifications, funding holds and other performance concerns.

Memory-Scraping Attacks

Malware activity that examines and extracts data that resides in memory as it is being processed or which has not been properly flushed or overwritten.

What is one way to keep up with regulatory updates?

Many regulatory bodies offer conferences to clarify their positions, explain the intent of regulations, and to offer suggestions to the board. Regular attendance of these events or training within the organization by a qualified individual should be scheduled to keep all critical personnel up to date with changes and trends in the industry and the governing body's interpretations of their regulations.

How does Mastercard manage excessive chargebacks?

Mastercard has two tiers of "excessive" chargeback merchants:
1. An Excessive Chargeback Merchant (ECM) when: 100 chargebacks (or more) per calendar month, and a ratio of chargebacks this month/sales last month in excess of 1.00%. This designation is maintained until the merchant is below the predetermined ratio.
2. A Merchant in the "Excessive Chargeback Program": The ECP monitors chargeback levels for all merchants on a monthly basis. If a merchant reaches excessive chargeback rates: 100 chargebacks (or more) in each of the two previous consecutive months, and a ratio of chargebacks this month/sales last month of 1.50% or greater.

What are typical risk factors to be monitored?

Maximum ticket, average ticket, monthly volume, large dollar or excessive credits, duplicate transactions of the cardholder, chargeback monitoring, percentage keyed vs. swiped, repeat or excessive authorizations, and merchant information changes.

Access Control

Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.

Removable Electronic Media

Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard drives.

Multi-Factor Authentication

Method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).

Ingress Filtering

Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.

Egress Filtering

Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.

Truncation

Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.

Cellular Technologies

Mobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS).

Why is it important to monitor merchant satisfaction?

Monitoring merchant processing patterns is essential to drive prompt and immediate action to service the needs of your customers and eliminate reason for risk-of-flight.

Why is understanding the intent of regulations important?

Most regulatory bodies leave the exact implementation of the regulations up to the assessor and/or the organization itself. Understanding the intent of each regulation will allow you to provide the merchant with a more economical and efficient way of reaching their security or compliance goals. Often a small amount of additional process or training can replace an expensive off-the-shelf product or application.

Security Protocols

Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to TLS, IPSEC, SSH, HTTPS, etc.

Private Network

Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers. See also Public Network.

Trusted Network

Network of an organization that is within the organization's ability to control or manage.

Wireless Networks

Network that connects computers without a physical connection to wires.

Untrusted Network

Network that is external to the networks belonging to an organization and which is out of the organization's ability to control or manage.

Is a personal guarantor always required?

No.

Does a PCI Level 4 Merchant need to undergo an onsite audit?

No. A PCI Level 4 merchant does not need to undergo an onsite audit, so a Self Assessment Questionnaire (SAQ) would be appropriate based on the type of business they do (and as defined by the acquirer).

Cardholder

Non-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card.

What are important questions to ask regarding the "payment environment"?

Number of transactions at peak, method of sale completion, third party usage (for taking orders or placing outbound calls), necessary speed of processing, type of IT Staff for merchant, internet speed, process inefficiencies, fraud protection tools needed, hardware/software in place, hardware/software functionality, desired hardware/software functionality, and budget for hardware/software changes.

Hosting Provider

Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of "shopping cart" options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.

Funding

Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch in total or less the discount fees charged.

Policy

Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.

What contact information must be on a merchant application?

Owner's or Principal's name and home address, alternate phone number, date of birth (DOB), and social security number, as a credit report will be obtained.

PED

PIN entry device.

What are some typical peripheral devices?

PIN pad, printer, check reader, contactless reader

What are the two types of debit card authorizations?

PIN-based and signature-based.

Default Password

Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account. Default accounts and passwords are published and well known, and therefore easily guessed.

What are some of the risks related to chargebacks?

Payment card fraud is estimated to cost the United States $8.6 billion per year. These losses are typically taken through unfunded chargebacks. However, many small business owners have limited awareness regarding chargeback rules and subsequent fines, which are not included in the number above. Unfortunately, chargebacks are a fact of life for most businesses.

How can you assess the risk related to the "financial strength of the business"?

Periodically checking the financial health of your merchant and watching trends in processing volume can help protect against unexpected financial loss. If the merchant is struggling to cover their costs of goods it is possible owed fees may be returned as NSF (non-sufficient funds). For a mid-sized restaurant, this could be thousands of dollars in fees left uncollectible by the acquirer. Risk mitigates may include daily discount, reduced processing volume or delayed funding.

With face-to-face transactions, why is the "financial strength of the business" an important risk factor?

Periodically checking the financial health of your merchant and watching trends in processing volume can help protect against unexpected financial loss. If the merchant is struggling to cover their costs of goods it is possible owed fees may be returned as NSF (non-sufficient funds). For a mid-sized restaurant, this could be thousands of dollars in fees left uncollectible by the acquirer. Risk mitigates may include daily discount, reduced processing volume or delayed funding.

Relative to merchant onboarding, what types of onboarding guidelines are typically in place?

Permitted, prohibited, and restricted.

Network Administrator

Personnel responsible for managing the network within an entity. Responsibilities typically include but are not limited to network security, installations, upgrades, maintenance and activity monitoring.

How can "smart cards" be used?

Physical card, over the internet, in mobile phones enabled with NFC, in ancillary devices such as key fobs, and integrated with loyalty, rewards and banking functionality, all local on the chip itself.

Installing on IP (Ethernet)

Plug one end of the Ethernet cable into the back of the terminal base and the other end into router/switch/hub/internal wiring - whatever is applicable to your location. Due to common communication issues, processing over IP is faster and eliminates most connection issues, except when downloading, which is recommended to take place on an Analog line.

What are the advantages of POS systems?

Point-of-Sale (POS) systems provide merchants with functionality that is more sophisticated than that available in the traditional terminal. Most POS systems are primarily developed and used for specific industries, such as the hospitality industry or the restaurant industry. When recommending or preparing to support an existing POS solution for your merchant, the following should be considered.

Separation of Duties

Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.

Security Officer

Primary person responsible for an entity's security-related matters.

Network Security Scan

Process by which an entity's systems are remotely checked for vulnerabilities through use of manual or automated tools. Security scans that include probing internal and external systems and reporting on services exposed to the network. Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.

Re-keying

Process of changing cryptographic keys. Periodic re-keying limits the amount of data encrypted by a single key.

Scoping

Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.

Hashing

Process of rendering cardholder data unreadable by converting data into a fixed-length message digest. Hashing is a one-way (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a "hash code" or "message digest"). A hash function should have the following properties: (1) It is computationally infeasible to determine the original input given only the hash code, (2) It is computationally infeasible to find two inputs that give the same hash code. In the context of PCI DSS, hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data include an input variable (for example, a "salt") to the hashing function to reduce or defeat the effectiveness of pre-computed rainbow table attacks (see Input Variable). For further guidance, refer to industry standards, such as current versions of NIST Special Publications 800-107 and 800-106, Federal Information Processing Standard (FIPS) 180-4 Secure Hash Standard (SHS), and FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.

Dual Control

Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)

Authentication

Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

Risk Analysis / Risk Assessment

Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Change Control

Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.

What types of regulations may be relevant to a particular merchant's cardholder data, overall regulatory environment, and the merchant's responsibility to those regulations?

Processing, storage and transmission of sensitive information, physical security, network security, monitoring, consumer harm protocol, licensing requirements based on vertical, proper policies and procedures, and the auditing and testing of all relevant elements.

Anti-Virus

Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called "malware") including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.

Information Security

Protection of information to ensure confidentiality, integrity, and availability.

What is not within the definition of "Personal Identifying Information"?

Publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

Input Variable

Random data string that is concatenated with source data before a one-way hash function is applied. Input variables can help reduce the effectiveness of rainbow table attacks. See also Hashing and Rainbow Tables.

DMZ

Refer to ASV Program Guide for more information. Data-Flow Diagram A diagram showing how data flows through an application, system, or network.

Public Network

Refer to ASV Program Guide for more information. Data-Flow Diagram A diagram showing how data flows through an application, system, or network.

Non-Console Access

Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.

In addition to Acquirer Standards, what else should be considered?

Regulatory Risk

What should never be used in place of proper merchant education and chargeback reduction?

Reserves should NEVER be used in place of proper merchant education and chargeback reduction.

What are the standard types of merchant accounts?

Retail, Restaurant, Mail Order/Telephone Order (MOTO) or Internet, Supermarket, and Lodging.

What should you look for when monitoring "Maximum ticket" reports?

Risk systems must monitor the average ticket and a maximum ticket. Transactions above the maximum ticket may be an indicator of misinformation during the application process, a change in the merchant product, cardholder fraud, a bust-out scheme, or perhaps collusion and should be reviewed and possibly investigated.

What is considered "Personal Identifying Information"?

SSN, Driver's License or State ID Number, account number (or credit/debit card number) combined with any security code, access code, PIN, or password.

What are the standard terminal functions?

Sale, void last sale, and credit refund.

What are some of the key factors to be evaluated by risk management, particularly during underwriting?

Sales volumes, transaction volumes, method of processing, previous processing history, inventory, credit history, payables history, debt, income and expected transaction processing volumes all should be evaluated and captured for future use by the risk management team or processing systems.

Console

Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.

Sensitive Authentication Data

Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.

Audit Trail

See Audit Log.

Log

See Audit Log.

Virtual Hypervisor

See Hypervisor.

Account Number

See Primary Account Number (PAN).

Dynamic Packet Filtering

See Stateful Inspection.

Magnetic-Stripe Data

See Track Data.

Security Policy

Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Operating System / OS

Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux and Unix.

Malicious Software / Malware

Software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner's data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.

Hypervisor

Software or firmware responsible for hosting and managing virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).

What are software, e-commerce, and card-not-present solutions?

Software, e-commerce and card-not-present (CNP) solutions range from those completely managed and supported by third-party providers to software installed and supported by the merchant.

What does "processing software" mean in the payments world?

Something as simple as a PC-based application loaded to a computer by CD to an enterprise-wide system integrated with supply chain management, marketing and financial systems.

Payment Processor

Sometimes referred to as "payment gateway" or "payment service provider (PSP)". Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.

What other considerations should be taken in place for technical training in regards to wireless solutions?

Special attention should be paid to the application in use, the swipe devices and the diagnostic tools available, including those from the application and hardware providers, not just the processor.

How can you differentiate between "noise" and opportunity?

Staying abreast of market developments by reading card industry trade magazines, blogs, RSS feeds and websites is almost a must-do for any payments professional. Further, depending on your vertical market strategy, you should utilize similar resources in order to understand the environment in which your merchant operates and how you can correlate the other needs to the payment space.

Database

Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.

Disk Encryption

Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.

Column-Level Database Encryption

Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database. Alternatively, see Disk Encryption or File-Level Encryption.

File-Level Encryption

Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.

File Integrity Monitoring

Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.

Entity

Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.

What is a common misconception about "face to face" transactions?

That there is no measurable risk to an acquirer when signing retail merchants. While the risk is reduced, there are instances when retail processing presents risk that the acquirer needs to anticipate and monitor.

What is the "Address Verification Service (AVS)"?

The Address Verification System (AVS) is a system used to verify the billing address assigned to a credit card. The system compares the credit card company's records for the billing address of the cardholder against user input at the time of sale. Merchant providers use the AVS code to determine if there is elevated risk associated with a mismatched transaction and if further diligence is required. Codes which cause the greatest concern are those where the merchant was unable to verify the cardholder's address, either partial or in full.

How may card brands respond to excessive chargeback rates?

The Card Brands may impose substantial financial penalties on processing banks that fail to reduce their merchants' excessive chargeback rates, providing another incentive to help ensure that merchants' chargeback rates are kept within acceptable limits.

Who typically assigns the "MCC" to a merchant?

The MCC is assigned by the acquiring bank or sales organization when a merchant initially begins accepting credit cards.

How is a MCC typically assigned?

The MCC is assigned to the merchant based on its primary business (i.e. Goods or services sold).

Virtual Machine Monitor (VMM)

The VMM is included with the hypervisor and is software that implements virtual machine hardware abstraction. It manages the system's processor, memory, and other resources to allocate what each guest operating system requires.

What does Visa's high risk merchant program require?

The Visa high risk merchant program requires merchant acquirers that support high risk merchants to register any merchant with specific MCC Codes.

How must an acquirer using Mastercard manage chargebacks?

The acquirer must notify MasterCard in a predetermined format. Fines begin at $25 per chargeback above the 1.5% in the second month and include a fine calculated by MasterCard.

Clearing and Settlement

The acquirer sends the batch transactions through the card brand, which debits/credits (if chargebacks and returns exceed sales for the day) the issuer for payment and credits/debits the acquirer. Essentially, the issuer pays the acquirer for the transaction.

Who typically sets "credit risk" policy for merchants?

The acquiring bank, who passes it down to the sales organization.

Who are the primary overseers that govern credit card acceptance?

The card brands (Visa, Mastercard, Amex, Discover)

Who is liable when a "Chip" card is used at "Chip" terminal?

The card issuer has "limited" liability, which means that not all instances of chip-on-chip transactions will result in full financial liability on the card issuer. For instance, fallback transactions—where chip-on-chip devices are used but the transaction is not processed using chip technology—will not always result in a card issuer being liable for all costs. The acquirer or merchant must notify the issuer of the fallback transaction and the issuer will only be liable if they approve it.

If the merchant is EMV certified with a chip-enabled POS terminal, and the customer pays with a chip-enabled card, and fraud still takes place, who will be liable for fraud?

The card issuer will be liable, much like today.

Who is liable when a "Non-Chip" card is used at "Chip" terminal?

The card issuer.

What is a PIN-based authorization?

The cardholder enters a 4-digit PIN number and the transaction is routed through a debit network, real time posted.

Authorization

The cardholder presents the card as payment to the merchant; merchant submits the transaction to the acquirer (acquiring bank) through the payment processor. The acquirer verifies the credit card number, the transaction type and the amount with the issuer (card-issuing bank) and reserves that amount of the cardholder's credit limit for the merchant by use of an authorization code. An authorization will generate an approval code, which follows the life of the transaction through the processing systems.

How long has the magnetic stripe been in existence?

The early 1960's.

If the merchant is EMV ready, but the financial institution card issuer has not supplied the customer with a chip-enabled card, who will be held liable for the costs of the fraudulent transaction?

The financial institution card issuer.

If a merchant is not EMV certified with a chip-enabled POS terminal, and a customer pays with a chip-enabled card, who will bear the liability for any resulting fraud?

The merchant (or its acquirer).

Who is liable when a "Chip" card is used at "Non Chip" terminal?

The merchant acquirer.

Why is it important to ask "How fast do the transactions need to be processed?"

The merchant may accept a minimal number of credit cards, but if the processing ties up resources, they may want a high-speed solution. Consider the impact of batch processing at night for MOTO merchants. Do they need real time authorizations, or is an internet-based secure processing solution that can store and process in a batch environment sufficient? Do they have a need to store cards for recurring billing, and what mechanism do they have in place to work with a suggested third party?

What is an integral resource for properly pricing and monitoring activity?

The merchant statement is an integral resource to properly price and monitor activity.

Who is responsible for providing all applicable documentation?

The merchant.

How should "Technical Support" be approached?

The payments professional should maintain contact with technical support to ensure the customer is receiving assistance during and after normal business hours. The payments professional may not always be able to be onsite, so an extension of the relationship is optimal to maintain trust and performance.

Secure Coding

The process of creating and implementing applications that are resistant to tampering and/or compromise.

Sampling

The process of selecting a cross-section of a group that is representative of the entire group. Sampling may be used by assessors to reduce overall testing efforts, when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.

Why is it important to understand these resources?

The process of supporting a merchant is no longer as simple as telling the merchant to call a single 1-800 number for support. The complexities of software systems, web environments and the various applications used by merchants mandate an understanding of the multiple touch points affecting the merchant and the responsibility of each touch point in supporting the merchant. The bullet points above are illustrative of many elements of support, but are not intended to be all inclusive.

How can you assess the risk related to "PIN debit transactions"?

The regulations for PIN debit and the PIN debit network rules allow for cardholder disputes in certain instances. You should be aware of these regulations and understand the potential impact on your business.

With face-to-face transactions, why is the "PIN debit transactions" an important risk factor?

The regulations for PIN debit and the PIN debit network rules allow for cardholder disputes in certain instances. You should be aware of these regulations and understand the potential impact on your business.

RFC 1918

The standard identified by the Internet Engineering Task Force (IETF) that defines the usage and appropriate address ranges for private (non-internet routable) networks.

Cryptoperiod

The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).

What are the industry pricing methodologies?

There are many pricing methodologies employed in the industry today. These can vary from tiered pricing and cost-plus (often referred to as interchange plus) to ERR or Billback pricing methods. Any of these methods may provide advantages to the merchant and to the acquirer and are often deployed on a merchant by merchant basis. A payments professional should be able to determine rather quickly what pricing method is being utilized on the merchant's statement, and be able to easily suggest and explain why a particular pricing method may be better for that particular merchant. An understanding of qualified, non-qualified, mid qualified, rewards, or discount rates and what downgrades mean from a pricing perspective is important. It is important to understand how a statement format that is different from your processor correlates to the statement presented by the merchant in order to ensure proposed pricing is accurately conveyed to the merchant. Along with the interchange pricing, the acquirer has the option of bundling all the various fees or listing them a la carte or as line items on the statement. Obviously, if the statement you are viewing is a la carte AND cost plus, your job is much easier, as you can compare line items against your billing items. When a statement has bundled pricing, it is important to consider your "all-in" costs in a bundled fashion against the merchant statement presented, even if you intend to move the merchant to an unbundled program.

How many types of "payment processors" are there? And what are they called?

There are two types of processors: front-end and back-end.

Why is it important to ask "What inefficiencies exist in the current processes?"

This question gives you the opportunity to provide a solution that not only fits their payments needs, but addresses inefficiencies of the existing processes.

What is the importance of asking "number of transactions processed along with peak transaction volume"?

This question is asked to help understand the technical throughput required for the merchant's processing volume. If you suggest a dial terminal and they process a hundred transactions a day, your merchant may not have enough throughput. Is a high-speed option a better choice? If thousands of transactions per day will be processed, do they need a more dedicated solution to the processor?

Why is it important to ask "What type of fraud protection tools might be required?"

This question, designed to ensure you have the appropriate solution, also provides you with an opportunity to educate the merchant and to understand what pain points they have so that you may build a solution to fit what they know and what they don't know.

What is a "Face to face" transaction?

Those where the cardholder is present, the card is able to be swiped or chip read (EMV cards), and authorizations take place in real time.

Service Code

Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

How does Visa manage excessive chargebacks?

Through their "Merchant Chargeback Monitoring Program" (MCMP). MCMP monitors chargeback levels for all merchants on a monthly basis. If a merchant reaches excessive chargeback rates within month, and 100 sales transactions (minimum), and 100 chargebacks (minimum), and 1% chargeback/sales ratio in month (equal to or greater than).

What is the ultimate reason for most payment regulations?

To help safeguard and protect the consumer from harm and the loss of their sensitive data.

What terminals are the most prevalent for small to mid-sized merchants?

Traditional terminals such as countertop, wireless, mobile, and Point-of-Sale are the most prevalent for processing for the small to midsized merchant. A variety of terminal applications are available for these devices including those specific for restaurant, hotel, retail, check card, Check21, and gift/loyalty.

Network

Two or more computers connected together via physical or wireless means.

Rootkit

Type of malicious software that, when installed without authorization, is able to conceal its presence and gain administrative control of a computer system.

Spyware

Type of malicious software that, when installed, intercepts or takes partial control of the user's computer without the user's consent.

Adware

Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.

How can you determine the best pricing fit for a merchant?

Understand, address and convey a cost benefit analysis of a recommended payments solution, given a particular merchant's payments processing needs.

What is the importance of understanding billing and funding?

Understanding how the customer is billed and funded is essential to identifying when expectations are falling below forecasted performance.

What is the importance of understanding the "payment environment"?

Understanding the payments processing environment is just as critical as understanding the variety of payment types. Selling a solution designed specifically for a merchant is the preferred method. Additionally, the differences between restaurants, hotels, e-commerce, MOTO or petroleum merchants are significant, and each requires individual solutions to meet their specific needs.

Where does understanding risk start?

Underwriting policy aligned with your corporate goals, the requirements of your acquirer and your financial strength.

Patch

Update to existing software to add functionality or to correct a defect.

Monitoring

Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.

Who are the secondary governors of the payments ecosystem?

Various U.S. federal regulators, e.g., OCC, FDIC, FFIEC, CFPB or the FTC.

What is the purpose of a site survey?

Verify the physical location address belonging to the business name provided.

Virtualization

Virtualization refers to the logical abstraction of computing resources from physical constraints. One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware. In addition to VMs, virtualization can be performed on many other computing resources, including applications, desktops, networks, and storage.

Where does Visa differ from MasterCard and American Express as it relates to liability?

Visa does not hold the merchant liable for lost/stolen card fraud.

How does Visa respond to excessive chargebacks?

Visa will notify the respective processing bank in writing. First notification of excessive chargebacks for a specific merchant is considered a warning. Visa imposes fines only if remedial actions do not result in a reduction of chargebacks (below the level listed above) within three months. Fines begin at $50 per chargeback in the 4th month and graduate up from there.

Cross-Site Request Forgery (CSRF)

Vulnerability that is created from insecure coding methods that allows for the execution of unwanted actions through an authenticated session. Often used in conjunction with XSS and/or SQL injection.

Buffer Overflow

Vulnerability that is created from insecure coding methods, where a program overruns the buffer's boundary and writes data to adjacent memory space. Buffer overflows are used by attackers to gain unauthorized access to systems or data.

Injection Flaws

Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system. This class of vulnerabilities includes SQL injection, LDAP injection, and XPath injection.

Cross-Site Scripting (XSS)

Vulnerability that is created from insecure coding techniques, resulting in improper input validation. Often used in conjunction with CSRF and/or SQL injection.

What are the three categories of "qualifying" questions?

What payment types or ancillary services need to be supported and/or are desired? What is the payment processing environment? What is the impact of change or addition of services on staff and support teams?

When do Payment Cards Industry (PCI) standards apply?

When an entity comes into contact with Primary Account Number (PAN).

How should compliance regulations be viewed?

While compliance regulations are a good place to start with regard to securing payment channels, they are generally considered "security minimums," and as such may not protect the business adequately.

Bluetooth

Wireless protocol using short-range communications technology to facilitate transmission of data over short distances.

How can you assess and mitigate the risks related to "data security"?

With the increase in merchants using point of sale systems (not just a terminal) comes an increase in the likelihood that you will experience a data breach at a retail merchant. Diligence should be used in ensuring software and hardware in use is PCI compliant and that your merchant follows proper procedures and guidelines for protecting cardholder data. If your merchant is breached and is found to be noncompliant, fines could be levied. If the merchant cannot afford to pay the fines, the acquirer/ISO is responsible. If the merchant cannot pay the fines and closes their business, non-receipt of goods/service chargebacks could become an unexpected loss to the portfolio.

With face-to-face transactions, why is "data security" an important risk factor?

With the increase in merchants using point of sale systems (not just a terminal) comes an increase in the likelihood that you will experience a data breach at a retail merchant. Diligence should be used in ensuring software and hardware in use is PCI compliant and that your merchant follows proper procedures and guidelines for protecting cardholder data. If your merchant is breached and is found to be noncompliant, fines could be levied. If the merchant cannot afford to pay the fines, the acquirer/ISO is responsible. If the merchant cannot pay the fines and closes their business, non-receipt of goods/service chargebacks could become an unexpected loss to the portfolio.

Must Cardholder Storage and PCI-DSS questions be answered?

Yes.

How does merchant risk level relate to enhanced due diligence?

You are typically able to support merchants under the permitted category with less stringent underwriting, and minimal restrictions. Restricted merchants can be on-boarded with enhanced due diligence controls (examples are: volume restrictions, reserves, additional financial guarantees) in place. Prohibited merchant types are prohibited by the acquirer and may not be solicited.

Why is it important to ask "What type of IT staff is available for the merchant?"

You may be able to provide a comprehensive processing solution that ties inventory, accounting, payments processing and customer services into a seamless package. However, if the merchant does not have the ability to integrate their components or the staff to manage the solution, perhaps a more streamlined solution is in order. On the other hand, if the merchant has an in-house IT staff it is important to understand their capabilities and willingness to support outside solutions. Take the time to communicate up front to ensure your solution works for their environment.

Why is regulatory knowledge important?

You must be able to present regulations in a clear and organized manner to the merchant.

payments processor

a company (often a third party) appointed by a merchant to handle payment card transactions for acquiring banks.

service provider (a.k.a. "Merchant Service Provider", "MSP")

a company or organization that provides transaction processing solutions to merchants; any sales office that offers payment services to merchants.

wireless terminal

a device that processes transactions with a debit or a credit card via a cellular (wireless) data network, typically powered by battery pack.

Point of Sale (POS) terminal

a device that processes transactions with a debit or a credit card, via a telephone line or Internet connection, typically powered by a power cord.

IP Terminal

a landline terminal that does the same thing as a dial terminal, except that the terminal communicates transaction information to the frontend platform and receives authorization instructions by utilizing the merchant's connection to the internet.

EMV Terminal

a landline terminal that has the ability to take cardholder data from a chip embedded within the card, communicate transaction information to the frontend platform and receive authorization instructions by utilizing the merchant's phone line or Internet connection.

What is a gift/loyalty program?

a magnetic-stripe or smart (chip) card that replaces traditional paper gift certificates. The program is based on gift card usage that generates points in exchange for products and services.

What are checks (in the context of merchant processing)?

a negotiable paper document drawn against deposited funds exchanged with a merchant for payment of products or services.

Card brand

a network of issuing banks and acquiring banks that processes brand-specific payments. The best known card brands are Visa, MasterCard, American Express, Discover, JCB and China UnionPay.

Virtual Terminal

a payment gateway service provider allowing merchants to accept credit card and electronic check payments through their website over an IP (Internet Protocol) connection.

Internet solution

a processing method using a secure web server that provides an interface for merchant websites and shopping carts that require realtime transaction processing. Depending on the merchant's software they can connect to a frontend via either an SSL server or payment gateway to get a realtime credit card authorization.

On a merchant statement, what is in the Deposit Item Summary?

a summary of the month's transactions

What is a signature-based authorization?

a transaction is routed through the credit networks.

What is important to understand about third parties?

a working knowledge of third party risk mitigation, as well as the card brand specific approved service provider listings. Remember, in the payments system each entity is responsible, regardless of contractual agreements, for the actions of their 3rd parties. For example, a bank that contracts with an ISO must ensure the ISO performs all duties within the boundaries of the card brands' regulations as well as the various governmental organizations mentioned previously.

Back-end processors

accept settlements from front-end processors and, via The Federal Reserve Bank, move the money from the issuing bank to the merchant bank.

Mobile solution

allows a merchant to accept credit cards using a cell phone with or without a card swipe mechanism.

What is a credit card (in the context of merchant processing)?

allows the cardholder to buy goods and services based on the cardholder's promise to pay for these goods and services at a later date. The card issuer creates a revolving account and grants a line of credit to the cardholder from which the user can borrow money to pay a merchant or use as a cash advance. Examples include Visa or MasterCard credit cards issued by a bank and attached to a line of credit.

What is a debit card?

an ATM bankcard, also known as a check card, that allows a merchant to deduct money directly from a consumer's bank account. The use of a true debit card requires the cardholder to enter a PIN to complete the transaction.

Restaurant

an eating establishment where food and drink are being sold to customers

PIN pad

an electronic device used in a debit or smart card-based transaction to input and encrypt the cardholder's PIN (personal identification number). The PIN pad is required so that the customer's card can be accessed and the PIN can be securely entered and encrypted before it is sent to the transaction manager of the switch or the bank.

Cardholder

an end user or consumer.

Chargeback

an event in which money in a merchant account is held due to a dispute relating to the transaction. Chargebacks are initiated by the cardholder or the issuing bank. In the event of a chargeback, the issuer returns the transaction to the acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it.

Independent Sales Organization (ISO)

an organization or individual that is registered with a card brand (Visa or MasterCard) and has a payment card relationship with an acquirer or issuer to perform functions on behalf of the acquirer or issuer (i.e., the ISO soliciting merchant accounts, arranging for terminal purchases or leases, providing customer service, and soliciting cardholders). Examples of ISOs include Total Merchant Services and North American Bankcard.

What should you consider when evaluating "merchant information changes"?

another area to monitor is when merchants change checking accounts, contact information, or websites. It is important to understand why the changes are being made, how often, who is authorizing the changes, and what impact the changes might have on the business.

card issuer

any banking institution that provides credit or debit cards to a consumer. Examples of card issuers include Chase, Capital One, Bank of America and credit unions.

Merchant

any business that accepts credit or debit cards for payment in exchange for goods or services. Examples include Amazon, Target and Best Buy.

Contactless reader

any pocket sized card with embedded integrated circuits that can process and store data and communicate with a terminal via radio waves.

Card Not Present (CNP) Transactions

any transaction where the card cannot be physically processed. These may be where the mag stripe cannot be read, the chip cannot be read, mail or telephone order (MOTO), e-commerce or recurring transactions (where the first sale was not card present).

QSA

are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.

NMAP

based on their user rights, and accounting for a user's consumption of network resources.

What are the most common issues with merchants?

billing, funding, account maintenance and technical issues.

What business information must be on a merchant application?

business name (DBA), physical location address, business telephone number and Tax Identification Number (TIN)/ Employer Identification Number (EIN).

What are some common maintenance occurrences?

cancellation requests, sales partner complaints (opportunity to improve one-on-one relationship), request to review and amend rates and fees, ownership changes (opportunity for retention, which would require a new merchant application to be signed by the new owner).

Who are the participants and stakeholders with completing a payment transaction?

cardholder, card issuer, acquiring bank, payments processor (both front and back end), merchant, card brand, independent sales organization, and the Merchant Service Provider.

mobile payment solution

consists of a device and software application (typically a smart phone application and card reader) that process transactions with a debit or a credit card via a cellular (wireless) data network. Examples include Payment Jack and Square.

On a merchant statement, what is in the deposit information?

daily account of the month's transaction information

On a merchant statement, what is in the "surcharges" information?

downgraded transactions. These include: descriptions, items, and fees per each downgrade type.

What is EBT?

electronic acceptance of government benefits (e.g., food stamps and/or cash). These cards are generally accepted at grocery stores.

PIN Pads / PIN Entry Devices (PEDs)

electronic devices used in debit or smart card-based transactions to input and encrypt the cardholder's Personal Identification Number (PIN).

Printer

ensures that both the merchant and the customer receive copies of the receipt and that the merchant can print their reports.

What should you consider when evaluating "repeat or excessive authorizations"?

evaluate authorization logs to help determine whether your merchant has software problems that cause repeated authorizations or whether your merchant is being targeted by a fraudster seeking to find good card numbers. Monitoring excessive authorizations is also a way to help your merchant avoid brand fees associated with non-settled transactions.

Sale

for a sale, swipe the customer card or manually enter the credit card number, input sale amount, then press enter. The terminal will then transmit information through the network for approval, and a merchant receipt will be printed.

Front-end processors

have connections to various card issuers and supply authorization and capture services to the acquiring banks' merchants.

What should you look for when evaluating the "average ticket of the merchant"?

if the application shows a $30 average ticket and you see an average ticket of $400, you should investigate to ensure they are selling what the application stated. Alternately, it could be a fraudulent cardholder transaction.

acquiring bank (or acquirer)

is the bank or financial institution that processes credit and/or debit card payments for a merchant. Examples of acquirers include HSBC and Wells Fargo.

Supermarket

large self-service retail store selling food and household goods

On a merchant statement, what is in the header information?

merchant's business information

What should you consider when evaluating "Large dollar or excessive credits"?

monitoring credits is a good way to gauge the satisfaction of your merchant's customer with the products and/or services sold. Excessive credits may indicate money problems at your merchant. Large dollar credits may be an indicator of a merchant utilizing the card schemes to layer money amongst their various accounts. It is required that all credits have an offsetting sale. Credits without an offsetting sale may be an indicator of employee theft, merchant system hack, or a fraudulent merchant. Frequent credits for large amounts may be an indicator of money laundering.

What should you look for when monitoring "Percentage keyed vs. swiped" activity?

monitoring the percentage of swiped transactions vs. keyed transactions is a simple way to tell whether your merchant has shifted from retail to MOTO (mail or telephone order) or internet. If you see more keyed transactions than indicated and subsequently approved on the application, you should talk with your merchant to understand why transactions are being keyed. Increased key-entered transactions may also be an indicator of factoring or money laundering where the cards are not present.

What are the 5 categories of technologies and products in the payment processing realm?

❍ Card technologies
❍ Processing hardware
❍ Processing software
❍ Communications technologies
❍ Value added programs

Penetration Test

points, network appliances, and other security appliances. Network Diagram A diagram showing system components and connections within a networked environment.

What does "value added programs" mean in the payments world?

programs that provide your merchant with operating efficiencies as well as programs that surround the consumer experience with the merchant. While many of these are not part of the actual card processing solution, the importance of the impact of these types of solutions cannot be underestimated. When considering the following, do so with an understanding of the consumer experience, the merchant benefits, integration requirements, and back office support and associated reporting for each mechanism:

Wireless terminal

provides the ideal solution for businesses seeking the most effective way to complete credit card transactions offsite. Most wireless credit card terminals support credit and debit transactions and are equipped with an internal PIN pad. Wireless terminals can be used on the countertop or in a mobile environment.

Lodging

sleeping accommodations, furnished rooms to rent for the night

Landline terminal

the card is swiped through a magnetic strip on the terminal, which connects to the processor's computer.

On a merchant statement, what is in the "Settlement/Discount" information?

the month's transactions sorted by card type and fees associated

Retail

the selling of goods directly to the customer; face-to-face transaction

Why should account maintenance requests be monitored?

they are the first alert of an opportunity to further assist the customer and optimize account performance for increased revenue.

What is "Check 21" (in the context of merchant processing)?

this is the process of capturing a check at the point of entry (can be point of sale scanner or a picture on a mobile phone). The check image is transmitted to the issuer and paid through the settlement process.

What is a "check guarantee"?

this is the process of issuing approval codes for check acceptance for merchants. With Check Guarantee, if a check is returned to a merchant for any reason and they followed the proper acceptance procedures, they are automatically credited for the 'bad' check and collection efforts are pursued directly with the check writer. While this process is better than regular check verification, the cost is higher.

What is "check verification"?

this is the process of issuing verification codes for check acceptance for merchants. With Check Verification, if a check is returned to a merchant, they are typically not reimbursed by the processor. Collection efforts will be made on behalf of the merchant at an additional cost; however, there is no 'guarantee' of payment on uncollected items. Therefore, this service is less expensive than Check Guarantee.

What is an "ACH Debit" (in the context of merchant processing)?

this is the process whereby the consumer gives a pre-approval to have funds debited from either their checking or savings account. This is not a real-time transaction and can be subject to non-sufficient funds rejection.

Credit refund

to credit a refund, press the screen button next to refund, swipe the customer card, input return amount, press enter, and print merchant receipt.

Void last sale

to void the last sale, press the screen button next to void, choose last, verify transaction information on the display screen, then press enter. The transaction will be voided and a receipt showing the void will be printed.

How does merchant fraud prevention start?

with underwriting and evaluating the merchant application. Underwriting is more than simply checking the credit history of the owner and long term viability of the business. You are underwriting the product and/or service sold as well as the merchant's current and future ability to sell goods and services and to subsequently support the products sold.

What are some elements of Retail or card present gateway solutions?

❍ Software as a Service (SAAS)

