Service Providers

The definition for a service provider is a business entity directly involved in the processing, storage, or transmission of transaction data or cardholder data on behalf of another merchant or service provider. Service providers also include companies that provide services which control or could impact the security of cardholder data. Examples may include providers of…

Card Processing – Settlement

The final step in the payment process is settlement. The merchant’s bank pays the merchant for the cardholder purchase and the cardholder’s bank bills the cardholder. This step in the process is usually complete within two days or less in North America and may vary in other countries. The process includes: The issuer determines the…

Card Processing – Clearing

In the clearing process, the acquirer and issuer need to exchange purchase information to complete the transaction. This process usually occurs within one day in North America and may vary in other countries. The process includes: The acquirer sends purchase information to the payment brand network. The payment brand network sends purchase information to the…

Card Processing – Authorization

At the time of purchase, the merchant requests and receives authorization to allow the purchase to be conducted, and an authorization code is provided. The process includes: The cardholder swipes or dips card at the merchant location. The acquirer (merchant’s bank) asks the payment brand network to determine the issuer (cardholder’s bank). The payment brand…

Common Acquirer Responsibilities

Acquirers, including those payment brands who are acquirers, are ultimately responsible for their merchants’ compliance, and this is very important to remember. It is ultimately up to a merchant’s acquirer, processor, or whatever name they carry, to ensure their merchants are compliant. The acquirers must report back to each of the payment brands on their…

Common Payment Industry Terminology

The cardholder is the person that actually has the payment card. They are going to purchase goods either through a “Card-Present”, or a “Card Not Present” transaction. The issuer is the bank or other organization that issues that payment card on behalf of the payment brand or directly by the payment brand. Visa and MasterCard…

PCI Standards

Now let’s look at these standards in more detail. PCI DSS covers security of the environments that store, process, or transmit account data. The scope of PCI DSS covers environments receiving account data from payment applications and other sources – acquirers, for example. PCI PA-DSS covers secure payment applications to support PCI DSS compliance. The…

What is PCI SSC?

The PCI Security Standards Council or “PCI SSC” is an independent industry standards body that develops and manages the payment card industry security standards on a global basis. The PCI SSC consists of five founding payment brand members: Visa, Inc.; Discover Financial; American Express; MasterCard Worldwide; and JCB International. They maintain a very high level of…

How is Payment Data Monetized?

Attackers have developed complex and successful methods to monetize the stolen card data once it’s been captured. Stolen payment card values are often warehoused and sold wholesale to other criminals who each have their own fraud network. Common methods for monetizing stolen card data: -Skimmed full track data and transaction information used to replicate a…

Payment Card Data is a Target

Payment card data is a very desirable target for criminals. According to the 2013 Verizon Data Breach Investigation Report, payment cards have consistently been at the top of the list for the most often stolen data type since their studies into breach investigations began. The methods used to extract data are often combined to exploit security weaknesses…