In recent years, the electronic payments industry has become highly regulated, which only makes sense given that it manages and transmits sensitive personal and financial data. The purpose of the imposed regulations is to protect all parties in the electronic payments chain (i.e., cardholders, merchants, processors and banks) from breaches that can result in identity theft and fraud. CMS makes it a priority to maintain the highest level of security measures and controls to protect sensitive data, and we are diligent in remaining compliant with all government and industry regulations.
We strive to assist all of our merchants to do the same. The CMS Security & Compliance Center provides you with resources to help you maintain strong security controls as well. We believe knowledge is power. Look around and learn how you can ensure a safer experience.
Card Brand Compliance
Please see the below links for the latest Visa and MasterCard rules and regulations:
Merchant Learning Center
Merchant Operating Regulations
Individuals seeking to steal credit/debit card data are increasingly targeting point-of-sale terminals and computer equipment. They will either replace your existing equipment with an identical-looking machine or insert micro readers into your equipment that skim or copy cardholder data and even PINs, which they then use themselves or sell to fraud rings.
Below are some tips to help protect you from such tactics:
TERMINAL OR EQUIPMENT PROTECTION
- Verify and track all service and repair technicians that handle your point-of-sale equipment.
- Make a record of the serial numbers on your equipment and inspect your equipment on a regular basis to confirm the serial numbers haven’t changed and ensure there are no signs of tampering.
- Ensure that your point-of-sale zone has security cameras to record all activity.
- Periodically inspect your countertop or point-of-sale area for hidden recording devices.
- Utilize security cables or some type of tether to prevent your equipment from being exchanged.
- Train your staff to be aware of strange behavior from customers (as well as other employees). Breaches are often the result of employee abuse.
PAYMENT GATEWAY OR SOFTWARE PROTECTION
- Ensure your provider maintains valid SSL certificates and is PCI DSS Level 1 compliant.
- Disable remote access from the Internet.
- Ensure you are using the most current version of the software or gateway.
- Always change the system default passwords.
- Restrict access to as few employees as possible.
- Enable data encryption and login features.
- Implement a hardware-based firewall with advanced security features.
Keeping your computer and network safe is one of the most important steps in protecting sensitive information. Using the resources provided here can help you keep your system up to date and your digital resources safe.
Protecting your computer
Protecting your Identity
If you don’t currently have Anti-Virus and Anti-Malware software on your computer, we recommend installing a free product from each category:
Vulnerability scanning is a method of scanning your computer and/or network for vulnerabilities, including unpatched operating systems, programs, open ports, and many other flaws in a system.
- Secunia Online Software Inspector: Fast, easy web-based scanner.
- OpenVAS: Full-featured, programmable, open-source vulnerability scanning.
Malware is short for malicious software. It is any software designed to secretly access a computer without the owner’s consent. Malware includes viruses, trojans, worms, spyware, adware, rootkits, crimeware, and any other hostile, intrusive, or annoying software or code.
- Malwarebytes’ Anti-Malware: Powerful malware removal scanner
- Spybot Search & Destroy: Spyware and Malware removal with real-time protection
- SUPERAntiSpyware: Powerful Spyware and Malware removal (Recommended only if above two fail to remove malware and spyware)
Real-Time Virus Scans
A computer virus is a malicious program that can copy itself and infect other computers, similar to a natural virus. Computers connected to networks and the Internet are all prime targets for virus attacks.
- Avast! Anti-Virus: Powerful, lightweight Anti-Virus
- AVG Anti-Virus: Full Featured Anti-Virus
- Microsoft Security Essentials: Powerful Microsoft-based real-time scanner
* Complete Merchant Solutions is NOT responsible for your computer security, data integrity, or software. Use of any software or information found on this page is your own responsibility. Complete Merchant Solutions shall not be liable for any data loss, system failure, data corruption, inadequate protection, identity fraud, infections, hacking, or any other form of malicious issues.
What is PCI DSS?
PCI DSS stands for ‘Payment Card Industry Data Security Standard’. This is a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council (an industry body made up of organizations such as Visa, MasterCard, American Express, Discover, etc.) requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards.
Get a copy of the PCI DSS. It should be noted that this site gives Merchants additional tools and advice to help them deal with the requirements of the PCI DSS.
What is a Data Compromise?
A data compromise or breach occurs when cardholder data has been lost or stolen. The most common breaches occur by:
- Theft of property that contained cardholder data
- Stolen laptops or computer files
- Missing or stolen reports that may contain cardholder data
- Theft of cardholder data by an employee
How You Can Protect Yourself
As a business, your customers and employees trust you with sensitive information. Learn more about what you can do to keep their data safe by visiting the FAQ section or contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance.
Step 1 Determine Your Level
| Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire (SAQ) | Network Vulnerability Scan |
|---|---|---|---|---|
| Level 1 | At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | Required Annually | Not Applicable | Required Quarterly |
| Level 2 | 1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | At Merchant Discretion* | Required Annually* | Required Quarterly |
| Level 3 | 20K to 1 million ecommerce transactions annually from any acceptance channel for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |
| Level 4 | Less than 20k ecommerce transactions annually or less than 1 million transactions from any acceptance channel for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |
* Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
| Service Provider Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
|---|---|---|---|---|
| Level 1 | More than 300,000 transactions annually for Visa or MC | Required Annually | Not Applicable | Required Quarterly |
| Level 2 | 300,000 or fewer transactions annually for Visa or MC | Not Applicable | Required Annually (SAQ D) | Required Quarterly |
Step 2 Identify your validation type, determine which Self-Assessment Questionnaire is appropriate for your business, and complete the SAQ
| SAQ Validation Type | Description | SAQ |
|---|---|---|
| Type 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| Type 2 | Imprint-only merchants with no cardholder data storage | B |
| Type 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| Type 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C |
| Type 5 | All other merchants (not included in the descriptions for SAQs A to C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D |
Step 3 Complete and obtain evidence of passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
It is required for Validation Types 4 and 5, that is, merchants with external-facing IP addresses.
Please contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance in obtaining a passing vulnerability scan or for general inquiries.
On January 1, 2011, the IRS enacted section 6050W, an amendment to the Federal Housing Assistance Tax Act of 2008. This IRS mandate requires all merchant service providers to validate the legal name and Tax Identification Number (TIN) for every merchant in their portfolio, and report to the IRS all annual revenues associated with these accounts. At the onset of 2012 and each year thereafter, merchants will receive form 1099-K reporting their total gross sales of credit card transactions for the previous year.
How does 6050W affect me?
Section 6050W of the IRS Code requires reporting of all payment card and third party network transactions. Reporting entities will be required to file an annual information return with the IRS and provide all merchants with form 1099-K, reporting monthly and annual gross sales. To comply with this new law, it is critical that we have your correct taxpayer ID number (TIN) and business tax filing name. For additional details regarding this reporting and the validation of your tax information, contact us at 1-877-267-4324.
What happens if I do not provide the requested information?
As an IRS requirement, effective 2013, merchants who have not provided their correct and matching Tax Identification Number (TIN) will incur a 28% withholding tax on their gross credit card sales for the previous year (2012). The 28% withholding tax will be held by our Sponsor Bank(s) and released only when the IRS gives notice to do so or, if the information is not rectified, ultimately submitted to the IRS. CMS has no access to or control over these withheld funds. CMS has attempted and will continue to attempt to reach each merchant to verify this information, but it is ultimately the merchant’s responsibility to furnish the required information to avoid backup withholding tax and/or penalties.
To correct missing or unmatched Tax ID information, call CMS Customer Service at 1-877-267-4324.