
Credit Cards

The buzzword in the credit card processing industry today is PCI Compliance. This affects every business on the planet and is a new standard to help protect credit card and other personal financial data from unauthorized use. This document has been created to help you understand and prepare for the critical changes that will soon affect you.

Compatible Credit Card Companies

Advantage Route Systems wants to help you protect your customers. We have developed a program within Route Manager that will allow you to give your customers the reassurance that their credit card information is secure. We work with a variety of credit card companies that are PCI Compliant. A list of these companies is available from ARS.

PCI Compliance

Overview

This document provides useful information about credit card processing and the data you store in your system. If you have been contacted by your bank or credit card processor, then you already know that this is critical to your business if you take credit cards today. We will share helpful background information, what you need to do, and the Advantage Route Systems strategy for becoming compliant and safeguarding your ability to continue to take credit cards in 2011.
The sections of this document:
  1. Some Background
  2. Our strategy
  3. Our timeline
  4. On the desktop
  5. On paper
  6. Using Handhelds and taking credit cards

What does PCI compliance mean to you?

Some Background

In December of 2007, TJX, parent company of TJ Maxx and Marshalls, alerted authorities that more than 45 million consumer records had been stolen by data thieves. Since then, TJX has spent more than $20 million on investigation, consumer notification, and an expert legal team to protect it against the multitude of lawsuits the breach generated.
Since 2005, more than 80 percent of unauthorized access to card data has involved small merchants. According to Visa, these businesses account for 85 percent of the seven million locations nationwide that accept plastic. This can be attributed to neglect in upholding necessary security measures.
Data theft has become a serious threat in today’s business world. As more people use plastic to pay for services and goods, the risk continues to grow. Yet countless professionals, retail shops, restaurateurs, and Internet merchants are ill prepared to safeguard people’s personal data and credit card information. As a result, stories of breached systems and stolen data like the TJX case are becoming more commonplace. Consequently, business owners are facing steep and sometimes crippling fines from processing authorities who have no choice but to take a stand.
“When a consumer makes an electronic purchase, they trust the merchant to securely complete the transaction without compromising their financial security,” states Derek Fisher, PCI Compliance Specialist for FrontStream Payments.
Recognizing how severely at risk this trust is, Visa and MasterCard have now established a Security Standards Council that has identified Payment Card Industry (PCI) requirements each merchant must meet to certify compliance. All merchants (regardless of business size) are required to adopt the security standards established by the PCI to prevent account information from falling into the wrong hands. It is common for merchants to be provided with inadequate or erroneous information regarding this important issue and many are not even aware that these standards exist. Nevertheless, security requires vigilance and most security breaches can be prevented.
Adopting these standards can be relatively easy. Visa and MasterCard now require the following from merchants who process their cards:
Build and Maintain a Secure Network:
  • Install and maintain a firewall configuration to protect data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data:
  • Protect stored data.
  • Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program:
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
Implement Strong Access Control Measures:
  • Restrict access to data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
Regularly Monitor and Test Networks:
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
Maintain an Information Security Policy:
  • Maintain a policy that addresses information security.
These steps can easily be met through the help of a qualified service provider. Not only should your merchant services provider be assisting you with your annual compliance review, but they are required to enforce compliance and report your participation.
Many of these providers are also using leading edge technologies to help merchants and their software providers avoid the direct handling of cardholder data. One such technology is called “tokenization”. This process is gaining traction within the payments industry as a way to strengthen the security of a credit card transaction, while also minimizing the cost to a merchant and/or software company of fully meeting PCI compliance standards within their technology platform. The process generates a unique token that replaces the sensitive information. The token is tied to an individual card, so recurring billing and authentication can occur again at a later date, but it is a unique string of alphanumeric characters and symbols that stands in for the data needed to carry each transaction to completion. When card data is swiped or keyed in, the number is encrypted immediately and the token replaces it throughout the rest of the processing flow, ensuring sensitive data is never present in the merchant’s IT environment.
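The following is an added example, not Advantage Route Systems code or any vendor’s API: a toy model of the tokenization flow described above. The hypothetical TokenVault stands in for the payment provider and is the only place the card number (PAN) lives; the merchant record keeps just the token, the last four digits and the expiry, and the same card always maps to the same token so later recurring charges can reuse it.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check; screens out typos only."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(pan) >= 13 and total % 10 == 0


class TokenVault:
    """Hypothetical provider-side tokenization service: the only place the PAN lives.

    A real vault encrypts PANs at rest and runs outside the merchant's network;
    a plain dict is used here only to keep the model short.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:       # same card -> same token, so recurring
            return self._token_by_pan[pan]  # billing can reuse it later
        token = "tok_" + secrets.token_urlsafe(24)  # random: reveals nothing about the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def authorize(self, token: str, amount_cents: int) -> dict:
        """The provider resolves the token internally; the merchant never sees the PAN."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # Issuer authorization would happen here; modelled as approving any positive amount.
        return {"approved": amount_cents > 0, "last4": pan[-4:]}


def store_card_on_file(vault: TokenVault, raw_pan: str, expiry: str) -> dict:
    """What the merchant database may hold: token, last four and expiry, no PAN."""
    digits = re.sub(r"\D", "", raw_pan)
    return {"token": vault.tokenize(digits), "last4": digits[-4:], "expiry": expiry}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number (a commonly used test PAN), not a real card.
    record = store_card_on_file(vault, "4111 1111 1111 1111", "12/26")
    print("merchant record:", record)
    print("charge result:", vault.authorize(record["token"], 1999))
```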
Although many such technologies are emerging in the marketplace, only a few providers use end-to-end encryption to ensure the process happens completely independently of the merchant’s system. Fewer still have taken the lead in creating even more robust proprietary tokenization technologies that integrate seamlessly with their merchant account products, thereby providing a 100% compliant, convenient and secure packaged solution to help their merchants achieve and sustain regulatory compliance.
This solution merges the payment gateway (a platform that acts as a virtual gatekeeper to safely receive, store and process customer transactions), the input device or software, and a robust merchant account technology into an affordable and fully compliant processing solution. State-of-the-art tokenization methods are “built in” without compromising existing speed or convenience for the merchant or their customer. Transaction history and cardholder information are kept safe, but critical accounting data and batch history are still readily available through an easy to use and accessible web portal.
As the realities of PCI compliance continue to emerge into the mainstream business world, merchants of all types are beginning to realize the importance of addressing this requirement sooner versus later. As a result, they are evaluating their current processing relationships and seeking education and referrals through member associations and/or their software providers. Many business owners see how critical this business decision is and fully appreciate the value and peace of mind associated with avoiding compliance fines and penalties, or worse yet, an unexpected security breach.
Many payment providers stand ready to offer best fit technologies to help merchants not only do business in this new regulation intensive processing environment, but also take pride in providing their customers with a processing environment they can entrust to protect their private information.

Our Strategy

ARS is committed to PCI compliant storage of credit card and other financial data on both the desktop and the handheld. For the desktop, this means compliance at any web site we are associated with (e.g. eStoreFront) and in the back-end system (Route Manager). We will only co-exist with systems that use a token-based method to store data. We will encourage our customers to become, and stay, PCI compliant in their offices.
We will make our customers aware of the industry tools available to them to likewise protect their customers’ private information. We will only partner with companies that have the same standards and customer interests in mind.

Our Timeline

Not only is it important for us to have a clear strategy to safeguard your data, but it is important that we do it in a timely manner. Many of you have been presented with deadlines from your credit card processor indicating that you must comply or be terminated from your services with them.
Realizing this, we now have both RM2000 and RMA compliant and ready to use the token-based system. We also have tools available to you to convert your current data from any ‘old’ method to a token-based system. We have several vendors who will work with you to make this change.
Beginning with Series 6 RMA, you will only be allowed to store credit card information using this method. All existing credit card data will be lost from your RMA system. This means that in February 2011 you must select a credit card vendor who will store your data using this secure method. If you currently store credit card data in RMA and do not do this, you will not be able to move to Series 6.
For RM2000 users, we have the same deadline. From RM2000 Version 11.5 onward, you will not be able to use credit card processing programs that do not use the token method of data storage. We expect to release Version 11.5 in March of 2011, and it will only work with token-based suppliers.

On the Desktop

In the fall of 2010, Advantage Route Systems began to make the transition from a credit card number based storage system to the storage of tokens in its software. This means that you will not have any credit card numbers stored in any of your local databases. Even though this information has always been encrypted, there are too many printouts and temporary files that could have non-encrypted data on them to ever be PCI compliant. That is why in early 2010, we began the move to only store tokens in the software. Through all versions of the Series 5, you have the option of storing card numbers or tokens. However, in Series 6 of RMA we will only store tokens. With RM2000, the story is the same. In Version 11.5 and later you can only store tokens.
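The paragraph above notes that printouts and temporary files can hold unencrypted card numbers even when the database itself is encrypted. As an added example (not Advantage Route Systems code), the check below scans text from such files for anything that looks like a card number, confirms each candidate with the Luhn check digit so invoice and phone numbers are not flagged, and reports hits masked so the report does not become another copy of the number. The sample receipt is constructed for the example.

```python
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: weeds out invoice numbers, phone numbers and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, which PCI allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """Return one finding per Luhn-valid 13-19 digit run, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask(digits)})
    return findings


# Constructed sample: a delivery receipt as it might sit in a print spool or temp file.
# The card number is a commonly used test PAN, not a real card.
SAMPLE_RECEIPT = """\
Route 12  Stop 7   Invoice 0004521987
Customer: Example Water Co.
Payment: Visa 4111 1111 1111 1111 exp 12/26  approved
Phone: 209-632-1122
Token on file: tok_3f9b2c7d
"""

if __name__ == "__main__":
    for finding in find_pans(SAMPLE_RECEIPT):
        print(f"line {finding['line']}: possible card number {finding['masked']}")
```

Run it against the text of spool files, report exports and temp directories before upgrading; any hit is data that should not be there once only tokens are stored.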
To help you migrate to this new method, there are several steps:
  1. Talk to your bank or current credit card processor about your options.
  2. Decide on a plan to migrate to the use of tokens.
  3. Use our tools to migrate your existing data to tokens.
  4. Upgrade your RMA or RM2000 software as needed to use the tokens.
  5. Run a test to make sure that it works properly.
  6. Implement it into your live area.
As you journey down this road, feel free to contact us or ARS support. We can point you in the right direction as to which processors allow you to store tokens, and who might be able to help you. Note that some different rules apply if you are in Canada.
Once you make the transition, the day-to-day processing is about the same. You can still generate credit card payments, they will still be applied in Route Manager, and you can even get an expiring credit card report. There are a few things that you will need to get used to. Even though it is slightly limiting, it does protect you and your customers!

On Paper

Even paper records are subject to PCI rules for storage. You need to keep important documents under lock and key so that access is limited. If you provide a document for your customers that will let them ‘sign up’ for credit card processing and have card numbers and other relevant information on it, then you need to safeguard these items as well. If you are not sure what to do with a piece of paper, shred it!
Be careful what you do with your garbage! Thieves love to harvest credit card data from unlocked trash bins. Make sure that print-outs, receipt copies and any other piece of paper that could have credit card data on it is shredded before you throw it away. One slip could cost you many thousands of dollars in grief and resources.

On the Handheld

Some of you may wish to collect credit card payments at the time you make a delivery in the field. With the proper equipment and connections, it is possible. This section describes all of the components that you will need.
Collecting credit card payments in the field requires the following:
  1. A handheld computer.
  2. A magnetic card (or smart card) reader.
  3. Connection to a live network (GPRS, CDMA, GSM).
  4. Access to a credit card processing gateway.
  5. Software to glue all of these components together.
Each of these elements is described in more detail, in the sections that follow.

1. Handheld computer

The primary component required to take credit cards in the field is a handheld computer. This is the basic hardware platform that allows the other components to do their job. Quite possibly, the handhelds you have today will do the job. There is one special requirement: the handheld must have real-time communication capability. Typically, Wi-Fi is not a good choice (unless you are using it around your plant, factory showroom or office where you can establish your own wireless network). Generally, this requires WAN access through a cellular network, which means that your handheld must have the hardware to connect to that network. Often, this requires a SIM card in your handhelds that grants access to the ‘public’ network.

2. A magnetic card (or smart card) reader

Once you have a handheld with GPRS or other communication, you will also need a device to read the magnetic stripe on the credit card. This can be accomplished in one of three ways:
  1. Built-in card reader on the handheld device.
  2. A card reader associated with your printer.
  3. A stand-alone credit card reader that interfaces to the handheld via Bluetooth, infrared or other short distance communication.
While the first two options are the most common, there have been several other tools on the market over the years.
Let’s look at these options in more detail. Some hardware has been designed specifically for retail applications, and will offer as standard equipment (or perhaps as an additional cost option) a magnetic card reader that is integrated into the handheld device. This will give the user a reliable piece of equipment that has no external wires, radios or other points of failure. Typically, the magnetic card reader is not an expensive option, compared to a scanner or RFID reader. The pictures below show two devices that have an integrated credit card reader.

If your device of choice does not have an integrated magnetic card reader, then another affordable option is to choose a printer with a magnetic stripe reader built into it. Many printers come with this as an option. The handheld – using a bidirectional communication signal – will tell the printer to start scanning the card when it is detected. Often, the printer will beep or a light will flash indicating the printer is ready. The user then swipes the card and the credit card data is transferred from the printer to the handheld.
The third option (a separate credit card reading device) works essentially the same way as a magnetic stripe reader on a printer. You simply would not have the ability to print.
Throughout most of this document, the term magnetic stripe reader has been used. In some countries, it is more popular to use a smart card with a computer chip embedded in it. If this is the case, then it will function basically the same way, except the card is inserted into the device rather than swiped for the magnetically stored data. You will also find all three kinds of device capable of smart card reading – integrated into the PDA, associated with a printer, or as a stand-alone device.

3. Connection to a live network (GPRS, CDMA, GSM)

With the proper hardware, you will also need to connect to a live network. In most countries, this means having cellular network access. This is typically provided by a company such as T-Mobile, AT&T, O2, Verizon, or a dozen other companies depending on your location. Each device must have its own plan. It may require a SIM (Subscriber Identity Module) chip or other verification of access.
You must also have a Data Plan (as opposed to voice service only) that will give you access to the Internet. This is required so that you can access a Gateway to the credit card processor (described in the next section). As long as you can connect to the Internet, it does not matter what service plan you choose. Often, there are variations based on minutes of use. If you are using the Internet exclusively to process credit card data, you will not be transferring very much data each month. If you are using it for RMLive, then it will be more.

4. Access to a credit card processing gateway

Access to a credit card processing gateway is another required component. This is provided by the company that receives and authorizes the credit card, and that puts the funds into your bank. The gateway is typically a secure connection from the handhelds over the network to the processor.
As they receive your request for payment, they typically do the following steps:
  1. Identify who you are.
  2. Confirm that the credit card is valid.
  3. Confirm that the cardholder has sufficient credit (or funds available, if a debit card).
  4. Process the transaction so that funds can be transferred to your bank account.
Some industry leaders are Authorize.net and Argofire, among others.

5. Software to glue all of these components together

Once you have all of these pieces laid out and available, you then will need software to tie them all together. Your Route Manager software is what does this task. It allows the various hardware and software to work harmoniously together. While your field sales representative simply swipes the credit card and returns it to the customer, everything behind the scenes goes into motion to make it easy, fast and reliable.
On the handheld, the credit card is taken as another payment type. When this is selected by a salesperson, they will then be prompted to swipe the card. Within a few seconds, the salesperson will know if it has been approved or declined.

Some general comments on the process:

It is not possible to swipe the credit card and save the data to be processed when the handheld is returned at the end of the day. This is due to PCI compliance problems. The data on the handheld cannot be kept secure enough to meet the stringent requirements of the Security Standards Council. All of these components are required to function within the Route Manager environment.
If you have a device that you are not sure will work with the Route Manager environment, contact us ahead of time so that we can advise you on its compatibility.

About Us

For over 23 years Advantage Route Systems has been providing quality software to route companies like yours. Our customers include companies that span across several continents, from small one-truck operations to large corporations. We have solutions, products, and modules that address business needs for delivery companies. We have become “the handheld experts” and are #1 in the route delivery industry. We enjoy the opportunity to work with companies across the globe and we tailor our software to meet their needs.

Contact Info

3201 Liberty Square Parkway Turlock, CA 95380 USA

888-294-7688 or +1-209-632-1122 (outside US)

Sales@AdvantageRoute.com
