The buzzword in the credit card processing industry today is PCI Compliance. This affects every business on the planet and is a standard to help protect credit card and other personal financial data from unauthorized uses. Advantage Route Systems wants to help you protect your customers. We have developed a program within Route Manager that will allow you to give your customers the reassurance that their credit card information is secure. We work with a variety of credit card companies that are PCI Compliant.
What is PCI Compliance?
Visa and MasterCard have established a Security Standards Council that has identified Payment Card Industry (PCI) requirements each merchant must meet to certify compliance. All merchants (regardless of business size) are required to adopt the security standards established by the PCI to prevent account information from falling into the wrong hands. It is common for merchants to be provided with inadequate or erroneous information regarding this important issue and many are not even aware that these standards exist. Nevertheless, security requires vigilance and most security breaches can be prevented. Adopting these standards can be relatively easy. Visa and MasterCard now require the following from merchants who process their cards:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
PCI Compliance on the Desktop
In the fall of 2010, Advantage Route Systems began to make the transition from a credit card number based storage system to the storage of tokens in its software. This means that you will not have any credit card numbers stored in any of your local databases. Even though this information has always been encrypted, there are too many printouts and temporary files that could have non-encrypted data on them to ever be PCI compliant. That is why in early 2010, we began the move to only store tokens in the software. Through all versions of the Series 5, you have the option of storing card numbers or tokens. However, in Series 6 of RMA and newer, we will only store tokens. To help you migrate to this new method, there are several steps:
- Talk to your bank or current credit card processor about your options
- Decide on a plan to migrate to the use of tokens
- Use our tools to migrate your existing data to tokens
- Upgrade your RMA software as needed to use the tokens
- Run a test to make sure that it works properly
- Implement it into your live area
PCI Compliance on Paper
Even paper records are subject to PCI rules for storage. You need to keep important documents under lock and key so that access is limited. If you provide a document for your customers that will let them ‘sign up’ for credit card processing and have card numbers and other relevant information on it, then you need to safeguard these items as well. If you are not sure what to do with a piece of paper, shred it! Be careful what you do with your garbage! Thieves love to harvest credit card data from unlocked trash bins. Make sure that print-outs, receipt copies and any other pieces of paper that could have credit card data on them are shredded before you throw them away. One slip could cost you many thousands of dollars in grief and resources.
On the Handheld
Some of you may wish to collect credit card payments at the time you make a delivery in the field. With the proper equipment and connections, it is possible. This section will describe all of the components that you will need; each of these elements is described in more detail below. Collecting credit card payments in the field requires the following:
- Handheld computer
- Connection to a live network (GPRS, CDMA, GSM)
- Access to a credit card processing gateway
- Software to glue all of these components together
Compliance on the Handheld
The primary component required to take credit cards in the field is a handheld computer. This is the basic hardware platform needed that allows the other components to do their job. Quite possibly, the handhelds you have today will do the job. There is one special component that will be required: the handheld must have real-time communication capability. Typically, Wi-Fi is not a good choice (unless you are using it around your plant, factory showroom or office where you can establish your own wireless network). Generally, this requires WAN access through a cellular network. This means that your handheld must have the hardware to connect to that network. Often, this requires that you have a SIM card in your handhelds that grants access to the ‘public’ network.
With the proper hardware, you will also need to connect to a live network. In most countries, this means having cellular network access. This is typically provided by a company such as T-Mobile, AT&T, O2, Verizon, or a dozen other companies depending on your location. Each device must have its own plan. It may require a SIM (Subscriber Information Module) chip or other verification of access. You must also have a Data Plan (as opposed to voice service only) that will give you access to the Internet. This is required so that you can access a Gateway to the credit card processor (described in the next section). As long as you can connect to the Internet, it does not matter what service plan you choose. Often, there are variations based on minutes of use. If you are using the Internet exclusively to process credit card data, you will not be transferring very much data each month. If you are using it for RMLive, then it will be more.
Access to a credit card processing gateway is another required component. It is provided by the company that receives and authorizes the credit card. This is the company that puts the funds into your bank. This gateway is typically a secure connection from the handhelds over the network to the processor. As they receive your request for payment, they typically do the following steps:
- Identify who you are.
- Confirm that the credit card is valid.
- Confirm that the cardholder has sufficient credit (or funds available if a debit card).
- Process the transaction so that funds can be transferred to your bank account.
Compatible Credit Card Companies
We work with a variety of credit card companies that are PCI Compliant.