The Merchant Processing Guru Tip# 33: The 12 requirements of PCI Compliance – Requirement #4
Encrypt transmission of cardholder data across open public networks. I will explain first what the open, public network means and the different ways you can be transmitting across your network and how this affects you. An open public network basically means any network connected to the internet as once your data leaves your network, even if your network’s sole use is for transmitting credit card data, you are transmitting over the public internet. If you are transmitting cardholder data via the internet in your business, either via an internet enabled terminal, a virtual terminal or a wireless device that is either Wifi enabled or has a dedicated data connection you should be using an industry accepted form of encryption such as IEEE 802.11 for wireless, otherwise known as WPA2. WEP is no longer accepted as an approved encryption method for wireless where the transmission of cardholder data is conducted.
When using a virtual terminal or selling items on the web you must have an SSL secured gateway where your customer’s cardholder information is entered for purchase of your product or service. You will know if it is secured when you are on the payment screen and in the URL at the beginning you will see https:// (The `s’ indicates an SSL secured page).
You might say that you are using a dial up terminal through a phone line so this does not apply to you. Well if you are using an analog POTS line (Plain Old Telephone Service), you may be right but should you be on a system such as VoIP then you are in fact transmitting the data over the internet as VoIP translates your sound waves to a digital signal and sends it as packets over the internet which is then vulnerable to hackers.
There are terminals that are emerging in the market that are End-to-End Encrypted so that no matter what happens to the data, it cannot be decrypted by anyone other than the processor with the key in their own data centers. This is the wave of the future as even a WPA2 encrypted wireless network is still not 100% secure. The best example of this is Verifone’s Vx510 VSP, this terminal uses SSL encryption as well as triple DES encryption. It encrypts the information as you swipe the card on the card reader itself, before it goes anywhere else and the encrypted card information is transmitted from the terminal over the internet to the processor directly and only then as it reaches the processor is it decrypted in their secure data center. This terminal is tamper proof and will not allow anyone to change it’s configuration. It can only be programmed at the processor’s secure facility, so no one who is not authorized can load anything into the terminal. Verifone has also recently launched a new line of Vx terminals that they are calling the Vx Evolution, I have yet to try any of these so I cannot talk about them yet. These newer Vx Evolution terminals are reported to be PCI PTS 3.0 certified and are all End-to-End encrypted which just confirms the industry shift to a higher level of encryption. Verifone is the industry leader in credit card processing terminals manufacturing and has recently purchased Hypercom their largest US competitor.
Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: [email protected]
Or call him at: 1-888-368-GURU (4878)