Support

SECURITY FAQ

  • What can my staff and I do to prevent fraud?
    • The basics of fraud prevention can be broken down into two sections: Face-to-Face Transactions and Mail/Telephone Order/Internet Fraud
    • For Face-to-Face transactions

      Remember to keep your eyes and ears open; here are some signs to watch out for:

      – Customer has randomly collected merchandise without the usual care
      – Customer may appear nervous or in a hurry
      – Customer may take the card from their pocket instead of their wallet
      – Customer signatures may not match
      – Customer makes large, random, expensive purchases

    • All cards are designed with special security features to deter counterfeiting and alteration. When you are presented with a card – look for the following elements:

    • On the Front:
      – Verify that the printed and embossed details match
      – Embossing
      – Hologram
      – Valid Date
      – Compare Account Numbers

    • On the Back:
      – Signature Panel
      – Signature

  • Proper Processing Procedures
      – Check the card’s security features
      – Always swipe through a terminal
      – For manual transactions, always get an imprint of the card
      – Compare the signature with the back of the card
      – Keep your card reader in proper working order
  • For Mail/Telephone and Internet Fraud
    • Identifying fraud in these channels may seem difficult, but there are indicators that you can watch for:
      – Larger than normal purchases, or large quantities of the same item
      – Orders of “big ticket” items shipped Rush or Overnight
      – Transactions on similar account numbers
      – Orders shipped to a single address, but made from multiple cards
      – A shipping address that is different from the cardholder’s address, especially where the countries differ

    • Credit card fraud continues to be a significant issue for businesses and consumers. That is why it is important to know that there are ways you can help prevent fraud and ensure that you and your customers are better protected.

    • A fraudulent credit card transaction could involve an invalid account number, unauthorized use of a valid account number, or a lost or stolen card. Card skimming is the most common form of debit card fraud. Fraudulent transactions normally occur within hours of loss or theft, and in most cases the card has not yet been reported as missing or stolen.

    • Fortunately, credit and debit cards issued in Canada are designed with special security features to help deter counterfeiting and fraud, and your actions can further protect your business and your customers.

  • About Cardholder Data Security
    • As part of MONEXgroup’s ongoing commitment in assisting our merchants in their processing needs, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.
    • It is important to note that all Merchants and Service Providers that store, process or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. Certification requirements vary by business and are contingent upon your ‘Merchant Level’ or ‘Service Provider Level.’ Failure to comply with PCI DSS and the Card Brand Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.
    • MONEXgroup has taken steps to provide our valued merchants with the necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.
  • About PCI SSC
    • The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks – American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.
  • The PCI SSC currently manages the following security standards:
      – PCI Data Security Standard (DSS)
      – PCI PIN Entry Devices Program (PED)
      – PCI Payment Application Data Security Standard (PA-DSS)

      The PCI SSC is also responsible for the training and qualification of security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance with these standards. Enforcement of compliance is managed independently by the Card Associations.

  • Six Principal Requirements of PCI DSS
    • Build and Maintain a Secure Network
      – Install and maintain a firewall configuration to protect cardholder data
      – Do not use vendor-supplied defaults for system passwords and other security parameters

    • Protect Cardholder Data
      – Protect stored cardholder data
      – Encrypt transmission of cardholder data across open, public networks

    • Maintain a Vulnerability Management Program
      – Use and regularly update anti-virus software
      – Develop and maintain secure systems and applications

    • Implement Strong Access Control Measures
      – Restrict access to cardholder data by business need-to-know
      – Assign a unique ID to each person with computer access
      – Restrict physical access to cardholder data

    • Regularly Monitor and Test Networks
      – Track and monitor all access to network resources and cardholder data
      – Regularly test security systems and processes

    • Maintain an Information Security Policy
      – Maintain a policy that addresses information security

  • Merchant Levels and Validation Requirements
    • All merchants that store, process, or transmit cardholder data must comply with the PCI DSS and validate their compliance & certification requirements using the appropriate Merchant Level for their business.
  • Merchant Level Descriptions
    • Level 1
      – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions per year
      – Any merchant that has suffered an unauthorized intrusion that resulted in an account data compromise
      – Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements

    • Level 2
      – Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements

    • Level 3
      – Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard E-Commerce transactions per year

    • Level 4
      – Any E-Commerce merchant processing fewer than 20,000 Visa or MasterCard E-Commerce transactions per year
      – Any merchant, regardless of acceptance channel, processing fewer than 1,000,000 Visa or MasterCard transactions per year

  • Merchant Validation Requirements
    • Level 1
      – Validation Requirements: Annual PCI Self Assessment Questionnaire; Quarterly Network Scan; Annual On-Site PCI Data Security Assessment
      – Validations Performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

    • Level 2
      – Validation Requirements: Annual PCI Self Assessment Questionnaire; Quarterly Network Scan
      – Validations Performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

    • Level 3
      – Validation Requirements: Annual PCI Self Assessment Questionnaire; Quarterly Network Scan
      – Validations Performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

    • Level 4 (Acquirer’s Discretion)
      – Validation Requirements: Annual PCI Self Assessment Questionnaire; Quarterly Network Scan
      – Validations Performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

  • Service Providers Compliance Requirements
    • A service provider is defined as an organization that stores, processes or transmits cardholder data on behalf of merchants or other service providers. As a result, all service providers are required to comply with PCI DSS, including validating their compliance with PCI DSS through the services of a Qualified Security Assessor (QSA).
  • Payment Application Data Security Standard
    • The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. This standard is based on Visa’s Payment Application Best Practices (PABP). Many merchants deploy third-party payment applications, tailored to their business needs, to assist them in accepting credit card payments.

      The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and to ensure their payment applications support compliance with the PCI DSS. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants.

      Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software.

      Further information on PA-DSS, including a list of payment applications that have validated their compliance with PA-DSS, can be found at:
      – PCI Security Standards
      – Visa

  • Visa Canada Payment Application Compliance Program
    • Visa Canada has established timeframes by which acquirers must ensure that all merchants (new and existing) who use payment application software to process with their acquirers only use software that has been validated against PA-DSS or PABP requirements.

    • Phase 1 (effective October 1, 2008)
      – By October 1, 2008, all acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that has been validated to comply with PABP or PA-DSS requirements.

    • Phase 2 (effective July 1, 2010)
      – By July 1, 2010, all acquirers must ensure that all merchants (new and existing) who use payment application software only use payment application software that has been validated to comply with PABP or PA-DSS requirements.