Blog Feed Post

The ABC’s of PCI and EMV compliance. What do small businesses need to know?

There are some very basic steps you can take towards making your payment processing solution compliant with PCI and EMV. Payment Card Industry (PCI) and Europay, MasterCard and Visa (EMV) compliance are concerns of any payment processing solution today. 

$20,752 IS THE AVERAGE COST TO A SMALL BUSINESS DUE TO HACKING, UP FROM $8,600 IN 2013 (National Small Business Association)

It’s essential small businesses have an end-to-end payment solution in place that allows for PCI and EMV to be addressed. Cyberattacks are no longer just a problem for large, global enterprises they are a problem for any company of any size with a payment processing solution. Businesses of all sizes can take steps to protect customer information. This was the case for long-time, Banyan customer Franchise Entertainment Group (FEG).

Franchise Entertainment Group (FEG) is Australia’s premier home entertainment group encompassing such iconic brands as Video Ezy, Blockbuster and EzyDVD. FEG’s DVD rental kiosk solution needed to integrate a new EMV-compliant hardware and gateway for payments and have supporting infrastructure. They also needed their team trained on processes to support ongoing compliance.

Here are some of the steps FEG took towards becoming PCI and EMV compliant. Sometimes it is as easy as ABC. Don’t be intimidated by hackers, be prepared.

‘A’ Always be aware of your vulnerabilities

Your business and the customer experience revolve around the point of transaction. It’s where revenue is made and where you can build trust. Whether your point of transaction is a point-of-sale (POS) system or a vending machine, or DVD rental kiosk like FEG, always be aware of points of vulnerability surrounding your devices. Criminals can steal data in a number of ways like inserting “malware” onto the payment system to steal credit card data. Mag stripe readers are at greater risk for data breaches than chip readers. There are several other points of vulnerably shown in this illustration.

Illustration-HowCriminalsGet your Datahttp://banyanhills.com/wp-content/uploads/2016/08/Illustration-HowCrimin... 150w, http://banyanhills.com/wp-content/uploads/2016/08/Illustration-HowCrimin... 300w" sizes="(max-width: 827px) 100vw, 827px" />

‘B’ Bring on a partner that has expertise in PCI and EMV compliance

As the payments landscape continues to evolve, standards and compliance are insurance to your business and your customers that operations will continue to run smoothly and securely. Whether you’re starting out, or scaling up, it can be hard to keep up with the latest standards. You can vastly simplify any PCI concerns about your payment processing environment by going with EMV. However, it’s not without its challenges, especially if current business processes rely on the availability of data obtained directly from the credit card. So don’t go it alone, work with a partner that has expertise in this area. Here are some key learnings from FEG’s integration of EMV.

How you can identify the customer

For FEG, the situation required the payment system to identify the customer (the human) based on the credit card they presented. In a non-EMV world, that is generally accomplished by reading the card data and matching it against data already stored. Similarly, data obtained via a token for the card can also be matched against previously stored data. Conversely, with an EMV situation it’s unlikely you’ll have access to the card data nor you will not have access to the card number. Further, many providers have yet to implement a tokenization routine for EMV-based transactions. We solved for this by partnering closely with the payment provider to develop their technology to support both a limited card read (name, bin, and last 4) as well as a tokenization solution.

What you can do to support recurring billing

Another challenge is recurring billing with an EMV solution. This mirrors the first problem, because you will not have access to the full card information, and the payment processor must provide some means to effectuate a follow-on payment or refund when the card is not present. In FEG’s case, the payment processor had a secondary API that allowed for those payments to be processed, which we had to implement in parallel with the card reader integration.

Consider the impact of network and infrastructure changes

There may be network and other infrastructure related changes that you’ll need to make in order for the EMV transactions to flow through the environment, depending on the solution that is chosen. For example, some card readers may connect directly from the endpoint to the payment processor without first passing through a central enterprise service. Additionally, if you have a large network of terminals, finding a suitable set of hardware could be a challenge. In most cases the hardware needs to fit in existing devices or mounts, and it can be expensive to replace a large number of hardware units. At this time options are limited, as the hardware is mostly available directly from the payment processor as opposed to being able to choose from a set of generally available hardware.

‘C’ Continuously improve to comply

For FEG, finding the right partner put them on the path to PCI and EMV compliance. Their payment processing solution is fully compliant with PCI standards and the team has been trained on processes that will enable them to support evolving requirements to maintain their certification. Additionally, they have a complete, multichannel strategy that enables customers to reserve movies online or from their mobile device.

The PCI Security Standards Council (SSC) announced a significant advancement in its efforts to foster small-business cybersecurity: A set of payment protection resources that acquirers can use to educate and empower the small merchants they serve to fight cybercrime. It’s all about creating a better understanding of the real risks that go along with the method(s) merchants rely on to process payment transactions. To learn more about how EMV can help reduce fraud check out the Merchant Guide: Stepping Up to EMV Chip with PCI.

Take a look at this case study of FEG’s transformation and how they are enabling their business operations with Canopy IoT platform.

Read the original blog entry...

More Stories By Steve Latham

Steve Latham, founder, and CEO of Banyan Hills Technologies, is an Internet of Things expert and strategic technology leader. He founded the company in 2013 to impact the world through technology and a deep commitment to social responsibility. He has a strong track record of leveraging cloud-based technologies to optimize and accelerate business strategy and is highly regarded by his peers for his deep industry knowledge in Retail, Entertainment, Healthcare, and Financial Services.

Latham has successfully led architecture, implementation and delivery for one of the largest self-service, retail exchange kiosk systems in the world. Earlier, he served as CTO for the Entertainment division of NCR, where he helped orchestrate a successful divestiture of the business to Redbox for $125M. Prior to NCR, he held various technology leadership positions at Harland Clarke and led the consolidation of their e-commerce platform to a unified product offering for its customers. Latham serves on the board of directors for various businesses and academic institutions providing technical leadership.

Latest Stories
In his session at @DevOpsSummit at 20th Cloud Expo, Kelly Looney, director of DevOps consulting for Skytap, showed how an incremental approach to introducing containers into complex, distributed applications results in modernization with less risk and more reward. He also shared the story of how Skytap used Docker to get out of the business of managing infrastructure, and into the business of delivering innovation and business value. Attendees learned how up-front planning allows for a clean sep...
Blockchain is a shared, secure record of exchange that establishes trust, accountability and transparency across supply chain networks. Supported by the Linux Foundation's open source, open-standards based Hyperledger Project, Blockchain has the potential to improve regulatory compliance, reduce cost and time for product recall as well as advance trade. Are you curious about Blockchain and how it can provide you with new opportunities for innovation and growth? In her session at 20th Cloud Exp...
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
In IT, we sometimes coin terms for things before we know exactly what they are and how they’ll be used. The resulting terms may capture a common set of aspirations and goals – as “cloud” did broadly for on-demand, self-service, and flexible computing. But such a term can also lump together diverse and even competing practices, technologies, and priorities to the point where important distinctions are glossed over and lost.
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chie...
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.