If your credit card processing terminal is out of regulatory compliance, you’re putting your customer information and possibly your entire business in jeopardy. Businesses that use noncompliant credit card processing equipment are at high risk for a data security breach. A data breach while out of compliance could result in
- fines and penalties up to $500,000
- monthly noncompliance fees
- damage to your reputation
Even if you do not suffer a data breach, noncompliant credit card processing terminals can cause major headaches including
- slower payment transactions
- longer downtimes
- loss of service
- inability to find replacement parts
Are you at risk for a data security breach?
The slippery slope of noncompliance is a steep one that can lead to disaster before you know it. The scale below shows how quickly bad can lead to worse once you let your credit card processing equipment fall out of compliance.
- Core terminals are fully updated, and receive Class A support from the manufacturer and your merchant services provider, including troubleshooting and technical support.
- Non-Class A terminals are no longer in production and do not have manufacturer support. Replacement parts and inventory are increasingly difficult to find, and performance steadily degrades.
- Noncompliant terminals no longer meet the standards for regulatory compliance. Merchants using noncompliant equipment are at risk for data security breaches and subsequent penalties up to $100,000.
- Unsupported terminals are noncompliant and are not supported by the manufacturer or your merchant services provider. These terminals may be supported by a third-party service provider, but still put you at risk for breaches and penalties.
- Obsolete terminals are outdated, noncompliant and wholly unsupported, making them ineligible for updates, modifications, troubleshooting or repairs. These terminals pose the highest risk for security breaches and subsequent fines. Continued use of these terminals may lead to the inability to accept credit cards and the potential failure of your business.
What devices need to be in compliance?
Any equipment that you use to process credit card payments must meet industry and government compliance requirements, particularly the Payment Card Industry Data Security Standard (PCI DSS). The basics of compliance for credit card processing equipment follow.
The PCI DSS clearly states that sensitive information (including credit card numbers and expiration dates) cannot be stored on any credit card processing equipment. Specific compliance requirements are outlined in the PCI DSS. Credit card processing equipment that does not adhere to these security standards is classified as noncompliant and puts your business at risk for fines and data security breaches.
The data security standards outline specific requirements for the printing of credit card receipts. Only the last four digits of a credit card number may be shown and the expiration date must be obscured on all copies of a receipt. Use of noncompliant equipment that does not adhere to these standards can lead to fines and limited processing capability.
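The receipt rule above (last four digits only, expiration date obscured) is simple to check mechanically. The following is an added example, not code from the original page or from any terminal vendor: it masks a constructed sample receipt and then scans the result for any Luhn-valid card number that survived, which is the check a merchant or auditor would run over printed receipt text. The receipt layout, the `EXP` label and the card number `4111 1111 1111 1111` (a standard test number) are assumptions.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration dates are only masked when they carry an "EXP"-style label (assumption),
# so transaction dates elsewhere on the receipt are left readable.
EXPIRY_RE = re.compile(r"(?i)(exp(?:iry|ires|\.)?\s*:?\s*)(0[1-9]|1[0-2])/(\d{2}|\d{4})")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*', keeping separators in place."""
    n_digits = sum(c.isdigit() for c in pan)
    seen, out = 0, []
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= n_digits - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_unmasked_pans(text: str) -> list:
    """List every Luhn-valid card number still printed in full on the receipt text."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def mask_receipt(text: str) -> str:
    """Truncate card numbers to the last four digits and obscure labelled expiry dates."""
    text = PAN_RE.sub(lambda m: mask_pan(m.group(0)) if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0), text)
    return EXPIRY_RE.sub(r"\1**/**", text)


# Constructed sample receipt; the card number is a well-known test PAN, not a real account.
RECEIPT = "ACME MART  05/23/24 14:02\nVISA 4111 1111 1111 1111 EXP 09/27\nTOTAL $42.17 APPROVED"

if __name__ == "__main__":
    print(find_unmasked_pans(RECEIPT))   # ['4111 1111 1111 1111'] before masking
    print(mask_receipt(RECEIPT))          # card shown as **** **** **** 1111, EXP **/**
```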
Debit cards (often referred to as bank cards) and electronic benefits transfers (EBTs) require customers to enter a personal identification number (PIN) into a PIN pad or other PIN entry device (PED). PED compliance calls for rigorous security measures, such as triple DES encryption, fixed key security and authentication software. Using a noncompliant PED could result in fines and the inability to process PIN-based cards.
Triple DES Encryption
Visa and MasterCard stipulate that all PEDs encrypt PIN data using the Triple DES (3DES) algorithm, that is, the Data Encryption Standard (DES) applied three times with multiple keys. Failure to use triple DES encryption knocks your PED out of compliance and puts you at risk for the consequences listed above.