
PCI Compliance, get the facts

Did you know...
The credit card processing industry now requires that you change the way that you handle and process sensitive customer data, including credit card numbers. These new regulations are referred to as PCI DSS (Payment Card Industry Data Security Standards) and were designed to reduce credit card fraud. All merchants are being required to demonstrate that they are PCI compliant. Non-compliant businesses can and will be held financially responsible for every breach or loss of data that is traced back to their systems.


Risks of Non-Compliance
Merchants across the country, including several ticket brokers, have already been fined over $100,000 for security breaches as a result of stolen credit card information. We urge you to watch this brief 12 min. video filmed by the credit card industry that explains what PCI DSS is, and what it means for your business. This informative video walks you through:

  • The risks of using non-PCI compliant Point-of-Sale software – the source of over 60% of security breaches
  • Examples of vendors held liable for more than $100K in fines!
  • How to become PCI compliant


TicketNetwork – PCI Overview
Please read carefully the sections below as they contain important information regarding:
     (1) PCI Compliance Check-list;
     (2) FAQs list on PCI compliance;
     (3) Information on TicketNetwork support to become PCI-compliant.


PCI Compliance check-list

In order for you to avoid penalties, here is the complete list of components pertaining to your business which you must demonstrate are PCI DSS certified:


(1) Self-Assessment Questionnaire (SAQ): You are required to complete a SAQ, a mechanism for reporting the level of your compliance to your merchant bank or to Visa. You can either work with an Approved Scanning Vendor who will assist you in this process or refer to the instructions at https://www.pcisecuritystandards.org/saq/index.shtml
(2) Point-of-Sale software: TicketNetwork Point-of-Sale is the only software provider in the secondary ticket market that is PCI compliant. If you are not a TicketNetwork Point-of-Sale software user, it is your responsibility 1) to determine if your platform is compliant OR 2) to make sure it is not able to store or transmit credit card information.
(3) Merchant Processor: You (the merchant) are responsible for verifying that your merchant processor (e.g., Elavon) is PCI-compliant. Call 860-870-3400 x149 (Kathy Sullivan) to learn more about PCI-compliant merchant processors.
(4) Credit Card Processing Gateway: You must obtain certification from your processing gateway (e.g., Authorize.net) proving that they are PCI-certified. No action is required if you are using TicketNetwork’s secure processing gateway, IPCharge.
(5) Scheduled Scanning: As part of PCI certification, you must also contract an Approved Scanning Vendor (ASV) (e.g., ControlScan) to have your business website and data system scanned to determine if your system is vulnerable to data security breaches. Scans are then scheduled to run on a quarterly basis. Visit the ControlScan site to schedule your scan.
(6) Paperwork: After you have completed the PCI compliance process you will be asked to complete an Attestation of Compliance (AOC). You must keep this document on file and be ready to present the AOC upon request.

Please note that you must meet ALL of the requirements above in order to be considered PCI-compliant. If you have completed some, but not all, of the criteria, you are still at risk! To learn more about PCI compliance and how it can affect your business, call TicketNetwork headquarters at 860-870-3400 (Option 5).


FAQs - About PCI compliance

What is PCI compliance?
PCI stands for Payment Card Industry, an organization made up of the major card brands, such as VISA, MasterCard, and American Express. PCI DSS (Data Security Standards) refers to the security measures established by the Payment Card Industry that businesses need to follow to ensure that customer credit card data and account information are protected. Therefore, if a business has complied with these PCI standards, it is considered to be "PCI compliant".


What are the risks for merchants that are non-compliant?
If and when a data breach occurs, the merchant is the entity held primarily responsible for the breach. The fines are passed on from the credit card companies, to the acquirer/processor, to the ISOs, ending with the merchant, who is held accountable for the full cost of the breach, as displayed below:


(1) Credit Card Companies: AMEX, Visa, MasterCard
(2) Acquirer/Processor: Banks / First Data / Elavon / Nova / Payment Tech
(3) Independent Sales Organizations (ISOs): Merchant Warehouse / Power Pay
(4) Merchants: TicketNetwork / All Brokers on TND


The fees are covered by the upper tiers in this structure only if the merchant is not able to assume these costs, generally after the merchant in question has declared bankruptcy.


What do I have to do to become compliant?
In order to become PCI compliant, please refer to the items on the PCI Compliance Check-list above. Items include: (1) Self-Assessment Questionnaire (SAQ), (2) PCI compliant Point-of-Sale software, (3) merchant processor PCI certification, (4) credit card processing gateway PCI certification, (5) scheduled scanning, (6) paperwork attesting to all of the above.


How large are the fines if I am not PCI compliant?
If you are not PCI-compliant, you are at risk for hefty fines, including but not limited to:

  • Cost of forensic audit (approximately $10,000)
  • Cost of the fraudulent charges made
  • Additional fines by the Payment Card Industry (PCI), generally $50 for every credit card breach
  • Punitive legal costs in the event of a lawsuit

Merchants affected by data breaches have already experienced fines upwards of $100,000.


What if I meet only part of these criteria? Can I still be considered compliant?
No. You need to meet all of the six (6) components above to be considered fully PCI-compliant.


I am a small merchant who only processes a handful of credit cards. Do I still need to be PCI compliant?
Yes. Whether you are a small merchant or a big merchant, if your business requires processing credit card information, you need to be PCI-compliant.


Can I still keep customer data, including credit card information?
PCI rules state that you cannot store unencrypted credit card data, CVV codes, PIN codes/numbers or any magnetic stripe data. Storing that information is a violation of state and federal privacy laws.


FAQs - Getting started

I understand the need for paperwork certification. But what is the purpose of the scanning?
Your business may be breached by a computer hacker getting into your server without permission, an unauthorized employee with access to credit card information, or someone posing as a support representative calling to connect to your computer/server. There are numerous ways your system can be breached, and scanning helps detect the specific areas of vulnerability in your system.


What do I need to do to get a scheduled scanning?
When looking for a company to scan your website and data system, make sure it is an Approved Scanning Vendor (ASV). A list of ASVs can be found at www.pcisecuritystandards.org. TicketNetwork has partnered with ControlScan as our official ASV in an effort to assist you in completing the process step-by-step. Visit ControlScan.


What happens during a "scan"?
Once you have contracted an ASV, they will attempt to intentionally "hack" into your system in order to determine the vulnerable areas in your website and data management system. After each scan, you will receive a report as to what areas need to be addressed, if applicable, and their level of urgency. The scanning is done through your IP address and does not disrupt the day-to-day functioning of your website and data system.


Overall, how much does it cost to become PCI compliant?
We have found that, on average, the cost is approximately $150 to certify your business.


FAQs - TicketNetwork and PCI Compliance

What efforts has TicketNetwork made to become compliant?
TicketNetwork has invested approximately $2.5 million over the past two years to become PCI compliant. As TicketNetwork is both a merchant as well as a software provider, our system went through far more rigorous scrutiny than your average merchant. We are proud to say we meet all PCI compliance criteria and currently stand as the leading PCI-compliant company in the secondary ticket market. For TicketNetwork to become PCI compliant, multiple components of the company had to be tested for compliance, including our:

  • Point-of-Sale software – This was accomplished in version 8.0 in June 2008.
  • TicketNetwork Exchange – Also accomplished in June, 2008.
  • Credit Card Processing Gateway – Our system was switched from PC Charge to IPCharge, a PCI-compliant credit card processing gateway simultaneously integrated with Point-of-Sale™ 8.0.

Overall, TicketNetwork has done 95% of the work and put up 99% of the expense to be the only PCI compliant company in the secondary ticket market.


If TicketNetwork is PCI compliant, why do I have to prove compliance?
PCI DSS compliance includes all merchants who accept, capture, store, transmit or process credit and debit card data. While TicketNetwork provides services that are PCI-compliant, you, as individual merchants, must all go through the certification process.


Have ticket brokers already become affected?
Yes. Brokers using First Data and Elavon have already received notification that they will be fined until they prove they are PCI-compliant.


TicketNetwork Point-of-Sale and PCI Compliance

Our signature Indux software solution, TicketNetwork Point-of-Sale, is the only PCI compliant software in the secondary ticket market. In order to minimize our risk, TicketNetwork is asking all brokers who use our products and services to take the necessary steps to become PCI compliant OR to submit a PCI compliance plan to us by December 15, 2008.


TicketNetwork has partnered with ControlScan, an Approved Scanning Vendor (ASV) to help you through this process quickly. Visit ControlScan to learn more about the PCI compliance process and register directly for a no-cost trial with ControlScan.


To select an ASV other than ControlScan, visit www.pcisecuritystandards.org. PCI Compliance instructions can also be found on the following websites:
www.pcisecuritystandards.org
www.pcicomplianceguide.org/merchants-20071022-gaining-pci-compliance.php
