PCI Compliance and your Convention

It seems lately that everyone and their dog wants their convention to use Square, or whatever the trendy phone-based credit card processing system is. This is a major point of risk for fandom conventions, and in this document we will explain why.



What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. [Source]


Does it apply to our convention?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply. [Source]


We already accept payments; does adding a new method really add rules?

Yes! It may seem strange at first that simply starting to accept credit cards on site requires you to adhere to new rules. However, when you think about it further, it makes sense. After all, there are rules in place like "Employees (this includes volunteers) must never ever write down the CVV or credit card number". Once you remember that rules like that exist, it's very easy to realize there must be other rules.


What's the worst that could happen?

How do fines of between $5,000.00 and $50,000.00 per month sound to you? Yes: if you are determined to be in breach of PCI compliance, you can get hit with fines between 5k and 50k PER MONTH for every month that you were non-compliant. If you had been processing credit cards through a phone or some other device for, say, 1 year, you could be seeing fines starting at $415,000.00. [Source] Starting to understand now?


Okay, so why are these card readers so bad anyway?

If you're a one-person organization, these card readers really aren't that bad. In fact, mom-and-pop organizations are exactly what these card readers were invented for. However, if you're a fandom convention, you definitely have more than one staffer taking money from your guests, and then all sorts of issues come into play.

  1. Whose device is this?  It doesn't matter what you try, from gluing the reader in place to painting your logo on the device: the customer will never know the precautions you took to identify a device as the OFFICIAL convention device. As such, if a staffer swapped the official convention device for their own, the customer would never be able to tell the difference. The customer would walk away with their product, and possibly a compromised device was used, or the staffer potentially put the money into their own account.
  2. Unencrypted readers?  Less of an issue lately, but some devices (especially older Square devices) would send the stripe data through to the phone entirely unencrypted. The result is that with a simple audio recording program, the entire card can be stolen. This is a serious security issue.
  3. Card stripe theft: It is possible for a virus (regardless of whether you feel it's impossible for an iPhone to get a virus) to simply record all data. A simple keylogger (which on a touch device records where presses were) could not only get the card data, but also signatures or PINs collected on the device. Whether they exist already, or simply will soon, viruses will be written that simply lie in wait to listen for card stripe data and then send it off to hackers.
  4. Change of account: It is very possible that the staffer could simply change the account that is used on the device, so that money is sent to their own account rather than the convention account.

Not all of the things listed above are PCI compliance issues, but they're issues that should not be ignored!


How do I remain PCI compliant?

Two simple things:

  1. Before the convention: Obtain and use an SSL certificate for your website (or at least your registration kiosks) and use an integrated payment processor: Authorize.net, Worldpay, PayPal, etc.
  2. At the convention: Use only PCI compliant credit card terminals. (Yes, actual physical hardware credit card terminals.) [List of PCI compliant credit card terminals]


Can we use PayPal through the registration kiosks at the con?

Nope. This at first seems like a reasonable idea. After all, the online credit processors (Worldpay, Authorize.net, PayPal etc.) are PCI compliant, and logically would remain so if they were used at the convention. This assumption is NOT accurate.

The change here occurs because of the ownership of the computer that is used to enter cardholder data. At home, the customer is using their own computer to enter their credit card data or passwords. This makes anti-virus and fraud THEIR issue. Even if their computer was compromised, the number of customers affected is one (or maybe one family). At a convention, however, the convention owns the keyboard, the PC, and the network all the way to the web server. If any one of those things is compromised, then you have just compromised the security of the cardholder data.

The issue is also related to the volume of credit cards that could be obtained. If the customer's computer was compromised, then the attacker would get at most one victim's worth of credit cards. If the convention's computer is compromised, then the attacker would obtain all the credit cards processed on that computer.


Where can I find the PCI documentation online?

There is a whole library of documents that you may need to reference available at this link: [Source]