PCI Certification

Bed & Breakfast / Short Term Rental Host Forum

I'll need to call SuperInn about this, too.
greyswan said:
I'll need to call SuperInn about this, too.
Do tell when you've talked with them.
.
I spoke with SuperInn.... they said if I use SuperInn for processing my cc's that that info would be erased after processing. Because I am only using it as a database, the info is secure. So it is secure, until someone hacks into it, right? Anyone else using SuperInn and what is your process in handling cc info there?
.
Did they say that it "would be" (meaning the system will do it) or that it "should be" (meaning you have to erase it by hand)? The system right now does not expunge this data on its own. You have to do it by hand, which is a pain.
(hmmm I should go resurrect the thread from that other place about our wish lists for availability systems)
.
I heard that the system would do it. At what point do you delete the info if the cc info is in as a data base info?
.
I try to do it after I check them out. (in the evening after the daily batch for the day goes through). The problem is I am sure there are some I've forgotten to delete out and there is no way to search for ones that may have been missed.
The problem is you have to delete it out under "Account" for each transaction (once for deposit, once for final payment if they used a card for each) and you also have to go under "Registration Information" and delete it out from there too. It is a lot of clicks and actions to delete out three of the four fields for the card number (so you keep the last 4 digits), the exp date and the vcode three separate times.
That is one of the features that impresses me with the Rezovation system as you can set it to automatically purge the info at checkout, a certain number of days after checkout, or as soon as the payment is processed.
.
Swirt, you can go to si under contacts then profiles then search by credit card. Just put in 3 to check Amx, 4 to check visa, 5 to check mc & then 6 for discover. Scary when you see how many cc #'s you have. Also we cannot delete the history which used to have all of the cc digits and not just the last 4.
.
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
.
swirt said:
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
I checked a few of those. Most of them are expired cards, as in the expiry date is out of date.
.
I have entered a made-up good expiration on an expired card many times if the card had an expired date on it. Most of the time it works, but not every time.
.
Landmark said:
I have entered a made-up good expiration on an expired card many times if the card had an expired date on it. Most of the time it works, but not every time.
It is fairly easy...same month, 4 years later. I have been deleting the card numbers this year, so I only have a few left from previous years to go after. Not realizing that 'feature' was in there it will now be so much easier to finish up the ones from last year.
 
.
Bree, check your history, the cc # may still be there especially if you use group payments
 
.
Landmark said:
Bree, check your history, the cc # may still be there especially if you use group payments
No group payments. The way I do it is to delete the cc number BEFORE I do the checkout, so no history of the number should exist. Prior to this year, I never did checkouts. I'm only now taking advantage of more of the features. So, when a guest rebooks, I always have to ask for the cc number.
 
.
Very smart. I wish I had gotten into that habit. Of course I take deposits so that is a completely separate history item as well :( There ought to be a built-in better way.
 
.
swirt said:
Very smart. I wish I had gotten into that habit. Of course I take deposits so that is a completely separate history item as well :( There ought to be a built-in better way.
I called and asked if they (SI) would delete ALL the cc numbers prior to today's date (I called back in the spring/early summer). That was a feature they were working on...an auto delete button. Still not in production, from what I can see. I may just call back...I don't need any cc numbers stored from years ago. Those payments have all been made and none have been contested.
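An added example, not part of the thread and not SuperInn's code: the posts above describe hunting for card numbers left behind in reservation records and trimming them to the last 4 digits. Assuming the records can be exported as CSV (an assumption; the column names and sample rows below are constructed, using public test card numbers), this Python script finds Luhn-valid numbers in any field, labels them by first digit as Landmark describes, flags stored security codes, and produces a redacted copy.

```python
import csv
import io
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# First-digit brand lookup, as described in the thread.
BRANDS = {"3": "Amex", "4": "Visa", "5": "MasterCard", "6": "Discover"}
# Hypothetical column names that would hold the card security code (vcode/CVV/CID).
CODE_COLUMNS = {"vcode", "cvv", "cid"}

# Constructed sample export; the card numbers are well-known test numbers.
SAMPLE_EXPORT = """\
booking_id,guest,card_number,exp,vcode,notes
1234567890123456,A. Guest,4111111111111111,01/12,123,
1002,B. Guest,************4444,,,deposit paid
1003,C. Guest,,,,phoned in card 3782 822463 10005 for deposit
1004,D. Guest,6011-1111-1111-1117,03/11,,
"""


def luhn_valid(digits):
    """Luhn check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last 4 digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_match(match):
    digits = re.sub(r"[ -]", "", match.group())
    return mask(digits) if luhn_valid(digits) else match.group()


def scan_export(csv_text):
    """Return (row, column, kind, masked value) for every leftover card item.

    Full card numbers are never returned, only the masked form.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if not isinstance(value, str):  # skip missing or overflow fields
                continue
            if column in CODE_COLUMNS and value.strip():
                findings.append((row_no, column, "security code", "***"))
            for match in PAN_RE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):
                    brand = BRANDS.get(digits[0], "unknown")
                    findings.append((row_no, column, brand, mask(digits)))
    return findings


def redact_export(csv_text):
    """Return the CSV with card numbers masked and security codes blanked."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        clean = {}
        for column in reader.fieldnames:
            value = row.get(column) or ""
            if column in CODE_COLUMNS:
                clean[column] = ""
            else:
                clean[column] = PAN_RE.sub(_mask_match, value)
        writer.writerow(clean)
    return out.getvalue()


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
    print(redact_export(SAMPLE_EXPORT))
```

The free-text notes column is scanned as well, since numbers typed into comments are missed by a field-by-field cleanup.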
 
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together (on our parts - make sure your numbers are masked (responsibility of your processor or your res co), don't leave credit card info lying around - your responsibility, don't include cc numbers in email - your responsibility, don't store CID codes in guest comment areas on res systems - your responsibility, or don't store CID numbers in credit card data fields - your res company's responsibility ... etc etc) because we as banks / processors / res systems have been told we have to get ours together".
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
I am not getting belligerent or going for anyone's throat. This is just a statement - period and these quotes highlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how to run a computer. (and back in my day, I could make those puppies sing!)
These statements are examples of why I post what I do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
.
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information here on the Visa website here http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below:
III | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08
IV | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09
V | Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications*** | 7/1/10
.
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my webervations to see there was no cc number inputted! I have been procrastinating with Regions who is still charging me $5 per month and tell me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancel forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
.
Just got to this thread (lots to read) since returning from vacation. GH - I use First Data Merchant Services (mine does not have Huntington in the name). I have not received the letter you are discussing here. - Interesting!
I am though, totally at a loss on this issue. The only place I have CC# stored electronically is through Webervations and they are removed each month after guest departs. My CC# machine is a swipe type and I do not think it stores any numbers once the batch is sent.
What about the hard copy receipt that the merchant keeps, it has the complete CC# on our copy. This has to be kept for chargeback issues. I had an inquiry about a charge made over 2 years prior, I asked Discover at that time how far back could a card holder make an inquiry or chargeback request...the answer - anytime!
Now am I missing something I should be doing? This all boggles my mind.
 
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way..
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together (on our parts - make sure your numbers are masked (responsibility of your processor or your res co, don't leave credit card info lying around - your responsibility, don't incl cc numbers in email - your responsibility, don't store CID codes in guest comment areas on res systems - your responsibility, or don't store CID numbers in credit card data fields - your res companies responsibility ... etc etc) because we as banks / processors / res systems have been told we have to get ours together".
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
I am not getting beligerent or going for anyone's throat. This is just a statement - period and these quotes higlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how t run a computer. (and back in my day, I could make those puppies sing!)
These statements are examples of why I post what i do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
.
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirerValidation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information here on the Visa website here http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below. :
[tr]III[/td][td]Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications*[/td][td]10/1/08[/td][/tr]IV[/td][td]VNPs and agents must decertify all vulnerable payment applications**[/td][td]10/1/09[/td][/tr][tr]V[/td][td]Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications***[/td][td]7/1/10[/td][/tr][/table]
.
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my webervations to see there was not cc number inputted! I have been procrastinating with Regions who is still charging me $5 per month and tell me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancil forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
.
Just got to this thread (lots to read) since returning from vacation. GH - I use First Data Merchant Services (mine does not have Huntington in the name). I have not received the letter you are discussing here. - Interesting!
I am though, totally at a loss on this issue. The only place I have CC# stored electronically is through Webervations and they are removed each month after guest departs. My CC# machine is a swipe type and I do not think it stores any numbers once the batch is sent.
What about the hard copy receipt that the merchant keeps, it has the complete CC# on our copy. This has to be kept for chargeback issues. I had an inquiry about a charge made over 2 years prior, I asked Discover at that time how far back could a card holder make an inquiry or chargeback request...the answer - anytime!
Now am I missing something I should be doing? This all boggles my mind.
.
Huntington is my bank. They are not concerned with PAPER as much as the electronic. We are supposed to keep paper secure but it is not specified how. I think the big thing is the electronics because of hackers.
They are probably targeting us here in WV. My personal opinion is that these companies think West Virginians are stupid and will panic to do whatever they tell them to do and pay whatever they are told to pay. I guess they do not know that this State has a lot of very well-educated AND street-smart people in it.
 
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together (on our parts - make sure your numbers are masked (responsibility of your processor or your res co), don't leave credit card info lying around - your responsibility, don't incl cc numbers in email - your responsibility, don't store CID codes in guest comment areas on res systems - your responsibility, or don't store CID numbers in credit card data fields - your res company's responsibility ... etc etc) because we as banks / processors / res systems have been told we have to get ours together".
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
I am not getting belligerent or going for anyone's throat. This is just a statement - period and these quotes highlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how to run a computer. (and back in my day, I could make those puppies sing!)
These statements are examples of why I post what I do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
.
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information on the Visa website here http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below:
III | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08
IV | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09
V | Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications*** | 7/1/10
.
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my webervations to see there was no cc number inputted! I have been procrastinating with Regions who is still charging me $5 per month and tell me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancel forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
.
Just got to this thread (lots to read) since returning from vacation. GH - I use First Data Merchant Services (mine does not have Huntington in the name). I have not received the letter you are discussing here. - Interesting!
I am though, totally at a loss on this issue. The only place I have CC# stored electronically is through Webervations and they are removed each month after guest departs. My CC# machine is a swipe type and I do not think it stores any numbers once the batch is sent.
What about the hard copy receipt that the merchant keeps, it has the complete CC# on our copy. This has to be kept for chargeback issues. I had an inquiry about a charge made over 2 years prior, I asked Discover at that time how far back could a card holder make an inquiry or chargeback request...the answer - anytime!
Now am I missing something I should be doing? This all boggles my mind.
.
Although we are still using the knuckle buster (manual) machine on the road for our tours, I think the new way is that when you give the guest their receipt it is only supposed to have the last four digits. I guess I should be carrying a pen and blacking it out to comply.
riki
 
I'll need to call SuperInn about this, too.
greyswan said:
I'll need to call SuperInn about this, too.
Do tell when you've talked with them.
.
I spoke with SuperInn.... they said if I use SuperInn for processing my cc's that that info would be erased after processing. Because I am only using it as a database, the info is secure. So it is secure, until someone hacks into it, right? Anyone else using SuperInn and what is your process in handling cc info there?
.
Did they say that it "would be" (meaning the system will do it) or that it "should be" (meaning you have to erase it by hand)? The system right now does not expunge this data on its own. You have to do it by hand, which is a pain.
(hmmm I should go resurrect the thread from that other place about our wish lists for availability systems)
.
I heard that the system would do it. At what point do you delete the info if the cc info is in as a data base info?
.
I try to do it after I check them out. (in the evening after the daily batch for the day goes through). The problem is I am sure there are some I've forgotten to delete out and there is no way to search for ones that may have been missed.
The problem is you have to delete it out under "Account" for each transaction (once for deposit, once for final payment if they used a card for each) and you also have to go under "Registration Information" and delete it out from there too. It is a lot of clicks and actions to delete out three of the four fields for the card number (so you keep the last 4 digits), the exp date and the vcode three separate times.
That is one of the features that impresses me with the Rezovation system as you can set it to automatically purge the info at checkout, a certain number of days after checkout, or as soon as the payment is processed.
.
Swirt, you can go to si under contacts then profiles then search by credit card. Just put in 3 to check Amx, 4 to check visa, 5 to check mc & then 6 for discover. Scary when you see how many cc #'s you have. Also we can not delete the history which used to have all of the cc digits and not just the last 4.
.
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
.
swirt said:
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
I checked a few of those. Most of them are expired cards, as in the expiry date is out of date.
.
I have entered a made up good expiration on an expired card many times if the card had an expired date on it. Most of the time it works, but not every time.
.
Landmark said:
I have entered a made up good expiration on an expired card many times if the card had an expired date on it. Most of the time it works, but not every time.
It is fairly easy...same month, 4 years later. I have been deleting the card numbers this year, so I only have a few left from previous years to go after. Not realizing that 'feature' was in there it will now be so much easier to finish up the ones from last year.
.
Bree, check your history, the cc # may still be there especially if you use group payments
.
Landmark said:
Bree, check your history, the cc # may still be there especially if you use group payments
No group payments. The way I do it is to delete the cc number BEFORE I do the checkout, so no history of the number should exist. Prior to this year, I never did checkouts. I'm only now taking advantage of more of the features. So, when a guest rebooks, I always have to ask for the cc number.
.
Very smart. I wish I had gotten into that habit. Of course I take deposits so that is a completely separate history item as well :( There ought to be a built-in better way.
.
swirt said:
Very smart. I wish I had gotten into that habit. Of course I take deposits so that is a completely separate history item as well :( There ought to be a built-in better way.
I called and asked if they (SI) would delete ALL the cc numbers prior to today's date (I called back in the spring/early summer). That was a feature they were working on...an auto delete button. Still not in production, from what I can see. I may just call back...I don't need any cc numbers stored from years ago. Those payments have all been made and none have been contested.
.
They should provide that feature as the keeper of the data on their server. Hopefully, they'll get with the program!! It's a pain to delete all that info.
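The clean-up described by hand in the posts above (keep only the last four digits, remove the exp date and vcode, find card numbers that were missed, including ones typed into comment fields) together with the "check sum" mentioned earlier in the thread, as an added example that is not part of any post and is not code from SuperInn, Rezovation or Webervations. The record layout, field names and sample rows are constructed for illustration, the card numbers are the publicly documented processor test numbers, and the 15/16-digit lengths are an assumption.

```python
import re
from datetime import date, timedelta

# First digit -> brand, the same shortcut the thread uses (3, 4, 5, 6).
BRANDS = {"3": "Amex", "4": "Visa", "5": "MasterCard", "6": "Discover"}

# Assumption: 15 digits for Amex and 16 for the others (the common lengths),
# with optional single spaces or hyphens between digits.
PAN_RE = re.compile(r"(?<!\d)(?:3(?:[ -]?\d){14}|[456](?:[ -]?\d){15})(?!\d)")


def luhn_ok(digits):
    """Luhn check sum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings of all Luhn-valid card numbers found in text."""
    found = []
    for m in PAN_RE.finditer(text or ""):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(text):
    """Replace each Luhn-valid card number in text with asterisks plus the last four."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # fails the check sum: not a card number, leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text or "")


def audit(records):
    """List every field of every record that still holds a full card number."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str):
                for digits in find_pans(value):
                    findings.append((rec["guest"], field, BRANDS[digits[0]], digits[-4:]))
    return findings


def purge(records, today, days_after_checkout=0):
    """Mask card numbers and clear exp date and vcode once the retention window has passed."""
    cutoff = today - timedelta(days=days_after_checkout)
    purged = 0
    for rec in records:
        if rec["checkout"] > cutoff:
            continue  # guest not checked out yet, or still inside the window
        for field, value in rec.items():
            if isinstance(value, str):
                rec[field] = mask_pans(value)
        rec["exp"] = ""
        rec["vcode"] = ""
        purged += 1
    return purged


# Constructed sample export; card numbers are public test numbers, not real cards.
SAMPLE = [
    {"guest": "A. Guest", "checkout": date(2009, 10, 1),
     "card_number": "4111 1111 1111 1111", "exp": "10/11", "vcode": "123",
     "deposit_card": "4111111111111111", "comments": "late arrival"},
    {"guest": "B. Guest", "checkout": date(2009, 10, 20),
     "card_number": "************4444", "exp": "", "vcode": "",
     "deposit_card": "",
     "comments": "phoned in new card 3782-822463-10005, ref 5500000000000005"},
    {"guest": "C. Guest", "checkout": date(2009, 11, 15),
     "card_number": "6011111111111117", "exp": "01/12", "vcode": "456",
     "deposit_card": "", "comments": ""},
]

if __name__ == "__main__":
    print("Before purge:", audit(SAMPLE))
    print("Records purged:", purge(SAMPLE, date(2009, 11, 1), days_after_checkout=7))
    print("After purge:", audit(SAMPLE))
```

The audit walks every text field, so a number typed into a comment or a separate deposit entry is reported alongside the main card field; a 16-digit reference that fails the check sum is left alone.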
 
Although we are still using the knuckle buster (manual) machine on the road for our tours, I think the new way is that when you give the guest their receipt it is only supposed to have the last four digits. I guess I should be carrying a pen and blacking it out to comply.
riki
.
Get one of those black markers or bring a scissors and cut it out; because it is imprinted, it will still show otherwise.
 
Copperhead, I would check with them on the full CC # printing out. I don't think it should be doing it on your copy or the guest copy. Those details are not required for a chargeback challenge. All you need are the last four digits, the transaction number, date, and the authorization code from your processor. The processor can access the CC# if needed.
 
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way..
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together (on our parts - make sure your numbers are masked (responsibility of your processor or your res co, don't leave credit card info lying around - your responsibility, don't incl cc numbers in email - your responsibility, don't store CID codes in guest comment areas on res systems - your responsibility, or don't store CID numbers in credit card data fields - your res companies responsibility ... etc etc) because we as banks / processors / res systems have been told we have to get ours together".
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
I am not getting beligerent or going for anyone's throat. This is just a statement - period and these quotes higlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how t run a computer. (and back in my day, I could make those puppies sing!)
These statements are examples of why I post what i do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
.
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information on the Visa website here http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below:
III | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08
IV | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09
V | Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications*** | 7/1/10
.
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my webervations to see there was no cc number inputted! I have been procrastinating with Regions who is still charging me $5 per month and tell me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancel forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
.
Just got to this thread (lots to read) since returning from vacation. GH - I use First Data Merchant Services (mine does not have Huntington in the name). I have not received the letter you are discussing here. - Interesting!
I am though, totally at a loss on this issue. The only place I have CC# stored electronically is through Webervations and they are removed each month after guest departs. My CC# machine is a swipe type and I do not think it stores any numbers once the batch is sent.
What about the hard copy receipt that the merchant keeps, it has the complete CC# on our copy. This has to be kept for chargeback issues. I had an inquiry about a charge made over 2 years prior, I asked Discover at that time how far back could a card holder make an inquiry or chargeback request...the answer - anytime!
Now am I missing something I should be doing? This all boggles my mind.
.
Copperhead said:
Just got to this thread (lots to read) since returning from vacation. GH - I use First Data Merchant Services (mine does not have Huntington in the name). I have not received the letter you are discussing here. - Interesting!
I am though, totally at a loss on this issue. The only place I have CC# stored electronically is through Webervations and they are removed each month after guest departs. My CC# machine is a swipe type and I do not think it stores any numbers once the batch is sent.
What about the hard copy receipt that the merchant keeps, it has the complete CC# on our copy. This has to be kept for chargeback issues. I had an inquiry about a charge made over 2 years prior, I asked Discover at that time how far back could a card holder make an inquiry or chargeback request...the answer - anytime!
Now am I missing something I should be doing? This all boggles my mind.
Right on the cc fine print that all cc companies send out with the bill, it says you have 60 days to dispute, not 'anytime'. (I'm not arguing with what Discover told you, just saying that is what MY cc statements say.) And you must dispute in writing. You should NOT have the complete cc number on any paper documentation. (I think that's a regulation.) However, cc info should be obtainable online thru your processor. (That really depends on the processor, I have found as the new owners of the processor I use do not allow me access to ANYTHING except dollar amounts.)
 
.
Huntington is my bank. They are not concerned with PAPER as much as the electronic. We are supposed to keep paper secure but it is not specified how. I think the big thing is the electronics because of hackers.
They are probably targeting us here in WV. My personal opinion is that these companies think West Virginians are stupid and will panic to do whatever they tell them to do and pay whatever they are told to pay. I guess they do not know that this State has a lot of very well-educated AND street-smart people in it.
.
We have not received any such notice from our credit card processor at this time. We are also in West Virginia. Other innkeepers have reported receiving similar letters on the PAII forums - none of them in West Virginia. One was in Mass and one was in NH.
 
Thanks Swirt & Bree - I will contact my processor tomorrow about that issue. They just did an update of my terminal about a month (maybe 2) ago, but will check anyway.
Bree - yes, my (V&MC) statements state the same but when we received that inquiry (not chargeback) about a charge over 2 years ago I was shocked about it and called. It was then that I was told that there was no 'real' deadline to question a charge. After providing the info, nothing further happened, but it has puzzled me ever since.
 
We spoke to Intuit on this - they do not have an insurance offering or requirement at this time, and this was the first our contact had ever heard of anything like this.
In terms of printing the full cc number on your machine - by law - they cannot be doing this. There is now a Federal law that prohibits this - so if your machine is doing this, then I would strongly recommend you get it changed immediately.
You can see the law here: http://www.ncsl.org/programs/lis/privacy/CreditCardReceipts.htm. There have been various state laws prohibiting this since 1999 as you can see on that page as well. I do not believe the black marker would be enough. Shocked your processor is not proactively contacting you to get you to do this.
 
Thanks for the info John.
 
I believe this applies to the customer's receipt and not the merchants' receipt. Here is the copy of the text of the link above: only the last five digits of the card account number can be printed on electronically printed receipts provided to the customer. The new truncation requirement does not apply to handwritten receipts or receipts imprinted with a copy of the credit card. Is this your understanding?
 
I think you are correct, although isn't that what we were talking about here? I am having a hard time getting through all of the posts now, might be a good topic for another thread, but isn't that what was in question? Innkeepers were blacking out the credit card numbers on the receipts before giving to consumers?
Either way - whether it is paper for the consumer or the innkeeper - don't they print at the same time? Can't imagine it is not allowed to give the consumer a copy with their cc number on it, but it IS okay to keep one at property?
 
My cc machine prints a customer receipt with the 4 digits only then the merchants with all digits that they sign. Sorry if I am getting confused on the posts!
 
Mine does likewise.
 