Vantiv eprotect iframe Technical Assessment Paper Prepared for:
Vantiv eprotect iframe Technical Assessment Paper
Prepared for:
October 13, 2015
Contents

EXECUTIVE SUMMARY
  OVERVIEW
  ABOUT VANTIV EPROTECT
  OPERATIONAL FLOW
TECHNICAL ASSESSMENT
  AUDIENCE
  ASSESSMENT SCOPE
  MERCHANT PCI DSS COMPLIANCE APPLICABILITY
  TECHNICAL SECURITY ASSESSMENT
RECOMMENDED BEST PRACTICES
SUMMARY FINDINGS AND CONCLUSIONS

United States  Canada  LAC  United Kingdom  Europe  www.coalfire.com  Coalfire v
EXECUTIVE SUMMARY

Overview

As of July 2015, all eligible merchants and service providers are required to be compliant with PCI DSS v3.1, which defines new scoping guidelines for outsourced web payment capture solutions that are now considered part of Cardholder Data Environment (CDE). As a result, merchants and service providers must define their responsibilities in alignment with PCI DSS 3.1 when outsourcing their payment processing responsibilities to validated third parties. Merchants who outsource their payment processing responsibilities to PCI DSS-compliant third parties may still have to validate applicable security controls of their ecommerce environment based on their specific implementation approach. Payment brands allow Level 2[1], Level 3, and Level 4 merchants who do not electronically store, process, or transmit cardholder data on any of their systems or premises to validate their compliance using SAQ A or SAQ A-EP. Level 1 merchants who outsource their payment processing must discuss the validation requirements with their QSAs, acquirers, or payment brands to confirm which applicable controls remain.

Vantiv engaged Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to conduct an independent technical review of Vantiv's eprotect solution (formally known as Vantiv PayPage). Vantiv eprotect provides card-not-present data security for merchants needing to reduce their risk by completely eliminating the presence of cardholder data from their systems. Vantiv eprotect offers multiple integration approaches, and this technical assessment specifically addresses the Vantiv eprotect iframe integration methodology.
Coalfire's findings describe how the use of Vantiv eprotect iframe, implemented in alignment with the eprotect Integration Guide (v4.5/1.2), will significantly reduce the risk of account data compromise within a merchant's ecommerce environment, and how merchants will expect to receive applicable control reduction under PCI DSS v

[1] Level 2 merchants that choose to complete annual self-assessment questionnaire must ensure staff engaged in self-assessment attend PCI SSC ISA Training and pass associated accreditation program annually in order to continue option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire. MasterCard.com
About Vantiv eprotect

Vantiv eprotect is a comprehensive card-not-present data security solution that helps merchants solve initial data capture and cardholder data storage challenges by eliminating cardholder data from their systems, significantly reducing the threat of account data compromise and PCI applicable controls under PCI DSS v3.1.

To eliminate capture of cardholder data on their systems, merchants embed the iframe URL on their web page hosted by Vantiv's servers. Rich customization of the style and layout of the checkout experience allows the merchant's site to look and feel like the merchant's brand, while eliminating cardholder data from their systems.

To eliminate post-authorization cardholder data storage, Vantiv's OmniToken solution replaces clear cardholder values with tokens that can be used in place of payment data throughout merchant systems that virtually eliminate the risk of data theft.

The Vantiv eprotect environment is validated against PCI DSS (Vantiv ecommerce/litle & Co. Attestation of Compliance until Dec. 19, 2015).

Figure 1: Vantiv eprotect iframe Data Flow
Operational Flow

1. When a customer is ready to enter their cardholder data into the merchant's web page, the merchant web server delivers a form to the customer's web browser. The browser loads the iframe hosted by the eprotect server utilizing a third-party Content Delivery Network (CDN) provider to accelerate the content delivery.
2. The customer enters their PAN, optional security code (card verification values), and optional expiration date into the iframe fields and clicks the submit button on the merchant's page calling the eprotect server. Within the hosted iframe, JavaScript encrypts cardholder data with a 24-hour public-private key pair known only by Vantiv (RSA/ECB/PKCS1 Padding 2048 bits) and sends the encrypted message to the eprotect server via HTTPS/TLS v1.2* (Geotrust Global CA, SHA-1 with RSA 2048 bit encryption) through a third party CDN, using an HTTPS GET request. eprotect returns a non-sensitive, low-value token called a Registration ID in place of the Primary Account Number (PAN).
3. The merchant page submits the Registration ID and non-cardholder data elements to their web server for order processing.
4. Once the authorization request arrives at Vantiv, the Registration ID is converted to a high-value token called an OmniToken and returned to the merchant with the authorization response. No cardholder data is ever transmitted to the merchant's servers, since the page never had access to the payment information submitted via the Vantiv eprotect iframe.

* eprotect supports TLS v1.0 and higher as it utilizes field-level encryption with a public-private key pair prior to transmission, and is not limited by the TLS protocol version to meet applicable control reduction under PCI DSS v3.1.
TECHNICAL ASSESSMENT

As part of the technical assessment, Coalfire performed application and vulnerability testing, reviewed technical documentation (including the eprotect Integration Guide, v4.5/1.2), and interviewed subject matter experts to identify potential risks to cardholder data and reduction of applicable PCI DSS controls.

Audience

This technical assessment report has two relevant audiences.

I. Merchants, Developers, and Integrators: This audience will be able to clearly understand the reduction of applicable PCI DSS controls under v3.1 they will receive from implementing this solution.
II. QSAs and the Internal Audit Community: This audience will be able to clearly identify the impact on PCI DSS v3.1 validation on behalf of their merchants.

Assessment Scope

The scope of Coalfire's assessment focused on the critical elements that validate the security and effectiveness of the Vantiv eprotect iframe solution, the impact to the merchant's PCI responsibility when implementing eprotect, and remaining non-PCI required security best practices. Coalfire incorporated in-depth analysis of compliance fundamentals that are essential for evaluation. Coalfire also utilized reviews and feedback obtained from members of the PCI community.

Vantiv's eprotect iframe was assessed by Coalfire between April 6-18, Coalfire performed testing on the iframe solution via the Vantiv provided test website: ( The testing focused on packet captures, data contained in browser requests (GET and POST), and web application testing to confirm that Vantiv iframe is not vulnerable to attacks. Coalfire conducted technical remote lab testing in Vantiv labs in Lowell, Mass., encompassing merchant web pages, integration, transaction testing, and encryption in transmission.
Merchant PCI DSS Compliance Applicability

Based on analysis and testing, Coalfire recommends that merchant ecommerce environments that do not electronically store, process, or transmit cardholder data on their systems, and provide an iframe to a PCI DSS compliant third-party processor for payment processing, will be eligible to validate compliance with an SAQ A under PCI DSS v3.1. Discussed below are two use-cases when Vantiv iframe is deployed by merchants.

Use Case I: Level 2[1], Level 3, and Level 4 merchants defined by the payment brands that do not electronically store, process, and transmit cardholder data in their ecommerce environment, and implement eprotect iframe, will be eligible for SAQ A in alignment with the PCI DSS 3.1 standard. Merchants are required to consult their acquirer(s) or payment brands about individual PCI DSS validation requirements and their eligibility for submitting an SAQ.

Use Case II: Level 1 merchants will achieve reduction of applicable PCI controls for their ecommerce environment where cardholder data is not electronically stored, processed, or transmitted on systems when eprotect iframe has been implemented to handle all cardholder data responsibilities. Eligible merchant environments with Vantiv's eprotect iframe can be validated against applicable controls to the SAQ A.

Technical Security Assessment

Coalfire evaluated and tested Vantiv's eprotect iframe solution to determine applicable controls for PCI DSS v3.1.

Verification of Vantiv eprotect iframe:

- Coalfire simulated transactions that could occur on a merchant web page using known cardholder data and found non-sensitive plain text-data on the web pages.
- Encrypted cardholder data was observed through the sampled web pages.
- eprotect utilizes HTTPS TLS v1.2 as per PCI DSS 3.1 for all communications to and from the eprotect environment.
- Confirmed Vantiv eprotect environment is PCI DSS validated. (Vantiv ecommerce Attestation of Compliance (AOC) valid until Dec. 19, 2015).
- Registration ID (a non-sensitive value as defined by the PCI DSS Tokenization Standard) in place of the account number was returned from the Vantiv environment.
- eprotect iframe entirely removes exposure and storage of cardholder data on merchant servers by securely transmitting cardholder data directly from the customer's web browser to the Vantiv eprotect server, returning only tokenized data to the merchant environment.
- Performed web application penetration test using Burp Suite application scanning tool and confirmed that no vulnerabilities related to ecommerce application exist; however, could be vulnerable to known susceptibilities like clickjacking, if merchants do not handle their initiating web pages in a secure manner.

Figure 2: Vantiv eprotect iframe Browser Request from a Sample Transaction

GET Request to Vantiv eprotect from merchant environment shows those parameters containing PAN and Sensitive Authentication Data (CVV/CVV/CVV2) are encrypted using public private key pair implemented by Vantiv.

Figure 3: Vantiv eprotect iframe Request Parameters with Encrypted Data

Coalfire observed and analyzed traffic via Wireshark tool and confirmed that the transmission of data occurs over TLS v1.2.
Figure 4: Wireshark Transaction Capture

Assessment testing used transactions from Visa and Discover cards. No PAN or Sensitive Authentication Data (CVC/CVV/CVV2) was found unencrypted over public networks. Cardholder data was captured and transmitted on the Vantiv web pages, and no cardholder data was returned to the merchant test web pages. Data parameters received on merchant pages included first six and last four digits of initiating primary account number, registration ID, transaction ID, and other data elements essential for performing operations like returns, reversals, card verifications, refunds, data analytics, and reporting.
Figure 5: POST Request Data from Vantiv eprotect iframe (No Full Credit Card Number or Sensitive Authentication Data Exist)
RECOMMENDED BEST PRACTICES

While merchants that implement Vantiv iframe may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended they review PCI DSS requirements for elements of their ecommerce infrastructure since compromise of the merchant's web pages could potentially result in a compromise of the iframe, and failure to implement the solution in alignment with the eprotect Integration Guide could introduce risk to the environment, and merchants may no longer be eligible for control reduction. To help mitigate such risks within the merchant environment, Coalfire and Vantiv recommend the following additional security best practices for merchants that have implemented Vantiv iframe solution:

- Reviewing web pages periodically: Review the Vantiv eprotect source that is called from the merchant environment to validate the following source has not changed. (Please note the below is URL from test environment, merchants needs to ensure that the URL provided by Vantiv for production environment is appropriately reviewed.) <script type="text/javascript" src=" </script>
- Initiating new website and servers, including applicable PCI DSS requirements.
- Having written agreements with Vantiv (third-party service provider in this case) and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.
- Securing the web page(s) containing the iframe. iframes could be hijacked by sending customers to false payment pages where credit card data could be stolen. Coalfire recommends that merchants deploy and maintain the web pages in a secure manner.
- Ensuring transactions are received by acquirer on regular basis. Reconciliation of transactions can be performed frequently to know that source on merchant website has not been altered.
- Using TLS v1.2 or higher when transmitting cardholder data.
- Consider implementing a web application firewall or other intrusion-detection technologies to ensure web server's initiating requests are protected against attacks.
- Developing applications in alignment with PCI DSS compliance.
- Regularly monitoring links (URLs, iframes, APIs) from a merchant's website to the payment processor to ensure they have not been altered to redirect to unauthorized locations.
- Perform periodic web application penetration testing for the hosted ecommerce website.
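One way to automate the periodic source review and link monitoring recommended above, shown as an added example that is not Coalfire's or Vantiv's code. The origin https://payments.example.test, the sample pages and every function name are assumptions; the production URL to allow is the one Vantiv provides.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder origin. Use the production URL that Vantiv provides.
PAYMENT_ORIGIN = "https://payments.example.test"
# Tag -> attribute that can send the customer's browser somewhere else.
WATCHED = {"script": "src", "iframe": "src", "form": "action"}


class RefCollector(HTMLParser):
    """Collects (tag, url) for script/iframe sources and form actions."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.refs.add((tag, url.strip()))


def collect_refs(html):
    """Return the set of outbound references found in one page."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def audit_page(html, baseline_refs, allowed_origins):
    """Compare a page's outbound references with a reviewed baseline.

    Returns a sorted list of (finding, tag, url); an empty list means no drift.
    """
    findings = []
    current = collect_refs(html)
    for tag, url in current - baseline_refs:
        findings.append(("added", tag, url))
    for tag, url in baseline_refs - current:
        findings.append(("removed", tag, url))
    for tag, url in current:
        parts = urlsplit(url)
        if not parts.netloc:
            continue  # relative URL: served by the merchant's own site
        if parts.scheme.lower() != "https":
            findings.append(("not-https", tag, url))
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if origin not in allowed_origins:
            findings.append(("unexpected-origin", tag, url))
    return sorted(findings)


def sha256_hex(body):
    """Hex SHA-256 of a fetched script body (bytes)."""
    return hashlib.sha256(body).hexdigest()


def script_changed(body, baseline_sha256):
    """True when the fetched script no longer matches the reviewed hash."""
    return sha256_hex(body) != baseline_sha256


# Constructed sample pages (not taken from the assessment).
REVIEWED_PAGE = """
<form action="/order/submit" method="post">
  <script src="https://payments.example.test/js/client.js"></script>
  <iframe src="https://payments.example.test/iframe/checkout"></iframe>
</form>
"""
# The same page after its iframe reference has been altered.
ALTERED_PAGE = REVIEWED_PAGE.replace(
    "https://payments.example.test/iframe/checkout",
    "http://payments-example.test/iframe/checkout",
)
BASELINE = collect_refs(REVIEWED_PAGE)


def demo():
    """Audit the altered sample page against the reviewed baseline."""
    return audit_page(ALTERED_PAGE, BASELINE, {PAYMENT_ORIGIN})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on a schedule against the live checkout page, any non-empty result is a change to raise through the merchant's change-control and alerting process.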
Requirement 9 and 12 of PCI DSS are covered under SAQ-A. SAQ A-EP focuses on the following additional areas:

- Requirement 1: Install and maintain a firewall configuration to protect data (firewall and router configurations hardening).
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (initiating web server configurations hardening).
- Requirement 3: Protect stored cardholder data (ensure card verification values or Personal Identification Number (PIN) is not stored after authorization).
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (ensure cardholder data is transmitted only through Vantiv, and does not facilitate transmission via any other means).
- Requirement 5: Protect all systems against malware and regularly update anti-virus software programs.
- Requirement 6: Develop and maintain secure systems and applications (have process for identifying security vulnerabilities, patching of systems, change control processes, develop applications based on secure coding guidelines, and web application firewall).
- Requirement 7: Restrict access to cardholder data by business need to know (access to cardholder data environment systems should be limited).
- Requirement 8: Identify and authenticate access to system components (assign unique IDs, enable remote access only when needed, follow two-factor and password procedures).
- Requirement 10: Track and monitor all access to network resources and cardholder data (monitor the security of the server and application ensuring that audit trails and alerts are in place - such as detecting and alerting upon unauthorized changes to the payment page).
- Requirement 11: Regularly test security systems and processes (engage an Approved Scanning Vendor [ASV] to perform quarterly external vulnerability scans, and perform the penetration testing and have change detection mechanism deployed within the cardholder data environment, especially initiating web server).
SUMMARY FINDINGS AND CONCLUSIONS

Based upon interviews with Vantiv personnel and review of supported documentation, it is Coalfire's opinion that merchants who properly utilize Vantiv data security technologies will reduce their risk of account data compromise and receive PCI DSS applicable control reduction. Merchant ecommerce environments that do not touch cardholder data and implement Vantiv's eprotect iframe will be eligible for SAQ A. The remaining security responsibilities of the merchant's environment are not applicable to PCI DSS.

The following are important highlights of Coalfire's technical evaluation. A properly designed and deployed Vantiv iframe solution can:

- Reduce the risk of compromise of cardholder data for a merchant environment.
- Reduce the attack surface and threat environment for a merchant.
- Significantly reduce the number of applicable PCI DSS controls and validation requirements for merchants.
- Minimize the exposure of plain text cardholder data for the merchant when Vantiv eprotect is used.

While achieving risk and PCI applicable control reduction, implementing Vantiv eprotect does not fully outsource the merchant's payment responsibilities. Vantiv eprotect iframe should not lower a merchant's sensitivity to the security of their ecommerce environment, nor does it fully outsource all their PCI DSS compliance responsibilities.

Legal Disclaimer

The opinions and findings within this evaluation are solely those of Coalfire and do not represent any assessment findings, or opinions, from any other parties. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS, et.al). Consequently, any forward-looking statements are not predictions and are subject to change without notice.
While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; Neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.
More informationData Protection Policy & Procedure
Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015
More informationFCA US INFORMATION & COMMUNICATION TECHNOLOGY MANAGEMENT
EDI ROADMAP FCA US INFORMATION & COMMUNICATION TECHNOLOGY MANAGEMENT FCA US EDI Radmap Business Requirement All FCA suppliers and carriers are required t establish an Electrnic Data Interchange (EDI) cnnectin.
More informationPresentation: The Demise of SAS 70 - What s Next?
Presentatin: The Demise f SAS 70 - What s Next? September 15, 2011 1 Presenters: Jeffrey Ziplw - Partner BlumShapir Jennifer Gerasimv Senir Manager Delitte. SAS 70 Backgrund and Overview Purpse f a SAS
More informationHP ValuPack Consulting Description OpenVMS Engineering Change Order (ECO) Patch List
HP ValuPack Cnsulting Descriptin OpenVMS Engineering Change Order (ECO) Patch List HP ValuPacks are standardized cnsulting services, prvided by HP Slutin Center Service Prfessinals, with pre-defined custm
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT Draft Regulatry Cmpliance Management Guideline Released by the Office f the Superintendent f Financial Institutins May 5, 2014 On April 30, 2014, the Office f the Superintendent
More informationLicensing Windows Server 2012 for use with virtualization technologies
Vlume Licensing brief Licensing Windws Server 2012 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents This
More informationData Protection Act Data security breach management
Data Prtectin Act Data security breach management The seventh data prtectin principle requires that rganisatins prcessing persnal data take apprpriate measures against unauthrised r unlawful prcessing
More informationCloud Services Frequently Asked Questions FAQ
Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like
More informationNuance Healthcare Services Project Delivery Methodology
NUANCE PROFESSIONAL SERVICES Nuance Healthcare Services 2008 Nuance Cmmunicatins, Inc. All rights reserved. Nuance Healthcare Services 1 INTRODUCTION This dcument describes the prject management methdlgy
More informationPCI DSS Cloud Computing Guidelines
Standard: PCI Data Security Standard (PCI DSS) Versin: 2.0 Date: February 2013 Authr: Clud Special Interest Grup PCI Security Standards Cuncil Infrmatin Supplement: PCI DSS Clud Cmputing Guidelines Table
More informationElectronic Data Interchange (EDI) Requirements
Electrnic Data Interchange (EDI) Requirements 1.0 Overview 1.1 EDI Definitin 1.2 General Infrmatin 1.3 Third Party Prviders 1.4 EDI Purchase Order (850) 1.5 EDI PO Change Request (860) 1.6 Advance Shipment
More informationInternal Audit Charter and operating standards
Internal Audit Charter and perating standards 2 1 verview This dcument sets ut the basis fr internal audit: (i) the Internal Audit charter, which establishes the framewrk fr Internal Audit; and (ii) hw
More informationSupport Services. v1.19 / 2015-07-02
Supprt Services v1.19 / 2015-07-02 Intrductin - Table f Cntents 1 Intrductin... 3 2 Definitins... 4 3 Supprt Prgram Feature Overview... 5 4 SLA fr the Supprt Services... 6 4.1 Standard Supprt... 6 4.2
More informationImplementing SQL Manage Quick Guide
Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL
More informationBill Payment Agreement & Disclosures
Bill Payment Agreement & Disclsures Welcme t Online Banking Bill Payment Service. Use f the Bill Payment Service indicates acceptance f terms and cnditins set frth in the Online Banking Agreement & Disclsures
More informationIntel Hybrid Cloud Management Portal Update FAQ. Audience: Public
Intel Hybrid Clud Management Prtal Update FAQ Audience: Public Purpse: Prepare fr the launch f the Intel Hybrid Clud Platfrm multi-user/multi-tier update Versin: Final FAQs What s new in the Intel Hybrid
More informationOffice Use Only Account # Approved By:
Office Use Only Accunt # Apprved By: Dealer Applicatin Please cmplete and submit this applicatin alng with a cpy f yur (EIN) Federal Tax Id Number certificate befre placing yur 1 st rder. We will review
More informationImproved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1
Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues
More informationHP ValuPack Consulting Description Red Hat Linux System Performance Monitoring & Tuning
HP ValuPack Cnsulting Descriptin Red Hat Linux System Perfrmance Mnitring & Tuning HP ValuPacks are standardized cnsulting services, prvided by HP Slutin Center Service Prfessinals, with pre-defined custm
More informationDates Visa MasterCard Discover American Express. Acquirers, subprocessors. support EMV International ATM liability shift 2
Netwrk Updates Summer 2015 We are cmmitted t wrking clsely with yu n achieving yur business gals. As a part f this cmmitment, we carefully mnitr Netwrk changes and summarize them fr yur cnvenience. Fllwing
More informationHP ValuPack Consulting Description Security Vulnerability Solution ValuPack
HP ValuPack Cnsulting Descriptin Security Vulnerability Slutin ValuPack HP ValuPacks are standardized cnsulting services, prvided by HP Cntact Center Service Prfessinals, with pre-defined custm deliverables
More informationFORM ADV (Paper Version) UNIFORM APPLICATION FOR INVESTMENT ADVISER REGISTRATION AND REPORT FORM BY EXEMPT REPORTING ADVISERS
APPENDIX A FORM ADV (Paper Versin) UNIFORM APPLICATION FOR INVESTMENT ADVISER REGISTRATION AND REPORT FORM BY EXEMPT REPORTING ADVISERS Frm ADV: General Instructins Read these instructins carefully befre
More informationPROCESSING THROUGH MPS and AVIMARK
Befre using McAllister Payment Slutins (MPS) as yur pint-f-sale and/r integrated credit card prcess slutin, the McAllister Payment Slutins PA- DSS Implementatin Guide must be reviewed in its entirety.
More information9 ITS Standards Specification Catalog and Testing Framework
New Yrk State ITS Standards Specificatin Develpment Guide 9 ITS Standards Specificatin Catalg and Testing Framewrk This chapter cvers cncepts related t develpment f an ITS Standards Specificatin Catalg
More informationPayment Card Industry (PCI) Qualified Integrators and Resellers
Payment Card Industry (PCI) Qualified Integratrs and Resellers Prgram Guide Versin 3.0 September 2015 Dcument Changes Date Versin Descriptin August 2012 1.0 Initial release f the PCI Qualified Integratrs
More informationUsing McAllister Payment Solutions and Updating to AVImark version 2009.0.0.7263
Using McAllister Payment Slutins and Updating t AVImark versin 2009.0.0.7263 Befre the cnfiguratin f McAllister Payment Slutins (MPS) and AVImark, the McAllister Payment Slutins PA-DSS Implementatin Guide
More informationCSC IT practix Recommendations
CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins
More informationAccess to the Ashworth College Online Library service is free and provided upon enrollment. To access ProQuest:
PrQuest Accessing PrQuest Access t the Ashwrth Cllege Online Library service is free and prvided upn enrllment. T access PrQuest: 1. G t http://www.ashwrthcllege.edu/student/resurces/enterlibrary.html
More informationISO Management Systems. Guidance on understanding the benefits of an ISO Management System
ISO Management Systems Guidance n understanding the benefits f an ISO Management System Welcme & Intrductins 4031 University Drive, 206, Fairfax, VA 22030 3 Grant Square, 243, Hinsdale, IL 60521 www.radiancmpliance.cm
More informationAgency Fund (Non-Student Org X-Fund) Guidelines Last Revision: 12/7/2009
Agency Fund (Nn-Student Org X-Fund) Guidelines Last Revisin: 12/7/2009 Definitin f Agency Fund: An Agency Fund cnsists f funds held by Eastern Michigan University as custdian r fiscal agent fr thers, such
More informationHP Point of Sale FAQ Warranty, Care Pack Service & Support. Limited warranty... 2 HP Care Pack Services... 3 Support... 3
HP Pint f Sale FAQ Warranty, Care Pack Service & Supprt Limited warranty... 2 HP Care Pack Services... 3 Supprt... 3 Limited warranty Q: What des a 3/3/3 limited warranty mean? A: HP Retail Pint f Sale
More informationHP ValuPack Consulting Description OpenVMS Replacement Software Distribution Kit
HP ValuPack Cnsulting Descriptin OpenVMS Replacement Sftware Distributin Kit HP ValuPacks are standardized cnsulting services, prvided by HP Cntact Center Service prfessinals, with pre-defined custm deliverables
More informationSaaS Listing CA Cloud Service Management
SaaS Listing CA Clud Service Management 1. Intrductin This dcument prvides standards and features that apply t the CA Clud Service Management (CSM) SaaS ffering prvided t the Custmer and defines the parameters
More informationAn Introduction To Credit Card Processing
An Intrductin T Credit Card Prcessing Davisware 514 Market Lp West Dundee, IL 60118 Phne: (847) 426-6000 Fax: (847) 426-6027 Cntents are the exclusive prperty f Davisware. Cpyright 2011. All Rights Reserved.
More informationUsing PayPal Website Payments Pro with ProductCart
Using PayPal Website Payments Pr with PrductCart Overview... 2 Abut PayPal Website Payments Pr & Express Checkut... 3 What is Website Payments Pr?... 3 Website Payments Pr and Website Payments Standard...
More informationChristchurch Polytechnic Institute of Technology Access Control Security Standard
CPIT Crprate Services Divisin: ICT Christchurch Plytechnic Institute f Technlgy Access Cntrl Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument CPP121a Principles Infrmatin
More informationFAYETTEVILLE STATE UNIVERSITY
FAYETTEVILLE STATE UNIVERSITY IDENTITY THEFT PREVENTION (RED FLAGS RULE) Authrity: Categry: Issued by the Fayetteville State University Bard f Trustees. University-Wide Applies t: Administratrs Faculty
More informationWEB APPLICATION SECURITY TESTING
WEB APPLICATION SECURITY TESTING Cpyright 2012 ps_testware 1/7 Intrductin Nwadays every rganizatin faces the threat f attacks n web applicatins. Research shws that mre than half f all data breaches are
More informationIntroduction to Mindjet MindManager Server
Intrductin t Mindjet MindManager Server Mindjet Crpratin Tll Free: 877-Mindjet 1160 Battery Street East San Francisc CA 94111 USA Phne: 415-229-4200 Fax: 415-229-4201 mindjet.cm 2013 Mindjet. All Rights
More informationService Request Form
New Prfessinal Services Order Frm Editable PDF Service Request Frm If yu have any questins while filling ut this frm, please cntact yur CDM, email Prfessinal Services at PS@swipeclck.cm, r call 888-223-3250
More informationInstallation Guide Marshal Reporting Console
Installatin Guide Installatin Guide Marshal Reprting Cnsle Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 2 Sftware Prerequisites 3 Installatin Prcedures 3 Appendix: Enabling
More informationSession 9 : Information Security and Risk
INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Infrmatin Management Framewrk 2 Infrmatin
More informationLicensing Windows Server 2012 R2 for use with virtualization technologies
Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents
More informationGETTING STARTED With the Control Panel Table of Contents
With the Cntrl Panel Table f Cntents Cntrl Panel Desktp... 2 Left Menu... 3 Infrmatin... 3 Plan Change... 3 Dmains... 3 Statistics... 4 Ttal Traffic... 4 Disk Quta... 4 Quick Access Desktp... 4 MAIN...
More informationIntroduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved.
Rev 7.5.0 Intrductin 2 LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE 2015 Savisin B.V. savisin.cm All rights reserved. This manual, as well as the sftware described in it, is furnished under license and
More informationIMT Standards. Standard number A000014. GoA IMT Standards. Effective Date: 2010-09-30 Scheduled Review: 2011-03-30 Last Reviewed: Type: Technical
IMT Standards IMT Standards Oversight Cmmittee Gvernment f Alberta Effective Date: 2010-09-30 Scheduled Review: 2011-03-30 Last Reviewed: Type: Technical Standard number A000014 Electrnic Signature Metadata
More informationBLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS
BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS SERIES: 1 General Rules RULE: 17.1 Recrd Retentin Scpe: The purpse f this rule is t establish the systematic review, retentin and destructin
More information