PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Transcription

1 What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers through an evolving set of mandatory requirements & guidelines covering security, policies, procedures, network/software design and other critical protective measures. PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. The twelve requirements of the PCI DSS are defined as follows: The PCI Data Security Standard GOAL Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Control Measures Regularly Monitor and Test REQUIREMENT 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network Updated May17.10 Page 1

2 Networks Maintain an Information Security Policy resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors What are the Associations or brands that participate in PCI DSS? American Express, Discover Financial Services, JCB International (Japanese Credit Bureau), MasterCard Worldwide, and Visa, Inc. Who is affected? All UM Merchants and staff members with access to cardholder information and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS. This essentially means that if your unit or department accepts credit or debit cards as a form of payment, you are affected. What if we are not compliant? Non-compliance can result in fines (up to $500K for a breach), fees (up to $10K/month for noncompliance) or assessments and/or termination of processing services ( ie. the merchant will be unable to accept credit as payment). In the event of a breach and depending on existing assessment level, the assessment level of the organization will also increase requiring on-site security audits of all aspects involved. When do we need to be compliant? July 1, After that, compliance will be reviewed on an annual basis. What is meant by Cardholder Data? Cardholder data refers to any information contained on a customer s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded in the backside of the card. Some payment cards store data in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date and the 3-4 digit card verification number (CVV2). The CVV2 may be on the back, depending on the card. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization. Updated May17.10 Page 2

3 What are the Basic PCI Data Storage Guidelines for UM Merchants In general, no payment card data should ever be stored by a merchant unless it s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. Only the PAN, expiration date, service code, or cardholder name may be stored, and merchants must use technical precautions for safe storage. Other storage guidelines include: paper media containing cardholder data must be securely stored; responsibility is assigned for ensuring that storage standards are maintained and strict control is maintained over access to the stored documents; documents are shredded or destroyed in a manner that prevents reconstruction of the information once the receipt information is no longer required for business purposes. Data must not be disclosed except for business purposes. Printed personal account numbers must be encrypted to ensure that all but the last 4 digits are suppressed or masked. University employees with access to cardholder data are responsible for holding the data securely and confidentially at all times. Never leave credit card information unattended To view technical requirements for data storage: How Long May I Retain Cardholder Information? Per the University s Merchant Agreement with TD bank, VISA transaction records should be retained for a 12 month period; Master Card transactions for 18 months, to coincide with the chargeback period. What information is Required on a POS Terminal Receipt? Each copy of a terminal receipt shall satisfy all requirements of applicable law, and shall contain the following information: Doing Business As (DBA) merchant name, city and state, country, or the point of banking location Transaction date The primary account number (PAN) Transaction amount in the original transaction currency Adequate space for the customer s signature (required on merchant copy only) Authorization approval code (except on credit receipts). Merchant s signature on credit receipts only. Each receipt shall clearly identify the transaction as a retail sale, credit, or cash disbursement Updated May17.10 Page 3

4 In addition, the cardholder receipt generated by all electronic POS terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits of the PAN must be replaced with fill characters, such as X, *, or #, that are neither blank spaces nor numeric characters. Receipts must also exclude the card expiration date. What are the different methods of accepting payment and where is the risk? 1. Manual Processing using Interactive Voice Recognition (IVR) Merchants accept credit card information over the phone, by fax or in person and phone in the data to TD for authorization using a touch tone phone. The merchant uses a manual imprinter to provide a receipt to the customer. (aka Card not Present processing) The risk is associated with storage of paper media containing credit cardholder information. 2. TD POS terminals Merchants accept credit card information over the phone, by fax or in person and process the transaction using a standalone POS terminal. All terminals supplied by TD are PCI compliant. This assumes that credit card data is not being stored electronically. Ie. the POS terminal is not electronically feeding cardholder information to storage media attached to the terminal. Electronic storage of data on the University s servers is NOT ADVISED. Where Card not Present (CNP) transactions are keyed, not swiped, the CVV2 should also be included with the information requested. However, the CVV2 may not be stored for any purpose. 3. E-commerce merchants (web merchants): Payments are processed through a web application developed with the cooperation and assistance of UM s IST department. The web application utilizes Beanstream.com as the payment service provider and deposits are directed to the UM bank account. Sales transaction activity should take place only on Beanstream s site. Paper records need not be retained. Transaction information is available from Beanstream. Updated May17.10 Page 4

5 Beanstream provides a PCI compliant service and all web sites developed through appropriate channels at UM are certified by TD bank as PCI compliant before being permitted to go live. Therefore the inherent risks for web merchants are either with paper storage (the same as for methods 1 & 2) or electronic data storage. PCI DSS Compliance for electronic data storage requires that Web Merchants not store electronic credit card data on UM servers. 4. Standalone systems provided by third party vendors. Each third party vendor must provide assurance that their product is PCI DSS compliant. For example, vendors will be asked to confirm that software is not storing any prohibited data (chip, magnetic stripe data, or the CVV2) after a transaction is authorized. If it does, these data elements must be removed immediately, including any historical data that has been stored in a database or in log files. In addition, account numbers transmitted over public networks such as internet or wireless must be encrypted during transmission. For most systems, the transmission of data is through Beanstream, which is considered to be PCI compliant. Non compliant products must be upgraded, replaced, or discontinued within a reasonable time frame. Depending on the nature of non compliance, discontinuance may be immediate. Updated May17.10 Page 5

6 What are the PCI Data Storage Dos and Don ts : Requirement 3 of the Payment Card Industry s Data Security Standard (PCI DSS) is to protect stored cardholder data. The matrix below shows basic do s and don ts for data storage security. Data Do s Data Don ts Do understand where payment card data flows for the entire transaction process Do verify that your payment card terminals comply with the PCI personal identification number (PIN) entry device (PED) security requirements Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS) Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure it is protected Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals Do ensure that third parties who process your customers payment cards comply with PCI DSS, PED and/or PA-DSS as applicable. Have clear access and password protection policies Do not store cardholder data unless it s absolutely necessary Do not store sensitive authentication data contained in the payment card s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization Do not have PED terminals print out personally identifiable payment card data; printouts should be truncated or masked Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room Do not permit any unauthorized people to access stored cardholder data Updated May17.10 Page 6

7 Technical Guidelines for PCI Data Storage Element Sto Data Element Storage Permitted Cardholder Data Primary Account Number (PAN) Protection Required Yes Yes Yes PCI DSS Req. 3.4 Sensitive Authentication Data[2] Cardholder Name[1] Yes Yes No Service Code1 Yes Yes No Expiration Date1 Yes Yes No Full Magnetic Stripe Data No N/A N/A [3] CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A [1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company s practices if consumer related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted. [2] Sensitive authentication data must not be stored after authorization (even if encrypted). [3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere. Technical Guidelines for Protecting Stored Payment Card Data At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored including portable digital media, backup media, and in logs. Software solutions for this requirement may include one of the following: One-way hash functions based on strong cryptography also called hashed index, which displays only index data that point to records in the database where sensitive data actually reside. Truncation removing a data segment, such as showing only the last four digits. Index tokens and securely stored pads encryption algorithm that combines sensitive plain text data with a random key or pad that works only once. Strong cryptography with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of strong cryptography. Some cryptography solutions encrypt specific fields of information stored in a database; others encrypt a singular file or even the entire disk where data is stored. If full-disk encryption is used, logical access must be managed independently of native operating system access control mechanisms. Updated May17.10 Page 7

8 Decryption keys must not be tied to user accounts. Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse. All key management processes and procedures for keys used for encryption of cardholder data must be fully documented and implemented. For more details, see PCI DSS Requirement 3. Useful Information Links: PCI Quick reference guide: A guide to recognizing credit card fraud: Credit Card Security Features: Updated May17.10 Page 8