
DRAFT

Six Recommendations to MasterCard and Visa to Improve Credit and Debit Cardholder Security

Presented by The American Bankers Association National Bank Card Fraud Task Force in an effort to give consumers better protection and comfort while using the payment system.

November 2010

Decision Item 1: LIABILITY SHIFT IN ACCOUNT DATA COMPROMISED CASES

Business Owners: Security and Risk Management

Impact: Financial accountability has been the linchpin that holds all competing entities together in the payment industry. When one side does not uphold its agreement, the end result can be a shift in the delicate balance, resulting in increased liability where it did not belong. This is the impact that recent cases of account data compromises have caused as a result of merchant mismanagement and negligence. As a result, literally millions of dollars in fraud losses have come to bear on unsuspecting consumer cardholders and Issuers.

Anticipated Implementation Date: To be determined

Proposal: In cases of confirmed account data compromises, Issuers would not only recoup monitoring costs and re-issuance costs but could also charge back any fraud losses directly related to the merchant compromise. A separate chargeback reason code would be established for these chargebacks.

Background: As the number of account data compromises increases, Issuers, and subsequently consumers, are clearly feeling the negative financial effects of these cases. Large numbers of accounts could easily cost an Issuer thousands of dollars per compromise in actual fraud losses. Today those losses are the responsibility of the Issuer even though they were the direct result of Merchant negligence. While holding Acquirers responsible for the actions of their Merchants has long been an established principle of the payment industry, these cases are the one exception to that rule. The consequence has been merchant complacency, as Merchants realize they have limited liability should a compromise occur. This puts consumer data security at risk. If Merchants were held totally accountable for ALL fraud losses they caused, they would have a greater incentive to ensure their systems were totally secure.

Benefit: Fraud losses will only decrease if all parties, Merchants, Acquirers and Issuers, do their utmost to limit risk. Financial incentives or penalties have long been the catalyst for change. If Merchants/Acquirers are fully accountable for all losses they cause, this will lead to behavioral changes which will ultimately lead to lower losses. This will benefit the entire Bankcard community and, most importantly, consumers, the unsuspecting victims.

Recommendation: Hold Merchants liable for all fraud losses that are caused as a direct result of an account data compromise. A separate chargeback reason code would be established for Issuers to use in these cases.

Pending Action: Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

Decision Item 2: COMMUNICATION REGARDING ALERT NOTIFICATION

Business Owners: Security and Risk Management

Impact: Many small and medium sized Issuers do not receive timely notification regarding security breaches, impacting their ability to protect their customers. Smaller institutions (affiliates) sponsored by another financial institution may never be officially notified of the problem. Better communication between MasterCard and Visa and ALL Issuing Members, regardless of size or sponsoring status, would lead to better consumer notification and information, quicker blocking of potentially fraudulent accounts and lower fraud losses.

Anticipated Implementation Date: To be determined

Proposal: To allow the direct and concurrent notification of all MasterCard and Visa Issuers, principal members, affiliate and agent banks, including processors, in instances where an account has been compromised.

Background: Immediately upon notification of a security breach, MasterCard through MasterCard Alerts and Visa through CAMS will electronically notify all Issuers of the card numbers that have been affected. The notification will include a Universal Compromise Reference Number (UNICORN), developed by the card brands to identify each incident. As soon as the source and location of a security breach is determined, that information should be communicated to all affected banks and financial institutions via the UNICORN, so they can protect their customers and themselves. The information must include, but not be limited to, the actual data that was possibly compromised along with the card number (i.e., expiration date, name, address, etc.). With this information, during the process of contacting victimized consumers, banks will be able to properly explain to them how their cards were compromised and what information is at risk. This method of communicating to all Issuers will not supersede the other mechanisms and procedures in place for all other operating procedures. Specifically, these procedures are authorizations, chargebacks, settlement, etc., and they will continue under existing communication lines to Processors, Issuers or Affiliates.

Benefit: This simple, but powerful, rule change will give all MasterCard Members and Visa Members, irrespective of status, the ability to provide immediate customer attention on accounts that have been compromised and reduce their risk. Issuers can be proactive in providing positive public relations and customer information instead of reacting after customers hear about compromised accounts through the news media. These media negatively portray banks' efforts to safeguard account information and put banks on the defensive. Being informed immediately by MasterCard and Visa would counter and eliminate these negative influences.

Recommendation: Mandate that banks receive notification directly from MasterCard or Visa regarding compromised accounts.

Pending Action: Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

Decision Item 3: MERCHANT SOFTWARE SYSTEM CERTIFICATION

Business Owners: Merchant Services

Impact: The payment systems are losing millions of dollars on a yearly basis due to neglect and poorly designed merchant software systems. MasterCard and Visa's inability to exercise any control over this vital segment has created a risk to members that needs to be addressed.

Implementation Date: To be determined

Proposal: All merchant software vendors must register with MasterCard and Visa that they are compliant with minimum standards as set forth by each association. Failure to do so would lead to de-certification and publication of the vendor name and software system in an operations and financial bulletin to all members.

Background: In certain instances merchants have purchased software inventory systems that manage multiple tasks including payments, inventory control and billing. To their surprise, this software also captures full magnetic stripe data and stores that data. Other examples include third-party vendors that provide payment services and are also capturing the data. Neither ignorance of their own system's capabilities or shortcomings, nor that of any third party they contract with, should absolve the merchant from liability. All merchants must be certified as PCI compliant as soon as possible.

Benefit: Only by holding merchants financially accountable for all actions that originate with them will they have a vested interest in helping solve this growing risk. By ensuring each vendor and merchant software provider meets stringent standards, the threat of penalties will be lessened and the industry will be able to mitigate losses and keep them to a minimum.

Recommendation: MasterCard and Visa will establish minimum data requirements and standards for all merchant software systems. After a short grace period each Acquirer must certify, through an audit, that they meet these minimum standards.

Pending Action: Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

Decision Item 4: COMMUNICATION TO BANKS ON THE SEVERITY OF SECURITY BREACH AND DISCLOSING NAME OF THE MERCHANT

Business Owners: Security and Risk Management

Impact: Security breaches of merchant databases holding consumer cardholder data have become far too common. Issuers receive so many notices from MasterCard and Visa that security and fraud staffs can become complacent due to the regularity of these notices. The impact of not understanding the severity of these breaches and not knowing the merchant name can cost members millions of dollars.

Anticipated Implementation Date: To be determined

Proposal: MasterCard and Visa must set up a system to more accurately portray the severity of breaches in compromised account data cases. In addition, the Merchant name must be disclosed. The system and definitions must be clearly communicated to all members. This can be accomplished with a non-disclosure agreement.

Background: The burden has rested on the Issuing Banks to make a determination, with limited information at best, regarding the actions to be taken in account data compromises. A wrong decision, to monitor accounts rather than block and re-issue, could cost Issuers millions of dollars in future losses and place an unfair burden on the consumer. The opposite decision, to block and re-issue all affected accounts, could cost the Issuer thousands of dollars in card issuance costs and communication costs to their cardholders. At times these actions provide no tangible benefit. After some cardholders have had their cards re-issued two or three times, they have lost their trust in the payment systems and no longer use their plastic. Issuers must be informed of the severity of a breach to prevent these all too frequent occurrences. This problem is compounded by the myriad state data security statutes that have recently been enacted in response to it.

Benefit: Keeping consumers happy is paramount to a successful issuing program. Informed decision making, due to better and more complete information from both MasterCard and Visa regarding the security of account data compromises, would go a long way in keeping consumers satisfied and their personal information safe.

Recommendation: MasterCard and Visa must set up a system to more accurately describe the severity of a security breach at a merchant and also disclose the merchant name.

Pending Action: Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

Decision Item 5: CHANGE IN METHODOLOGY FOR SECURITY BREACHES

Business Owners: Security and Risk Management

Impact: Issuers are unfairly bearing the brunt of costs associated with Merchant/Acquirer security breaches. The pre-compliance process devised to allow banks an opportunity to seek reimbursement for expenses related to a security breach they are not responsible for seems designed to make it highly unlikely that any financial institution will ever recover any expenses. The process needs to be streamlined so Issuers can seek recovery of card replacement costs associated with security breaches. As Issuers receive fairer reimbursement, Merchants/Acquirers will be forced to protect customer data or risk extreme financial penalties or liabilities.

Anticipated Implementation Date: To be determined

Proposal: To shorten the time frame in which Issuers receive reimbursement for monitoring accounts and card losses from compromised accounts. In addition, Issuers need to be granted more time to file compromised account data cases, partly because the administrative effort has become more complex.

Background: The number of known security incidents has grown from relatively few cases in 2000 to over 260 million records by one account in 2009, and increases every year. In almost all cases the Merchant/Processor/Acquirer stored cardholder data, and this has been acknowledged to be in violation of MasterCard and Visa rules. Despite the massive negative publicity and harm to the consumer these cases have generated, the storage of cardholder data continues, and MasterCard and Visa have been powerless to stop it. As with all business decisions, the only true remedy is a financial one. The cost of storing cardholder data must be increased dramatically to ensure all relevant parties cease this practice immediately. Issuers must be given better, more complete and timely information on merchant name, city and state and details of how the data was compromised. This will enable Issuers to respond more proactively with their cardholders, the media and their shareholders and give them an opportunity to better protect their accounts. The time frame must also be extended for Issuers to file a claim, and a timetable must be established whereby Issuers will be reimbursed. Today a great many months go by before an Issuer is paid, and the whole process may take one to two years. In the meantime the Issuer is out these funds and is bankrolling the merchant during this period.

Benefit: The current process for reimbursement is long, cumbersome and costly for Issuers. Changing and expediting the reimbursement period, while also providing Issuers additional time to prepare claim submissions, would lower operational and administration costs and therefore increase profits. Merchants/Acquirers would be held more accountable financially for their actions.

Recommendation: To provide a 90 day time frame for Issuers to be reimbursed after claim submission and a 90 day period after the security bulletin for a claim to be filed.

Pending Action: The committees are asked to evaluate and pass the proposed new rules on changes in methodology.

Decision Item 6: SECURE CODE AND VERIFIED BY VISA

Business Owners: Security and Risk Management

Impact: The internet is still considered unsafe by many cardholders, who are constantly reminded via the media (television, newspapers and radio) of identity theft and merchant database compromises. Consumers are quickly losing confidence in the ability of the payment system to protect their account information, and the impact of this is enormous.

Implementation Date: To be determined

Proposal: All MasterCard and Visa E-Commerce merchants must register that they have complied with all requirements for Secure Code or Verified by Visa.

Background: Numerous major vendors/merchants have publicly admitted to withholding the full extent of the number of compromised accounts in their databases. This has led to consumer outrage and congressional hearings on this subject. Merchants can no longer be trusted to protect cardholder data by themselves. The only proper way to achieve full compliance is to mandate that merchants register and comply with these programs. If they do not, Acquirers must either be forced to terminate their merchant relationship, no longer letting them accept MasterCard and Visa cards and present them into settlement, or accept a $25,000 fine per month. (This is the same penalty that Issuers face.)

Benefits: While E-Commerce transactions show a steady increase, the number of consumers that will embrace purchasing via non-face-to-face methods will not reach its potential without better security measures. MasterCard, Visa, Acquirers and Issuers have spent great sums of money on Secure Code and Verified by Visa but have seen relatively few merchants avail themselves of this optional service. While making these programs mandatory will surely decrease the number of merchants accepting credit and debit cards, it will make the merchants that remain more secure. This will result in greater profitability for Merchants, Acquirers, Issuers, MasterCard and Visa and renewed commitment by consumers to use their debit cards.

Recommendation: Effective as soon as possible, all merchants must register for either Secure Code or Verified by Visa or face a $25,000 fine per month or be terminated.

Pending Action: Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.


More information

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i. Prepared by Treasury Office. This amends A8.710 dated July 2001. A8.710 April 2005 A8.700 TREASURY P 1 of 5 A8.710 Credit Card Program 1. Purpose To provide uniform procedures for the processing of credit

More information

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc. Payment Methods The cost of doing business Michelle Powell - BASYS Processing, Inc. You ve got to spend money, to make money Major Industry Topics Industry Process Flow PCI DSS Compliance Risks of Non-Compliance

More information

Merchant Gateway Services Agreement

Merchant Gateway Services Agreement Merchant Gateway Services Agreement This Merchant Gateway Services Agreement ( Agreement ) is made as of, 20 ( Effective Date ), by and between American POS Alliance, LLC ( Reseller ) and the merchant

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007 Sense of Security Pty Ltd (ABN 14 098 237 908) 306, 66 King St Sydney NSW 2000 Australia Tel: +61 (0)2 9290 4444 Fax: +61 (0)2 9290 4455 info@senseofsecurity.com.au PCI Compliance : What does this mean

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 7 Proposed Policy Number and Title: 457 PCI DSS Compliance Existing Policy Number and Title: Not applicable Approval Process* X Regular Temporary Emergency Expedited X New New New Revision Revision

More information

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk

More information

Actorcard Prepaid Visa Card Terms & Conditions

Actorcard Prepaid Visa Card Terms & Conditions Actorcard Prepaid Visa Card Terms & Conditions These Terms & Conditions apply to your Actorcard prepaid Visa debit card. Please read them carefully. In these Terms & Conditions: "Account" means the prepaid

More information

The Dark Side of a Payment Card Breach

The Dark Side of a Payment Card Breach The Dark Side of a Payment Card Breach Road Map Introduction The Rules of the Game Pitfalls & Strategies Takeaways Q&A The Rules of the Game What is the Game? Payment Card Industry Data Security Standard

More information

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS: Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal

More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

MAINE DATA BREACH STUDY Pursuant to Resolve 2007, Chapter 152

MAINE DATA BREACH STUDY Pursuant to Resolve 2007, Chapter 152 MAINE DATA BREACH STUDY Pursuant to Resolve 2007, Chapter 152 PREPARED BY THE STAFF OF THE MAINE BUREAU OF FINANCIAL INSTITUTIONS November 24, 2008 John Elias Baldacci Governor Anne L. Head Commissioner

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered

More information

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure. Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

Data security: A growing liability threat

Data security: A growing liability threat Data security: A growing liability threat Data security breaches occur with alarming frequency in today s technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars

More information

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready? WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,

More information

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 Current Laws: It is unlawful to intentionally use or attempt

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT. ( Blackboard ). In this Agreement, the words; BbOne Card means a stored-value account

MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT. ( Blackboard ). In this Agreement, the words; BbOne Card means a stored-value account MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT This Agreement is between the Business set forth on the first page ( Business ) and Blackboard Inc., having offices at 650 Massachusetts Ave, N.W., 6th

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp

More information

Credit Card Acceptance & Chargeback Prevention

Credit Card Acceptance & Chargeback Prevention Credit Card Acceptance & Chargeback Prevention Tips for Travel Agents July 2010 About this Guidebook... 3 Credit Card Acceptance... 4 Fraud Prevention Tips... 7 Credit Card Chargebacks Tips...11 Payment

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Dear Valued Merchant,

Dear Valued Merchant, Dear Valued Merchant, Welcome to Central Payment thank you for becoming our client. We are committed to providing our merchants with outstanding customer service and superior products. It is our company

More information

White Paper #6. Privacy and Security

White Paper #6. Privacy and Security The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information

More information

SecurityMetrics Business Associate HIPAA compliance program

SecurityMetrics Business Associate HIPAA compliance program SecurityMetrics Business Associate HIPAA compliance program IS YOUR PHI SAFE? Business associates help your business succeed, but are they a liability? When your BAs are not HIPAA compliant, your business

More information

Powering e-commerce Globally. What Can I Do to Minimize E-Commerce Chargebacks?

Powering e-commerce Globally. What Can I Do to Minimize E-Commerce Chargebacks? Powering e-commerce Globally What Can I Do to Minimize E-Commerce Chargebacks? Chargebacks are not going away. And now there are new rules. Selling products and services online and using credit cards for

More information

What is EMV? What is different?

What is EMV? What is different? U.S. consumers are receiving new debit and credit cards with embedded chip technology that better stores and protects cardholder information. These new chip cards are part of the new card standard, Europay,

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

PCI and EMV Compliance Checkup

PCI and EMV Compliance Checkup PCI and EMV Compliance Checkup ATM Security Jim Pettitt Director, ATM Security Diebold Incorporated Agenda ATM threats today Top of mind risk PCI Impact on Security U.S. EMV Migration Conclusions / recommendations

More information

Statement for the Record

Statement for the Record Statement for the Record of the AMERICAN BANKERS ASSOCIATION Committee on Small Business U.S. House of Representatives For the hearing Electronic Payments Tax Reporting: Another Tax Burden for Small Businesses

More information

University of Oregon Policy Statement Development Form

University of Oregon Policy Statement Development Form University of Oregon Policy Statement Development Form Policy Title: Electronic Commerce Policy submitted by: Name: Mark McCulloch Phone: 541 346 6249 Email: mmccullo@uoregon.edu Organization: Business

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

Sage Payment Solutions. Reduce Your PCI Liability with Integrated Payment Solutions

Sage Payment Solutions. Reduce Your PCI Liability with Integrated Payment Solutions Sage Payment Solutions Reduce Your PCI Liability with Integrated Payment Solutions I know payments security is important, but I don t think I knew what measures needed to be in place to be compliant at

More information

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Developments in Merchant Acquiring

Developments in Merchant Acquiring September 2008 Developments in Merchant Acquiring by Terri Bradford, Payments System Research Specialist, and Christian Hung, Research Associate II hen thinking about the participants involved in card-payment

More information

Ball State University Credit/Debit Card Handling Policy and Procedures

Ball State University Credit/Debit Card Handling Policy and Procedures Ball State University Credit/Debit Card Handling Policy and Procedures I. Background Ball State University accepts payments in various forms including cash, checks and electronic fund transfers. University

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

An Acquirer s view: Payment security best practice and PCI DSS compliance. PCI London 23 January 2014

An Acquirer s view: Payment security best practice and PCI DSS compliance. PCI London 23 January 2014 An Acquirer s view: Payment security best practice and PCI DSS compliance PCI London 23 January 2014 Looking back over the years that the Barclaycard Payment Security team has presented at the PCI London

More information

Appendix 1 Payment Card Industry Data Security Standards Program

Appendix 1 Payment Card Industry Data Security Standards Program Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect

More information

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa) (For use in Asia Pacific, Central Europe, Middle East and Africa) January 2012 Contents 1 INTRODUCTION... 3 1.1 BACKGROUND... 3 1.2 PURPOSE OF DOCUMENT... 4 1.3 WHO NEEDS TO BE REGISTERED?... 5 1.4 WHY

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) Compliance Guide for Merchants Presented by: www.complianceforge.com Copyright 2015. BlackHat Consultants, LLC Table of Contents PAYMENT CARD INDUSTRY

More information