A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)"

Transcription

1 A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information

2 Overview and applicability Any application that stores, processes, or transmits cardholder data falls within the scope of the Payment Card Industry Data Security Standards (PCI DSS). If this application is sold to 3rd parties it falls within the compliance program known as Payment Application Data Security Standard or PA-DSS (formally known as Visa's Payment Application Best Practices [PABP]). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. It is important to note that PA-DSS validated payment applications alone do not guarantee PCI DSS compliance and that the validated payment application must be implemented in a PCI DSS compliant environment. If you are a merchant it is your responsibility to ensure you use PA-DSS compliant payment software, but it is the software developers responsibility to ensure it is built to meet the standard. In scope Payment applications that are sold, distributed or licensed to third parties are subject to the requirements of PA-DSS. Out of scope In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. What does PA-DSS Compliance involve? PA-DSS ensures that the payment software is compliant with 14 specific requirements (similar to PCI DSS). Some of the headings you may recognise from PCI DSS and each requirement have sub sections. The headline requirements are: 1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data Ensure that Sensitive Authentication Data is not stored and securely deleted 2. Protect stored cardholder data Render the card number unreadable where it is stored and key management 3. Provide secure authentication features Must facilitate the use of unique IDs and passwords 4. Log payment application activity Produce an audit log of user access 5. Develop secure payment applications Payment applications must be designed in line with PCI DSS and Industry best practices 6. Protect wireless transmissions If wireless permitted must be implemented in line with PCI DSS and industry best practices. 7. Test payment applications to address vulnerabilities Software vendors must establish a process to identify newly discovered security vulnerabilities and have timely development and deployment of security patches and upgrades

3 8. Facilitate secure network implementation The application must not interfere with use of devices, applications, or configurations required for PCI DSS compliance. For example, payment application cannot interfere with anti-virus protection 9. Cardholder data must never be stored on a server connected to the Internet The payment application must be developed such that the database server and web server are not required to be on the same server 10. Facilitate secure remote software updates If payment application updates are delivered via remote access into customers systems, software vendors must tell customers to turn on remote-access technologies only when needed for downloads from vendor, and to turn off immediately after download completes. 11. Facilitate secure remote access to payment application If vendors or customers can access customers payment applications remotely, the remote access must be implemented securely. 12. Encrypt sensitive traffic over public networks If the payment application sends, or facilitates sending, cardholder data over public networks, the PA must support use of strong cryptography and security protocols 13. Encrypt all non-console administrative access If payment application or server allows non-console administration, the vendor recommends use of SSH, VPN, or SSL/TLS for encryption of non-console administrative access. 14. Maintain instructional documentation/training programs for customers, resellers, and integrators The Vendor must develop, maintain, and disseminate a PADSS Implementation Guide(s) for its customers Is the PA-DSS mandatory? Yes. If you are in scope of the PA-DSS, there is a mandatory requirement to achieve compliance. If you use a payment application there are key deadline dates to note. Please contact the Payment Security team at and we can discuss them with you. Who mandates security review and approval of payment applications? The PCI Security Standards Council (PCI SSC) has established the guidelines and the Card Schemes (Visa Europe and MasterCard) serve as the source of enforcement. Processors, Acquirers and manufacturers are the mechanisms by which the regulations will be implemented. What protection does a PA-DSS application provide? Applications that have successfully completed a PA-DSS audit are certified to not retain or compromise what is considered to be secure elements of the card s track data [full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, and CVV2), PINs and PIN blocks. A PA-DSS certified application can also facilitate merchants in meeting a number of requirements included in PCI DSS. In particular;

4 R1: Don t retain full magnetic stripe, card validation code/value (SAD), or PIN block data R2: Do not use computer passwords that have been provided by external suppliers R3: Protect stored cardholder data R4: Encrypt transmission of cardholder data across open, public net-works R6: Develop and maintain secure systems and applications R7: Restrict access to cardholder data by business need-to-know R10: Regularly check who accesses your computers and cardholder data that you hold R12: Create/maintain own security policy to ensure you remain compliant with PCI DSS For further clarification and guidance it is always advisable to make contact with a Payment Application Qualified Security Assessor (PA-QSA). For a full list of approved assessors please visit the official Security Standard Councils website - Benefits of using PA-DSS software include: Prevents storage of sensitive cardholder data Reduces opportunities for compromise and misuse Ensures payment solutions meet the highest levels of security Supports merchants PCI DSS compliance Where can I find more information on PA-DSS? You can contact your payment software supplier or you should engage with a PA-QSA for more detailed information and specific requirements for your business. If you are already using a QSA to confirm compliance, speak to them about PA-DSS too. The PCI Security Standards Council (PCI SSC) is also a reliable place to read more detail on PA-DSS. Some useful links include: Guide to whether PA-DSS applies to a given payment application: PA-DSS does apply to payment applications that are typically sold and installed off the shelf without much customisation by software vendors. PA-DSS does apply to payment applications provided in modules, which typically includes a baseline module and other modules specific to customer types or functions, or customised per customer request. PA-DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well. Note that it is considered a best practice for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice (though not a requirement) can limit the number of modules subject to PA-DSS. PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties) because:

5 1. The application is a service offered to customers (typically merchants) and the customers do not have the ability to manage, install, or control the application or its environment; 2. The application is covered by the application or service provider s own PCI DSS review (this coverage should be confirmed by the customer); and/or 3. The application is not sold, distributed, or licensed to third parties. Examples of these software as a service payment applications include: Those offered by Application Service Providers (ASP) who host a payment application on their site for their customers use. Note that PA-DSS would apply, however, if the ASP s payment application is also sold to, and implemented on, a third-party site, and the application was not covered by the ASP s PCI DSS review. Virtual terminal applications that reside on a service providers site and are used by merchants to enter payment transactions. Note that PA-DSS would apply if the virtual terminal application has a portion that is distributed to, and implemented on, the merchant s site, and was not covered by the virtual terminal provider s PCI DSS review. PA-DSS does NOT apply to non-payment applications that are part of a payment application suite. Such applications (e.g. a fraud-monitoring, scoring, or detection application included in a suite) can be, but are not required to be, covered by PA-DSS if the whole suite is assessed together. However, if a payment application is part of a suite that relies on PA-DSS requirements being met by controls in other applications in the suite, a single PA-DSS assessment should be performed for the payment application and all other applications in the suite upon which it relies. These applications should not be assessed separately from other applications they rely upon since all PA-DSS requirements are not met within a single application PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer s normal PCI DSS compliance review. Note that such an application (which may be referred to as a bespoke ) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications. PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant s or service provider s normal PCI DSS compliance.

AIS Webinar PA-DSS Program Overview

AIS Webinar PA-DSS Program Overview AIS Webinar PA-DSS Program Overview Hap Huynh Business Leader Visa Inc. December 2009 Visa Public Agenda PCI Standards PA-DSS Program PA-DSS Applicability PA-DSS Roles & Responsibilities Visa Public 2

More information

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER

More information

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009 AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Payment Card Industry (PCI) Payment Application Data Security Standard

Payment Card Industry (PCI) Payment Application Data Security Standard Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 1,

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of

More information

PCI Compliance Training

PCI Compliance Training PCI Compliance Training 1 PCI Training Topics Applicable PCI Standards Compliance Requirements Compliance of Unitec products Requirements for compliant installation and use of products 2 PCI Standards

More information

Payment Application Data Security Standard

Payment Application Data Security Standard Payment Card Industry (PCI) Payment Application Data Security Standard ROV Reporting Instructions for PA-DSS v2.0 March 2012 Changes Date March 2012 Version Description Pages 1.0 To introduce PA-DSS ROV

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) This document is to be used for payment application vendors to validate that the payment application

More information

Information Sheet. PCI DSS Overview

Information Sheet. PCI DSS Overview The payment card industry (PCI) protects cardholder data through technical and operations standard set by its Council. Compliance with PCI standards is mandatory. It is enforced by the major payment card

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

Qualified Integrators and Resellers (QIR) Implementation Statement

Qualified Integrators and Resellers (QIR) Implementation Statement Qualified Integrators and Resellers (QIR) Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the validated payment application

More information

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Executive summary The following information and guidance

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) Program Guide Version 2.0

Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) Program Guide Version 2.0 Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) Program Guide Version 2.0 January 2012 Document Changes Date Version Description October 1, 2008 1.2 To align content with

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,

More information

PA-DSS Implementation Guide

PA-DSS Implementation Guide PayEx Norge AS Wergelandsveien 1 0167 Oslo Norway PA-DSS Implementation Guide Mynt Nordic Payment Copyright 2013 PayEx Norge AS Page 2 (15) Revision History Ver. Name Date Comments 0.1 Cecilie Tyldum 15.01.2012

More information

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1) PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy Payment Card Industry - Data Security Standard () Security Policy Version 1-0-0 3 rd February 2014 University of Leeds 2014 The intellectual property contained within this publication is the property of

More information

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES AGENDA PCI Players and Roles Merchant Requirements Keys To Successful PCI

More information

PCI PA-DSS Requirements. For hardware vendors

PCI PA-DSS Requirements. For hardware vendors PCI PA-DSS Requirements For hardware vendors PCI security services UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is world leader in advancing safety. Through

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

paypoint implementation guide

paypoint implementation guide paypoint implementation guide PCI PA-DSS Implementation guide 1. Introduction This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Point Transaction Systems

More information

Credit Card Processing Overview

Credit Card Processing Overview CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

More information

White Paper On. PCI DSS Compliance And Voice Recording Implications

White Paper On. PCI DSS Compliance And Voice Recording Implications White Paper On PCI DSS Compliance And Voice Recording Implications PCI DSS within the UK is becoming a hot topic of conversation, with many contradictions and confusions being issued by suppliers and professionals

More information

Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2.

Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2. Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2.0 ROV Reporting Instructions for PA-DSS v2.0 Frequently Asked

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda 2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

CardControl. Credit Card Processing 101. Overview. Contents

CardControl. Credit Card Processing 101. Overview. Contents CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

3M SelfCheck Self-Pay Software. Implementation Guide

3M SelfCheck Self-Pay Software. Implementation Guide 3M SelfCheck Self-Pay Software Implementation Guide 3M SelfCheck Self-Pay Software Implementation Guide, 78-8800-0302-1a 3M 2014. All rights reserved. 3M is a trademark of 3M. Microsoft, Windows, Vista,

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

PA-DSS Implementation Guide. Version 1.2.1. Document Owners. Approval Date: January 2012

PA-DSS Implementation Guide. Version 1.2.1. Document Owners. Approval Date: January 2012 v Tuition Express PA-DSS Implementation Guide Version 1.2.1 Approval Date: January 2012 Document Owners Brad Olson Operations Director Darren Gapp Chief System/Software Engineer Procare Software Tuition

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards

More information

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

P R O G R E S S I V E S O L U T I O N S

P R O G R E S S I V E S O L U T I O N S PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

DalPay Internet Billing. Technical Integration Overview

DalPay Internet Billing. Technical Integration Overview DalPay Internet Billing Technical Integration Overview Version 1.3 Last revision: 01/07/2011 Page 1 of 10 Version 1.3 Last revision: 01/07/2011 Page 2 of 10 REVISION HISTORY... 4 INTRODUCTION... 5 DALPAY

More information

Automating Compliance Reporting for PCI Data Security Standard version 1.1

Automating Compliance Reporting for PCI Data Security Standard version 1.1 PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

Template for PFI Final Incident Report for Remote Investigations

Template for PFI Final Incident Report for Remote Investigations Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report for Remote Investigations Template for PFI Final Incident Report for Remote Investigations Version 1.1 February 2015 Document

More information

Ruby VASC Instructor Guide

Ruby VASC Instructor Guide Ruby VASC Instructor Guide Client Services, Training 300 S. Park Place Blvd. Suite 100 727.953.4000 Main Reception 727.953.4270 Training Administration 727.953.4001 - Fax i_trngregistration@smokestack.verifone.com

More information

PCI Compliance. by: David Koston

PCI Compliance. by: David Koston PCI Compliance by: David Koston PCI DSS Payment Card Industry Data Security Standard American Express Discover JCB MasterCard VISA Why? Continue to do business Retain Customers Legal Standards are Coming!

More information

PCI Quick Reference Guide

PCI Quick Reference Guide PCI Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 1.2 For merchants and organizations that store, process or transmit cardholder data Contents Copyright 2008

More information

Processing telephone payments securely

Processing telephone payments securely Processing telephone payments securely The following is a guide for Contact Centre Managers, IT Directors and Compliance Managers of businesses that trade over the telephone. It emphasises the key areas

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

Payment Card Industry Data Security Standards (PCI-DSS) Guide for Contact Center Managers

Payment Card Industry Data Security Standards (PCI-DSS) Guide for Contact Center Managers Payment Card Industry Data Security Standards (PCI-DSS) January 2012 Reprinted for Table of Contents Executive Summary... 1 What is PCI-DSS?... 1 Violation Notification Requirements... 7 Is PCI-DSS a Law?...

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1. Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report Template for PFI Final Incident Report Version 1.1 February 2015 Document Changes Date Version Description August 2014 1.0 To

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Merchants with Web-Based Virtual Payment Terminals No Electronic Cardholder Data Storage

More information

PCI DSS and SSC what are these?

PCI DSS and SSC what are these? PCI DSS and SSC what are these? What does PCI DSS mean? PCI DSS is the English acronym for Payment Card Industry Data Security Standard. What is the PCI DSS programme? The bank card data, which are the

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft

More information