ISOLATE. REMOVE. PROTECT: E-COMMERCE TOKENIZATION AND THE PAYMENT GATEWAY
A Mercator Advisory Group Research Brief
Sponsored by Transaction Network Services
April 2011
TNSPay is one of the world's most widely used managed epayment services. It is focused on the needs of card-not-present merchants (ecommerce, MOTO, IVR, Mobile Internet) and provides them with a simple way to authorize and settle card transactions, combat fraud, enhance card data security, and simplify their PCI DSS compliance efforts. The TNSPay gateway processes more than a quarter of a billion transactions a year for over 30,000 merchants, helping grow their business.

What if card holder data could be removed from your ecommerce environment? It can with TNSPay. The challenges of storing, transporting or processing credit card information can be greatly simplified, and the investment needed to meet Payment Card Industry (PCI) compliance standards reduced, through the secure, flexible and empowering capabilities of TNSPay.

Secure: you can completely remove card holder data from your environment. The TNSPay platform is PCI DSS certified and enables your card holder data to be easily captured within your existing payment workflow, isolated so it never touches your payment environment, and tokenized for your future use. This approach helps merchants reduce the scope of their PCI compliance, saving them expense and effort.

Flexible: one connection to TNSPay puts the power in your hands. Transaction Network Services (TNS) is a neutral partner, with diverse connectivity that gives you access to payment processors around the globe. TNSPay provides you the flexibility to send your tokenized payment transactions to one or more processors, regardless of who your processor is now or in the future. TNSPay provides connectivity to processors in the US and over 25 other countries.

Empowering: control your own branding and customer experience in order to grow sales. Unlike most hosted payment solutions that restrict a merchant's ability to control branding and customer experience during the checkout process, TNSPay Hosted Payment Forms has no impact on the appearance of your website or your ability to manage your customer interaction. At checkout, your customer never leaves your website pages, so you have complete control. You define the information fields on your page that you want TNSPay to directly capture, and TNSPay handles the transaction authorization from there, so the card data is never entered into your environment when the order is submitted. If you choose, you can have TNSPay retain the card information in a PCI DSS secured facility and return a token back to you for needs such as marketing or customer support, further helping to eliminate card data from your environment to reduce the scope of your PCI audits. And since the Hosted Payment Form solution gives you the flexibility to post data to the TNSPay server at multiple points during the checkout process, customer data is not lost when a customer navigates back and forth within a session. This also gives you the ability to validate certain customer data points prior to the end of the checkout session, helping to increase the likelihood that the sale will be authorized when the customer submits the order. All of this can help increase control, lower cost, and provide a better customer experience that can grow sales.
Table of Contents

You Can't Completely Outsource PCI
Tokenization: Not Just for Card Numbers
The PCI Challenge
Tokenization in e-commerce
Deploying Tokenization
The Upsides of Tokenization
Tokenization Considerations
Isolate, Remove, Protect
You Can't Completely Outsource PCI

Fully outsourcing PCI compliance is impossible. Every merchant is responsible for meeting PCI compliance and cannot turn over that responsibility to another entity. Every other participant in the payments chain (FIs, processors, gateway operators) is similarly responsible for its own PCI compliance. But the burden falls most broadly on the U.S. merchant cadre of over six million.

Outsourcing portions of PCI compliance, on the other hand, is eminently doable. Tokenization and encryption are two technologies that enable a merchant to mitigate the risk of breach, and both approaches represent opportunities for third party providers to assume critical functions that reduce the merchant's need to store, transmit or process card numbers and associated customer data.

This report addresses two issues. First, it briefly looks at merchant strategies to meet and lower their PCI compliance burden. Second, it examines tokenization in greater detail. Tokenization is an option gaining currency among merchants seeking to mitigate their PCI compliance costs. While there are issues with tokenization, its appeal is strong. Given the comparative simplicity of deploying tokenization vs. encryption, a number of vendors are stepping up to provide tokenization to e-commerce and brick-and-mortar retailers, as well as to enterprises handling a wide range of personal data.

End to End Encryption is Another Path

An equally important approach under consideration by brick-and-mortar merchants is end-to-end encryption of card numbers. Multiple competing vendor camps have emerged to encrypt card numbers at the POS terminal and to pass those numbers, fully encrypted within the current encrypted communications links, through to either the merchant's central data center or to a third party gateway or processing provider. VeriFone and their partner RSA lead one approach. Magtek and its service subsidiary Magensa have partnered with POS terminal makers Hypercom and Ingenico to deliver a second approach. Heartland Payment Systems has deployed end-to-end encryption based on Voltage Security technology.

Tokenization: Not Just for Card Numbers

Tokenization replaces a PAN with another number. The merchant uses this new number to process and track the transaction on its own systems. This new number is called a token: a proxy representing the customer's card number.

Tokenization is a technique appropriate to handling any critical information. Social Security numbers, a datum with high risk of identity theft, are a prime candidate for tokenization, used extensively in education, government, healthcare and insurance. Some of the tokenization vendors are taking their tools to these markets, as compliance with Gramm-Leach-Bliley's privacy provisions is a major driver. Eliminating personal information, through tokenization or any other technique, from the complex systems of insurers, universities, government and other institutions is no trivial task. Systems routinely use these numbers as key data elements for integration of disparate systems. These numbers are used as key fields for queries and reports. Changing these operationally critical functions is time consuming. But given the customer trust relationship these entities must maintain, the effort looks increasingly worthwhile.

The PCI Challenge

Merchants are confronted with two risks. The first is that failure to meet PCI requirements represents an immediate downside. PCI compliance is a requirement of accepting payment card transactions. If a merchant gets out of compliance, the acquiring channel can raise the cost of processing, levy pass-through fines and stop processing consumer payments altogether. For merchants, that's a very bad thing. The second, of course, is a data breach, a damaging outcome with significant costs for merchants in terms of brand reputation and remediation.

Keeping Up with PCI Requirements

But a major challenge for merchants with PCI is the changing nature of PCI requirements. PCI's scope continues to expand each year, evolving in response to successful new intrusion techniques. This evolution (or scope creep, for the fatigued merchant infosec team) creates a concomitant increase in the compliance burden. New security hardware, software and procedural requirements add new costs, such as last year's addition of a hardware-based web application firewall for web merchants. Even with a month grace period, it is still a real cost. Compensating controls, essentially approved workarounds, are possible, but they must be reviewed once a year and can be revoked at any time if forensic analysis and experience demonstrate that the control is no longer adequate. So, any strategy that reduces PCI scope is a welcome alternative to this increasingly costly status quo.

Tokenization in e-commerce

E-commerce is a first rate application of tokenization. Online, the process is quite straightforward and should be familiar to those responsible for shopping cart functionality.
Once the customer has completed shopping and chooses to pay with a card, control of the transaction shifts from the merchant to the tokenization provider. The customer enters the card data into a webpage or data field managed by the tokenization provider. Once the customer presses Submit, the tokenization provider sends the authorization request upstream as usual and returns a token to the merchant representing the transaction. Payment data is never stored on the merchant's servers.

Today, shopping cart software captures the card number. While the shopping cart application may mask the full PAN when displaying the card number on the consumer's web page, the full PAN is in fact held by the shopping cart platform managed by the merchant. In this mode, the merchant is responsible for the care and control of the card numbers it collects on its servers.

A superior approach is the use of hosted payment fields. Using this approach, the data entry fields displayed on the merchant's payment page are delivered by a third party payment services provider. The card number data entered by the user never touches the merchant's systems and is thus out of PCI scope. The payment services provider returns a token, and not the source card number, to the merchant.

Clearly, hosted payment fields and tokenization produce a better approach. They reduce the risk of card number compromise. Unlike hosted payment pages, hosted payment fields let the merchant easily manage the look and feel of the payments page. And, instead of injecting the additional step of the Verified by Visa experience or a new method of payment, the application of tokenization in e-commerce makes sure the card number never touches the merchant's servers. If there is a data breach, it is not, at last, the merchant's fault.

Number Formats

Typically, the token format obscures the first 12 digits of the card number and leaves in the clear the last 4 digits of the 16 digit card number. At least for the last four digits, this approach mimics the standard truncation used for receipting. This approach is designed to minimize the impact on the merchant's internal reporting and database systems that rely on predictably formatted card data. Tokenization engines may be tuned to minimize the impact on existing merchant systems or to optimize security.

Deploying Tokenization

While tokenization vendors obviously tout the simplicity of replacing PAN data with tokens, the extent to which the token mimics the card number format that drives the merchant's reporting systems has everything to do with the pain of adopting tokenization. For some merchants, the task is relatively painless. Once hosted payment fields are in use, the merchant sees no new card numbers, only tokens, and no time consuming page redirections to hosted payment pages are required. But PCI requires that all systems that touch card data be compliant, and enterprises with 20 such systems touching cardholder data are not unheard of. It may take six months and more to complete the task across the enterprise.
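As an added illustration (not code from the brief, from TNS or from Mercator), the following Python sketch models the split described above: a hypothetical tokenization provider that is the only party holding card numbers and that issues tokens in the 12/4 format, and a merchant whose order records hold only the token. The token's first 12 digits are random rather than derived from the PAN, so nothing in the merchant's environment can be worked back to the card number without the provider's vault. Rejecting candidate tokens that would pass the Luhn check, so that a token can never be mistaken for a real card number, is a design choice made here, not something the brief specifies. The class and function names (TokenVault, Merchant, hosted_field_checkout) and the test card number are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Luhn check that real card numbers pass. Used to validate the incoming
    PAN and to make sure a generated token can never pass as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization provider: the only place the PAN lives.
    Tokens use the brief's 12/4 format: 12 random digits plus the real last 4."""

    def __init__(self) -> None:
        self._pan_by_token = {}         # token -> PAN (the vault itself)
        self._token_by_pan = {}         # same PAN -> same token (multi-use token)

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{16}", pan) or not luhn_valid(pan):
            raise ValueError("expected a 16-digit PAN that passes the Luhn check")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        last4 = pan[-4:]
        while True:
            # Random, not derived from the PAN: the token is reversible only via
            # this vault. Re-draw on collision or if the candidate is Luhn-valid
            # (design choice: a token should never look like a usable card number).
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + last4
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (or an authorized, logged caller) resolves a token."""
        return self._pan_by_token[token]


@dataclass
class Merchant:
    """Merchant side: order records reference a token, never a PAN."""
    orders: list = field(default_factory=list)

    def record_order(self, order_id: str, token: str, amount_cents: int) -> None:
        self.orders.append({"order_id": order_id, "token": token, "amount_cents": amount_cents})

    def holds_pan(self, pan: str) -> bool:
        """Scope check: does any stored value contain the card number?"""
        return any(pan in str(v) for order in self.orders for v in order.values())


def hosted_field_checkout(vault: TokenVault, merchant: Merchant,
                          order_id: str, pan: str, amount_cents: int) -> str:
    """Simulates a hosted payment field: the card number the customer types goes
    straight to the provider, and the merchant is handed only a token."""
    token = vault.tokenize(pan)                          # provider captures the PAN
    merchant.record_order(order_id, token, amount_cents)  # merchant stores the token only
    return token


if __name__ == "__main__":
    vault, shop = TokenVault(), Merchant()
    test_pan = "4111111111111111"   # constructed test number, not a real card
    tok = hosted_field_checkout(vault, shop, "order-1", test_pan, 1999)
    print("token:", tok, "| last four preserved:", tok[-4:] == test_pan[-4:])
    print("merchant records contain the PAN:", shop.holds_pan(test_pan))
    print("provider can resolve the token:", vault.detokenize(tok) == test_pan)
```

Running the file prints a token that keeps the last four digits and confirms that the merchant's records contain no card number, which is the scope-reduction argument of the section in concrete form: the merchant's reporting keys stay predictably formatted while the PAN is held only by the provider.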
The Upsides of Tokenization

PCI Scope Reduction: Obscure the Numbers or Firewall the Network

In terms of PCI scope reduction there are two principal avenues to take: card number obfuscation, like tokenization and encryption, and network segmentation. If a merchant's computer communication network requires a forklift upgrade of expensive routing gear, then the merchant may opt to follow the card number obfuscation route. Eliminating flat spots in the network with new routers and switches capable of VLAN segmentation that replace dumb Ethernet hubs is expensive. The hardware is costly and its configuration takes time to see through testing.

Shifting the Liability and Risk

Tokenization providers are willing to assume some level of liability that results from a data breach of the data stored on their systems on behalf of their merchant customers. That is, of course, one of the major attractions of the service offering. The upstream supplier would be at fault if its systems were breached, and not the merchant itself. What's not to like in that scenario?
Tokenization when Sharing Keys is Impossible

A potential application for tokenization is when multiple firms touch a single payment transaction. Property management companies who interact with outsourced contact center personnel must be able to share payment information when sending it to their hotel chain or rental property owners. There may be multiple security holes in this link if one or more are not PCI compliant. Even when numbers are encrypted in transit, they must be decrypted at each location because key management or shared keys are not available, further exposing the transaction to compromise. If tokenization is employed and each merchant uses the same tokenization provider, security improvements could result and business processes could be streamlined. Certainly, adding key management to a multi-merchant, multi-participant business process adds unwelcome and expensive process complexity.

Tokenization Considerations

Some considerations are downsides. Others are specific to the enterprise's needs. Others just have to be factored into the enterprise's approach to PCI compliance and vendor decision making.

It's MY Data

Line of business managers and the application software they depend upon are reliant on card numbers for data access and reporting. The cost of changing over to a token format may not be justifiable after encryption is in place. Security managers, further down the political food chain, are hampered in their ability to push for tokenization. While tokenization reduces risk, the cost/benefit ratio of tokenization versus changing thousands of lines of business software is a challenging case to make. But, as the data breach problem continues to expand, that argument has become easier to make. It is highly unlikely the merchant's need for access to true card numbers can be entirely eliminated. For example, the Sales Audit department may need access to the tokenization server on a regular basis. With each access by these users logged and those logs reviewed regularly, risk may be mitigated. Because humans are not especially good at the routine, the more automation that is applied to routine reviews of log files, the better.

Not Another Third Party

Tokenization is a simple idea with complex execution. Merchants are attracted to that proposition but are looking for it to come from their most reliable partners: a partner that won't lock them in to a larger relationship with limited flexibility because it has control of their critical payment or other customer data. Most tokenization providers are smaller firms, and for larger merchants that in itself may increase perceived risk. What happens if the tokenization provider fails? Besides the merchant itself, acquirers and processors want to know that their merchants won't be left hanging should a provider fail. Therefore, business stability is critical for a tokenization provider, because the enterprise's entire payments software system is now tied to an external party's platform that may disappear. As a third party service, standard software protections like escrow of source code are of no use. Given the comparative youth of some of these providers, careful vetting of their financial condition is just one step in the due diligence process. Looking at the vendor's other revenue sources may also reveal clues to its sustainability. Until de facto standardization emerges, caveat emptor must guide decision making.

Token database portability is also an issue. If the merchant becomes dissatisfied with the tokenization provider after a year, for example, the merchant should be able to securely move its token database to a new provider. If the tokenization service is locked, by contract, into a larger relationship, this ability to move the token database becomes even more important.

The Fat New Target, or Centralizing the Risk

Willie Sutton might have liked tokenization providers. They are, after all, where the money is, in the form of the true PANs. Along with every processor, each one of these vendors is setting itself up as a target. The fact that they all must be PCI compliant is table stakes to be in this game; it says little about their security architecture. Processor breaches like Heartland provide sad evidence of that point. Vendors of tokenization solutions should expect hard questions from merchants, upstream processors and financial institutions on how they store and access PAN-related data. There should be a robust set of encryption steps and other techniques within the tokenization vendor's data center that make assembly of coherent payment data without owning both the keys and the database impossible. Each merchant has to decide if this level of protection is adequate. While it reduces the PCI burden, how much does it reduce the risk of the business impacts associated with a data breach? Finally, these vendors may be a single point of failure unless redundant operation is assured. If the tokenization provider goes offline, what is the impact on payment acceptance?

So Many Token Types to Choose From

A significant concern for acquirers and merchants alike is the multiplicity of tokenization approaches. Between multiple vendors and internally developed approaches, there is no standard approach to tokenization. Many use a 12/4 format, obfuscating the first 12 digits of the PAN and leaving the last 4 digits in the clear, essentially taking a page out of the card number truncation book. Others use different schemes entirely. How a token is created varies. What is most important is whether your provider can support the tokenization format that best fits your needs.

More than Token Account Control?

As these third parties add value, they also gain some level of account control. A merchant cannot easily switch from one tokenization provider to another unless there is 100% functional equivalency (what are the odds of that?). If a vendor ceases operation, or gets acquired and stops employing a particular tokenization technique, it puts the merchant's card processing operations at some risk. For that reason, acquirers are also concerned. They do not want anything to interrupt their merchants' transaction flow. Portability, or at least guaranteed access to the token database, is desirable.
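The "It's MY Data" passage above argues that the residual human access to the tokenization server (Sales Audit, for instance) is best controlled by logging every access and automating the routine review of those logs. As an added example, not part of the brief, the following Python script runs three such routine checks over a constructed audit log: successful detokenize calls outside business hours, repeated denied attempts by one user, and a per-user daily volume above a limit. The log format, the user names, the timestamps and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample lines in a hypothetical audit-log format (not from the brief):
# one line per attempt to resolve a token back to a card number.
SAMPLE_LOG = """\
2011-04-04T09:12:03Z user=sales_audit action=detokenize token=************4242 result=ok
2011-04-04T09:14:10Z user=sales_audit action=detokenize token=************1111 result=ok
2011-04-04T23:41:55Z user=sales_audit action=detokenize token=************7890 result=ok
2011-04-04T10:02:41Z user=jdoe action=detokenize token=************4242 result=denied
2011-04-04T10:02:44Z user=jdoe action=detokenize token=************4242 result=denied
2011-04-04T10:02:47Z user=jdoe action=detokenize token=************4242 result=denied
2011-04-04T11:30:00Z user=batch_export action=detokenize token=************0005 result=ok
2011-04-04T11:30:01Z user=batch_export action=detokenize token=************0006 result=ok
2011-04-04T11:30:02Z user=batch_export action=detokenize token=************0007 result=ok
2011-04-04T11:30:03Z user=batch_export action=detokenize token=************0008 result=ok
2011-04-04T12:00:00Z user=sales_audit action=tokenize token=************2222 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"token=(?P<token>\S+) result=(?P<result>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    token: str
    result: str


class Finding(NamedTuple):
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed key=value line format into Event records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skipped here; in production an unparseable line deserves its own alert
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["user"], m["action"], m["token"], m["result"]))
    return events


def review(text: str, business_hours=(9, 18), daily_limit: int = 3,
           denial_limit: int = 3) -> List[Finding]:
    """Routine checks over detokenize events only (tokenize calls are normal
    checkout traffic): after-hours success, repeated denials, daily volume."""
    events = [e for e in parse_log(text) if e.action == "detokenize"]
    findings = []
    ok_per_user_day = defaultdict(int)
    denied_per_user = defaultdict(int)
    start, end = business_hours
    for e in events:
        if e.result == "ok":
            ok_per_user_day[(e.user, e.ts.date())] += 1
            if not (start <= e.ts.hour < end):
                findings.append(Finding("after_hours", e.user,
                                        f"{e.ts.isoformat()} token {e.token}"))
        elif e.result == "denied":
            denied_per_user[e.user] += 1
    for user, n in denied_per_user.items():
        if n >= denial_limit:
            findings.append(Finding("repeated_denials", user, f"{n} denied attempts"))
    for (user, day), n in ok_per_user_day.items():
        if n > daily_limit:
            findings.append(Finding("volume", user, f"{n} successful lookups on {day}"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.rule:17} {f.user:13} {f.detail}")
```

On the sample log this flags the 23:41 lookup by sales_audit, the three denied attempts by jdoe, and batch_export's four successful lookups in one day, while sales_audit's normal daytime volume stays below the limit. The thresholds are parameters precisely because the right values depend on how often the Sales Audit function legitimately needs true card numbers; the point is that the review runs every time, which is what a human reviewer reading log files is bad at.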
The Strong Buffer in the Gateway

Tokenization may be delivered via a third party gateway provider. In this case, not only does the merchant make use of its token management services, it may also use the gateway as a buffer between the merchant and the acquiring bank. Of course, if the gateway operator hooks into multiple payment processors, it may also act as an interconnection point, giving merchants flexibility over which payment processor to use for different payment types. TNS, with its TNSPay epayment gateway, occupies this space.

Isolate, Remove, Protect

PCI and enterprise-wide information security are two different animals. PCI recommendations are the result of a thorough examination to produce a stronger payments ecosystem, both within a single organization and across multiple organizational lines. But because the payments infrastructure was not built with today's e-commerce security risks in mind, PCI is, to be harsh, about making the best of a bad job.

The truth is that tokenization's short term benefits accrue to the merchant and its PCI compliance burden. The reduction in scope of the audit and the security monitoring posture taken by the merchant are welcome improvements, and the results are worthwhile. Isolating the systems that handle card data within highly secure walls and removing card data from merchant systems protects the entire process, with the merchant as the principal beneficiary. These benefits are especially relevant to the e-commerce merchant and e-commerce channel operator. Hosted payment fields maintain a seamless payment experience for the online consumer and give the online merchant a way to avoid card number handling entirely. By coupling those advantages with a flexible gateway partner relationship, the e-commerce merchant's fraud management team is able to build a secure, PCI compliant e-commerce payments system that supports the business needs of the marketing function.
Copyright Notice

External publication terms for Mercator Advisory Group information and data: Any Mercator Advisory Group information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate Mercator Advisory Group research director. A draft of the proposed document should accompany any such request. Mercator Advisory Group reserves the right to deny approval of external usage for any reason.

Copyright 2011, Mercator Advisory Group, Inc. Reproduction without written permission is completely forbidden.
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationUnderstanding the Value of Tokens
Understanding the Value of Tokens 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective owners. Introduction Credit
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationOutsourcing Payment Security. How outsourcing security technology is changing the face of epayment acceptance practices
Outsourcing Payment Security How outsourcing security technology is changing the face of epayment acceptance practices Paymetric White Paper Outsourcing Payment Security 2 able of Contents The Issue: Payments
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationPayment Security Solutions. Payment Tokenisation. Secure payment data storage and processing, while maintaining reliable, seamless transactions
Payment Security Solutions Payment Tokenisation Secure payment data storage and processing, while maintaining reliable, seamless transactions 02 Payment Security Solutions CyberSource Payment Tokenisation:
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationNetwork Segmentation
Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or
More informationOXY GEN GROUP. pay. payment solutions
OXY GEN GROUP pay payment solutions hello. As UK CEO, I m delighted to welcome you to Oxygen8. We ve been at the forefront of multi-channel solutions since 2000. Headquartered in Birmingham, UK, we have
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationOVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.
Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the
More informationwww.trustvesta.com VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications
www.trustvesta.com VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications About this paper There have been numerous data breaches
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
More informationA Whitepaper by Vesta Corporation. Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications
A Whitepaper by Vesta Corporation Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications About This Paper There have been numerous data breaches both announced
More informationVERIFONE PAYWARE SOLUTIONS
VERIFONE PAYWARE SOLUTIONS PAYMENTS ARE JUST THE BEGINNING. Supports multiple applications, systems, users and locations. PAYware Solutions With a wide range of card acceptance software solutions, VeriFone
More informationUnderstanding and Managing PCI DSS
Understanding and Managing PCI DSS PCI DSS in Context Some History Key Players Validating Compliance Cardholder Data 2! 5 Stages of PCI Grief Denial: It doesn t apply to me PCI compliance is mandatory
More informationPCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.
PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment
More informationCase Study: Fast Food Security Breach (Multiple Locations)
CASE STUDY Fast Food Security Breach (Multiple Locations) Case Study: Fast Food Security Breach (Multiple Locations) By Brad Cyprus, SSCP - Senior Security Architect, Netsurion Details Profile Case Study
More informationThe Cost of Compliance
The Cost of Compliance The Payment Card Industry Data Security Standard (PCI DSS) aims to protect sensitive cardholder data throughout the life cycle of ecommerce transactions. The standard puts heavy
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationThe PCI Dilemma. COPYRIGHT 2009. TecForte
The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse
More informationPCI 3.0 Making Payment Security Business As Usual
PCI 3.0 Making Payment Security Business As Usual Katie Todd, Office of the Treasurer, Columbia University Ruth Harpool, Managing Director, Treasury Operations, Indiana University Joseph Goodman, Outreach
More informationFighting Today s Cybercrime
SECURELY ENABLING BUSINESS Fighting Today s Cybercrime Ongoing PCI Compliance Using Data-Centric Security Technologies HOUSEKEEPING ITEMS All phone lines have been muted for the duration of the webinar.
More information7 things to ask when upgrading your ERP solution
Industrial Manufacturing 7 things to ask when upgrading your ERP solution The capabilities gap between older versions of ERP designs and current designs can create a problem that many organizations are
More informationTOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series
TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationPCI DSS Top 10 Reports March 2011
PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,
More informationContinuous compliance through good governance
PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council
More informationMEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM
MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain
More informationIt is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,
More informationSpokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A
Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Request for Proposals (RFP) for PCI DSS COMPLIANCE SERVICES Project # 15-49-9999-016 Addendum #1 - Q&A May 29,
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card
More informationAnd Take a Step on the IG Career Path
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationnpc npc NPC PCI Program Protecting Your Business from Card Data Breaches
npc A Vantiv Company npc A Vantiv Company NPC PCI Program Protecting Your Business from Card Data Breaches For more information about the NPC PCI Program, please contact our dedicated PCI Specialty Team
More informationEMV and Chip Cards Key Information On What This Is, How It Works and What It Means
EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved
More informationPCI DSS Compliance White Paper
PCI DSS Compliance White Paper 2012 Edition Copyright 2012, NetClarity, Inc. All rights reserved worldwide. Patents issued and pending. PCI DSS Compliance White Paper NetClarity, Inc. Page 1 Welcome to
More informationHow To Protect Visa Account Information
Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer
More informationProtecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems
Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published
More informationPayment Application Data Security Standard
Payment Card Industry (PCI) Payment Application Data Security Standard ROV Reporting Instructions for PA-DSS v2.0 March 2012 Changes Date March 2012 Version Description Pages 1.0 To introduce PA-DSS ROV
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationPCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH
PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH How do I -know if I m compliant? -what do I do to become compliant? -how do I know if the fee(s) I
More informationThe Comprehensive, Yet Concise Guide to Credit Card Processing
The Comprehensive, Yet Concise Guide to Credit Card Processing Written by David Rodwell CreditCardProcessing.net Terms of Use This ebook was created to provide educational information regarding payment
More informationEMV in Hotels Observations and Considerations
EMV in Hotels Observations and Considerations Just in: EMV in the Mail Customer Education: Credit Card companies have already started customer training for the new smart cards. 1 Questions to be Answered
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationReach more customers. Take quicker payments. Make it all easier With just one Click.
Reach more customers. Take quicker payments. Make it all easier With just one Click. By phone, online or mobile app, it doesn t matter when or where, Click allows you to reach more customers and take more
More informationWe believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating
Given recent payment data breaches, clients are increasingly demanding robust security and fraud solutions; and Financial institutions continue to outsource and leverage technology providers given their
More informationEnd to End Encryption, Tokenization & EMV in the U.S. Vendor Analysis of Emerging Technologies and Best Hybrid Solutions
Brochure More information from http://www.researchandmarkets.com/reports/1206263/ End to End Encryption, Tokenization & EMV in the U.S. Vendor Analysis of Emerging Technologies and Best Hybrid Solutions
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationAgent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)
Agent Registration Program Guide (For use in Asia Pacific, Central Europe, Middle East, Africa) Version 1 April 2014 Contents 1 INTRODUCTION... 3 1.1 ABOUT THIS GUIDE... 3 1.2 WHO NEEDS TO BE REGISTERED?...
More information