How To Protect Your Credit Card Information From Being Stolen

Transcription

1 Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program

2 2

3 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS) program AIS and the Payment Card Industry Data Security Standards (PCI DSS) The PCI DSS requirements What if organizations choose not to be involved in the AIS program? 8 3. The benefits of AIS to businesses and customers The feedback from merchants and payment processors How Visa s AIS program works How do you know if you meet the PCI DSS standards How often do the validation tasks need to be completed Required documentation How to get started with AIS Self-Assessment Questionnaire Vulnerability scan Onsite review What is the cost? Need more information or help? 15 3

4 1.0 Securing cardholder data is everyone s concern Data security is not a new issue and facilitating the protection of cardholder data has long been a priority for Visa. Over the last several years, Visa has developed a multi-layered product and services strategy to help safeguard data and prevent fraud. Today these data security efforts include the use of sophisticated neural networks that detects fraud patterns by comparing a transaction to a customer s typical spending pattern, as well as chip and PIN technology to authenticate transactions, and Verified by Visa for the authorization of Internet purchases, and many other activities. Through Visa s data security efforts, fraud as a percentage of Visa s volume has decreased in the last decade to an all-time low and now accounts for less than 6 basis points (6 cents in every USD100) of Visa s global sales volume. However, as global research sponsored by Visa shows, the protection of personal and private information is a major concern of consumers. While concern over data security is a broader issue than electronic payments alone, Visa knows that maintaining cardholder confidence is crucial to the success of the Visa system. Visa is therefore committed to working with all stakeholders in the payment chain including client banks, technology partners, merchants and consumers to safeguard sensitive cardholder data. 4

5 5

6 6

7 2.0 Visa Account Information Security When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. Recognizing this, Visa has instituted Account Information Security. Visa Account Information Security is a globally mandated program that focuses on helping clients, merchants and payment service providers improve their data security measures in order to safeguard Visa cardholder account and transaction information wherever it resides. Account Information Security, or AIS, is a Risk Management program sponsored by Visa and run by Visa s clients. The AIS program is a requirement for all entities participating in the Visa payment system including those entities that process, store or transmit Visa cardholder account and/or transaction information, including merchants and service providers. The Visa Account Information Security program is designed to provide guidelines for clients, merchants and service providers that help them to proactively protect themselves and the overall payment system against the threat of compromises. The program accomplishes this by identifying vulnerabilities in security processes, procedures and website configurations. The Visa Account Information Security program aims to eliminate unnecessary data storage, and ensure that entities who need to store data are doing so in accordance with the Payment Card Industry Data Security Standard (PCI Data Security Standard). 2.1 AIS and the Payment Card Industry Data Security Standards Visa has collaborated with other payment card companies to create a single set of industry requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection. The PCI Data Security Standard forms the basis of the Visa s Account Information Security program, (also known as Cardholder Information Security Program in the U.S.), the MasterCard s Site Data Protection (SDP) program and other payment brands information security programs to create streamlined requirements, compliance criteria and validation processes. This PCI Data Security Standard also addresses the concerns of merchants and acquirers (financial institutions that enable merchants to accept Visa cards for payment) about having to meet more than one set of standards to accomplish a single goal. Since the aim of the AIS Program is compliance with the PCI Data Security Standard, merchants and service providers must demonstrate this compliance by using the following validation tools: y Onsite Reviews y Security Self-assessments y Security Scans 7

8 2.2 The Payment Card Industry Data Security Standards (PCI DSS) requirements At a basic level, PCI DSS consists of 12 key requirements for protecting Visa cardholder account and transaction information: PCI Data Security Standard Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholderdata 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across public open networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or program 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel The PCI DSS standards offered by the AIS program are designed to protect the confidentiality, availability and integrity of customer data. The standards represent the key requirements for handling or managing of Visa account information. 2.3 What if organizations choose not to be involved in the AIS program? Visa may levy financial penalties on acquirers and may require that specific actions be taken to protect account and transaction Information. Should a compromise occur and an organization has not taken the appropriate steps to ensure that account information was protected; the acquiring bank may be financially penalized and the organization s licence to accept card payments may be withdrawn. 8

9 9

10 3.0 The benefits of PCI DSS to businesses and customers Our ultimate goal is to protect the Visa brand and increase cardholder confidence while shopping in the physical and virtual marketplace. Continuing media reports of hacking incidences, stolen credit card numbers, and identity theft have triggered concern about information security, not only amongst consumers, merchants, Visa and its clients, but also government and regulators. The AIS program is designed to protect sensitive account and transaction information in the Visa acceptance environment. It protects the interests of all payment participants, including clients, merchants and cardholders - in both the physical and virtual worlds. 10 By implementing and adhering to the Payment Card Industry Data Security Standards (PCI DSS) requirements, organizations can take an important step towards better protecting their customers information from being stolen and used to commit fraud. Through following the industry-wide requirements of PCI DSS, organizations can recognize the following business benefits: y Protect their customers personal data y Boost customer confidence through a higher level of data security y Lower their exposure to financial losses and remediation costs y Maintain customer trust and safeguard the reputation of their brand y Provide a complete health check for any business that stores or transmits customer information. As well as protecting your customers, appropriate data security limits your risk exposure and minimizes the losses and operational expense that stem from compromised cardholder account information. The financial and resource outlay to meet the PCI DSS requirements is minimal compared with the costs associated with the reactive hiring of security and public relations specialists, or the loss of significant revenue and goodwill that can result from a compromise. Thus, the AIS program can help you by: y Promoting your brand s integrity and boosting consumer confidence in your business y Increasing sales and business due to increased consumer confidence y Protecting you against potential loss of revenue and unwanted investigative and legal costs y Reducing the risk of unwanted media attention as a result of a compromise y Providing you with greater awareness of security measures and preventative options available y Reducing cardholder disputes and associated costs resulting from fraudulent transactions generated by compromised data (upon global take-up of the AIS program). 3.1 The feedback from merchants and payment processors? Since the inception of the AIS Program, Visa has received positive feedback from merchants and service providers who have assessed their compliance with AIS program requirements. Their feedback has been that the assessment process has helped them identify and address important areas of vulnerability. Visa listened to the merchant community to develop a practical yet comprehensive program that would protect sensitive account and transaction information in the Visa acceptance environment. The AIS program establishes payment card industry data security standards for merchants and agents to protect the confidentiality, availability and integrity of sensitive cardholder data. The AIS program helps merchants and agents evaluate and improve their organizational, physical, and logical controls of data security and is a requirement for all merchants participating in the Visa acceptance environment. Cardholders ultimately win when their accounts are protected.

11 11

12 4.0 How Visa s AIS program works Compliance with the PCI DSS is a requirement for all entities that participate in the Visa payment system. Acquiring banks are responsible for ensuring that merchants and third-party service providers meet the PCI DSS standards and will be able to guide them through the validation process. 4.1 How do you know if you meet the PCI DSS standards To check whether an organization meets the PCI DSS standards, it must complete the following validation tasks (depending on the average yearly Visa transaction volume it process): y Self-assessment Questionnaire y Quarterly Network Vulnerability Scan y Onsite Review For Merchants More than 6 million Visa transactions per year* Between 1 million and 6 million Visa transactions per year* OR more than 20,000 Visa e-commerce transactions per year All others Self-assessment Questionnaire Optional Mandated Recommended Quarterly Network Vulnerability Scan Mandated Mandated Recommended Onsite Review Mandated Optional Optional For Service Providers More than 300,000 Visa transactions per year Less than 300,000 Visa transactions per year* Self-assessment Questionnaire Optional Mandated Quarterly Network Vulnerability Scan Mandated Mandated Onsite Review Mandated Recommended * includes all transactions, regardless of the type /channel 12

13 4.2 How often do the validation tasks need to be completed All entities that process, store or transmit Visa transactions should ensure they complete the validation tasks on an annual basis. It is expected that organizations already regularly review and test security procedures. Validation to the PCI DSS standards should be part of this process. 4.3 Required documentation Visa notifies its members bi-annually to certify the PCI DSS compliance of their merchants and service providers. Clients are required to submit the following documentation: 1. Certificate of Compliance (CoC) - indicating full or partial compliance of the Service Provider / Merchant 2. Summary of Findings - signed off by the Qualified Security Assessor (QSA) if onsite audit was performed. For entities that are not fully compliant at the time of validation, the following documents are required to be submitted in addition to the Certificate of Compliance: 1. Remediation plan signed off by the QSA 2. Letter confirming the target date of full compliance signed by client bank Once remediation tasks have been completed, a final Certificate of Compliance must be submitted indicating full compliance. Compliant service providers are listed on the Visa homepage website for a 12 month period. 13

14 5.0 How to get started with PCI DSS validation Check to see if you meet the PCI DSS standards. Visa recommends the use of: 1. PCI Self-Assessment Questionnaire 2. Quarterly Network Vulnerability Scan conducted by an Approved Vulnerability Scanning (AVS) vendor 3. Onsite Review conducted by a Qualified Security Assessor (QSA) as the most effective way for you to determine whether you meet the PCI standards. 5.1 Self-Assessment Questionnaire The Self-Assessment Questionnaire (SAQ) is a free, confidential tool that can be used to gauge your compliance with the PCI DSS standards. The Self- Assessment Questionnaire is made up of yes / no questions. The SAQ can be downloaded from pcisecuritystandards.org. To prepare for and complete the Self-Assessment Questionnaire, follow these steps: 1. Familiarize yourself with the Payment Card Industry Data Security Standards 2. The questions should be distributed to the appropriate experts within your company to obtain accurate answers. These experts frequently include individuals responsible for policy and compliance, physical security and information security. 3. Complete the Self-Assessment Questionnaire 5.2 Vulnerability Scan An external vulnerability scan enables you to assess the level of security from potential external threats. Scanning tools are used to generate traffic that tests network equipment, hosts, and applications for known vulnerabilities. The scan is intended to identify these vulnerabilities so they can be corrected. External / remote vulnerability scanning - if your network is connected to the Internet, you are susceptible to intrusions from external hackers. As such, all of your Internet based network accessible devices should be scanned for vulnerability from outside your perimeter protection, such as a firewall. The vulnerability scan will be a non-intrusive test. All scans must be conducted by an Approved Vulnerability Scanning (AVS) vendor. You can find the list of AVS on pcisecuritystandards.org. Quarterly scans are required for all service providers, merchants whose annual transaction volume is over 1 million and all merchants who process over 20,000 e-commerce transactions annually. The follow up vulnerability scans are to ensure the remediation was successful. If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. Visa strongly recommends that you perform internal and external network vulnerability scans regularly, as new vulnerabilities are constantly discovered. 14

15 6.0 Need more information or help? By working with our acquiring banks, we are committed to making it as easy, convenient and secure as possible for businesses to accept payment cards. If you have any questions, your first point of contact should be Visa Payment System Risk. For further information relating to PCI DSS you can also visit Onsite Review The onsite review is an independent risk assessment required of service providers that have more than 300,000 Visa transactions per year and merchants that process, store or transmit over 6 million Visa transactions per year. Onsite reviews must be performed by a Qualified Security Assessor (QSA). During the onsite review, the QSA will follow a set testing procedure, built around the 12 PCI DSS requirements. You can find a detail list of approved QSAs on pcisecuritystandards.org. 5.4 What is the cost? The PCI online Self-Assessment Questionnaire and vulnerability scanning are provided by Visa Asia Pacific free of charge, the actual process of assessment, verification and remediation takes place at your organization s expense. Length of time and cost of compliance depend on the extent to which you are already compliant. The onsite review must be performed by a Qualified Security Assessor (QSA). It is recommended that merchants also use a QSA to perform the PCI DSS onsite review. Alternatively acquirers may elect to accept the Report of Compliance from merchants provided that it is signed by an officer of the merchant s company. It is up to you to negotiate the cost of the service with your preferred Qualified Security Assessor (QSA). 15

16 Payment System Risk Asia Pacific, Central Europe, Middle East & Africa Visa Worldwide Pte. Limited 71 Robinson Road, #09-01 Singapore