PCI DSS Compliance Information Pack for Merchants

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PCI DSS Compliance. 2015 Information Pack for Merchants"

Transcription

1 PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends you seek advice from a PCI-approved Qualified Security Assessor if you have questions or concerns about your business' PCI DSS compliance obligations. ANZ does not warrant the accuracy of this information and accepts no liability if you choose to rely on it. You must not circulate this pack to anyone outside of your organisation without ANZ s written consent.

2 Contents Section 1: Introduction to PCI DSS Section 2: Being PCI DSS compliant? Section 3: How can ANZ assist? Section 4: Education Tools and References 2

3 Section 01 Introduction to PCI DSS 3 3

4 Overview of PCI DSS Roles and Responsibilities Each of the following stakeholders play an important role in ensuring PCI DSS compliance for all organisations that store, process or transmit payment card information. PCI DSS is an industry requirement for all acquiring banks and their merchants. PCI Security Standards Council (PCI SSC) Card Schemes Acquirer Merchant The PCI Security Standards Council publishes and manages the standard. Standards include: PCI DSS PCI PTS (Hardware) PA DSS (Software) Maintain lists of Approved Vendors for: External network scanning QSA Organisations, Internal Security Assessors Payment Devices Payment Applications Ensure adherence to PCI standards by mandating timeframes for compliance, incentives, penalties and regular progress reporting. Card Scheme Websites Provide: Merchant Levels Merchant Obligations Compliance Dates Education and training List of registered PCI DSS compliant Service Providers Manage implementation of PCI Data Security Standards and the card schemes mandates with our merchants. Report regularly to Visa and MasterCard on PCI DSS compliance progress of our merchants. Provide education and support to ensure our merchants validate and maintain PCI DSS compliance Complete an annual Self- Assessment Questionnaire or Onsite Audit Manage non-compliance remediation activities using the Prioritised Approach tool Complete a compliant network vulnerability scan each calendar quarter Report your compliance status to ANZ each quarter. Use of PCI-DSS compliant service providers Use of PA-DSS certified best practice applications. Note: For details of American Express requirements, please speak to your American Express account manager. 4

5 PCI DSS Compliance Is About Protecting Payment Card Data PCI DSS stands for Payment Card Industry Data Security Standard. The PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC) whose founding members are international card schemes. PCI DSS is about how Merchants are expected to protect Payment Card Data. Security Code Magnetic Stripe Contains Track Data What is Payment Card Data? Chip PAN Expiry Date Security Code If you want to accept payments via cards issued by the Card Schemes then you need to understand and comply with these standards. They form part of your Merchant Agreement. PCIDSS applies to all merchants that store, process and/or transmit Payment Card Data - however the scope of its impact depends on what merchants solution you use and how you operate your business. 5

6 PCI DSS Regulates The Storing Of Payment Card Data To reduce your PCI DSS obligations outsource the capture and processing of card data using a PCI DSS compliant service provider. Where you must store card data the following table advises which elements can be stored and how the PCI DSS requirement section 3 relates to the security controls and key management required to store Payment Card Data. What Payment Card Data can be stored? Reference: PCI SSC PCI DSS Quick Reference Guide 6

7 PCI DSS Protects Data Through Data Security Controls PCIDSS consists of 6 core principles which are accompanied by 12 requirements. Becoming PCI DSS compliant requires that you can show that you have addressed all of the requirements that apply to you. Depending on how your business handles Payment Card Data will govern how many of these principles will need to be complied with. How you demonstrate compliance depends on your Merchant level and/or the type and number of payment channels. PCI Data Security Standard High Level Overview Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Implement String Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to systems components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel Reference: PCI DSS Version 3.0 7

8 Examples Of How PCI DSS Non-compliance Can Lead To An Account Data Compromise Extract from Forensic Investigation Report The initial investigation has identified a number of non PCI DSS compliant practices within the merchant that could have contributed to unauthorised access to payment card data. These include: Multiple website vulnerabilities, identified using an ASV scan Lack of updating new software releases and security patches Stored based orders that contain cardholder data Use of non-compliant service providers such as a payment gateway, web host, shopping cart or POS application. Insecurely stored paper records used to take telephone orders Paper records used to transfer transaction details between systems Default passwords were never changed.

9 Consequences Of An Account Data Compromise (ADC) ADCs involve unauthorised access to cardholder data that is held within your business environment in either electronic or physical form. It is usually done by fraudsters who don t care how large or small the business is. If you don t protect payment card data and/or take steps to ensure that your service providers do the same, you could be subject to an ADC event. If you become the subject of an ADC event you risk financial penalties, the suspension or termination of your merchant facility and remediation costs. You also risk damage to your brand and reputation. While many cardholder data compromises in Australia go unpublicised some have resulted in adverse publicity through national media outlets. Audit / Forensics Costs Controlled Enhanced Brand and Reputation Increased Customer Confidence Suspension or termination Financial Costs: Remediation/ Penalties Brand Damage PCI DSS Compliance Non-compliant PCI DSS can help to minimise the occurrence and impact of the theft of Payment Card Data from you. Compliant 9

10 Financial consequences associated with PCI DSS noncompliance Account Data Compromises If you suffer an ADC event, the financial consequences of a data compromise include: Fines if you have an Account Data compromise Reason Visa assessments (up to in US$) MasterCard assessments (up to in US$) Account data compromise (ADC) Up to $400,000 $5,000 to $500,000 Additional PCI DSS non-compliance assessments post ADC ADC operational reimbursement NA Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud $100,000 per non-compliant requirement Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud Failure to report an ADC NA Up to US$25,000 per day of non-compliance PCI DSS non-compliance The financial consequences of PCI DSS non-compliance include: Fines for not validating compliance Violations per calendar year MasterCard (up to in US $) for L1 & L2 Merchants MasterCard (up to in US$) for L3 Merchants Visa ( up to in US $) for L1, L2 & L3 Merchants First violation 25,000 10, Second violation 50,000 20,000 5,000 Third violation 100,000 40,000 10,000 Fourth violation 200,000 80,000 25,000 Total of 4 violations per Merchant 375, ,000 40,500 In addition, we may have no choice but to terminate your merchant facility if PCI DSS compliance isn't achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which could limit your ability to gain a merchant facility from another bank. 10

11 PCI DSS Latest Developments News Flash PCI DSS Supplement Publications The PCI Security Standards Council develops supplement guides for emerging technologies and areas for improvement such as managing service providers or dealing with terminal tampering. Refer to below examples of recent publications: New guide for managing 3rd party service providers. Best Practice for maintaining compliance. Security Awareness Program Skimming Prevention Prioritised Approach version Historical Mandates Visa Enforcement Plan for Level 1 and 2 merchants as well as Service Providers. Effective 1 January 2015 all service providers must be registered with the schemes and have validated their PCI compliance, Level 1 and 2 merchants must have validated PCI compliance or have a firm plan and budget in place to reach compliance within an acceptable timeframe and the bank and Visa. PCI DSS version 3.0. Effective 1 January 2014, organisations must comply from 1 January Visa Safe Harbour for L3-L4 merchants are protected by Visa fines when fully outsourcing payments processing to PCI DSS compliant Service Providers: Effective 1 January PCI PTS (PIN Transaction Security) version 4: Released date, June PA DSS approved applications should only be used for payment processing: Effective 1 July PCI SSC ISA Certified for Level 1 & 2 internal assessments: Effective 30 June

12 Section 02 Being PCI DSS compliant 12 12

13 Determine Your Level And Reporting Obligations Step 1. Determine your merchant level Merchant Level Number of transactions per annum of either Visa or MasterCard transactions Level 1 > 6m Level 2 > 1m and <6m Level 3 Level 4 < 1m and >20,000 ecommerce <1m and <20,000 ecommerce Your level is determined using the number of either Visa or MasterCard transaction per annum. Begin by identifying your merchant level, and keep track as your business grows. The ANZ PCI team also tracks your level and reports this through to the card schemes. Your merchant level determines how you validate PCI compliance. The PCI compliance requirements are the same for everyone, regardless of the transactions volume. Merchants are suspected of a data compromise they automatically become a level 1 merchants.

14 Determine Your Level and Reporting Obligations, Continued Step 2. Understand the reporting obligations to validate compliance Merchant Level Level 1 Level 2 Level 3 Reports Annual AOC /SAQ ASV Scans every 90days Prioritised Approach Tool Validation Method and Obligation Must use an external Qualified Security Assessor (QSA) or a PCI qualified Internal Security Assessor (ISA) Mandatory status reporting to ANZ Must use an external Qualified Security Assessor (QSA) or a PCI qualified Internal Security Assessor (ISA) Mandatory status reporting to ANZ Self-Assessment Mandatory status reporting to ANZ Level 4 Self-Assessment Status reporting to ANZ upon request Assessments for level 1 require a Report of Compliance (ROC) and submission of the AOC. Assessment for level 2, 3 and 4 require a Self-Assessment Questionnaire (SAQ)to be submitted. Only PCI Security Council qualified assessors can validate compliance for level 1 and 2 merchants. Merchant must report their compliance status to ANZ each and every calendar quarter. Refer to reporting dates. Reports to be provided to ANZ include: An Attestation of Compliance (AOC) or Self Assessment Questionnaire (SAQ) to be provided each year on the anniversary date of the initial AOC. Quarterly external vulnerability scan results. Where non-compliant, quarterly updates using the Prioritise Approach tool. 14

15 How To Get Started With PCI DSS Step 3. Start assessing your business to determine the scope Recommended Actions 1 You will require good governance. Determine who in your business must be involved, you will require both technology, business/operations areas and SMEs. 2 Run the external vulnerability scan using the ANZ PCI portal. 3 Document your current transaction flows and understand your assessment scope. This should include cardholder data flows, processes, people and systems. Consider how to de-scope by utilising compliant service providers. 4 Remove all sensitive data and delete any stored PANs immediately to eliminate risk. 5 Use the ANZ PCI Portal Wizard to determine your SAQ type. 6 Complete the SAQ and Prioritised Approach tool, if you are not PCI compliant. 7 Develop a project plan for remediation activities, along with a target compliance date. 8 Submit your reports to ANZ on the due dates. When developing your project plan to remediate any gaps, consider changing business processes not just technology. Your website could be integrated with alternative integration methods to significantly reduce your efforts required to reach compliance, investigate hosted payment page and iframe options with your service provider. Utilise your PCI DSS compliant service providers to help reduce your scope. 15

16 PCI DSS SAQ Version 3.0 SAQ Guide SAQ Description Require ments Product Types A A-EP B Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Not applicable to face-to-face channels. E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Applicable only to e-commerce channels. Merchants using only: Imprint machines with no electronic cardholder data storage; and/or Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels Payment Gateway Hosted Payment Page and iframe OR Hosted shopping cart PCI Complaint Software As a Service (SAS) Direct post from the client side directly to the payment gateway, bypassing the merchant s web server. 41 Standalone terminal B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. 83 Standalone terminal with an IP connection C-VT C D Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. Including: Merchant hosted ecommerce and cardholder data storage. 73 Virtual terminal using a payment gateway 140 Integrated terminal 326 All other products, integration methods and combination of products. 16

17 Mandatory PCI DSS Reporting Due Dates for 2015 ANZ prepares Schemes Reports about the PCI DSS compliance of its Merchants on a quarterly basis. Merchants are required to submit their reports to ANZ by the due dates in the below table. The 2015 reporting dates are set out below: Q1 Q2 Q3 Q4 Start of Quarter 1 January April July October 2015 Due date to submit Quarterly PCI DSS reports to ANZ 13 March June September December 2015 Reports to be submitted: External Vulnerability Scan PASS Results Signed SAQ or AOC Must be provided on the anniversary date (once every 12 months) Prioritised Approach report when not PCI compliant

18 Summary PCI DSS Compliance Requires Good Governance In order to meet the various PCI DSS validation requirements, most Merchants will need to do the following types of things: Understand your Merchant Level Determine the scope of your Card Data Environment that is, understand where and how Payment Card Data forms part of your payment processing activities Complete a compliant Network Vulnerability Scan (every 3 months (ongoing)) for externally facing IP addresses if they form part of your Card Data Environment Complete an annual PCI DSS Assessment of your Card Data Environment onsite or SAQ as required determine what SAQ applies to you If you are a Level 1 or Level 2 Merchant, you will need to decide whether you will engage a QSA or go down the ISA path Develop a plan to fix (remediate) any areas of non-compliance use the Prioritised Approach tool if required Quarterly submit your compliant Scan and PCI DSS assessment update to ANZ by report date Keeping good records and an audit trail will help you stay on top of your PCI DSS requirements 18

19 Section 03 How can ANZ assist? 19 19

20 ANZ Is Committed To Assist Merchants With PCI DSS Compliance ANZ is proud of its achievements to date in helping its merchants address their PCI DSS compliance obligations and can provide the following support services to assist attaining and maintaining PCI DSS compliance. Dedicated ANZ PCI Compliance Manager to assist your business in reaching compliance with PCI DSS. ANZ PCI Compliance Manager provides education, support, management and reporting frameworks and engagement with expert information security resources to assist your business with journey to and maintenance of PCI compliance. ANZ offers our customers regular planning session for PCI DSS, to identify activities, support requirements and reporting timeframes for the coming year. Progress meetings as required to support your PCI program. Access to industry benchmarks and best practice for PCI program management. Participate in ANZ PCI DSS Merchant Forums - network, learn and share experience with other merchants. 20

21 Introducing the ANZ PCI Portal ANZ can provide unlimited complimentary access to selected merchants to its ANZ PCI Portal (go to ANZ PCI Online Portal) with easy to follow User Guides. PCI Compliance Validation Task PCI Self Assessment How the ANZ PCI Portal can help you You can work out which SAQ is relevant to you by following the prompts in the ANZ PCI Portal or by calling the Vectra Service Desk. SAQs can be completed online, and then electronically filed in the Portal. Vulnerability Scans Fully supported by a Help Desk Save time, environmentally friendly - paperless. If you are required to perform a Vulnerability Scan you can do so through the ANZ PCI Portal by following the prompts in the ANZ PCI Portal. Many options for your ASV Scans, you can choose to run immediately; run at a specific scheduled date/time, or schedule every 90 days to run automatically. You can scan many IP Addresses concurrently. Save money! Convenient. Manned by friendly approachable PCI Subject Matter Experts (help-desk based in Australia). Phone and support provided on or Expertise. 21

22 Section 04 Education Tools & References 22 22

23 Determine the scope of your Payment Card Data Environment The PCI DSS (Full Requirements) v3 offers guidance in preparing for your annual PCI DSS assessment (pp 10-18). Guidance is offered on scoping, sampling, network segmentation, outsourcing relationships, wireless environments, use of third-party service providers/outsourcing, compensating controls and the conduct of the assessment. Extract from the document shown below: 23

24 Quarterly task perform an external vulnerability scan There are ongoing quarterly obligations associated with demonstrating (proving) your level of PCI compliance: To ensure PCI DSS compliance, your organisation is required to complete a Network Vulnerability Scan, fix any non-compliant vulnerabilities, and then conduct a final compliant scan each quarter. Quarterly Network Vulnerability Scan PCI DSS Requirement 11.2 An external vulnerability scan enables you to assess the level of security from potential external threats. PCI Approved scanning tools test network equipment, hosts, and applications for known vulnerabilities; the scan is intended to identify such vulnerabilities so they can be corrected. A network security scan is conducted in a non-intrusive way to remotely review networks and Web applications based on your external-facing Internet Protocol (IP) addresses provided. The scan will identify vulnerabilities in operating systems, services, and devices that could be exploited by hackers to target your company s private network. A full technical description of the scan scope can be found in this document on pages of the ASV Approved Scanning Vendors Program Guide. Note: a Vulnerability Scan may not be required if your payment processing page is bank hosted or hosted by a PCI certified payment gateway. This is usually merchants completing either the SAQ A, B, or C-VT versions. Quarterly Scans are compulsory if you qualify for either the SAQ C or SAQ D version 24

25 Recommendations For Planning Your Quarterly Scans Quarter activity required to achieve a PASS scan results by the reporting due dates. Week 1-4 Activities Week 5-8 Activities If your annual Attestation of Compliance (AOC) expires in this quarter, you will be requested for an update AOC by the due date. ASVs are required to make ongoing improvements to detect new vulnerabilities, so perform your scan early in the process to allow for any unexpected remediation. Initial Scan Remediation Perform required vulnerability remediation. Report false positives to your ASV vendor. Complete annual audit activities for the AOC. Week 9-12 Activities For SAQ D merchants, where compliance is not achieved complete a Prioritised Approach report using the approved template. Week 9-12 Submit Reports Ensure you have a compliant ASV scan and AOC or ROC. Where non-compliant, advise the remediation timeframe and where applicable update the Prioritised Approach report showing ongoing improvements and percentages. Submit all reports by the Due Date. Definitions: ASV means approved scanning vendor

26 Completing a Self-Assessment Questionnaire The PCI Council has combined the 2 reference documents which includes test procedures and the guidance into the single document to help your business complete the Self-Assessment Questionnaire. Extract from PCI DSS Version 3 with the extended guidance below: 26

27 Annual assessment requirements for Level 1 & 2 Merchants If you are a Level 1 or Level 2 Merchant, your PCI DSS Assessments must be conducted under the supervision of a Qualified Security Assessor or one of your own staff members certified as Internal Security Assessor. Qualified Security Assessors Qualified Security Assessor (QSA) companies are organisations that have been qualified by the PCI Security Council to have their employees assess compliance to the PCI DSS standard details of QSA s located in Australia can be found at: QSA Organisations. ANZ has strong relationships with several local QSAs and would be happy to facilitate an introduction. Internal Security Assessors are organisations that have had staff qualified by the PCI Council. The Internal Security Assessor (ISA) Program consists of training from the Council to improve the organisation s understanding of PCI DSS. There are a number of requirements around ISA certification at this link ISA Training Information - including pre-registration of your organisation with the PCI Security Standards Council, expertise requirements for the staff participants, online training & assessment prior to attending the training, etc. For Level 1 and 2 Merchants, choosing whether you will appoint a QSA or train your own staff through the ISA program is an important decision and will require time and resources. We recommend that you address these questions early so that you can comply with your annual assessment requirements. 27

28 What if you are PCI DSS non-compliant? Merchants often find that they are non-compliant with PCI DSS after they have completed their annual assessment. In addition, a merchant s payment environment can change and just because PCI DSS compliance has been achieved at one point in time, does not mean that the Merchant will always be compliant. PCI DSS recognises that Merchants may not be compliant and requires that the merchant develop a remediation plan to fix any areas of non-compliance your remediation plan should List and prioritise any remediation activities required for PCI validation. This ensures that you're remediating with a risk based approach, dealing with the highest risks first. The PCI Council has developed the PCI DSS Prioritised Approach and the PCI DSS Prioritised Tool and Instructions Input results from your completed Self Assessment Questionnaire into the Prioritised Approach Tool to provide an assessment of priority to remediate non-compliant requirements, based on risk. The Prioritised Approach Tool groups the PCI DSS requirements into risk-based Milestones. It is important that you are able to demonstrate your commitment to rectify any areas of PCI DSS non-compliance by developing and implementing a remediation plan that is acceptable to ANZ. This can assist in minimising any Card Scheme fines due to non-compliance. Target compliance dates must be included. 28

29 PCI DSS education and references The following information may be helpful in further understanding your PCI DSS obligations: Brochures and Guides ANZ PCI SSC PCI SSC PCI SSC PCI SSC PCI SSC PCI SSC Visa Fraud Minimisation, Data Security and Chargeback Guide PCI DSS (Full Requirements) v3 Understanding the Intent of the PCI DSS Requirements PCI DSS Quick Reference Guide PCI DSS Prioritised Approach Various other PCI DSS supporting documents PCI FAQS Guide for Staying PCI Compliant Webinars MasterCard PCI 360 Merchant Education Webinars APCA Get Smart About Fraud Online Training PCI SSC PCI SSC PCI DSS Awareness Training Online Internal Security Assessor (ISA) Training and Certification 29

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011) Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

Credit Card Processing, Point of Sale, ecommerce

Credit Card Processing, Point of Sale, ecommerce Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0 October 2010 Document Changes Date Version Description October 1, 2008 1.2 October

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Adyen PCI DSS 3.0 Compliance Guide

Adyen PCI DSS 3.0 Compliance Guide Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PCI DSS Gap Analysis Briefing

PCI DSS Gap Analysis Briefing PCI DSS Gap Analysis Briefing The University of Chicago October 1, 2012 Walter Conway, QSA 403 Labs, LLC Agenda The PCI DSS ecosystem - Key players, roles - Cardholder data - Merchant levels and SAQs UofC

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help

More information

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standards. Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

More information

Property of CampusGuard. Compliance With The PCI DSS

Property of CampusGuard. Compliance With The PCI DSS Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

PCI DSS Compliance in a hosted infrastructure

PCI DSS Compliance in a hosted infrastructure PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by

More information

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI)

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI) CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

Merchant guide to PCI DSS

Merchant guide to PCI DSS Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does

More information

Understanding the SAQs for PCI DSS version 3

Understanding the SAQs for PCI DSS version 3 Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference 2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the

More information

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

Simplêfy Client Support and Information Services. PCI Compliance Guidebook Simplêfy Client Support and Information Services PCI Compliance Guidebook Simplêfy, Inc. 301 Science Drive, Suite 280 Moorpark, CA 93021 Phone 888.341.2999 Fax 877.280.0885 Simplêfy is a Registered Trademark

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Achieving PCI Compliance for Your Site in Acquia Cloud

Achieving PCI Compliance for Your Site in Acquia Cloud Achieving PCI Compliance for Your Site in Acquia Cloud Introduction PCI Compliance applies to any organization that stores, transmits, or transacts credit card data. PCI Compliance is important; failure

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

More information

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007 Sense of Security Pty Ltd (ABN 14 098 237 908) 306, 66 King St Sydney NSW 2000 Australia Tel: +61 (0)2 9290 4444 Fax: +61 (0)2 9290 4455 info@senseofsecurity.com.au PCI Compliance : What does this mean

More information

PCI DSS Compliance Services January 2016

PCI DSS Compliance Services January 2016 PCI DSS Compliance Services January 2016 20160104-Galitt-PCI DSS Compliance Services.pptx Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 2 Introduction

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0 February

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

North Carolina Office of the State Controller Technology Meeting

North Carolina Office of the State Controller Technology Meeting PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards Westpac Merchant A guide to meeting the new Payment Card Industry Security Standards Contents Introduction 01 What is PCIDSS? 02 Why does it concern you? 02 What benefits will you receive from PCIDSS?

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level. Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

PCI DSS Presentation University of Cincinnati

PCI DSS Presentation University of Cincinnati PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder

More information

PCI Security Compliance

PCI Security Compliance E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment

More information

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT PCI Compliance 101: Payment Card Industry Basics Data Security Standards Compliance Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions

More information

PCI DSS and SSC what are these?

PCI DSS and SSC what are these? PCI DSS and SSC what are these? What does PCI DSS mean? PCI DSS is the English acronym for Payment Card Industry Data Security Standard. What is the PCI DSS programme? The bank card data, which are the

More information

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information

More information

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines? Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

PCI Risks and Compliance Considerations

PCI Risks and Compliance Considerations PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

So you want to take Credit Cards!

So you want to take Credit Cards! So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information