Your Compliance Classification Level and What it Means

Transcription

1 General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Merchants are responsible for the security of cardholder data and must be careful not to store certain types of data on their systems or the systems of their third party service providers. To whom does the Payment Card Industry Data Security Standards Compliance Program apply? The Payment Card Industry Data Security Standards (PCI DSS) Compliance Program applies to all entities that store, process, or transmits cardholder data. What are the benefits of being in Compliance with the Payment Card Industry Data Security Standards? It is good business practice to adhere to the PCI standards and protect cardholder information. Additionally, the card associations may impose fines on merchants who do not comply with PCI Data Security Standards. Please note such fines could be significant, especially if your business is compromised and you have not been validated as compliant. What is "Cardholder Data"? Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. The account number is the critical component that makes the PCI Data Security Standards applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. Your Compliance Classification Level and What it Means How is a PCI DSS level determined? A PCI DSS level is determined by annual transaction volume. The volume calculation will be based on the gross number of Visa, MasterCard, Discover Network, American Express or JCB transactions processed within your account. Should you have any questions about your PCI DSS level, please contact us at compliance@litle.com. What is the scope of the onsite review for Level 1 Merchants? The scope of PCI Data Security Standards compliance validation for Level 1 Merchants is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is retained, stored, or transmitted, including: All external connections into the merchant network (i.e., employee remote access, VisaNet, third party access for processing, and maintenance).

2 All connections to and from the authorization and settlement environment (i.e., connections for employee access or for devices such as firewalls and routers). Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored. POS Terminals may be excluded from review unless: o o A POS environment is IP-based and there is external access via Internet, wireless, VPN, dial-in, broadband, or publicly accessible machines (such as kiosks) to the merchant location. In this case, the POS environment must be included in the scope of the on-site review. A POS environment is not IP-based nor has external access to the merchant location. In this case, the on-site review begins at the connection into the authorization and settlement environment. How is IP-based POS environment defined? The point of sale (POS) environment is the environment in which a transaction takes place at a merchant location (i.e. retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location). An Internet protocol (IP) -based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP. Are Level 4 merchants ever required to validate their compliance? Yes, if a Level 4 merchant is to validate compliance with the PCI Data Security Standards. Can my compliance requirements change? Yes. As your transaction volume changes, and as association and industry rules change, your compliance requirements may change. It is the merchant s responsibility to be continuously aware of the data security requirements that currently apply. However, Litle s Compliance Team will assist you as a merchant with our yearly review of your transaction volumes, as well as monthly routine checks and reminders. Data Storage Protocol When is it acceptable to store magnetic stripe data or CVV (sensitive authentication data)? It is never acceptable to retain magnetic stripe data or CVV subsequent to transaction authorization. Visa, MasterCard, and Discover Network prohibit storage of the contents of the magnetic stripe as a unit, as well as CVV. However, the following individual data elements may be retained subsequent to transaction authorization:

3 Cardholder Account Number (must be rendered unreadable) Cardholder Name Card Expiration Date Are there alternatives, or compensating controls, that can be used to meet a requirement? If a requirement is not, or cannot, be met exactly as stated, compensating controls can be considered as alternatives to requirements defined in PCI Data Security Standards with the exception of requirement 3.2 do not store sensitive authentication data after authorization (even if encrypted). Compensating controls should meet the intention and rigor of the original PCI Data Security Standards, and should also be examined by the Qualified Security Assessor as part of the regular PCI Data Security standards compliance audit. Compensating controls should be "above and beyond" other PCI Data Security Standards, and should not simply be in compliance with PCI Data Security Standards. What if a merchant does not store cardholder data? If a merchant does not store cardholder data, the PCI Data Security Standards still apply to the environment that transmits or processes cardholder data. This includes any service providers that a merchant utilizes to store, process, or transmit cardholder data of their behalf. Approved Software and Applications What processing software/applications are currently known to be compliant? Below you will find a link to the card processing software programs that have been validated to be compliant with the PCI Data Security requirements, including the requirement that after authorization, Security Data will be purged from the records and systems. Security Data is certain security information, including the full contents of any track of the magnetic stripe from the back of a card and the cardholder validation code (the three or four digit value printed on the signature panel of the card). Copies of these software programs that have version numbers older (those with a lower version number) than those indicated must be either upgraded, have a special security patch installed, or be replaced with compliant software to ensure that you do not store Security Data in violation of Visa, MasterCard or Discover Network's rules. If you are using any software programs different than the programs indicated, you must confirm with your software vendor that the version you are using is compliant with current security requirements. To access this list of card processing software programs visit: Steps You Should be Taking

4 What is a Qualified Security Assessor (QSA)? Quality Security Assessor is an auditing company that specializes in information security. They use card association developed criteria (the PCI Data Security Standards) to validate whether or not a merchant's information security is robust enough to sufficiently protect cardholder data from unauthorized access or malicious parties. A QSA is recommended for all merchant levels, but are required for by Level 1 merchants. Where can the PCI Data Security Standards Compliance Questionnaire be found? The PCI Self-Assessment Questionnaire is available for download on the PCI SSC website: What is a Vulnerability Scan? A Vulnerability Scan (aka a System Perimeter Scan) involves an automated tool that checks a merchant's or service provider's systems for vulnerabilities. The tool will conduct a nonintrusive scan to remotely review networks and Web applications based on the externalfacing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. The tool will not require the merchant or service provider to install any software on their systems, and it will not perform any denial-ofservice attacks. Is the Vulnerability Scan only applicable to e-commerce merchants? No. The Vulnerability Scan is applicable to all merchants and service providers with internetfacing IP addresses. Even if an entity does not offer web-based transactions, there are other services that make systems internet accessible (i.e. transmission of credit card data to Payment Processor or Third Party Service Providers). Basic functions such as and employee internet access will result in the internet-accessibility of a company's network. These paths to and from the internet can provide unprotected pathways into merchant and service provider systems if not properly controlled. If a merchant or service provider does not have any internet-facing IP addresses, they will only be required to complete the Report on Compliance or the Self Assessment Questionnaire, as appropriate. For more information on the Security Scanning Procedures, navigate to: How do merchants determine the cost of PCI DSS compliance validation? The cost of the review varies greatly depending on the size of the environment to be reviewed, the chosen assessor, and the degree to which the merchant is already in compliance when the review commences. The cost of a Vulnerability Scan depends on the number of IP addresses to be scanned, the frequency of the scans, and the chosen scanning vendor. As a courtesy to its merchants, Litle & Co has negotiated preferred pricing with TrustWave. For more information please contact compliance@litle.com. What if a merchant has outsourced the storage, processing, and transmission of cardholder data to a third party service provider?

5 Merchants should deal only with PCI Data Security Standards compliant service providers. If service providers are handling cardholder data on a merchant's behalf, the merchant is responsible for the security of this data and must ensure that contracts with these service providers specifically include PCI Data Security Standards compliance as a condition of business. Merchant must also complete PCI DSS Self Assessment Questionnaire annually attesting such contracts are up to date with a merchant s service providers. Additionally, merchants must attest that any and all media held on their premises are properly secured. Do merchants need to include their service providers in the scope of their PCI Data Security Standards Review? Yes. Merchants are responsible for validating the compliance of their service providers. Can a merchant be considered Compliant if they have outstanding non-compliance issues, but provide a remediation plan? No. Lack of full compliance will prevent a merchant from being considered compliant. Litle & Co requires merchants to complete the initial review, develop a remediation plan; complete items on the remediation plan, and revalidate compliance of those outstanding items in a timely manner. Penalties for Non-compliance Are there fines associated with non-compliance of the PCI Data Security Standards? Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse your acquirer, for such fines. Please note such fines could be significant. Are there fines if cardholder data is compromised? Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance: Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies). All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward. Cost of re-issuing cards associated with the compromise. Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

6 Other PCI Compliance Resources Where can I go online to get more information? For information on association and industry cardholder information security programs, please visit the following websites on a regular basis: PCI Security Standards Council For ASV scans, what is meant by quarterly? The intent of the quarterly scans as prescribed in Requirement 11.2 of the PCI DSS is to have them conducted as close to three months or 90 days apart as possible, so as to minimize the risk and identify vulnerabilities more quickly. In order to meet this requirement, an entity is required to complete their ASV scans, and perform any required remediation, each quarter. Who can I speak to if I have questions? If you have questions, please contact Litle & Co. Compliance Team compliance@litle.com.