Customer Card Data Security and You

Transcription

1 Customer Card Data Security and You

2 01 What Is Global Fortress? Global Fortress is designed as a first line defence to provide you with the resources to help you in your fight against fraudsters. It simplifies the process for you to achieve and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance, by giving you access to the resources you need to protect your customer card data. The Benefits Of Global Fortress Include: A one-stop shop of resources to help you achieve PCI DSS compliance. Access to SecurityMetrics, our Qualified Security Assessor (QSA) partner for this product, who will support you in taking the necessary steps to achieve PCI DSS compliance. With SecurityMetrics and us here to help, you will have the information and support you need to achieve and maintain your PCI DSS compliance. Access to SecurityMetrics PANscan a simple to use tool that will help ensure you aren t storing customer card data. You can avoid our non-compliance charge and you will reduce your risk of incurring substantial fines imposed by the Card Schemes. When you sign up to Global Fortress, the remainder of the current month will be free. If you achieve and maintain PCI DSS compliance using Global Fortress and pay the fees as they fall due, we may, at our sole and absolute discretion, waive our rights of recovery Sign Up For Global Fortress Today from you (whether under this agreement or otherwise) following a Data Breach, up to an absolute maximum waiver of 25,000 in any 12 month period. Whether or not we waive our rights will be considered on a case by case basis in respect of each Data Breach. Call SecurityMetrics on * or visit When signing up please have the following to hand: Your Merchant ID Number/s All IP Address/es where card data is stored, processed or transmitted (which can be a website and/or an office PC) Details of any Payment Service Providers used Authority to proceed (from the business owner if it s not you) *Lines are open Monday to Friday, 9am - 5pm. Calls may be monitored and or recorded. Any recording remains SecurityMetrics sole property

3 2 PCI DSS Compliance is mandated by the Card Schemes including Visa and MasterCard. Global Fortress is not a guarantee of compliance but will help you on your journey. There may be specific actions you will be required to take in order to implement improved security processes or procedures. We will, of course, be happy to direct you to the appropriate resources who can provide assistance to help you with this. Non-compliance Is Not Acceptable Under our Card Processing Agreement, you are required to achieve and maintain PCI DSS compliance. We are now enforcing this requirement. If you don t do this, we will charge you a monthly non-compliance charge to cover the increased risks and costs associated with us supporting your business. We will advise when this applies to you. Our monthly non-compliance charge will also apply to merchants who choose Global Fortress but fail to achieve compliance. This will be applied in addition to your normal monthly fee for Global Fortress. Please see the Terms and Conditions enclosed.

4 02 PCI DSS Protecting The Industry, Protecting You The card payment industry is increasingly concerned about the security of customer card data. Essentially, this is the personal, sensitive, data stored on or in the card that is key to making a transaction. All too often this is easily accessible once the card has been accepted by a merchant. Fraudsters hack into defenceless systems and steal unprotected data, which they then use fraudulently. The proceeds of these crimes may be used to fund other illegal activities. In the wrong hands, customer card data is more valuable than cash! So is your customer card data secure? If you are not PCI DSS compliant, it s very unlikely! The card payment industry has developed a minimum standard that must be adopted by all merchants who store, process or handle customer card data which will help to reduce these risks to a more acceptable level. This global standard is known as the Payment Card Industry Data Security Standard (PCI DSS). It is supported and enforced by the global Card Schemes, including Visa and MasterCard. This standard has been enforced for larger merchants and all e-commerce merchants, resulting in a reduction in data breaches. However, criminals have now shifted focus to attack small businesses, especially where the Card is Not Present (CNP) at the time of transaction i.e. online, mail and telephone order transactions. This poses a very real risk to your business. If you process less than a million Visa and/ or MasterCard transactions every year, you are classified by the Card Schemes as a level 3 and level 4 merchant. Global Fortress is the simplest route to PCI DSS compliance with us. In order for you to become compliant you will need to complete a Self Assessment Questionnaire (SAQ). Depending on your business, you may also be required to have your systems inspected with a quarterly vulnerability scan. SecurityMetrics will advise you of the actions you will need to undertake when you sign up to Global Fortress.

5 4 The 12 key requirements are: Install and maintain a fi rewall confi guration to protect customer card data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of customer card data across open, public networks Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to customer card data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and customer card data Regularly test security systems and processes Maintain a policy that addresses information security for employees and contractors With effect from 01 July 2012, Card Scheme rules require all merchants and service providers that use third-party provided ( off-the-shelf ) payment application software, must use software that is Payment Application Data Security Standard (PA-DSS) compliant. Your failure to comply will render any PCI DSS compliance invalid and make your PCI DSS annual renewal more complex after this date. Further information on PA-DSS and PCI DSS is available on the offi cial website

6 03 Why Should You Care? If the customer card data you process isn t held safely and securely, your data could be stolen! If this were to happen, theft of your customer card data could cost you: Loss of business Loss of sales Adverse reputational issues Bad publicity Card Scheme fines are at least 10,000 and are potentially unlimited. For example, one of our merchants was fined 100,000 as a result of a data breach Costs of corrective measures include forensic investigation costs which can be tens of thousands of pounds Significant inconvenience If you process card transactions, you are responsible for securing your customer card data and you are mandated by the Card Schemes to comply with PCI DSS.

7 6 Sign Up For Global Fortress Today Call SecurityMetrics on * or visit When signing up please have the following to hand: Your Merchant ID Number/s All IP Address/es where card data is stored, processed or transmitted (which can be a website and/or an office PC) Details of any Payment Service Providers used Authority to proceed (from the business owner if it s not you) *Lines are open Monday to Friday, 9am - 5pm. Calls may be monitored and or recorded. Any recording remains SecurityMetrics sole property Why SecurityMetrics? SecurityMetrics is a long established QSA with significant expertise in achieving PCI DSS compliance with a proven history in customer service excellence. Among other things, SecurityMetrics provides: Expert assistance in determining validation requirements An easy-to-use online portal for quick and accurate compliance validation PCI DSS Frequently Asked Questions, videos and tutorials Technical support to assist with SAQ and scan results PANscan

8 04 What Happens If I Don t Choose Global Fortress? You don t have to choose Global Fortress, but you must achieve and maintain PCI DSS compliance. Essentially you have three options: Option 1: Through An Alternative QSA There are a number of QSAs who can help you. If you use one of these alternative QSAs, you must inform us and prove you have achieved and are maintaining compliance. It is our responsibility to verify your compliance status and register you with Visa and/or MasterCard. Therefore please ensure you provide us with a copy of: Your certificate of compliance (annually) and your scan results (quarterly) If you utilise a Third Party (other than our Secure epayments/global Iris ) and/or a Payment Service Provider (PSP), a copy of their certifi cate of compliance You will not be compliant with the PCI DSS requirements until we have received and registered your compliance status with the Card Schemes. If you prefer to achieve compliance through an alternative QSA, this will incur a monthly administration fee charged by us. This will be in addition to any fees charged to you by your alternative QSA. Please send copies of your completed documentation to us at: PCI DSS Compliance Programme HSBC Merchant Services LLP 51 De Montfort Street LEICESTER LE1 7BB Option 2: Self Assessment Questionnaire (SAQ) Only Dependant on your individual circumstances, you may be able to achieve and maintain compliance by completing the appropriate SAQ annually. You will have to satisfy yourself that you are compliant and you should note there are large penalties for breached merchants who claim to be compliant and aren t. If you prefer to achieve compliance through a self completion of an SAQ, this will incur a monthly administration fee charged by us. Option 3: Fail To Comply - Pay The Monthly Non-compliance Charge And Increase Your Risk Of Unlimited Fines If you do not comply with PCI DSS, we will apply a monthly non-compliance charge. We will advise when this applies to you. The fact that you will not be compliant is worse than having to pay our noncompliant charges. It will mean that you are at a higher risk of being breached. In cases of persistent failure to comply with the PCI DSS, we may have to resort to cancelling your card processing facility. If you achieve compliance without using Global Fortress, you will not enjoy any of the benefits associated with it.

9 8

10 05 Terms And Conditions Please read the enclosed Terms and Conditions regarding Global Fortress and make sure you understand these before you sign up. Call SecurityMetrics on * or visit *Lines are open Monday to Friday, 9am - 5pm. Calls may be monitored and or recorded. Any recording remains SecurityMetrics sole property

11 10 When you sign up for Global Fortress you will incur a monthly fee, invoiced in arrears. The current fees and charges are detailed in the literature enclosed in this brochure cover. Sign Up For Global Fortress Today Call SecurityMetrics on * or visit When signing up please have the following to hand: Your Merchant ID Number/s All IP Address/es where card data is stored, processed or transmitted (which can be a website and/or an office PC) Details of any Payment Service Providers used Authority to proceed (from the business owner if it s not you) *Lines are open Monday to Friday, 9am - 5pm. Calls may be monitored and or recorded. Any recording remains SecurityMetrics sole property

12 HSBC Merchant Services LLP 51 De Montfort Street Leicester LE1 7BB Tel Textphone HSBC Merchant Services LLP is authorised by the Financial Services Authority under the Payment Services Regulations 2009 (504290) for the provision of payment services. HSBC Merchant Services LLP is a limited liability partnership registered in England number OC Registered Office: 51 De Montfort Street, Leicester, LE1 7BB. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office. HSBC Merchant Services LLP All Rights Reserved. Issued by HSBC Merchant Services LLP AC22150