Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Transcription

1 Postbank P.O.S. Transact GmbH (now EVO Kartenakzeptanz GmbH) has recently been purchased by EVO Payments International Group Program implementation details for merchants Payment Card Industry Data Security Standard (PCI DSS) 1

2 Introduction In view of the rising number of instances of credit card fraud, credit card organizations MasterCard International and Visa International have respectively initiated programs named MasterCard Site Data Protection (SDP) and Visa Account Information to increase security during saving, processing and/or relay of card data. The credit card organizations have requested acquirers (merchant banks) to prove that you and your service provider have taken appropriate technical and organizational security measures which prevent card data from being compromised. These programs are intended for service providers and merchants who save, process and/or relay card data using your own systems. If card data (governed by an E-commerce, MOTO or POS acceptance contract) are compromised, this could give rise to significant damage claims by the operators of the payment systems and acquirers. Consequently, you and your service provider must provide proof of having taken appropriate technical and organizational measures to protect card, transaction and account data against misuse and unauthorized access. In December 2004 (MasterCard) and February 2005 (Visa), the payment systems hitherto discrete technical requirements were merged to form the Payment Card Industry (PCI) Data Security Standard. In April 2008, the PCI DSS was supplemented by software evaluation according to the PCI Payment Application Data Security Standard (PA DSS), Version 1.2. In September 2006, the companies American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International announced the founding of an independent body named PCI Security Standards Council (PCI SSC). This council is responsible for advancing the Payment Card Industry Data Security Standard (PCI DSS). In October 2008, the PCI SSC updated PCI DSS Version 1.1 to PCI DSS Version 1.2. As of , certification according to the old Version 1.1 of the standard is no longer accepted. The standard s new version comprises PCI DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008) PCI DSS Self-Assessment Questionnaire, 1.2 (release: October 2008) PCI DSS Security Scanning Procedures, 1.1 (release: September 2006) PA DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008) This version can be found at: 2

3 To prove compliance with the programs, you are subject to the following actions depending on your category (described further below): You perform an initial evaluation of your security measures using a PCI DSS Self-Assessment Questionnaire. This questionnaire must be newly filled out on an annual basis. Every year, the Internet interface operated by the merchant (if relevant) undergoes four PCI DSS Security Scans intended to detect weak points susceptible to attacks. Conformance to security requirements is examined on location through a PCI DSS Security Audit. Level 1: - Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle more than 6 million transactions with MasterCard or Visa - All merchants who have been targets of data compromise and misuse - All merchants assigned to Level 1 on the basis of another credit card brand - All merchants assigned to this category following assessment by MasterCard or Visa with the intention of minimizing risk to payment systems The table below provides an overview of the security checks required in accordance with the number of performed transactions. Categorization according to MasterCard 1 and Visa 2 is based on the following criteria: 1 According to MasterCard Global Security Bulletin No. 1, 14 th January According to Visa Member Letter EU 06/05, 2 nd February 2005 Merchant category Self Assessment Security Scan Security Audit Level 1 4 x annually 1 x annually Level 2 1 x annually 4 x annually 1 x annually* Level 3 1 x annually 4 x annually Level 4 1 x annually 4 x annually * Requirement for MasterCard 3

4 Level 2: - Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle 1 million to 6 million transactions with MasterCard or Visa - All merchants assigned to Level 2 on the basis of another credit card brand Level 3: - All merchants handling 20,000 to 1 million transactions with MasterCard or Visa - All merchants assigned to Level 3 on the basis of another credit card brand Increased data protection for your customers Higher level of customer confidence, potentially resulting in greater credit card usage and turnover High protection against security breaches which would lead to financial damage and claims for compensation Safeguarding of corporate image Evaluations of the security of systems for saving, processing and relaying data on credit card owners Lower entrepreneurial risk through minimization and avoidance of data disclosure Lower costs of PCI Compliance through structured networks Level 4: - All merchants handling less than 20,000 transactions with MasterCard or Visa, and not assigned to Level 1, 2 or 3 The individual steps involved in providing proof of PCI Compliance are described next. Compliance Validation by means of the PCI questionnaire, PCI Security Scans and PCI Security Audits is performed by accredited partners (PCI Qualified Security Assessor and PCI Approved Scanning Vendor) of the credit card organizations. Advantages of PCI DSS for merchants: The binding rules of PCI DSS enhance IT security and help prevent fraud. The added security during processing of payment cards in compliance with PCI provides the following benefits in particular: Procedure Important! As a Postbank P.O.S. Transact GmbH contracted merchant, you will have received a notification with information for accessing Postbank P.O.S. Transact s PCI DSS platform. Please register yourself on the platform and check the master data stored there for your company. After that, please follow the instructions and platform s integrated help utility to demonstrate your PCI compliance. 4

5 Registering on the PCI DSS platform Merchant classification SAQ Selection Wizard Completing the SAQ Self Assessment Questionnaire (Level 4) Self Assessment Questionnaire (Level 2-3) Self Assessment Questionnaire (Level 1 obligatory) Security Scan (Level 4) Security Scan (Level 2-3) Security Scan (Level 1) Security Audit (Level 1) Reporting PCI Compliance Validation 5

6 Electronic online questionaire/pci DSS Self-Assessment Questionnaire Merchants (Levels 2-4 ) must annually assess their technical and organizational measures by responding to online PCI Self- Assessment Questionnaires prepared for this purpose. Covering all six areas of the PCI Data Security Standard, the questions examine compliance with twelve requirements: IV. Implement Strong Access Control Measures 7 th requirement: Restriction of access to data according to the need-to-know principle 8 th requirement: Assignment of unique IDs to all persons with computer access 9 th requirement: Restriction of physical access to card owner data I. Build and Maintain a Secure Network 1 st requirement: Establishment and maintenance of a firewall for data protection 2 nd requirement: Modification of the default system-passwords and other security parameters issued by the merchant V. Regularly Monitor and Test Networks 10 th requirement: Tracking and monitoring of all access to network resources and card owner data 11 th requirement: Regular testing of security systems and processes II. Protect Cardholder Data 3 rd requirement: Protection of saved data 4 th requirement: Encrypted transmission of card owner data and other sensitive information via public networks III. Maintain a Vulnerability Management Program 5 th requirement: Use and regular updating of anti-virus programs 6 th requirement: Development and maintenance of secure systems and applications VI. Maintain an Information Security Policy 12 th requirement: Maintenance of an information security policy The questionnaire is used for self-assessment of compliance with the PCI Data Security Standard. 6

7 PCI DSS Security Scan Security Scans are meant to reveal shortcomings in the investigated system s architecture and configuration. Intruders could exploit such shortcomings in order to steal credit card data. An accredited PCI certifier performs PCI Security Scans in compliance with the requirements laid down in PCI Security Scanning Procedures. Non-intrusive and non-destructive, these scans do not affect the availability or integrity of the target systems. Instead, the scans involve sending ordinary requests to the target systems essentially without disrupting their proper operations. An appointment for a PCI Security Scan is agreed with you in advance. The PCI Security Scan is subsequently performed using standardized and defined PCI DSS Security Scanning Procedures. You receive the results of the PCI Security Scan in a report written in English. Formulated according to PCI DSS specifications, the report rates each detected shortcoming by assigning it to one of five categories (ranging from low to urgent ). The scan is meant to systematically reveal all weak points and deficiencies which could permit the system to be infiltrated. If the PCI Security Scan performed according to the PCI Security Scanning Procedures yields less than satisfactory results, you as the merchant must take appropriate measures for improving the shortcomings. A new PCI Security Scan is then performed to ascertain whether your measures were effective. Via the Internet, the systems are examined for possible shortcomings by means of Security Scanners and manual analyses. The employed tools check for deficiencies in network components, operating systems and applications. 1 procedures_v1-1.pdf 7

8 PCI DSS Security Audit The PCI Security Audit comprises a check on-location for adherence to the PCI Data Security Standard. As part of the Security Audit, merchants categorized as Level 1 are subjected to additional tests described later on. Preparation for a PCI Security Audit involves the following steps: 1. Formal application for obtaining the service from a certifier and provisional agreement of an appointment for a PCI Security Audit. 2. Delivery of documents for performing the Security Audit: The PCI certifier delivers documents titled PCI Data Security Audit Procedures and Reporting and Guideline for the preparation of the PCI security audit in electronic form to the customer. At the same time, the certifier issues a password and a public PGP-key for safeguarding future communications. 3. An electronic online PCI Self-Assessment Questionnaire is released so that the customer can carry out an initial, optional assessment of their PCI-Compliance. Step 2: Security Audit on-location As part of the PCI Security Audit, the certifier carries out random, in-situ checks of the details confirmed in writing by the merchant in a document titled PCI Data Security Standard Requirements and Security Assessment Procedures. Covering all six areas of the PCI Data Security Standard, the check includes: Scrutinizing the business model Examining how card transactions are performed with the employed IT systems (data flow) Conducting interviews with staff, especially those who - perform security functions at the company - have access to card data - are responsible for maintaining and operating systems used to save, process or relay card data Viewing log files of relevant applications Inspecting relevant rooms such as the server room, the computer centre, etc. If you have implemented security solutions which differ from the measures mentioned on the checklist ( Compensating Controls ), the certifier will assess their suitability and conformance to the PCI Data Security Standard. Step 1: Evaluating the information The required information is submitted to the certifier no later than two weeks before the agreed Security Audit. 8

9 Step 3: Report draft The certifier prepares an informal report of the audit results on the basis of the document titled PCI Data Security Standard Requirements and Security Assessment Procedures, and discusses the results with you. Step 4: Provisional version of the report Following mutual consultation, the certifier incorporates your feedback into the report draft and submits it to the payment systems. The payment systems review the draft and return it, accompanied by their own comments, to the certifier. Step 5: Final version of the report Taking into consideration the comments issued by the payment systems, the certifier amends the audit report and sends the final version to you as well as the payment systems. If you have any questions relating to the Postbank Service Agreement for Card Acceptance, please do not hesitate to contact: Postbank Service Kartenakzeptanz Nürnberg, Germany Phone: Fax: