White Paper PCI-Validated Point-to-Point Encryption On Microsoft Azure. By Christopher Kronenthal, Chief Technology Officer
Foreword

2015 will bring incredible change and innovation in the retail industry, especially around how retailers interact with their customers. Ushered in with next-generation Point of Sale (POS) devices, consumers will encounter a more personalized and protected shopping experience, allowing retailers to be mobile or stationary at check-out, make more tailored offers to customers in real time and meet new security requirements.

Today most U.S. retailers support legacy magnetic stripe credit card technology that is inherently insecure and prone to fraud and theft. Similarly, much of the technology that handles this magnetic stripe data does not adequately protect the payment elements and related customer information as it passes through the retailer's networks and systems. In an attempt to address this vulnerability, the major credit card brands are demanding that new payment security standards be adopted as of October. The new standards, which are already broadly implemented internationally, are driven by a global consortium of credit card networks collectively referred to as EMVCo (Europay, MasterCard, and Visa). Focused on ensuring consumer identity at the point of purchase, U.S.-based credit card issuers are replacing consumers' old cards with cards that carry EMV's secure chip and consumer-known PIN technology, and retailers are required to implement card processing systems that transact with the new technology. Failure to implement the updated technology will result in increased financial liability for the retailer. Further, in addition to reacting to upgraded payment security requirements, successful 2015 retailers must find innovative ways to connect and engage with their customers.

As integrated ecommerce and mobility solutions continue to mature, the POS and consumer check-out experience will prove to be where retailers maximize customer satisfaction and promote sales throughout the store, giving retailers another way to compete in this modern retail landscape. Security and payment compliance are the lynchpin of this integrated requirement. In partnership with FreedomPay and device manufacturers including HP, Panasonic, Ingenico Group and VeriFone, Microsoft is demonstrating how retailers can create personalized experiences, in real time, through smart and secure devices.

by Brendan O'Meara, Sr. Director WW Retail & Consumer Goods, Microsoft Corporation

2015 FreedomPay, Inc.
Executive Summary

Merchants are navigating a payments landscape that continues to evolve, as new technologies and new threats emerge with increasing regularity. In response, the Payment Card Industry (PCI) Security Standards Council has established a set of standards that seek to make payments more secure and easier for merchants to manage. Specifically, PCI's Point-to-Point Encryption (P2PE) standard meticulously defines the procedures that a payment solution provider must adhere to, and in doing so enables merchants to process payments securely while keeping their network environment completely out of scope for PCI security audits.

FreedomPay's P2PE solution, fully audited and validated by PCI, supports traditional and emerging payment technologies such as EMV, and offers integrations into multiple Point of Sale systems and payment processors. With the coveted PCI validation, merchants employing the FreedomPay P2PE solution may reduce their scope for PCI compliance, and can conduct their business with the confidence that no unencrypted cardholder data flows through their systems. This white paper will explore the merchant benefits of PCI-Validated P2PE, the process by which FreedomPay earned validation, and the value-added benefits of the FreedomPay Commerce Platform hosted on Microsoft Azure.

Why P2PE

Merchants today face an increasing number of challenges related to payments: ensuring security, maintaining compliance, managing costs, and keeping pace with an ever-changing payments technology landscape, to name just a few. Emerging standards, like the 2015 switch to EMV, and digital wallet products from Apple, Google, PayPal and even Starbucks have disrupted the payment landscape and sent merchants scrambling for solutions.

$225,000+: average cost of a PCI audit. $5MM+: average cost of a data breach. (Source: Ponemon Institute)

The stakes are high. For large merchants, the growing threat of cyber crime and malware has placed security at the top of the priority list. In today's retail environment, the threat of a data breach cannot be ignored, and keeping customer data secure is essential. Complicating the search for a security solution, however, is the fact that the solution marketplace is rife with misinformation, non-validated solutions, and biased opinions based on backdoor revenue shares and profiting agreements. Now that the PCI Council has declared and published a standard against which to validate solutions, there is a technology standard that can completely secure a merchant's payment infrastructure. With P2PE, transactions are entirely encrypted before they even enter the merchant's location, essentially removing cardholder data from the merchant's POS and network. FreedomPay's P2PE solution, which earned PCI validation in August 2014, offers merchants this unparalleled payments security and functionality, while also protecting that investment with EMV support, setting the pace for the entire payments industry. Even better, merchants who utilize this solution benefit from a reduced annual audit report: just 19 controls versus the normal
Buyer Beware

Many vendors in the payments industry are claiming to offer P2PE, usually bundled with a POS system and/or payment terminal and/or payment gateway. However, merchants must be cautious about false claims and misstatements. Any P2PE solution that does not adhere to the stated PCI requirements and has not been listed by the PCI Security Standards Council as validated P2PE will not take the merchant's POS and supporting network infrastructure out of compliance scope. It is incumbent on merchants to work with their QSA (Qualified Security Assessor) to separate fact from fiction. There are any number of imposters making claims that simply cannot hold up to the unambiguous facts as stated by the PCI Council. Only PCI-Validated P2PE solutions have been thoroughly audited and evaluated, and can deliver the merchant benefits of security assurance and true scope reduction.

PCI P2PE Standards

In 2012 and 2013, the PCI Security Standards Council released the PCI P2PE Standard: a set of controls that aimed to provide clarity and definition around point-to-point encryption. There are three core principles underlying PCI-Validated solutions:

- Hardware-to-hardware encryption and decryption with a POI (point-of-interaction) device that has SRED (Secure Reading and Exchange of Data) listed as a function and enabled.
- Certification of a validated secure distribution channel. This means that the entire chain of custody of the POI devices follows strict controls regarding shipping, receiving, tamper-evident packaging and installation.
- A P2PE Instruction Manual (PIM) that guides the merchant on POI device use, storage, return for repairs and regular PCI reporting.

Any solution provider can claim to offer point-to-point encryption, but not all P2PE solutions are the same. Only solutions that have been audited and validated to conform to the rigorous scrutiny of the PCI standards can offer merchants the peace of mind and transparency that customer data is truly secured.

Merchants that implement PCI-Validated P2PE solutions gain another important benefit: a reduction in the scope of their PCI assessments. Only PCI-Validated P2PE solutions are recognized to have met the requirements that enable merchants to exclude their POS and network from the scope of their cardholder data environment. Maintaining compliance with the PCI Data Security Standard (PCI DSS) is a requirement for all merchants who accept credit cards, and failure may result in an array of non-compliance penalties. The PCI Data Security Standard includes requirements and protective measures that are designed to maintain a secure network, safeguard cardholder data, and ensure the maintenance of information security policies.
As stated on the PCI Security Standards Council's listing of Validated Point-to-Point Encryption (P2PE) Solutions, "When correctly implemented, these P2PE solutions may simplify merchants' PCI compliance programs by eliminating clear-text cardholder data from their environment and reducing the scope of PCI DSS requirements." The PCI P2PE standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data.

PCI Validation Process

P2PE solutions listed on the PCI Security Standards Council website are compliant with a single, standardized set of security requirements, security assessment procedures and processes that have been validated by P2PE assessors. The P2PE standards define a common security assessment framework that is currently recognized by all participating PCI payment brands. To earn validation, P2PE solution providers are responsible for ensuring that their P2PE solutions satisfy all requirements of the P2PE standard. As a requirement for the P2PE solution assessment, the P2PE solution provider must provide the P2PE assessor with all required documentation, software, access to facilities and access to third-party service providers used in connection with the P2PE solution. The PCI P2PE standard encompasses close to a thousand individual controls governing encryption and decryption methodologies, software applications, device management and operations related to distribution and cryptographic key injection facilities.

To summarize the onerous P2PE assessment process, solutions must be able to account for:

- Encryption Device Management: Secure cryptographic devices (SCDs) provide tamper-resistance, detection, and response features to help prevent successful attacks involving penetration, monitoring, manipulation, modification, or substitution of the devices to recover protected data.
- Application Security: The application does not transmit or store clear-text PAN or SAD outside of the device, and only uses communications methods included in the scope of the PCI-approved POI device evaluation.
- Encryption Environment: The solution provider maintains inventory-control and monitoring procedures to accurately track POI devices in their possession, and provides related instructions to merchants (P2PE Instruction Manual).
- Decryption Environment Device Management: Documented procedures exist and are demonstrably in use to ensure the security and integrity of decryption devices placed into service, initialized, deployed, used, and decommissioned.
- P2PE Cryptographic Key Operations: Key management, cryptographic algorithms and cryptographic key lengths must be consistent with international and/or regional standards. Key components must be protected at all times during transmission, conveyance, or movement between locations.

As the P2PE solution provider, FreedomPay has initially partnered with Ingenico Group and ScanSource to deliver all facets of the P2PE solution. Ingenico Group's best-in-class hardware and ScanSource's secure distribution and key injection capabilities have been fully vetted as part of the PCI P2PE assessment process.
PCI DSS Scope Reduction

Employing a PCI-Validated P2PE solution offers merchants significant reductions in scope for PCI DSS compliance. Because all clear-text cardholder data is removed from the merchant's POS and network environment, that infrastructure is no longer subject to the PCI compliance documentation. The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with PCI DSS. With 284 individual controls to document and maintain, and all of the associated costs, PCI DSS compliance requires that merchants make a significant investment in time and resources each year.

"Official PCI Validation for a P2PE solution means that merchants can significantly reduce their scope for PCI DSS validation and obtain third-party assurance that no cardholder data passes through their network environment in an unencrypted state." Matt Getzelman, National PCI Practice Director, Coalfire Systems, Inc.

For merchants employing a PCI-Validated P2PE solution, there is relief from the documentation required, as well as from the underlying costs of maintaining a compliant environment. SAQ P2PE-HW is a substantially shorter compliance document, available only to merchants who process cardholder data solely via approved payment terminals as part of a Council-listed P2PE solution. To be eligible for the SAQ P2PE-HW, merchants must confirm that they:

- Are using a PCI P2PE solution that is listed on the PCI SSC's List of Validated P2PE Solutions.
- Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the Council-listed P2PE solution.
- Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems.
- Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

With just 19 sections to complete, largely related to the proper maintenance and implementation of the P2PE payment terminal, the SAQ P2PE-HW removes the core elements of the merchant environment from scope: the POS, operating system and network. As an additional benefit, penetration tests and vulnerability scans are no longer required. This enables POS devices and operating systems that would otherwise fall out of compliance to remain in use, because the P2PE payment terminal bypasses that infrastructure and no cardholder data flows through legacy systems.
P2PE Payment Terminals

Core to the PCI-Validated P2PE solution is the Secure Reading and Exchange of Data (SRED) module, designed to encrypt data at the Point-of-Interaction. The SRED module applies the security and cryptographic protection used for PIN data to the reading of card data presented by magnetic stripe, EMV, contactless/NFC, and manual entry. In order for P2PE to be implemented within the SRED module, the encryption key management and the encryption of the cardholder data must be done in the device's security processor. This and other P2PE program aspects must be in firmware, as opposed to being in the application. The firmware is reviewed and certified as meeting the SRED requirements by a PCI-approved laboratory. FreedomPay's P2PE solution leverages SRED-enabled payment terminals that offer merchants in any industry the flexibility to roll out a variety of compliant devices. All of the devices that FreedomPay provides support traditional magnetic stripe payments, as well as alternative and emerging payment methodologies such as EMV and NFC.

FreedomPay Payment Gateway

The FreedomPay Commerce Platform functions as a secure switch that routes payment data from the point of sale system to the payment processor seamlessly with its validated P2PE solution. FreedomPay is broadly integrated with both POS systems and processors, giving merchants the flexibility and coverage to change their POS platform and/or processing partner at any time. While already the most connected, lowest-cost routing network in North America, FreedomPay is continually expanding its integration list with the goal of complete industry interconnectivity. In addition, the FreedomPay Commerce Platform can support gift cards, vouchers and stored-value (closed-loop cashless) models that execute a declining balance from a prepaid card.
Incentives Engine

As a value-added platform provider, FreedomPay offers merchants a robust incentive engine that powers discounts, promotions and loyalty programs. The FreedomPay Commerce Platform evaluates each purchase in real time and applies discounts or points based on particular SKUs, time of day, overall spend, location, product category and more. As an example, a foodservice provider might offer a point for each dollar spent in the café, and triple points for higher-margin or perishable items. In a business-to-business setting, FreedomPay can also help merchants, manufacturers and banks deliver financial-terms incentives on large corporate purchases. FreedomPay's Incentive Manager allows a merchant to configure any number of promotions or loyalty point programs. Customers can view offers and loyalty point accruals through a web interface and/or mobile app, and redeem incentives in real time at the POS. The platform is designed to provide marketers with the tools to validate their promotional activity at a SKU level, gaining valuable insight into which offers, discounts and loyalty rewards are most effective, and for which customer segments.

Microsoft Partnership and Global Scalability

The FreedomPay Commerce Platform is the first PCI-Validated P2PE solution for merchants available on Microsoft Azure. With connected devices at the point of sale and real-time transaction data in the cloud, Microsoft and FreedomPay are offering retailers a solution to drive more customer interaction and engagement at the point of sale. Microsoft and FreedomPay are enabling retailers to create dynamic and personalized offers at checkout based on real-time transaction information and customer profile data. Connected devices at the point of sale leverage transaction data from the FreedomPay platform and intelligence on the Azure cloud to deliver targeted incentives to customers. The platform can deliver value-added services for the customer at checkout, including real-time offers based on basket contents, user profile data and third-party data services in the cloud.

Conclusion

FreedomPay has reinvented its business according to the strict standard required by PCI for point-to-point encryption. The exacting process of achieving PCI validation for P2PE has resulted in FreedomPay building an industry-leading platform that delivers merchants immediate benefits around payment security and scope reduction, as well as ongoing opportunities to innovate and add value. As the payment landscape shifts to include EMV and NFC transactions, FreedomPay is helping merchants stay ahead of the game. As North America's first fully-functional PCI-Validated P2PE platform with EMV- and NFC-ready terminals, FreedomPay is setting the standard for merchants to deliver a customer experience based on security, functionality and intelligence. It is here, at the intersection of payments and data, that FreedomPay is able to deliver on its promise to merchants: We make payments smarter, simpler and more secure.
About the Author

Christopher R. Kronenthal, Chief Technology Officer and Alliance Executive

Chris Kronenthal is the payment industry's preeminent security expert, bringing world-class experience to the software development processes and compliance solutions of FreedomPay. He led FreedomPay's effort to build the market's first PCI-validated, fully-functional point-to-point encryption (P2PE) payment technology as part of its cloud-based FreedomPay Commerce Platform. More than a decade of international experience in diverse industries, with a strong focus on compliance and infrastructure, enables Chris to advance a security-focused perspective for any company's scalable needs. Chris joined FreedomPay in 2008 and is responsible for the company's technology solutions, as well as key alliances with strategic technology partners. Chris manages security compliance; production network infrastructure; development of new and existing software products; change and quality control initiatives; and technology partner strategy. Prior to joining FreedomPay, Chris held various technology management positions at the Coriell Institute for Medical Research, the world's oldest and largest bio-repository. There he led the development of Coriell's highly specialized and security-driven bio-repository system. Chris received his Bachelor's and Master's of Science degrees in Information Technology at the Rochester Institute of Technology.

About FreedomPay

The FreedomPay Commerce Platform is the engine inside the world's expanding and interconnected ecosystem of commerce. With broad integrations across point-of-sale devices, payment processors and financial institutions, FreedomPay connects purchase activity with enterprise data in real time to enable more successful customer interactions. Validated by the PCI Security Standards Council for Point-to-Point Encryption (P2PE), the FreedomPay Commerce Platform securely processes transaction data for global leaders in the retail, hospitality, healthcare, education and financial services sectors. With innovative and expansive technologies built for real-time commerce, FreedomPay positions any organization for the future of commerce and customer interaction.
FreedomPay Inc., Five Radnor Corporate Center, 100 Matsonford Road, Suite 100, Radnor, Pennsylvania, USA
More informationSecurity & Encryption in Healthcare Payments PCI DSS Technical Assessment White Paper
Security & Encryption in Healthcare Payments PCI DSS Technical Assessment White Paper June 05 White Paper Author: Andrey Sazonov CISA, QSA, PA-QSA asazonov@coalfire.com Nick Trenc QSA, PA-QSA nick.trenc@coalfiresystems.com
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!
ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone! Presenters: Cliff Gray Senior Associate of The Strawhecker Group Jon Bonham CISA, Coalfire The opinions of the contributors
More informationPAYMENTS AS A SERVICE. Fully managed multi-channel card acceptance for all business environments. www.verifone.co.uk
PAYMENTS AS A SERVICE Fully managed multi-channel card acceptance for all business environments www.verifone.co.uk Whether small or large, PAYware Ocius s multi-channel flexibility can transform your s
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationCorbin Del Carlo Director, National Leader PCI Services. October 5, 2015
PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice
More informationMaking Cloud-Based Mobile Payments a Reality with Digital Issuance, Tokenization, and HCE WHITE PAPER
Making Cloud-Based Mobile Payments a Reality with Digital Issuance, Tokenization, and HCE WHITE PAPER Why Cloud-Based Mobile Payments? The promise of mobile payments has captured the imagination of banks,
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationPCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationThe State of Security and Compliance for E- Commerce and Retail
The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against
More informationPCI DSS v3.0 SAQ Eligibility
http://www.ambersail.com Disclaimer: The information in this document is provided "as is" without warranties of any kind, either express or implied, including, without limitation, implied warranties of
More informationHealthcare Payment Security Is Your Patient s Card Data Exposed? May 24, 2016
Healthcare Payment Security Is Your Patient s Card Data Exposed? May 24, 2016 PRESENTER BIOS Michael Fidler Vice President Elavon Healthcare Payment Solutions Michael D. Fidler is Vice President, Healthcare
More informationPayment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationPoint Secure Commerce Application (SCA) 2.x PCI PA-DSS Out of Scope White Paper
Point Secure Commerce Application (SCA) 2.x PCI PA-DSS Out of Scope White Paper Executive Summary Lyle Miller: CISSP, QSA PA-QSA December 3, 2013 VeriFone, Inc. (VeriFone) engaged Coalfire Systems Inc.
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationThe Relationship Between PCI, Encryption and Tokenization: What you need to know
October 2014 The Relationship Between PCI, Encryption and Tokenization: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems,
More informationPayment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.
Payment Methods The cost of doing business Michelle Powell - BASYS Processing, Inc. You ve got to spend money, to make money Major Industry Topics Industry Process Flow PCI DSS Compliance Risks of Non-Compliance
More informationPayments simplified. 1
1 Payments simplified. T H E PAY M E N T I N D U S T RY A I N T W H AT I T U S E D T O B E 2 Complexity is increasing, More change in next 5, than last 50 Emerging payments / loyalty / rewards / coupons
More informationIntroduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.
Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of
More informationUnderstanding the Value of Tokens
Understanding the Value of Tokens 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective owners. Introduction Credit
More informationData Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security
Data Protection and Mobile Payments Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security 2 Today s reality It s a data-centric world. And the data is
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationTarget Security Breach
Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected
More informationtoast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard
toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard Table of Contents For more than 40 years, merchants and consumers have used magnetic stripe credit cards and compatible
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0 February
More informationOVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.
Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the
More informationThe Cost of Compliance
The Cost of Compliance The Payment Card Industry Data Security Standard (PCI DSS) aims to protect sensitive cardholder data throughout the life cycle of ecommerce transactions. The standard puts heavy
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPlatform as a Service and PCI www.engineyard.com
Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it
More informationPCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv
PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv Security Challenges Desirability of Data 80% of all data breaches is payment card data (Verizon RISK team assessment)
More informationEnterprise Payments for
Enterprise Payments for Table of Contents I. Introducing CardConnect II. III. IV. Gartner Tokenization Reporting Featuring CardConnect PCI Compliance, EMV & True Payment Security CardConnect for SAP V.
More informationHow To Comply With The New Credit Card Chip And Pin Card Standards
My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business
More informationCOMPLIANCE OVERVIEW: PCI DSS. 2014 Edition. Complimentary. Preview
COMPLIANCE OVERVIEW: PCI DSS 2014 Edition Copyright 2014 insidearm.com. All rights reserved. NOTICE: This is not a free whitepaper. This report is offered for sale by insidearm.com. Purchase of this report
More informationVeriFone VeriShield Total Protect Technical Assessment White Paper
VeriFone VeriShield Total Protect Technical Assessment White Paper Prepared for: September 4 th, 2013 Dan Fritsche, CISSP, QSA (P2PE), PA-QSA (P2PE) dfritsche@coalfiresystems.com Table of Contents EXECUTIVE
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
More informationmobile payment acceptance Solutions Visa security best practices version 3.0
mobile payment acceptance Visa security best practices version 3.0 Visa Security Best Practices for, Version 3.0 Since Visa s first release of this best practices document in 2011, we have seen a rapid
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationInside the Mobile Wallet: What It Means for Merchants and Card Issuers
Inside the Mobile Wallet: What It Means for Merchants and Card Issuers Welcome to the age of Universal Commerce commerce that is integrated, personalized, secure, open, and smart. The lines between in-store
More informationPCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.
PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information
More informationMobile Payments Applications and Challenges Jose Diaz Director, Business Development & Technical Alliances Thales e-security
www.thales-esecurity.com Mobile Payments Applications and Challenges Jose Diaz Director, Business Development & Technical Alliances Thales e-security 2 / Verizon Data Breach Report 3 / Victim Industry
More informationHow Multi-Pay Tokens Can Reduce Security Risks and the PCI Compliance Burden for ecommerce Merchants
How Multi-Pay Tokens Can Reduce Security Risks and the PCI Compliance Burden for ecommerce Merchants 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationTo ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.
About PSC With offices in the USA, Canada, UK and Australia, PSC is a leading PCI, PA DSS, and P2PE assessor, PCI Forensics Company and Approved Scanning Vendor. PSC is one of an elite few companies qualified
More informationEMV in Hotels Observations and Considerations
EMV in Hotels Observations and Considerations Just in: EMV in the Mail Customer Education: Credit Card companies have already started customer training for the new smart cards. 1 Questions to be Answered
More informationTable of Contents. Overview. What is payment processing? Who s Who. Types of Payment Solutions. Online Transactions. Interchange Process
Overview Credit Card Processing 101 is your go-to handbook for navigating the payments industry. This document provides a quick and thorough understanding on how businesses accept electronic payments,
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationCredit Card Risks: Update on PCI Compliance Monday, May 23 2:40pm 3:55 CPE: 2
Credit Card Risks: Update on PCI Compliance Monday, May 23 2:40pm 3:55 CPE: 2 Joe Helmy, VP Emerging Verticals, MasterCard Jennifer Cooperman, MBA, CPFO, Treasurer, City of Portland, OR Tod Burton, Financial
More informationCredit Card Processing Summer Lunch & Learn 2016
AGENDA 1. The Different Ways to Process Cards 2. EMV Chip Cards What You Need to Know 3. Understanding the Industry s Complex Pricing Structure 4. American Express The New Rate/Deposit Plan.Good News!
More informationMobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant
Seccuris is Canada s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and
More informationCredit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
More informationBrown Smith Wallace, LLC
Brown Smith Wallace, LLC Successful Software Selection Whitepaper Series How to Adhere to Payment Card Industry Data Security Standards By Ron Schmittling, CPA/CITP, QSA, CISA, CIA To learn more about
More information