Credit Card Processing, Point of Sale, ecommerce

Transcription

1 Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey

2 HACKS

3

4

5

6 REGULATIONS

7 Greater Risk for Merchants

8 Topics Compliance Changes Scans Self Audits

9 PCI DSS

10 PCI DSS Payment Card Industry Data Security Standard Applies to all organizations that accept, transmit, or store cardholder data.

11 PCI DSS Assess Remediate Report

12 PCI DSS Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel

13 398 Tests Normally administered annually by a qualified security assessor

14 Self Assessment Subset of PCI DSS questions

15 PCI Compliance Changes in 2015

16 EMV Mandate EuroPay MasterCard Visa

17

18 Magnetic stripes contain static data.

19 Once compromised, they are easily duplicated.

20 Once compromised, they are easily duplicated.

21 Chip-based cards generate a new code for every transaction.

22 So, stolen transaction codes are useless.

23 Liability Shift

24 Now In-store fraud with counterfeit or stolen card liability falls to payment processor or card issuer.

25 October Fraud liability shifts to least compliant party, including the merchant.

26 Examples A card issuer who has not issued EMV compliant cards.

27 Examples A processor who has not made chipbased card compatible terminals available.

28 Examples A merchant who has not implemented chip-based card compatible terminals even though they are available.

29 EMV KEY DATES CHART-CARD NETWORKS Visa MasterCard American Express Discover October 2012 Visa will extend the Technology Innovation Program (TIP) to merchants in the U.S., potentially allowing them to skip the annual PCI DSS validation for any year in which at least 75% of merchant Visa transactions originate from dual-interface EMV chip enabled devices plus other qualification criteria such as being PCI DSS compliant. October 2012 PCI assessment relief takes effect. December 31, 2012 Discover will institute Fraud Liability Shift for Diners Club International. April 2013 Acquirers/processors will be required to support merchant acceptance of EMV chip transactions. April 2013 Acquirers and sub-processor mandate to fully process EMV transactions. Cross border Maestro ATM liability shift to non-emv ATMs. April 2013 Processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions. April 2013 Discover merchant acquirers, acquiring processors, and merchants with direct connections into its network must be certified as able to support the network data needed in contact and contactless EMV chip card transactions. The mandate applies not only in the U.S., but also in Canada and Mexico. October 2013 MasterCard Account Data Compromise (ADC) relief takes effect (50%). On this date, if at least 75% of MasterCard transactions originate from EMV-compliant contact and contactless POS terminals, the merchant is relieved of 50% of account data compromise penalties. October 2013 Merchants will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchants' point-of-sale (POS) acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions. October 2013 Discover will grant annual PCI audit waivers for merchants that process 75% of Discover Network transactions via terminals supporting both contact and contactless payments. October 2015 The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses. Does not include automated fuel dispensers (AFD). October 2015 MasterCard ADC relief takes effect (100%). On this date, if at least 95% of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100% of account data compromise penalties. MasterCard liability hierarchy takes effect (excluding fuel). October 2015 American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. October 1, 2015 Discover will institute a Fraud Liability Shift (in U.S., Canada and Mexico). This Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security. October 2017 Deadline for automated fuel dispensers (AFD) to comply. October 2017 MasterCard liability hierarchy takes effect for fuel dispensers. October 2017 FLS takes effect for transactions generated from automated fuel dispensers. October 1, 2017 Fraud Liability Shift takes effect for transactions generated from automated fuel dispensers.

30 EMV KEY DATES CHART-CARD NETWORKS Visa MasterCard American Express Discover October 2012 Visa will extend the Technology Innovation Program (TIP) to merchants in the U.S., potentially allowing them to skip the annual PCI DSS validation for any year in which at least 75% of merchant Visa transactions originate from dual-interface EMV chip enabled devices plus other qualification criteria such as being PCI DSS compliant. October 2012 PCI assessment relief takes effect. December 31, 2012 Discover will institute Fraud Liability Shift for Diners Club International. April 2013 Acquirers/processors will be required to support merchant acceptance of EMV chip transactions. April 2013 Acquirers and sub-processor mandate to fully process EMV transactions. Cross border Maestro ATM liability shift to non-emv ATMs. April 2013 Processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions. April 2013 Discover merchant acquirers, acquiring processors, and merchants with direct connections into its network must be certified as able to support the network data needed in contact and contactless EMV chip card transactions. The mandate applies not only in the U.S., but also in Canada and Mexico. October 2013 MasterCard Account Data Compromise (ADC) relief takes effect (50%). On this date, if at least 75% of MasterCard transactions originate from EMV-compliant contact and contactless POS terminals, the merchant is relieved of 50% of account data compromise penalties. October 2013 Merchants will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchants' point-of-sale (POS) acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions. October 2013 Discover will grant annual PCI audit waivers for merchants that process 75% of Discover Network transactions via terminals supporting both contact and contactless payments. October 2015 The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses. Does not include automated fuel dispensers (AFD). October 2015 MasterCard ADC relief takes effect (100%). On this date, if at least 95% of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100% of account data compromise penalties. MasterCard liability hierarchy takes effect (excluding fuel). October 2015 American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. October 1, 2015 Discover will institute a Fraud Liability Shift (in U.S., Canada and Mexico). This Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security. October 2017 Deadline for automated fuel dispensers (AFD) to comply. October 2017 MasterCard liability hierarchy takes effect for fuel dispensers. October 2017 FLS takes effect for transactions generated from automated fuel dispensers. October 1, 2017 Fraud Liability Shift takes effect for transactions generated from automated fuel dispensers.

31 Visa

32 MasterCard

33 American Express

34 Discover

35 PCI 3.0 Update

36 New requirement for service providers with remote access to customer premises, to use unique authentication credentials for each customer. Effective July 1, 2015

37 New requirement to implement a methodology for penetration testing. Effective July 1, 2015

38 New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015

39 SCANS

40 SELF AUDITS

41 Step 1: Determine Merchant Level & Requirements

42 Step 2: PCI DSS or Which Self Assessment?

43 ecommerce Transaction Type POS System? Card Presence CHD Storage Additional Criteria SAQ Type DSS Questio ns Included ecommerce or telephone orders No Card NOT Present NOT stored Website AND Payment Processing fully hosted by PCI approved vendor SAQ A 14 ecommerce or telephone orders No Card NOT Present NOT stored Payment Processing hosted by PCI approved vendor but payment form is part of Website that is not hosted by PCI approved vendor SAQ A- EP 139

44 Face to Face Transaction Type Imprint machines with no electronic cardholder data storage and / or standalone dial-out terminals with no electronic cardholder data storage Point of Sale System? Card Presence CHD Storage SAQ Type DSS Questions Included No Card Present NOT stored SAQ B 41 Standalone payment terminals with an IP connection to payment processor - point-of-sale terminal security (PTS) approved No Card Present NOT stored SAQ B - IP 83 Single transactions entered one-at-atime via keyboard into an internet based virtual terminal solution provided by a PCI DSS validated third-party service provider. Yes Card Present NOT stored SAQ C-VT Internet connected payment application system Yes Card Present NOT stored SAQ C

45 Understanding the SAQs for PCI DSS v3.0 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS self-assessment. The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Detailed descriptions for each SAQ are provided within the applicable SAQ. Note: Entities should ensure they meet all the requirements for a particular SAQ before using the SAQ. Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) to identify the appropriate SAQ based on their eligibility. SAQ A A-EP* B B-IP* C-VT C P2PE-HW D Description Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Not applicable to face-to-face channels. E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Applicable only to e-commerce channels. Merchants using only: Imprint machines with no electronic cardholder data storage; and/or Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ. * New for PCI DSS v3.0 The intent of this document is to provide supplemental information. Information provided here Page 1 does not replace or supersede PCI SSC Security Standards or their supporting documents PCI Security Standards Council, LLC. All Rights Reserved.

46

47 Step 3: Complete the Assessment

48

49

50 Step 4: Arrange for Quarterly Network Scan

51 Step 5: Submit Reports and Results

52 RECAP

53 1. Budget for POS upgrades. 2. Understand your level and appropriate self-assessment questionnaire. 3. Arrange for Quarterly Scans from an ASV.