What a Processor Needs from a University to Validate Compliance

Transcription

1 What a Processor Needs from a University to Validate Compliance Lisa T. Conroy Merchant Compliance Manager Vantiv May 24, 2016

2 Disclosures The information included in this presentation is for information purposes only, and is not intended as legal or financial advice. The information does not amend or alter your obligations under your agreement with Vantiv, or under the operating regulations of any credit card or debit card association. This presentation is based upon information available to Vantiv as of the date of this communication. It is important that you continue to stay current with changing industry requirements. 2

3 Agenda Define Industry Participants & Their Roles Reiterate Key Points on PCI DSS Applicability Define Merchant Levels & Validation Tools Discuss Validation and Reporting Process Explain Visa Small Merchant Data Security Mandates Describe Validation Enforcement, Fines, & Extensions Review Service Provider Levels & Validation 3

4 The Players

5 Global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Standards Under Management PCI DSS Merchants and Service Providers PA DSS Software Application Developers PTS Hardware Manufacturers P2PE Merchants & Solution Providers Training & Certification Programs QSA, PA QSA, P2PE QSA, ASV, PFI, ISA, QIR, PCI-P, PCI Awareness, Acquirer List of Approved Entities & Solutions PA DSS Applications, PTS Devices, P2PE Solutions

6 The Card Brands Founding Members of the PCI SSC Executive Committee of PCI SSC Maintain Enforcement Programs Amex DSOP, Discover DISC, MasterCard SDP, & Visa CISP Create Security Mandates

7 Acquirers & Processors May or may not be the same entity Acquirers are responsible for ensuring merchants comply with the PCI DSS Processors support acquirers with merchant education and with helping merchants to understand PCI DSS compliance validation

8 Compliance Validation Steps

9 Key Points to Remember It s an Industry Standard PCI DSS applies to everyone service providers and merchants of all sizes! Even if you outsource some or all of your card processing, PCI compliance and validation still apply Applies to all systems that store, process, or transmit cardholder data not just the ones for which you have been explicitly told to validate compliance Going through the validation process is the best way to understand whether you are compliant

10 Compliance vs. Validation Validation: A snapshot of your compliance status Entails completion of the Self-Assessment Questionnaire (SAQ) or an On-Site Audit (depending on your merchant level) in order to validate that your organization is compliant according to PCI DSS requirements Also requires the quarterly submission of External Network Vulnerability Scans Compliance: Ongoing security controls and procedures that help to protect your business on a 24/7 basis Entails continual adherence to the PCI DSS requirements Validation does not necessarily mean Compliance Validation documentation must be available to the card associations upon their request and for audit purposes 10

11 Visa & MasterCard Merchant Levels: Merchant Level Merchant Level Merchant Level Merchant Level Any merchant processing 6 million or more Visa or MasterCard transactions/year, regardless of acceptance channel. Also, any merchant the card brands deem Level 1. Any merchant, regardless of acceptance channel, processing 1-6 million Visa or MasterCard transactions per year Any merchant processing 20,000 to 1 million e-commerce Visa or MasterCard transactions per year All other merchants, regardless of acceptance channel Level 4 merchants also have compliance requirements. Level 1 merchants have more rigorous compliance validation requirements. 11

12 Amex & Discover Merchant Levels Level 1: 2.5 million or more American Express Card transactions per year (or if you've been selected a Level 1 by American Express) Level 2: 50,000 to 2.5 million American Express Card transactions per year (Service providers: less than 2.5 million transactions) Level 3 Designated: Less than 50,000 American Express Card Transactions per year and has been designated by American Express as being required to submit validation documents. (merchants only; does not apply to service providers).american Express will contact these designated merchants and provide them details for reporting their security status by submitting PCI validation documents. Level 3: Less than 50,000 American Express Card transactions per year (merchants only; does not apply to service providers) Level 1: All merchants processing more than 6 million card transactions annually on the Discover network. Any merchant that Discover, in its sole discretion 1, determines should meet the Level 1 compliance validation and reporting requirements All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant Level 2: All merchants processing between 1 million and 6 million card transactions annually on the Discover network Level 3: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network Level 4: All Other Merchants

13 Merchant Validation *Note: Due to MasterCard Site Data Protection (SDP) program rules, all level 1 and 2 merchants that elect to perform their own validation assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order to continue validation in this manner.

14 Who Determines Merchant Level? Acquirers/Processors are responsible for classifying merchants appropriately Periodic volume queries covering prior 12 months Sends formal notification to merchant with validation requirements and timeline Notifies applicable card brands of reclassification

15 Validation Considerations for a Higher Education Merchants TALK TO YOUR ACQUIRER OR PROCESSOR! Consider working with a QSA Single assessment or separate SAQ per location Connectivity arrangements Single merchant agreement or multiple

16 Self-Assessment Questionnaires (SAQ) 16

17 What Happens After I Submit My Validation Documentation to My Processor? Review Reply Resolve Report

18 Validation Enforcement & Extension Requests Potential fines are most likely in connection with level 1s, 2s, and 3s Fines levied at the corporate/university level Typically recur monthly or quarterly until resolved Submit extension requests through your acquirer or processor for consideration by the brands

19 New Visa Small Merchant Mandates

20 Level 4 Merchant Validation Scalability challenges Programs Partner with QSA/ASV firm for online validation portal and help desk support Implement non-validation fee programs Will be pushing secure technologies now more than ever EMV, P2PE, tokenization, etc.

21 Service Providers

22 Third-Party Compliance Requirement 12.8 Addresses Third-Party compliance within PCI DSS requirements Merchant is responsible for monitoring compliance status of Third Parties and ensuring the use of appropriate contractual language Use of Gateway/Service Provider does not exempt merchant from compliance requirements Potential to use SAQ A Only IF all storing, processing and transmitting of cardholder data is fully outsourced to a third party AND merchant is exclusively cardnot-present. 22

23 Service Provider Validation Service Provider Levels Validation Actions Criteria On Site Security Audit conducted by a QSA Self Assessment Questionnaire Network Vulnerability Scans Level 1 Any processor directly connected to a Visa or MasterCard or any service provider that stores, processes and/or transmits over 300,000 transactions per year Report on Compliance (ROC) Required Annually Not Applicable Required Quarterly Level 2** Any service provider that stores, processes and/or transmits less than 300,000 transactions per year Not Applicable Required Annually Required Quarterly **Effective February 1, 2009, Level 2 service providers were no longer listed on Visa s List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider. 23

24 Service Provider Considerations Where possible, use only providers that have engaged a QSA for validation If you have a level 2 service provider that self validated, only accept SAQ D Their areas of non-compliance are your risk If a provider states they cannot afford some aspect of compliance or validation, you may want to consider one that can Carefully review your contracts with service providers 24

25 Final Thoughts and Resources

26 Next Steps Talk to your processor Consider PCI SSC training programs If you are not validating compliance today, get started now! Evaluate and implement secure technologies

27 Helpful PCI Resources PCI Security Standards Council PCI DSS, PA DSS, PTS, & P2PE Standards Downloadable Self Assessment Questionnaires List of ASVs, QSAs, PFIs, PA QSAs, QIRs, etc. List of PA DSS Validated Payment Applications, validated P2PE solutions, validated PTS devices Searchable FAQ Tool PCI Supporting Documents Visa CISP website Merchant & Service Provider Levels Defined List of CISP Compliant Service Providers Important Alerts, Bulletins and Webinar MasterCard SDP website Merchant & Service Provider Levels Defined List of CISP Compliant Service Providers PCI 360 Merchant Education Program on demand educational webinars 27

28 Thank You! Questions?