PCI Compliance Workshop. NACS PEI, October 21, 2009, 10:45 a.m. to 11:45 a.m.




Presenters
- Scott McDowell, Director of Marketing, Dispenser Applications, Gilbarco Veeder-Root
- Mike Tyler, Director of Marketing, Petroleum Division, VeriFone, Inc.
- Tim Weston, Product Manager, Payment Technologies, Dresser Wayne

Agenda
- Overview of Payment Card Industry (PCI) Requirements
- Payment Terminal Standards and Retailer Options
- Fuel Dispenser Standards and Retailer Options
- POS System Standards and Retailer Options
- Implementing PCI: A Customer's Perspective (Dresser Wayne Solutions, Gilbarco Veeder-Root Solutions, VeriFone Solutions)
- Audience Q&A for Panelists

Overview of Payment Card Industry (PCI) Standards. Mike Tyler, Director of Marketing, Petroleum Division, VeriFone, Inc.

Payment Card Industry Security Standards Council
- PCI PED covers PIN Entry Devices at the pump and in the check-out lane
- PA-DSS applies to software vendors who develop payment applications that store, process, or transmit cardholder data
- PCI DSS applies to any business that stores, processes, and/or transmits cardholder data

Payment Security Deadlines
1. Secure the forecourt with Encryption at Pump: January 1, 2009 for new dispensers; July 1, 2010 for existing dispensers
2. Upgrade to PCI PED PIN Pads and TDES: July 1, 2010, VISA PED or PCI PED approved PIN pads and TDES from end to end
3. Update Payment Software to PA-DSS: October 1, 2008 for new stores; July 1, 2010 for all stores
(Timeline axis on the slide runs from July 2008 to July 2010.)

Payment Terminal Standards and Retailer Options

Payment Terminal Compliance Timeline (2004 to 2017)
- Unapproved devices: can't support TDES 156-bit encryption keys; sunset date 6/30/2010
- VISA PED devices: OK to use if you have them installed already; sunset date 12/31/2014
- PCI PED 1.x devices: tamper resistance improves security significantly
- PCI PED 2.x devices
- Upgrade PIN pads: TDES encryption
IMPACT: Time your replacement cycles to take advantage of newer terminals with improved security standards. Replace Visa PED in 2013.

Fuel Dispenser Standards and Retailer Options. Tim Weston, Product Manager of Payment Technologies, Dresser Wayne

Payment Security at the Dispenser
- The PCI security standard currently applies to all fuel dispensers that accept PIN debit transactions
- Requires encryption when PIN information is entered
- Must use a PCI-certified Encrypting PIN Pad capable of Triple-DES encryption
- Triple-DES encryption keys are required to be fully compliant
- Retailers assume the risk if using Single-DES encryption after July 2010
- PIN encryption must be done within the keypad
- Dispenser upgrade procedures vary by vendor (keypads, electronics, displays, bezel panels, etc.)

Fuel Dispenser Compliance Timeline
Visa is mandating that all PIN-accepting fuel dispensers comply with PCI EPP standards to support Triple-DES migration.
- New Dispensers: newly deployed dispensers must contain a TDES-capable, PCI-certified EPP keypad
- All Dispensers: all dispenser keypads actively use TDES encryption on PCI-certified EPP keypads
Timeline milestones (2008 Q3 through 2011 Q2): TDES/PCI-approved keypads in new dispensers; upgrade existing equipment to TDES/PCI; TDES PIN encryption required (to maintain liability protection); liability shift to retailer for continued use of 1DES DUKPT.

Choices for Retailers
What options do retailers have?
- Upgrade dispensers with PCI Encrypting PIN Pads
- Install new TDES-capable, PCI-compliant fuel dispensers
- Require PIN debit customers to pay in store
- Do nothing now and stop accepting PIN debit as of July 1, 2010
- Assume the risk of non-compliance / compromise liability for use of Single-DES DUKPT after the deadline
Note: Your processor or major oil brand may limit your choices or influence the timing of upgrades.

POS System Standards and Retailer Options. Scott McDowell, Director of Marketing, NA Payment, Gilbarco Veeder-Root

PA-DSS encompasses the complete payment system. (Diagram: card issuers, merchant acquirers, host servers, corporate server, wireless terminals, websites, POS terminals and POS terminal software applications, infrastructure, procedures and processes, automated fuel dispensers, and indoor PIN pads, with the applicable standards: PCI DSS, PA-DSS, PCI PED, and PCI EPP.)

Payment Application Compliance Timeline
Visa is implementing a series of mandates to eliminate the use of non-secure payment applications from the Visa payment system. PABP / PA-DSS applies to purchased software applications.
Timeline milestones (2008 Q3 through 2011 Q2):
- Remove all known vulnerable applications
- Upgrade or remove non-compliant applications
- Only install PA-DSS applications for NEW sites

Don't Delay, Deadlines Are Fast Approaching
- Education (PCI DSS, PA-DSS, PED, EPP): PCI Security Standards Council, www.pcisecuritystandards.org; PCI Quick Reference Guide
- Self Assessment (PCI DSS, PA-DSS): inventory and document site infrastructure; Self Assessment Questionnaire; standards training
- Look at the big picture
- Talk to your vendors
- Engage a QSA
- Don't wait

Implementing PCI: A Customer's Perspective. Dresser Wayne Solutions, Gilbarco Veeder-Root Solutions, VeriFone Solutions

Bobby Dutcher, President, Atlanta Petroleum Equipment Company, Inc.

PCI Upgrade Prep (APEC Site Planning Tool)
- Are we switching POS equipment brands?
- Do we need a new interface box?
- Do we need electrical outlets?
- Do we need PIN pad stands?
- Do we have a site configuration report?
- Is there a back office and scanning system present?
- Are the Automated Fuel Dispensers operational?
- Do we need to change any card reader BIOS chips?
- Are there enough wires for communication?
- Are there any ADA keypads involved?
- Do we need to upgrade any components on existing dispensers?
- Do any dispensers need any new decals?

Typical Upgrade Process
Prior to site visit:
- Check kits to ensure they are complete and accurate
- Verify keypad environment variables in our lab
- Map keypads if needed in our lab
During site visit:
- Block off subject dispenser for upgrade
- Upgrade dispenser components
- Test operations in manual
- Put dispenser on-line and test operations
- Open to customers and move to next dispenser
- Verify all upgraded dispensers on-line and operating
Changeover timeline: one day; site downtime 1 hour.

Issues to Watch For
- Unable to put site on 3DES when only the POS is upgraded because: site takes debit and AFD not upgraded yet, so debit would be disabled; network not ready to accept and process 3DES encryption keys
- Unable to put site on 3DES when only the AFD is upgraded because: POS not able to accept and process 3DES encryption keys; network not ready to accept and process 3DES encryption keys
- Unable to put site on 3DES after POS and AFD upgraded: network not ready to accept and process 3DES encryption keys
- Some brands have multiple encryption keys in operation
Key learning: Prepare ahead of time to avoid scenarios that require making multiple trips to the site.
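The Single-DES to TDES keypad migration from the dispenser slides and the 3DES cutover dependencies in "Issues to Watch For", as an added Python example that is not part of the workshop material: the key-format checks and the dict-based site inventory are constructed assumptions, not any vendor's tool or API.

```python
# Added example, not from the workshop slides: a readiness check for the
# Single-DES to Triple-DES (TDES) migration. The site inventory is a plain
# dict (constructed format). classify_des_key() inspects a hex DES/TDES key
# component for length, DES odd parity in every byte, and the degenerate case
# where a multi-length TDES key has equal halves (TDES with K1 == K2 behaves
# exactly like single DES). site_3des_ready() applies the slide's rules: POS,
# every AFD keypad, and the network host must all handle 3DES keys.

def _odd_parity(byte: int) -> bool:
    """DES reserves one bit per key byte so each byte has an odd number of 1s."""
    return bin(byte).count("1") % 2 == 1

def classify_des_key(hex_key: str) -> dict:
    """Return the key type, any bytes with bad parity, and a TDES verdict."""
    key = bytes.fromhex(hex_key)
    bad_parity = [i for i, b in enumerate(key) if not _odd_parity(b)]
    if len(key) == 8:
        kind = "single-DES"
    elif len(key) == 16:
        # Double-length TDES is K1 || K2; with K1 == K2, E(K1, D(K2, E(K1, x))) == E(K1, x).
        kind = "single-DES (degenerate 2-key TDES, K1 == K2)" if key[:8] == key[8:] else "TDES-2key"
    elif len(key) == 24:
        kind = "single-DES (degenerate 3-key TDES)" if key[:8] == key[8:16] == key[16:] else "TDES-3key"
    else:
        kind = "invalid length"
    return {"kind": kind, "bad_parity_bytes": bad_parity,
            "tdes_compliant": kind.startswith("TDES") and not bad_parity}

def site_3des_ready(site: dict):
    """Apply the dependency rules; return (ready, list of blocking components)."""
    blockers = []
    if not site["pos"]["accepts_tdes_keys"]:
        blockers.append("POS not able to accept and process 3DES encryption keys")
    for afd in site["afds"]:
        verdict = classify_des_key(afd["keypad_key"])
        if not verdict["tdes_compliant"]:
            blockers.append(f"AFD {afd['id']} keypad not on TDES ({verdict['kind']})")
    if not site["network"]["accepts_tdes_keys"]:
        blockers.append("network not ready to accept and process 3DES encryption keys")
    return (not blockers, blockers)

# Constructed sample site: POS and network upgraded, AFD 2 still on single-DES DUKPT.
# Key values are the classic DES test vectors, not real keys.
SAMPLE_SITE = {
    "pos": {"accepts_tdes_keys": True},
    "network": {"accepts_tdes_keys": True},
    "afds": [
        {"id": 1, "keypad_key": "0123456789ABCDEFFEDCBA9876543210"},
        {"id": 2, "keypad_key": "0123456789ABCDEF"},
    ],
}

if __name__ == "__main__":
    ready, blockers = site_3des_ready(SAMPLE_SITE)
    print("ready for 3DES:", ready, "| blockers:", blockers)
```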

Shell Station, Atlanta, Georgia: Successful Site Upgrade
- Installation proceeded as planned
- Equipment updates went smoothly
- Dispensers experienced minimal downtime
- Total upgrade took less than a day
- Customer very satisfied with results
Notable benefits from the upgrade:
- Refreshed user interface on dispensers
- Latest technology components; upgradeability to future requirements
- 3DES encryption loaded and ready for Shell switchover in the future
Local site here in Vegas with a similar iX Pay upgrade: Green Valley Grocery, Sahara & Decatur.

Case Study Background
Pre-upgrade details:
- G-Site installations at all 68 locations in TX
- Mixture of Gilbarco dispensers
- Non-upgradeable dispensers: MPD3, Wayne
- Upgraded units: Advantage, Encore 300, 500, and S
Post-upgrade details:
- Installed Passport V8.02, featuring new PCI d-hub design
- Replaced 30 dispensers with Encore S with FlexPay EPP
- Upgraded OEM retrofits for Advantage and Encore dispensers
- Customer expectation of 58 days to meet 12/31/09 Shell Program

Preparing for the Upgrade
Point of Sale (preparing the sites for PCI upgrade):
- Survey and record service needs
- Set up equipment off-site
- Training and pre-install
- Confirm with network
Dispensers:
- Survey and record service needs
- Confirm kit contents with survey checklist
- Organize kits by site with part numbers
Key learning / opportunities for improvement:
- Gain buy-in from customers
- Review checklist with installation crew daily
- Timeline vs. merchant expectations: customer expectation of 58 days vs. actual of 40 days

Completing the PCI Upgrade (photo sequence, steps 1 to 4, covering upgrading POS and upgrading AFDs): convert data and install on new POS; remove CIM door; install kit parts and reassemble; upgrade (if necessary); start up.

St. Romain Oil Company, Mansura, LA: 23 sites across Louisiana and Texas; fuel, convenience retail, made-to-order food, fleet.

Preparing for the PCI Upgrade
Preparing for the installation:
- Developed a strategy and upgrade plan well in advance (Tuesdays are good conversion days)
- Performed site surveys before ordering any equipment
- Order equipment early: allow 6 to 8 weeks for equipment to ship; have a contingency plan
- Simplify the conversion process: duplicated site configurations and price book structure from previously converted stores

Key Learnings and Ways to Improve
Preparing for the PCI upgrade:
- Take time to plan and manage the schedule carefully
- Designate a project manager
- Service techs MUST be certified to install the equipment
- Verify that your CC network is up before upgrading the POS
- Beware that debit keys may need to be the same both inside and outside (network host requirement)
Actual timeline vs. what we planned: planned 23 sites over a 5-month period; took 6 months.

Completing the PCI Upgrade
High-level activities for upgrading POS:
- Price book / PLU issues
- Planned in advance for integration of back-office software and new POS system
- Plan for manager and cashier training (next shift = new system)
- Next day has new report balancing processing (office personnel)
- Topaz keyboard made the transition from G-Site easy
High-level activities for upgrading dispensers:
- Equipment staging and pre-installation streamlined the upgrade
- Minimal out of service; converted half of the pumps at a time
- Color graphics on Secure PumpPAY and Shell Rewards are a big deal to customers
Unexpected benefits from the upgrade:
- Customers thought we installed new pumps
- Secure PumpPAY graphics grab attention; began running made-to-order food specials immediately; easy to change content remotely with broadband access tool
Bottom line: smooth installation!

Q&A Session