Payment Gateways: Value and Security
Presented by: Dmitriy Lerman, Dir. of Marketing
© 2009 CHARGE Anywhere, LLC. All trademarks, service marks, and trade names referenced in this material are the property of their respective owners.
Basic Value of a Gateway
[Architecture diagram; labels recovered from the slide: Wireless POS Platforms (BlackBerry Bold) and Integrated & Internet Apps -> Wireless Networks / Internet -> Secure Connection -> Gateway -> Encrypted Data over a Secure Connection -> Card and ACH Processors; the Gateway also produces Management Reports.]
Real Time Information and Data Aggregation
[Diagram; labels recovered from the slide: Counter Top POS -> Gateway -> Real Time Aggregated Reporting.]
Value Added Services
  Data Storage for Future Retrieval
  Signature Capture and Archival
  Location Based Services

Integration
  Protocols
  Development
  Certification
  Infrastructure
  Maintenance
  Security
Security
Integration: PCI Compliance Outsourcing
[Diagram labels recovered from the slide: Payment Forms, Shopping Carts, Bill Presentment, Virtual Terminal]

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
Off the Shelf Security Benefits
  Secure storage of credit and debit card information
  Virtual Terminal
  Recurring Billing
  Data export (excluding card numbers) and off the shelf integration into standard application packages such as QuickBooks

A Gateway is a merchant's safe for storing card data!
Enterprise Level Security for the Little Guy
Enterprises spend immense resources developing, certifying and maintaining PCI DSS Level 1 facilities and PA DSS POS systems.
[Diagram labels recovered from the slide: PA DSS Front End POS Platforms -> PCI DSS Level 1 Gateway]
With the use of a Gateway, an SMB merchant can utilize an Enterprise level turnkey end-to-end PCI Level 1 secure solution for a fraction of the cost.
Value to the MSP and ISO Community

Gateways Facilitate Transactions

Gateways Offer Valuable Features
  Recurring Billing
  Payment Forms
  Bill Presentment
  Virtual Terminal
  Data Aggregation and Real Time Reporting

Gateways Provide Enterprise Level PCI Security at a Fraction of the Cost
  Reduce or eliminate PCI compliance hurdles
  Provide turnkey PCI compliant solutions
  Enable a quick and cost effective integration
  Put the merchant one signature away from PCI compliance

Gateways Empower You to Control Your Destiny and Your Merchant Portfolio!
Contact Information
Dmitriy Lerman
Director of Marketing Programs and Products
800.211.1256 x104
dlerman@chargeanywhere.com
CHARGE Anywhere: Empowering Payments
Back-Up Slides
Excerpts from Visa on PCI PABP: List of Validated Payment Applications

Payment Application Vendor: CHARGE Anywhere (all entries below)

Payment Application: CHARGE Anywhere Plug-in for QuickBooks 8.0+
  Application Version: 2.45.0
  Validation Date: October 2008
  Assessor: 403 Labs
  Description: A plug-in payment application for Intuit QuickBooks that provides customers with the option to process multiple types of credit card transactions.

Payment Application: CHARGE Anywhere for Windows
  Application Version: 2.0.0
  Validation Date: April 2009
  Assessor: 403 Labs
  Description: A payment application for Microsoft Windows that provides customers with the option to process multiple types of credit card transactions.

Payment Application: CHARGE Anywhere Mobile Payment Solution for Blackberry 4.1+
  Application Version: 2.0.0
  Validation Date: October 2008
  Assessor: 403 Labs

Payment Application: CHARGE Anywhere Mobile Payment Solution for Windows Mobile 5.0+
  Application Version: 2.0.0
  Validation Date: June 2008
  Assessor: Trustwave

Payment Application: CHARGE Anywhere Mobile Payment Solution for J2ME
  Application Version: 2.0.0
  Validation Date: April 2009
  Assessor: 403 Labs

  Description (shared by the three mobile applications above): CHARGE Anywhere's Mobile Payment Software Applications empower mobile merchants to harness the power of live card transactions with their smartphones. CHARGE Anywhere's solutions leverage the merchant's smartphone, data plan and CHARGE Anywhere's payment gateway to create a secure, cost effective and robust Anywhere card payment solution.

Payment Application: CHARGE Anywhere for RIM devices
  Application Version: 2.0.0
  Validation Date: May 2007
  Assessor: Trustwave
  Description: CHARGE Anywhere's Mobile Payment Software Applications empower mobile merchants to harness the power of live card transactions with their RIM 950 pagers. CHARGE Anywhere's solutions leverage the merchant's hardware and CHARGE Anywhere's payment gateway to create a secure, cost effective and robust Anywhere card payment solution.

Payment Application: CHARGE Anywhere for VeriFone POS
  Application Version: 2.0.0
  Validation Date: October 2008
  Assessor: Trustwave

Payment Application: CHARGE Anywhere for Spectra POS
  Application Version: 2.0.0
  Validation Date: October 2008
  Assessor: 403 Labs

  Description (shared by the two POS applications above): Allows POS terminals to accept credit card payments, designed to be used by cashier-type employees that have access to only one card number at a time.

The above is a compilation of excerpts from a document available in its entirety at www.visa.com/cisp
Excerpts from Visa on PCI DSS

Visa U.S.A. Cardholder Information Security Program (CISP): List of Compliant Service Providers, as of May 15, 2008

The companies listed below successfully completed a CISP review based on the PCI Data Security Standard. The "VALIDATION DATE" is the date of last compliance. CISP reviews are valid for one year, with the next annual report due to Visa one year from the "VALIDATION DATE". Reports that are from 1-60 days late are noted in yellow and reports that are from 60-90 days late are noted in red. Entities with reports over 90 days past due are removed from this list. It is the member's responsibility to use compliant service providers and to follow up with service providers if there are any questions about their compliance status.

Visa U.S.A. Cardholder Information Security Program (CISP): List of Compliant Service Providers - All

Service Provider: CHARGE Anywhere
  Validation Date: April 30, 2008
  Services Covered by Review: Internet Payment Processing; Mobile Payment Processing; Wireless Payment Processing
  Assessor: Trustwave

The above is a compilation of excerpts from a document available in its entirety at www.visa.com/cisp
The PCI Standards
The PCI Security Standards Council has developed three separate standards that govern the payment card industry.
  PCI DSS: Payment Card Industry Data Security Standard
  PA DSS: Payment Application Data Security Standard
  PCI PED: Payment Card Industry PIN Entry Device
PCI DSS Payment Security Requirements
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.
(The twelve requirements, grouped by goal, are the same as those listed on the "Integration: PCI Compliance Outsourcing" slide above.)
PA DSS Payment Security Requirements
The PA DSS (formerly PCI PABP) is a standard that mandates that merchants use compliant payment applications, which have been written to standard and certified by the PCI SSC.

Security Mandates by the PCI Security Council
  01/1/2008: New merchants cannot use vulnerable payment applications
  10/1/2008: New Level 3 and 4 merchants must be PCI DSS compliant
  10/1/2009: Processors must decertify all vulnerable payment applications
  07/1/2010: All merchants must use DSS compliant payment applications
Merchant Level Descriptions
  Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
  Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
  Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.