Vantiv eProtect iframe Technical Assessment Paper




October 13, 2015

Contents

EXECUTIVE SUMMARY ... 3
OVERVIEW ... 3
ABOUT VANTIV EPROTECT ... 4
OPERATIONAL FLOW ... 5
TECHNICAL ASSESSMENT ... 6
AUDIENCE ... 6
ASSESSMENT SCOPE ... 6
MERCHANT PCI DSS COMPLIANCE APPLICABILITY ... 7
TECHNICAL SECURITY ASSESSMENT ... 7
RECOMMENDED BEST PRACTICES ... 11
SUMMARY FINDINGS AND CONCLUSIONS ... 13

United States | Canada | LAC | United Kingdom | Europe | 303.554.6333 | www.coalfire.com | Coalfire v. 09-14

EXECUTIVE SUMMARY

Overview

As of July 2015, all eligible merchants and service providers are required to be compliant with PCI DSS v3.1, which defines new scoping guidelines for outsourced web payment capture solutions that are now considered part of the Cardholder Data Environment (CDE). As a result, merchants and service providers must define their responsibilities in alignment with PCI DSS 3.1 when outsourcing their payment processing responsibilities to validated third parties. Merchants who outsource their payment processing responsibilities to PCI DSS-compliant third parties may still have to validate applicable security controls of their ecommerce environment, depending on their specific implementation approach.

Payment brands allow Level 2[1], Level 3, and Level 4 merchants who do not electronically store, process, or transmit cardholder data on any of their systems or premises to validate their compliance using SAQ A or SAQ A-EP. Level 1 merchants who outsource their payment processing must discuss the validation requirements with their QSAs, acquirers, or payment brands to confirm which applicable controls remain.

Vantiv engaged Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to conduct an independent technical review of Vantiv's eProtect solution (formerly known as Vantiv PayPage). Vantiv eProtect provides card-not-present data security for merchants needing to reduce their risk by completely eliminating the presence of cardholder data from their systems. Vantiv eProtect offers multiple integration approaches, and this technical assessment specifically addresses the Vantiv eProtect iframe integration methodology. Coalfire's findings describe how the use of Vantiv eProtect iframe, implemented in alignment with the eProtect Integration Guide (v4.5/1.2), will significantly reduce the risk of account data compromise within a merchant's ecommerce environment, and how merchants can expect to receive applicable control reduction under PCI DSS v3.1.

[1] Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to retain the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire. (MasterCard.com)

About Vantiv eProtect

Vantiv eProtect is a comprehensive card-not-present data security solution that helps merchants solve initial data capture and cardholder data storage challenges by eliminating cardholder data from their systems, significantly reducing the threat of account data compromise and the number of PCI controls applicable under PCI DSS v3.1. To eliminate capture of cardholder data on their systems, merchants embed on their web page an iframe whose URL is hosted by Vantiv's servers. Rich customization of the style and layout of the checkout experience allows the merchant's site to look and feel like the merchant's brand, while eliminating cardholder data from their systems. To eliminate post-authorization cardholder data storage, Vantiv's OmniToken solution replaces clear cardholder values with tokens that can be used in place of payment data throughout merchant systems, virtually eliminating the risk of data theft. The Vantiv eProtect environment is validated against PCI DSS (Vantiv eCommerce/Litle & Co. Attestation of Compliance, valid until Dec. 19, 2015).

Figure 1: Vantiv eProtect iframe Data Flow

Operational Flow

1. When a customer is ready to enter their cardholder data into the merchant's web page, the merchant web server delivers a form to the customer's web browser. The browser loads the iframe hosted by the eProtect server, utilizing a third-party Content Delivery Network (CDN) provider to accelerate the content delivery.
2. The customer enters their PAN, optional security code (card verification values), and optional expiration date into the iframe fields and clicks the submit button on the merchant's page, calling the eProtect server. Within the hosted iframe, JavaScript encrypts the cardholder data with a 24-hour public-private key pair known only to Vantiv (RSA/ECB/PKCS1 Padding, 2048 bits) and sends the encrypted message to the eProtect server via HTTPS/TLS v1.2* (GeoTrust Global CA, SHA-1 with RSA 2048 bit encryption) through a third-party CDN, using an HTTPS GET request. eProtect returns a non-sensitive, low-value token called a Registration ID in place of the Primary Account Number (PAN).
3. The merchant page submits the Registration ID and non-cardholder data elements to the merchant's web server for order processing.
4. Once the authorization request arrives at Vantiv, the Registration ID is converted to a high-value token called an OmniToken and returned to the merchant with the authorization response. No cardholder data is ever transmitted to the merchant's servers, since the page never had access to the payment information submitted via the Vantiv eProtect iframe.

* eProtect supports TLS v1.0 and higher: because it applies field-level encryption with a public-private key pair prior to transmission, it is not limited by the TLS protocol version to meet applicable control reduction under PCI DSS v3.1.

TECHNICAL ASSESSMENT

As part of the technical assessment, Coalfire performed application and vulnerability testing, reviewed technical documentation (including the eProtect Integration Guide, v4.5/1.2), and interviewed subject matter experts to identify potential risks to cardholder data and the reduction of applicable PCI DSS controls.

Audience

This technical assessment report has two relevant audiences.
I. Merchants, Developers, and Integrators: This audience will be able to clearly understand the reduction of applicable PCI DSS controls under v3.1 they will receive from implementing this solution.
II. QSAs and the Internal Audit Community: This audience will be able to clearly identify the impact on PCI DSS v3.1 validation on behalf of their merchants.

Assessment Scope

The scope of Coalfire's assessment focused on the critical elements that validate the security and effectiveness of the Vantiv eProtect iframe solution, the impact to the merchant's PCI responsibility when implementing eProtect, and the remaining security best practices not required by PCI. Coalfire incorporated in-depth analysis of compliance fundamentals that are essential for evaluation. Coalfire also utilized reviews and feedback obtained from members of the PCI community.

Vantiv's eProtect iframe was assessed by Coalfire between April 6-18, 2015. Coalfire performed testing on the iframe solution via the Vantiv-provided test website (https://www.testlitle.com/iframe/index-coalfire.gsp). The testing focused on packet captures, data contained in browser requests (GET and POST), and web application testing to confirm that the Vantiv iframe is not vulnerable to attacks. Coalfire conducted technical remote lab testing in Vantiv labs in Lowell, Mass., encompassing merchant web pages, integration, transaction testing, and encryption in transmission.

Merchant PCI DSS Compliance Applicability

Based on analysis and testing, Coalfire recommends that merchant ecommerce environments that do not electronically store, process, or transmit cardholder data on their systems, and provide an iframe to a PCI DSS compliant third-party processor for payment processing, will be eligible to validate compliance with an SAQ A under PCI DSS v3.1. Discussed below are two use cases when the Vantiv iframe is deployed by merchants.

Use Case I: Level 2[1], Level 3, and Level 4 merchants defined by the payment brands that do not electronically store, process, or transmit cardholder data in their ecommerce environment, and implement eProtect iframe, will be eligible for SAQ A in alignment with the PCI DSS 3.1 standard. Merchants are required to consult their acquirer(s) or payment brands about individual PCI DSS validation requirements and their eligibility for submitting an SAQ.

Use Case II: Level 1 merchants will achieve reduction of applicable PCI controls for their ecommerce environment where cardholder data is not electronically stored, processed, or transmitted on their systems when eProtect iframe has been implemented to handle all cardholder data responsibilities. Eligible merchant environments with Vantiv's eProtect iframe can be validated against the controls applicable to SAQ A.

Technical Security Assessment

Coalfire evaluated and tested Vantiv's eProtect iframe solution to determine applicable controls for PCI DSS v3.1.

Verification of Vantiv eProtect iframe:
- Coalfire simulated transactions that could occur on a merchant web page using known cardholder data and found non-sensitive plain-text data on the web pages. Encrypted cardholder data was observed through the sampled web pages.
- eProtect utilizes HTTPS TLS v1.2, as per PCI DSS 3.1, for all communications to and from the eProtect environment.
- Confirmed the Vantiv eProtect environment is PCI DSS validated (Vantiv eCommerce Attestation of Compliance (AOC) valid until Dec. 19, 2015).
- A Registration ID (a non-sensitive value as defined by the PCI DSS Tokenization Standard) was returned from the Vantiv environment in place of the account number.
- eProtect iframe entirely removes exposure and storage of cardholder data on merchant servers by securely transmitting cardholder data directly from the customer's web browser to the Vantiv eProtect server, returning only tokenized data to the merchant environment.

- Performed a web application penetration test using the Burp Suite application scanning tool and confirmed that no vulnerabilities related to the ecommerce application exist; however, the integration could be vulnerable to known susceptibilities like clickjacking if merchants do not handle their initiating web pages in a secure manner.

Figure 2: Vantiv eProtect iframe Browser Request from a Sample Transaction

- The GET request to Vantiv eProtect from the merchant environment shows that the parameters containing PAN and Sensitive Authentication Data (CVC/CVV/CVV2) are encrypted using the public-private key pair implemented by Vantiv.

Figure 3: Vantiv eProtect iframe Request Parameters with Encrypted Data

- Coalfire observed and analyzed traffic via the Wireshark tool and confirmed that the transmission of data occurs over TLS v1.2.

Figure 4: Wireshark Transaction Capture

- Assessment testing used transactions from Visa and Discover cards. No PAN or Sensitive Authentication Data (CVC/CVV/CVV2) was found unencrypted over public networks. Cardholder data was captured and transmitted on the Vantiv web pages, and no cardholder data was returned to the merchant test web pages. Data parameters received on merchant pages included the first six and last four digits of the initiating primary account number, the registration ID, the transaction ID, and other data elements essential for performing operations like returns, reversals, card verifications, refunds, data analytics, and reporting.

Figure 5: POST Request Data from Vantiv eProtect iframe (No Full Credit Card Number or Sensitive Authentication Data Exist)

RECOMMENDED BEST PRACTICES

While merchants that implement the Vantiv iframe may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended they review PCI DSS requirements for elements of their ecommerce infrastructure: compromise of the merchant's web pages could potentially result in a compromise of the iframe, and failure to implement the solution in alignment with the eProtect Integration Guide could introduce risk to the environment, in which case merchants may no longer be eligible for control reduction. To help mitigate such risks within the merchant environment, Coalfire and Vantiv recommend the following additional security best practices for merchants that have implemented the Vantiv iframe solution:

- Reviewing web pages periodically: Review the Vantiv eProtect source that is called from the merchant environment to validate that the following source has not changed. (Please note the URL below is from the test environment; merchants need to ensure that the URL provided by Vantiv for the production environment is appropriately reviewed.)

  <script type="text/javascript" src=" https://request-prelive.np-secureeprotect-litle.com/litleeprotect/js/payframe-client.min.jss"> </script>

- Initiating new websites and servers in accordance with applicable PCI DSS requirements.
- Having written agreements with Vantiv (the third-party service provider in this case) and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.
- Securing the web page(s) containing the iframe. iframes could be hijacked by sending customers to false payment pages where credit card data could be stolen. Coalfire recommends that merchants deploy and maintain the web pages in a secure manner.
- Ensuring transactions are received by the acquirer on a regular basis. Reconciliation of transactions can be performed frequently to confirm that the source on the merchant website has not been altered.
- Using TLS v1.2 or higher when transmitting cardholder data.
- Considering a web application firewall or other intrusion-detection technologies to ensure the web servers initiating requests are protected against attacks.
- Developing applications in alignment with PCI DSS compliance.
- Regularly monitoring links (URLs, iframes, APIs) from the merchant's website to the payment processor to ensure they have not been altered to redirect to unauthorized locations.
- Performing periodic web application penetration testing for the hosted ecommerce website.
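One way to automate the periodic page review and link monitoring recommended above, as an added example that is not code from the Coalfire paper or from Vantiv: it collects every script and iframe source from a fetched copy of the checkout page and compares them against an allowlist, reporting unexpected sources, missing expected ones, and anything not loaded over HTTPS. The eProtect URL is the test-environment one quoted above; the merchant-owned script URL and the sample pages are constructed for the example.

```python
"""Change detection for a checkout page's third-party sources.

Added example (not from the Coalfire paper or Vantiv's integration kit).
Feed it the HTML of the merchant's checkout page as served to customers
and alert on any finding; it gives a concrete check behind the paper's
"review the eProtect source periodically" and "monitor links" advice.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of sources the checkout page is expected to load. The eProtect
# URL is the test-environment one quoted in the paper (production merchants
# list the URL Vantiv gives them); the second entry is a constructed
# merchant-owned script.
EXPECTED_SOURCES = frozenset({
    "https://request-prelive.np-secureeprotect-litle.com/litleeprotect/js/payframe-client.min.jss",
    "https://shop.example.com/static/checkout.js",
})


class _SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                # The paper's own sample tag has a space inside the quotes,
                # so normalise whitespace before comparing.
                self.sources.append(src.strip())


def external_sources(html):
    """Return every script/iframe src found in the page, in document order."""
    collector = _SourceCollector()
    collector.feed(html)
    collector.close()
    return collector.sources


def check_payment_page(html, expected=EXPECTED_SOURCES):
    """Compare the page's sources with the allowlist.

    Returns sorted lists: 'unexpected' (present but not allowlisted),
    'missing' (allowlisted but absent, e.g. the eProtect script was removed
    or swapped) and 'insecure' (not loaded over https).
    """
    found = set(external_sources(html))
    return {
        "unexpected": sorted(found - expected),
        "missing": sorted(expected - found),
        "insecure": sorted(s for s in found if urlsplit(s).scheme.lower() != "https"),
    }


def is_clean(findings):
    """True when nothing needs an operator's attention."""
    return not any(findings.values())


# Constructed sample pages used for the checks below.
EPROTECT_TAG = ('<script type="text/javascript" src=" https://request-prelive.'
                'np-secureeprotect-litle.com/litleeprotect/js/payframe-client.min.jss"> </script>')
GOOD_PAGE = f"""<html><body><form id="checkout">
{EPROTECT_TAG}
<script src="https://shop.example.com/static/checkout.js"></script>
</form></body></html>"""
# Same page with an extra, unlisted script added.
INJECTED_PAGE = GOOD_PAGE.replace(
    "</form>", '<script src="https://cdn.example.net/extra.js"></script></form>')
# Same page with the eProtect script swapped for one on another host over http.
SWAPPED_PAGE = GOOD_PAGE.replace(
    EPROTECT_TAG, '<script src="http://cdn.example.net/payframe-client.min.js"></script>')

if __name__ == "__main__":
    for name, page in [("good", GOOD_PAGE), ("injected", INJECTED_PAGE), ("swapped", SWAPPED_PAGE)]:
        print(name, "clean" if is_clean(check_payment_page(page)) else check_payment_page(page))
```

Scripts that eProtect inserts dynamically at runtime do not appear in the served HTML, so this check complements, rather than replaces, reconciling transactions with the acquirer.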

Requirements 9 and 12 of PCI DSS are covered under SAQ A. SAQ A-EP focuses on the following additional areas:

- Requirement 1: Install and maintain a firewall configuration to protect data (firewall and router configuration hardening).
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (initiating web server configuration hardening).
- Requirement 3: Protect stored cardholder data (ensure card verification values or Personal Identification Numbers (PINs) are not stored after authorization).
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (ensure cardholder data is transmitted only through Vantiv, and that the environment does not facilitate transmission via any other means).
- Requirement 5: Protect all systems against malware and regularly update anti-virus software programs.
- Requirement 6: Develop and maintain secure systems and applications (have a process for identifying security vulnerabilities, patching of systems, change control processes, developing applications based on secure coding guidelines, and a web application firewall).
- Requirement 7: Restrict access to cardholder data by business need to know (access to cardholder data environment systems should be limited).
- Requirement 8: Identify and authenticate access to system components (assign unique IDs, enable remote access only when needed, follow two-factor and password procedures).
- Requirement 10: Track and monitor all access to network resources and cardholder data (monitor the security of the server and application, ensuring that audit trails and alerts are in place, such as detecting and alerting upon unauthorized changes to the payment page).
- Requirement 11: Regularly test security systems and processes (engage an Approved Scanning Vendor [ASV] to perform quarterly external vulnerability scans, perform penetration testing, and have a change detection mechanism deployed within the cardholder data environment, especially on the initiating web server).

SUMMARY FINDINGS AND CONCLUSIONS

Based upon interviews with Vantiv personnel and review of supporting documentation, it is Coalfire's opinion that merchants who properly utilize Vantiv data security technologies will reduce their risk of account data compromise and receive PCI DSS applicable control reduction. Merchant ecommerce environments that do not touch cardholder data and implement Vantiv's eProtect iframe will be eligible for SAQ A. The remaining security responsibilities of the merchant's environment are not applicable to PCI DSS.

The following are important highlights of Coalfire's technical evaluation. A properly designed and deployed Vantiv iframe solution can:
- Reduce the risk of compromise of cardholder data for a merchant environment.
- Reduce the attack surface and threat environment for a merchant.
- Significantly reduce the number of applicable PCI DSS controls and validation requirements for merchants.
- Minimize the exposure of plain-text cardholder data for the merchant when Vantiv eProtect is used.

While achieving risk and PCI applicable control reduction, implementing Vantiv eProtect does not fully outsource the merchant's payment responsibilities. Vantiv eProtect iframe should not lower a merchant's sensitivity to the security of their ecommerce environment, nor does it fully outsource all their PCI DSS compliance responsibilities.

Legal Disclaimer

The opinions and findings within this evaluation are solely those of Coalfire and do not represent any assessment findings, or opinions, from any other parties. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice.

While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document, inclusive of the title and publication date. Neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.