Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens)


Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens) Frequently Asked Questions December 2015

Introductory Note

This document addresses frequently asked questions (FAQs) related to the PCI SSC Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), Version 1.0.

Throughout this FAQ document:

- The use of "PCI TSP Security Requirements" refers to the Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens) Version 1.0, as published on the PCI SSC website (www.pcisecuritystandards.org).
- The use of "EMVCo Technical Framework" refers to the EMV Payment Tokenisation Specification Technical Framework, as published by EMVCo (www.emvco.com).
- "TSP" is a PCI SSC-defined acronym that refers to and aligns with the EMVCo-defined term "Token Service Provider".

Further information about use and applicability of the PCI TSP Security Requirements can be found in the Introduction, Terminology, and Scope of Requirements sections within the document itself.

FAQs for PCI TSP Security Requirements

Q 1. Who is required to comply with the PCI TSP Security Requirements?

A: Compliance programs for the PCI TSP Security Requirements, including which entities need to validate and validation procedures, are managed by the payment brands. Entities that are registered as Token Service Providers by EMVCo should confirm their compliance and validation requirements with the applicable payment brand(s).

Q 2. When are the PCI TSP Security Requirements effective?

A: The TSP Security Requirements are active upon publication. Effective dates for compliance to TSP Security Requirements are defined by the payment brands. Any queries about validating compliance to the TSP Security Requirements should be directed to the applicable payment brand(s).

Q 3. What is the relationship between PCI DSS and the PCI TSP Security Requirements?

A: The PCI TSP Security Requirements build on and are additional to those in PCI DSS. Both the PCI DSS and TSP Security Requirements apply to the TSP's token data environment.

Q 4. What is the relationship between the EMVCo Technical Framework and the PCI TSP Security Requirements?

A: The EMVCo Technical Framework defines technical requirements for interoperable tokenization solutions for Payment Tokens. The specification defines the key roles and data fields associated with Payment Token requests, issuance, provisioning, transaction processing, and application programming interfaces (APIs). The PCI TSP Security Requirements define physical and logical security controls to protect the environments where Token Service Providers (as defined by the EMVCo Technical Framework) perform tokenization services.

FAQs for PCI TSP Security Requirements v1.0 Page 2

During development of the PCI TSP Security Requirements, PCI SSC consulted with EMVCo to produce requirements that support and complement the EMVCo Technical Framework. Supporting programs for the PCI TSP Security Requirements and EMVCo Technical Framework are managed by PCI SSC and EMVCo respectively, and each entity defines its own processes and procedures related to its own program. The documents are independently maintained, and neither document replaces or supersedes the other.

Q 5. Do the PCI TSP Security Requirements apply to acquiring tokens?

A: No. The PCI TSP Security Requirements are intended for entities that have registered with EMVCo as a Token Service Provider for Payment Tokens. The PCI TSP Security Requirements cover Payment Tokens as defined by EMVCo, and do not address acquiring tokens or other types of tokens. While entities that provide services for acquiring tokens (for example, by tokenizing PAN after it is received from the cardholder during a transaction) may choose to implement the PCI TSP Security Requirements, they are not required to do so. For guidance on acquiring token solutions, the PCI Tokenization Product Security Guidelines document is available on the PCI SSC website.

Q 6. What is the difference between acquiring tokens, issuer tokens, and Payment Tokens?

A: Each of these types of tokens replaces the PAN with an alternative or surrogate value.

Acquiring tokens are created by the acquirer, merchant, or a merchant's service provider after the cardholder presents their PAN and/or other payment credentials. Acquiring tokenization solutions are proprietary and are not based on an industry-standard approach to token generation, format, request or provisioning [1]. Acquiring tokens cannot be used for new authorizations. They can be used for card-on-file and recurring payments. The PCI Tokenization Product Security Guidelines offers guidance on acquiring tokens.

Issuer tokens, also known as virtual card numbers, are created by issuers and provide the means to reduce risk in specific use cases, including commercial card applications, as well as consumer-oriented services. These tokens resemble the PAN, so merchants and acquirers are unlikely to know that they are using a token [2].

Payment Tokens are created by TSPs that are registered with EMVCo. Payment Tokens and their usage are defined by EMVCo in the EMVCo Technical Framework. Payment Tokens are issued to a cardholder in lieu of a PAN, and the cardholder presents the Payment Token to the merchant when making a purchase. During a Payment Token transaction, the merchant and acquirer do not receive or have access to the corresponding PAN.

[1] U.S. Payments Security Evolution and Strategic Road Map. Developed by the working groups of the Payments Security Taskforce, December 11, 2014.
[2] U.S. Payments Security Evolution and Strategic Road Map. Developed by the working groups of the Payments Security Taskforce, December 11, 2014.

Q 7. How do the PCI TSP Security Requirements differ from the PCI Tokenization Product Security Guidelines?

A: The PCI TSP Security Requirements is a standard for Payment Tokens, while the PCI Tokenization Product Security Guidelines provide guidance and best practices for acquiring tokens.

The PCI TSP Security Requirements are intended for entities designated by EMVCo as Token Service Providers, to protect the environments where the Token Service Provider performs tokenization services. Assessment and validation against the TSP Security Requirements may be required by payment brands for registered Token Service Providers.

The Tokenization Product Security Guidelines were published by PCI SSC in April 2015 to provide technical best practices for the development of tokenization solutions for acquiring tokens. The Tokenization Product Security Guidelines do not apply to Payment Tokens and are not intended for use by Payment Token TSPs. The Tokenization Product Security Guidelines are intended as guidance only; there is no program or validation associated with the Guidelines.

Q 8. Where do the PCI TSP Security Requirements apply within a TSP's environment?

A: The PCI TSP Security Requirements apply to the TSP's token data environment, which is a dedicated, secure area within which the TSP performs the tokenization services defined in the EMVCo Technical Framework. The token data environment is described further within the PCI TSP Security Requirements. Payment Tokens that exist outside of the token data environment are not subject to the PCI TSP Security Requirements.

Q 9. How does a TSP validate to the PCI TSP Security Requirements?

A: Entities wishing to become Token Service Providers must first register with EMVCo and meet all requirements defined in the EMVCo Technical Framework. To validate to the PCI TSP Security Requirements, the TSP engages a QSA (P2PE) to evaluate the token data environment against the PCI TSP Security Requirements. The TSP submits validation documentation (ROC and AOC) to the applicable payment brand(s). Templates for the TSP ROC and TSP AOC are provided on the PCI SSC website.

Q 10. Who is qualified to assess the PCI TSP Security Requirements?

A: When assessing the TSP's token data environment, only QSA (P2PE)s that have undergone TSP training are qualified to assess the PCI TSP Security Requirements. PCI DSS Requirements 1 through 12 (which also apply to the token data environment) may be validated by a QSA.

Q 11. Why is a QSA (P2PE) required to assess the PCI TSP Security Requirements?

A: The PCI TSP Security Requirements include cryptographic key management, physical security and logical access controls that are more stringent than PCI DSS. Assessment of these requirements requires a level of knowledge and skill comparable to that required for performing P2PE assessments. Qualification as a QSA (P2PE) requires a level of prerequisite experience and knowledge that is also suitable for assessing the more stringent controls defined in the PCI TSP Security Requirements.

Q 12. How can a QSA that is not also a QSA (P2PE) become qualified to assess the PCI TSP Security Requirements?

A: QSAs that wish to assess the PCI TSP Security Requirements, and that meet all the requisite personnel and company requirements defined in the PCI Qualification Requirements For Point-to-Point Encryption (P2PE) Qualified Security Assessors QSA (P2PE) and PA-QSA (P2PE), can follow the qualification path to become a QSA (P2PE) in order to perform such assessments.

Q 13. When will qualified assessors be available to perform TSP Security Requirements assessments?

A: PCI SSC will publish reporting templates and provide QSA (P2PE)s with supplemental training in early 2016. Additional announcements and communications will be provided when these are available.

Q 14. Does PCI SSC list validated TSPs?

A: There are currently no plans for PCI SSC to list Token Service Providers that have been assessed to the PCI TSP Security Requirements. Any queries about TSP compliance should be directed to the applicable payment brand(s).