PCI COMPLIANCE GUIDE For Merchants and Service Members




PCI SAQ C-VT
PCI DSS v2.0 SAQ CVT Merchant Guide

Contents

Contents ... 2
Introduction ... 3
Defining an SAQ C Merchant ... 3
REQUIREMENTS FOR SAQ-VT ... 3
REQUIREMENT 1 - Install and maintain a firewall configuration to protect data ... 4
REQUIREMENT 2 - Do not use vendor-supplied defaults for system passwords and other security parameters ... 5
REQUIREMENT 3 - Protect Stored Cardholder Data ... 6
REQUIREMENT 4 - Encrypt transmission of cardholder data across open, public networks ... 7
REQUIREMENT 5 - Use and regularly update anti-virus software or programs ... 8
REQUIREMENT 6 - Develop and maintain secure systems and applications ... 8
REQUIREMENT 7 - Restrict access to cardholder data by business need-to-know ... 9
REQUIREMENT 9 - Restrict physical access to cardholder data ... 9
REQUIREMENT 12 - Maintain an Information Security Policy for employees and contractors ... 10
Summary ... 11
Information Policy Template ... 11

Introduction

What follows is a general guide to help you complete your SAQ (Self-Assessment Questionnaire) C-VT and validate your compliance with PCI DSS (Payment Card Industry Data Security Standard). This guide outlines all of the questions necessary to validate this compliance and helps you satisfy the SAQ C-VT distinction. For each question in the SAQ C-VT this document provides a general explanation and illustrations where appropriate. The overriding theme of this guide is to be just that: a guide towards PCI validation. Several of the questions are very technical; it is therefore recommended that you have a system administrator available to assist you in completing your SAQ.

Defining an SAQ C-VT Merchant

If you are SAQ C-VT, then you are a merchant who uses a payment application system that is connected to the internet. However, you do not store cardholder data in electronic format.

Requirements For SAQ C-VT

There are 12 total requirements defined in the PCI Data Security Standard. The SAQ C-VT contains questions from those requirements as follows:

Requirement 1 - Install and maintain a firewall configuration to protect data
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3 - Protect Stored Cardholder Data
Requirement 4 - Encrypt transmission of cardholder data across open, public networks
Requirement 5 - Use and regularly update anti-virus software or programs
Requirement 6 - Develop and maintain secure systems and applications
Requirement 7 - Restrict access to cardholder data by business need-to-know
Requirement 9 - Restrict physical access to cardholder data
Requirement 12 - Maintain a policy that addresses information security for all personnel

The answer guide below each requirement will assist you in completing the questions for that requirement. Again, some of the questions require in-depth technical knowledge and should be completed by, or with the assistance of, an administrator.

REQUIREMENT 1 - Install and maintain a firewall configuration to protect data

Requirement 1 Answers: 1.2 and 1.4

You must create and maintain a firewall between your cardholder data and any party other than those who have explicit permission. A firewall is software that you configure to determine who is allowed entry to your network. For example, you may need to connect to a third-party network system for credit card processing, or you may have a POS system on your network which connects the POS device to the network. These are examples of processes that would be allowed onto your network via the firewall configuration. Anything not explicitly allowed should be prohibited. If your firewall conforms to these requirements, please answer YES to both questions.

REQUIREMENT 2 - Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 2 Answers: 2.1-2.22

All vendor-supplied default logins and passwords should be changed before installation is completed. These defaults are common knowledge in the cyber world and therefore provide no protection for your systems. Also, any wireless access should use encryption technology. Please answer YES to these questions if you comply.

REQUIREMENT 3 - Protect Stored Cardholder Data

Requirement 3 Answers: 3.2.1 - 3.2.3

These questions are for merchants that store cardholder data electronically. You have indicated that you DO NOT store any cardholder data electronically. You can, therefore, answer YES to all of these questions. If at some time in the future your procedures change and require you to store cardholder data, you will need to revisit these questions.

3.3

Probably the only time you display a credit card number is on the receipt or on a display screen. If you mask credit card information, answer YES to this question. If you display the credit card number anywhere else (and you shouldn't), it must be masked. The only exception is where there is a specific business need to view the entire account number.

REQUIREMENT 4 - Encrypt transmission of cardholder data across open, public networks

Requirement 4 Answers: 4.1

You need to be concerned with this question only if you have a wireless terminal. Therefore, if your terminal is attached to the Internet you can answer this question YES. All transmissions of cardholder data are required to be encrypted, and the proper wireless security protocol should be in place. If you are following these protocols you may answer YES.

4.2

If ever the need arises that you are required to send PANs (card numbers) over the internet, the card numbers cannot be in clear text; you must encrypt them. Does your organization have a security policy, procedure and practice in place that prohibits the sending of unencrypted PANs via e-mail, instant messaging or chat? If so, answer YES to this question. If you don't have this security policy, there is a policy template at the end of this guide that you can customize to your organization. Once you have customized and implemented the policy you can then answer YES.

Note: A critical step in implementing a security policy is to circulate it to all members of the organization: owners, managers, employees (current and future), etc. A best practice is to have everyone sign a copy acknowledging that they have read and understood the policy. These copies should be kept on file.
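An added example, not part of this guide, of the two controls covered by 3.3 and 4.2 as a merchant's administrator might script them: masking a PAN for display (keeping at most the first six and last four digits, the maximum PCI DSS permits to be shown) and scanning an outbound e-mail body for full PANs as a check that the 4.2 policy is being followed. The e-mail text and card numbers are constructed test values, and the scanner reports only masked forms so it never writes a full PAN into a log.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real card numbers satisfy; filters out most
    order numbers, phone numbers and other digit runs of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display (requirement 3.3): keep at most the first six
    and last four digits, the maximum PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Scan clear text (e.g. an outbound e-mail body) for full PANs, as a
    check on the 4.2 policy. Returns only masked forms, so the scanner
    itself never writes a full PAN into a log or report."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample e-mail: one Luhn-invalid order number, one industry
# test card number (4111...), and an already-masked receipt line.
SAMPLE_EMAIL = """Hi, please refund order 1234567890123456 for this customer.
Card used: 4111 1111 1111 1111, expiry 12/29.
The receipt on file shows 411111******1111 only."""

if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_EMAIL))   # ['411111******1111']
```

The order number is rejected by the Luhn check and the masked receipt line has no 13-digit run, so only the full card number is flagged.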

REQUIREMENT 5 - Use and regularly update anti-virus software or programs

Requirement 5 Answers: 5.1 - 5.2

This requirement is to ensure that you are using anti-virus software on all systems, and that it is kept up to date and monitored. If you follow this procedure, please answer YES.

REQUIREMENT 6 - Develop and maintain secure systems and applications

Requirement 6 Answer: 6.1

A patch is a piece of software that is developed to correct and/or enhance a particular software application. Vendors supply security patches for their software on a regular basis in order to protect the software from security vulnerabilities. If you keep your software up to date in a timely manner, please answer YES.

REQUIREMENT 7 - Restrict access to cardholder data by business need-to-know

Requirement 7 Answer: 7.1

If access to cardholder data is limited to only those people whose jobs require it, please answer YES to this question. This type of access should be on a need-to-know basis only. In other words, you would not want an office clerk to have access to paper receipts, accounting information, etc.

REQUIREMENT 9 - Restrict physical access to cardholder data

Requirement 9 Answers: 9.6 - 9.10.1

All of these questions relate to the physical handling of cardholder data. If you have procedures in place to protect the information as outlined in the questions, please answer YES to all. If not, please use the template provided below to develop a policy for your organization. Once you have customized and implemented the policy you can then answer YES.

REQUIREMENT 12 - Maintain an Information Security Policy for Employees and Contractors

Requirement 12 Answers: 12.1 - 12.8

These questions determine whether your organization has a security policy that covers all the points outlined. Following these procedures shows that you, as an organization, are concerned with the safety of your customers' information, that you make protecting cardholder data a priority, and that you keep your procedures current. If you have such a policy in place, answer YES. If not, please use the template provided below to develop a policy for your organization. Once you have customized and implemented the policy you can then answer YES.

Summary

We hope this guide has helped you in completing your SAQ. If you find you need further assistance, please contact your ISO or payment processor for guidance.