PCI PA-DSS Requirements. For hardware vendors


PCI security services

UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is a world leader in advancing safety. Through its transaction security unit (UL Transaction Security), UL is the world's leading provider of PCI security services. We pride ourselves on our leadership in this and other fields. We are accredited to supply services for all the PCI programs and for programs outside the PCI umbrella.

This PCI PA-DSS primer has been created with two purposes in mind: i. to assist hardware vendors in understanding the PA-DSS ecosystem, and ii. to identify how UL can help hardware vendors become more vertically integrated into the security certification market via PCI PA-DSS and so achieve greater sales.

UL is a source of expertise when it comes to the PCI program. You can draw on our experts to learn more about PCI PTS, PTS SRED and PCI P2PE and, for devices focused on the mPOS market, the Visa Ready Partner Program for mPOS and the MasterCard Mobile POS Program.

What is PCI all about?

All PCI programs are concerned with the protection of cardholder data. The diagram below identifies the data that must be protected. The PCI Security Standards Council runs a number of programs on behalf of the PCI card brands. These programs focus on different elements of the ecosystem and are constantly being reviewed and enhanced to match the security threat environment.

This table classifies the PCI programs and gives a short description of each program's focus. The assessment process for each program falls into one of three categories: Operational Audit, Product Approval, or Product/Solution Implementation.

PCI DSS: Secure cardholder data and security governance
PCI PIN: PIN encryption and cryptographic governance
PCI PTS: Secure payment hardware
PA-DSS: Payment application software
PCI P2PE: Point-to-point encryption solutions as defined by PCI SSC

How does PA-DSS help a merchant with PCI DSS compliance?

The cost and effort of PCI compliance is top of mind for most large merchants. Recent fraud events and U.S. interest in EMV mean merchants are more interested in PCI PTS devices than ever before. Clear-text cardholder data on POS systems is difficult to secure. In the same way that PCI PTS gives merchants comfort that their device will protect PIN data, PA-DSS confirms that the hardware vendor has gone to the additional effort of protecting all cardholder data. This reduces the effort and cost for a merchant's QSA when performing a PCI DSS assessment.

Isn't SRED enough?

Many hardware vendors focus only on SRED and do not understand the added value of PA-DSS. A device with PCI PTS SRED will only provide support to encrypt cardholder data before it leaves the secure area of the device. PA-DSS, however, not only focuses on software functionality; it covers a number of other areas which are not assessed during a PCI PTS SRED evaluation:

- The hardware vendor provides an implementation guide, which includes detailed guidance on how to configure and deploy their devices in a merchant environment in a PCI DSS compliant state.
- The device does not support any feature that would store, transmit or process cardholder data in a manner that would be non-compliant with PCI DSS. SRED does not guarantee that the device does not support any insecure feature.
- Logical management of the device is supported in a secure manner, with audit trails.
- Troubleshooting requests received by the hardware vendor are handled in a PCI DSS compliant manner.
- The hardware vendor follows a documented software development process to ensure that the code running on the device has gone through proper security review and testing.
- The hardware vendor follows a documented vulnerability and patch management process that ensures their code on the device is kept up to date with security patches.

QSAs and merchants already understand the extra value provided by PA-DSS. Security is further enhanced when PA-DSS is combined with encrypted cardholder data.

Benefits and challenges for hardware vendors

The challenge faced by hardware vendors is that it is typically a third party that creates the payment applications that run on the PCI PTS device. There are two alternative solutions to this: i. the hardware vendor also creates the payment application; or ii. the hardware vendor assists third-party payment application vendors in understanding how the PCI PTS device's security properties can be used to achieve PA-DSS. UL Transaction Security offers services and training to assist hardware vendors and payment application vendors in working together to achieve PA-DSS compliance in the shortest time possible.

The Fine Print: PCI Rules

What PCI DSS v3 says about PA-DSS

Relationship between PCI DSS and PA-DSS

Applicability of PCI DSS to PA-DSS Applications

Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor. All applications that store, process, or transmit cardholder data are in scope for an entity's PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.

The PA-DSS requirements are derived from the PCI DSS Requirements and Security Assessment Procedures (defined in this document). The PA-DSS details the requirements a payment application must meet in order to facilitate a customer's PCI DSS compliance. Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches. To determine whether PA-DSS applies to a given payment application, please refer to the PA-DSS Program Guide, which can be found at www.pcisecuritystandards.org.

Applicability of PCI DSS to Payment Application Vendors

PCI DSS may apply to payment application vendors if the vendor stores, processes, or transmits cardholder data, or has access to their customers' cardholder data (for example, in the role of a service provider).

What PA-DSS v3 says about Hardware Terminals

PA-DSS Applicability to Payment Applications on Hardware Terminals

This section provides guidance for vendors who wish to gain PA-DSS validation for resident payment applications on hardware terminals (also known as standalone or dedicated payment terminals). There are two ways for a resident payment application on a hardware terminal to achieve PA-DSS validation:

1. The resident payment application directly meets all PA-DSS requirements and is validated according to standard PA-DSS procedures.
2. The resident payment application does not meet all PA-DSS requirements, but the hardware that the application is resident on is listed on the PCI SSC's Approved PIN Transaction Security (PTS) Devices List as a current PCI PTS approved Point of Interaction (POI) device. In this scenario, it may be possible for the application to satisfy PA-DSS requirements through a combination of the PA-DSS and PTS validated controls.

The remainder of this section applies only to payment applications that are resident on a validated PCI PTS approved POI device. If one or more PA-DSS requirements cannot be met by the payment application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation. For a hardware device to be considered for inclusion in a PA-DSS review, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC's Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a required dependency for the payment application, and the combination of application and hardware will be listed together on the PA-DSS List of Validated Payment Applications.

When conducting the PA-DSS assessment, the PA-QSA must fully test the payment application with its dependent hardware against all PA-DSS requirements. If the PA-QSA determines that one or more PA-DSS requirements cannot be met by the resident payment application, but they are met by controls validated under PCI PTS, the PA-QSA must:

1. Clearly document which requirements are met as stated per PA-DSS (as usual);
2. Clearly document which requirement was met via PCI PTS in the In Place box for that requirement;
3. Include a thorough explanation as to why the payment application could not meet the PA-DSS requirement;
4. Document the procedures that were conducted to determine how that requirement was fully met through a PCI PTS validated control;
5. List the PCI PTS validated hardware terminal as a required dependency in the Executive Summary of the Report on Validation.

Once the PA-QSA's validation of the payment application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the payment application on the PA-DSS List of Validated Applications.

Resident payment applications on hardware terminals that are validated through a combination of PA-DSS and PCI PTS controls must meet the following criteria:

1. Be provided together to the customer (both hardware terminal and application), OR, if provided separately, the application vendor and/or the integrator/reseller must package the application for distribution such that it will operate only on the hardware terminal it has been validated to run on.
2. Be enabled by default to support a customer's PCI DSS compliance.
3. Include ongoing support and updates to maintain PCI DSS compliance.
4. If the application is separately sold, distributed, or licensed to customers, the vendor must provide details of the dependent hardware required for use with the application, in accordance with its PA-DSS validation listing.

Want to know more?

UL's PCI and security experts are happy to assist. Please visit our website for locations and contact details or email info@ul-ts.com.