Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Note: Postbank P.O.S. Transact GmbH (now EVO Kartenakzeptanz GmbH) has recently been purchased by EVO Payments International Group.

Program implementation details for merchants: Payment Card Industry Data Security Standard (PCI DSS)

Introduction

In view of the rising number of instances of credit card fraud, the credit card organizations MasterCard International and Visa International have initiated programs named MasterCard Site Data Protection (SDP) and Visa Account Information Security (AIS) respectively, to increase security during the storage, processing and/or transmission of card data. The credit card organizations require acquirers (merchant banks) to prove that merchants and their service providers have taken appropriate technical and organizational security measures which prevent card data from being compromised. These programs are intended for service providers and merchants who store, process and/or transmit card data using their own systems.

If card data (governed by an E-commerce, MOTO or POS acceptance contract) are compromised, this could give rise to significant damage claims by the operators of the payment systems and the acquirers. Consequently, you and your service provider must provide proof of having taken appropriate technical and organizational measures to protect card, transaction and account data against misuse and unauthorized access.

In December 2004 (MasterCard) and February 2005 (Visa), the payment systems' hitherto separate technical requirements were merged to form the Payment Card Industry (PCI) Data Security Standard. In April 2008, the PCI DSS was supplemented by software evaluation according to the PCI Payment Application Data Security Standard (PA DSS), Version 1.2.

In September 2006, the companies American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International announced the founding of an independent body named the PCI Security Standards Council (PCI SSC). This council is responsible for advancing the Payment Card Industry Data Security Standard (PCI DSS). In October 2008, the PCI SSC updated PCI DSS Version 1.1 to PCI DSS Version 1.2. As of 31.12.2008, certification according to the old Version 1.1 of the standard is no longer accepted.

The standard's new version comprises:
- PCI DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008)
- PCI DSS Self-Assessment Questionnaire, 1.2 (release: October 2008)
- PCI DSS Security Scanning Procedures, 1.1 (release: September 2006)
- PA DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008)

This version can be found at: www.pcisecuritystandards.org.

Validation requirements by merchant category

To prove compliance with the programs, you are subject to the following actions, depending on your category (described further below):
- You perform an initial evaluation of your security measures using a PCI DSS Self-Assessment Questionnaire. This questionnaire must be filled out anew on an annual basis.
- Every year, the Internet interface operated by the merchant (if relevant) undergoes four PCI DSS Security Scans intended to detect weak points susceptible to attacks.
- Conformance to the security requirements is examined on location through a PCI DSS Security Audit.

Categorization according to MasterCard (1) and Visa (2) is based on the following criteria:

Level 1:
- Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle more than 6 million transactions with MasterCard or Visa
- All merchants who have been targets of data compromise and misuse
- All merchants assigned to Level 1 on the basis of another credit card brand
- All merchants assigned to this category following assessment by MasterCard or Visa with the intention of minimizing risk to the payment systems

Level 2:
- Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle 1 million to 6 million transactions with MasterCard or Visa
- All merchants assigned to Level 2 on the basis of another credit card brand

Level 3:
- All merchants handling 20,000 to 1 million transactions with MasterCard or Visa
- All merchants assigned to Level 3 on the basis of another credit card brand

Level 4:
- All merchants handling less than 20,000 transactions with MasterCard or Visa, and not assigned to Level 1, 2 or 3

The table below provides an overview of the security checks required in accordance with the number of performed transactions:

Merchant category | Self Assessment | Security Scan | Security Audit
Level 1           | -               | 4 x annually  | 1 x annually
Level 2           | 1 x annually    | 4 x annually  | 1 x annually*
Level 3           | 1 x annually    | 4 x annually  | -
Level 4           | 1 x annually    | 4 x annually  | -

* Requirement for MasterCard

(1) According to MasterCard Global Security Bulletin No. 1, 14th January 2005
(2) According to Visa Member Letter EU 06/05, 2nd February 2005

Advantages of PCI DSS for merchants

The binding rules of PCI DSS enhance IT security and help prevent fraud. The added security during the processing of payment cards in compliance with PCI provides the following benefits in particular:
- Increased data protection for your customers
- Higher level of customer confidence, potentially resulting in greater credit card usage and turnover
- High protection against security breaches which would lead to financial damage and claims for compensation
- Safeguarding of corporate image
- Evaluations of the security of systems for storing, processing and transmitting data on credit card holders
- Lower entrepreneurial risk through minimization and avoidance of data disclosure
- Lower costs of PCI Compliance through structured networks

Procedure

The individual steps involved in providing proof of PCI Compliance are described next. Compliance Validation by means of the PCI questionnaire, PCI Security Scans and PCI Security Audits is performed by accredited partners (PCI Qualified Security Assessor and PCI Approved Scanning Vendor) of the credit card organizations.

Important! As a Postbank P.O.S. Transact GmbH contracted merchant, you will have received a notification with information for accessing Postbank P.O.S. Transact's PCI DSS platform. Please register yourself on the platform and check the master data stored there for your company. After that, please follow the instructions and the platform's integrated help utility to demonstrate your PCI compliance.

Overview of the validation process (flow chart):
- Registering on the PCI DSS platform
- Merchant classification
- SAQ Selection Wizard
- Completing the SAQ: Self Assessment Questionnaire (Level 4), Self Assessment Questionnaire (Level 2-3), Self Assessment Questionnaire (Level 1 obligatory)
- Security Scan (Level 4), Security Scan (Level 2-3), Security Scan (Level 1)
- Security Audit (Level 1)
- Reporting
- PCI Compliance Validation

Electronic online questionnaire / PCI DSS Self-Assessment Questionnaire

Merchants (Levels 2-4) must annually assess their technical and organizational measures by responding to the online PCI Self-Assessment Questionnaires prepared for this purpose. Covering all six areas of the PCI Data Security Standard, the questions examine compliance with twelve requirements:

I. Build and Maintain a Secure Network
- 1st requirement: Establishment and maintenance of a firewall for data protection
- 2nd requirement: Changing of vendor-supplied default system passwords and other security parameters

II. Protect Cardholder Data
- 3rd requirement: Protection of stored data
- 4th requirement: Encrypted transmission of cardholder data and other sensitive information via public networks

III. Maintain a Vulnerability Management Program
- 5th requirement: Use and regular updating of anti-virus programs
- 6th requirement: Development and maintenance of secure systems and applications

IV. Implement Strong Access Control Measures
- 7th requirement: Restriction of access to data according to the need-to-know principle
- 8th requirement: Assignment of unique IDs to all persons with computer access
- 9th requirement: Restriction of physical access to cardholder data

V. Regularly Monitor and Test Networks
- 10th requirement: Tracking and monitoring of all access to network resources and cardholder data
- 11th requirement: Regular testing of security systems and processes

VI. Maintain an Information Security Policy
- 12th requirement: Maintenance of an information security policy

The questionnaire is used for self-assessment of compliance with the PCI Data Security Standard.

PCI DSS Security Scan

Security Scans are meant to reveal shortcomings in the investigated system's architecture and configuration. Intruders could exploit such shortcomings in order to steal credit card data. An accredited PCI certifier performs PCI Security Scans in compliance with the requirements laid down in the PCI Security Scanning Procedures (1). Via the Internet, the systems are examined for possible shortcomings by means of security scanners and manual analyses. The employed tools check for deficiencies in network components, operating systems and applications.

Non-intrusive and non-destructive, these scans do not affect the availability or integrity of the target systems. Instead, the scans involve sending ordinary requests to the target systems, essentially without disrupting their proper operation. An appointment for a PCI Security Scan is agreed with you in advance. The PCI Security Scan is subsequently performed using the standardized and defined PCI DSS Security Scanning Procedures.

You receive the results of the PCI Security Scan in a report written in English. Formulated according to PCI DSS specifications, the report rates each detected shortcoming by assigning it to one of five categories (ranging from "low" to "urgent"). The scan is meant to systematically reveal all weak points and deficiencies which could permit the system to be infiltrated. If the PCI Security Scan performed according to the PCI Security Scanning Procedures yields less than satisfactory results, you as the merchant must take appropriate measures to remedy the shortcomings. A new PCI Security Scan is then performed to ascertain whether your measures were effective.

(1) https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

PCI DSS Security Audit

The PCI Security Audit comprises an on-location check for adherence to the PCI Data Security Standard. As part of the Security Audit, merchants categorized as Level 1 are subjected to the additional tests described below.

Preparation for a PCI Security Audit involves the following steps:
1. Formal application for obtaining the service from a certifier and provisional agreement of an appointment for a PCI Security Audit.
2. Delivery of documents for performing the Security Audit: the PCI certifier delivers the documents titled "PCI Data Security Audit Procedures and Reporting" and "Guideline for the preparation of the PCI security audit" in electronic form to the customer. At the same time, the certifier issues a password and a public PGP key for safeguarding future communications.
3. An electronic online PCI Self-Assessment Questionnaire is released so that the customer can carry out an initial, optional assessment of their PCI Compliance.

Step 1: Evaluating the information
The required information is submitted to the certifier no later than two weeks before the agreed Security Audit.

Step 2: Security Audit on-location
As part of the PCI Security Audit, the certifier carries out random, in-situ checks of the details confirmed in writing by the merchant in the document titled "PCI Data Security Standard Requirements and Security Assessment Procedures". Covering all six areas of the PCI Data Security Standard, the check includes:
- Scrutinizing the business model
- Examining how card transactions are performed with the employed IT systems (data flow)
- Conducting interviews with staff, especially those who
  - perform security functions at the company
  - have access to card data
  - are responsible for maintaining and operating systems used to store, process or transmit card data
- Viewing log files of relevant applications
- Inspecting relevant rooms such as the server room, the computer centre, etc.

If you have implemented security solutions which differ from the measures mentioned on the checklist ("Compensating Controls"), the certifier will assess their suitability and conformance to the PCI Data Security Standard.

Step 3: Report draft
The certifier prepares an informal report of the audit results on the basis of the document titled "PCI Data Security Standard Requirements and Security Assessment Procedures", and discusses the results with you.

Step 4: Provisional version of the report
Following mutual consultation, the certifier incorporates your feedback into the report draft and submits it to the payment systems. The payment systems review the draft and return it, accompanied by their own comments, to the certifier.

Step 5: Final version of the report
Taking into consideration the comments issued by the payment systems, the certifier amends the audit report and sends the final version to you as well as to the payment systems.

Contact

If you have any questions relating to the Postbank Service Agreement for Card Acceptance, please do not hesitate to contact:
Postbank Service Kartenakzeptanz
90314 Nürnberg, Germany
Phone: +49 228 55 00 58 11
Fax: +49 228 55 00 58 22
kreditkarten@postransact.de
www.postransact.com