The Petroleum Marketer s PCI compliance Reference Guide



Similar documents
Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PCI Compliance Workshop. NACS PEI October 21, :45 a.m. 11:45 a.m.

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Credit Card Processing Overview

La règlementation VisaCard, MasterCard PCI-DSS

PCI COMPLIANCE GUIDE For Merchants and Service Members

CardControl. Credit Card Processing 101. Overview. Contents

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

How To Comply With The Pci Ds.S.A.S

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Payment Card Industry Data Security Standards.

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

Payment Card Industry Data Security Standards Compliance

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PAI Secure Program Guide

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

PCI Compliance Top 10 Questions and Answers

PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI DSS Presentation University of Cincinnati

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

How To Protect Your Business From A Hacker Attack

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

PCI Compliance. Top 10 Questions & Answers

How To Program A Credit Card Terminal To Be A Pca Compliant (Cpo) Or Not (Pca) Compliant (Dns) (Cisp) (Dhs) (Pci) (Susu) (Usu/

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Technical breakout session

Payment Card Industry Compliance

Understanding Payment Card Industry (PCI) Data Security

PCI DSS. CollectorSolutions, Incorporated

Property of CampusGuard. Compliance With The PCI DSS

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Payment Card Industry Data Security Standard PCI DSS

How To Protect Your Credit Card Information From Being Stolen

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Two Approaches to PCI-DSS Compliance

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

END-OF-LIFE LIST FOR NON-COMPLIANT PIN-ENTRY DEVICE (PED) AND VULNERABLE DEVICES

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Ruby VASC Instructor Guide

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Becoming PCI Compliant

Merchant guide to PCI DSS

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

A Whitepaper by Vesta Corporation. Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

How To Protect Visa Account Information

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Why Is Compliance with PCI DSS Important?

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

paypoint implementation guide

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI Standards: A Banking Perspective

PCI DATA SECURITY STANDARD OVERVIEW

An article on PCI Compliance for the Not-For-Profit Sector

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

Josiah Wilkinson Internal Security Assessor. Nationwide

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

UCSB Credit Card Processing and PCI Compliance

Transcription:

The Petroleum Marketer s PCI compliance Reference Guide 1. Become familiar with the 12 standards of card data security: Build and maintain a secure network Requirement 1 Install and maintain a firewall configuration to protect data. Requirement 2 Do not use vendor-supplied defaults for system passwords and security parameters Protect cardholder data Requirement 3 Protect stored data Requirement 4 Encrypt transmission of cardholder data and sensitive information across public networks Maintain a vulnerability management program Requirement 5 Use and regularly update anti-virus software Requirement 6 Develop and maintain secure systems and applications Implement strong access control measures Requirement 7 Restrict access to data by business need-to-know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data Regularly monitor and test networks Requirement 10 Track and monitor all access to network resources and cardholder data Requirement 11 Regularly test security systems and processes Maintain an information security policy Requirement 12 Maintain a policy that addresses information security Notes to myself: Much like healthily life styles, or responsible home ownership, PCI Compliance is MORE about adopting good habits and safe behaviors than anything else.

2. Be familiar with what can and cannot be stored in a POS system. There is also a Good List of PCI compliant software companies, I can visit on Visa s Website: http://www.usa.visa.com/merchants/risk_management/cisp_payment_applications.html If I don t see what I am looking for, I can always contact the software company to find out. If they tell me that they are PABP compliant, they should have a letter they can share with me from VISA certifying them to this standard. I have to fill out the Self-Assessment Questionnaire on http://www.pcisecuritystandards.org both after the upgrade and each year. I will keep the most current copy in my PCI folder. G-site is no longer available to unbranded stations in a PCI version. If I have a G-site product, I will need to upgrade it.

3. TIMELINES (What are the PCI deadlines that concern my business?) Processor Network and Software Company Phase Proposed Mandate Effective Date I Newly boarded merchants may not use applications 01/01/2008 with known vulnerabilities II Payment networks must only certify PA-DSSvalidated 07/01/2008 payment applications III Newly boarded Level 3 and Level 4 merchants 10/01/2008 must be PCI DSS compliant or use PA-DSS validated applications IV Payment networks must decertify known 01/01/ vulnerable payment applications V Members must ensure their merchants use Payment Application Best Practices (PABP) validated applications 07/01/ The Petroleum Marketers Timeline POS Compliance Timetable 1. Update your Payment Software PCI-DSS Software versions must be implemented by 10/1/08. The software you have MUST become PABP certified by 7/1/10. 2. Upgrade the PIN Pads Stations must upgrade to PCI compliant models by 6/30/08. 3. The Forecourt (Dispensers) If you buy dispenser on or after 1/1/09 it has to have a Triple DES Pin Pad. Everyone will need to have a Triple DES Pin Pad by 7/1/10. 2008 Oct 2008 Jan April Oct Jan April Notes to myself: MY SOFTWARE: I should make sure that I have a PCI compliant system in place no later than October 1, 2008. (Ruby=Version 4 / Passport=Version 6 or 7 / Dresser Wayne Nucleus = Version 2) At my dispenser: If I am getting brand new dispensers after 1/1/, they MUST have Triple DES encrypted PIN PAD overlays. If I don t buy any, I MUST replace my old ones with Triple DES encrypted overlays no later than 7/1/ For my register PIN PADS: I need to make sure to have VISA PED or PCI PED Terminals no later than 6/30/. (Good ones to have are: Hypercom 1300, Verifone 1000SE-2, MX800 s and Ingenico 3070. 5

MY Steps to becoming the PABP compliant: What are the steps I should take to become compliant? [PA] Define Your Point A -Look To CISP Good List -Take Inventory of your POS Hardware / Software Understand Where you need to be -Contact Equipment Co. for a Site survey -Take Self-assessment -Get cost quote Execute to Plan -Install Software -Install Hardware where required. -TAKE THE USER TRAINING 1 Use your Point of Sale Safely What are the steps I should take to remain compliant? [BP] -Follow recommended user/admin/manager functions -Avoid making short cuts -Regularly change difficult Passwords Secure your hardcopies -Lock box customer receipts -Destroy all hand written notes of card numbers Follow the prescriptive -Take self assessment annually -User scanner services from a if DSL -Ask Equipment co to periodically inspect your devices when on site 2 For Scanning Services I can contact Trustwave. www.trustwave.com Phone number is: 888-878-7817

My Best Practices Basics Flow Chart: (Refer to Self-Assessment for more details) What YOU can do on your own to secure your POS Starting Point: Good POS Habits Create Difficult passwords & change periodically PCI Compliant Point of Sale System Follow POS user advice (ex: Limit User Access to Manager Functions) Update anti-virus Software where present 3 What YOU can do on your own to secure your FACILITY Starting Point: Good SITE habits Keep Hard Copy Receipts Secure Don t leave passwords exposed The Station Periodically Walk Your site Establish procedure to have employee s call you when in doubt. If I find a security breach or an attempted breach, I should contact my equipment provider and my credit card processor. Chase Paymentech s PCI compliance reporting officer is: Veronica Murphy - 214-849-3257. 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information