
CardControl
Credit Card Processing 101

Overview

Credit card processing is a very complex and important system for anyone that sells goods. This guide aims to educate and inform new and existing merchants who are working towards handling credit card information more securely, ultimately leading to PCI-DSS compliance.

Contents

Overview ... 1
Contents ... 1
Definitions ... 3
  Card Issuer ... 3
  Card Not Present ... 3
  Card Present ... 3
  Card Security Code ... 3
  Chip and Pin ... 3
  Credit Card Number ... 3
  Data Security Standard (DSS) ... 3
  Gateways ... 3
  Level 1, 2, & 3 Data ... 3
  Merchant ... 4
  Payment Application DSS (PA-DSS) ... 4
  Payment Brand ... 4
  Payment Card Industry (PCI) ... 4
  Point of Sale (POS) Terminal ... 4
  Processors ... 4
  Tokenization ... 4
Difference between PCI Compliance and PA-DSS Validation ... 5
  The 12 Requirements of the PCI DSS: ... 5
    Build and Maintain a Secure Network ... 5
    Maintain a Vulnerability Management Program ... 5
    Implement Strong Access Control Measures ... 5
    Regularly Monitor and Test Networks ... 5
    Maintain an Information Security Policy ... 5
The Payment Process ... 6
  Process Diagram ... 6
  Notes ... 6
Useful Links ... 7
  Find Applications and Companies that are PA-DSS Validated ... 7
  Payment Applications Data Security Standard (PA-DSS) ... 7
  Payment Card Industry Data Security Standard (PCI DSS) ... 7
  Open Web Application Security Project (OWASP) ... 7

Credit Card Processing 101 Page 1

Definitions

In most places CardControl and SalesPad use the terms Processor and Gateway interchangeably. They are distinctly different entities. The following definitions should help in understanding the process a transaction goes through to capture funds.

Card Issuer
  The bank that issued the card (e.g. Bank of America), or one of the payment brands.

Card Not Present
  A credit card processed without the card stripe information being sent to the Processor or Gateway. A swipe can still be used for card entry. This is typical for online transactions or transactions processed over the phone.

Card Present
  A credit card processed via a credit card swipe in the United States, or a Chip and PIN transaction in other parts of the world. The track data from the magnetic stripe is sent to the processor or gateway.

Card Security Code
  An embossed number typically shown on the back of a credit card. This code is used to verify the physical presence of a credit card at the time a transaction is processed. The payment brands have different names for this code:
  - MasterCard: Card Validation Code (CVC2)
  - Visa: Card Verification Value (CVV2)
  - Discover: Card Identification Number (CID)
  - American Express (Amex): Unique Card Code (CID)

Chip and Pin
  Also known as EuroPay, MasterCard, Visa (EMV) cards, or smart cards: cards that contain integrated circuits. The word "chip" refers to a computer chip embedded in the smartcard; the word "PIN" refers to a personal identification number that must be supplied by the customer. "Chip and PIN" is also used in a generic sense to mean any EMV smart card technology which relies on an embedded chip and a PIN. Chip and PIN is not commonly used in the United States. CardControl does not support Chip and PIN.

Credit Card Number
  Also known as the Primary Account Number (PAN): the 13-, 15-, or 16-digit number representing the credit card account.

Data Security Standard (DSS)
  Also known as PCI-DSS: security requirements for any merchant that chooses to process credit cards. There are several different versions of the DSS standard. CardControl is validated under DSS 2.0; DSS 1.2 is retired and DSS 3.0 is set to go into general use mid-2014.

Gateways
  Application Programming Interfaces (APIs) for connecting to processors. These companies add various services, such as tokenization, on top of the processors that they connect with.

Level 1, 2, & 3 Data
  There are differing levels of data that can be sent to a payment processor / gateway. What each level constitutes differs for each setup.
  1) Card info only: the bare minimum information needed to charge a credit card.
  2) Card info + Order Info: Level 1 plus information about the order, such as the order number and shipping and billing address information.
  3) Card Info + Order Info + Order Detail: Level 2 plus line item details, tax, duty, commodity codes, etc. Level 3 is required for US federal government transactions.

Merchant
  world.

Payment Application DSS (PA-DSS)
  Security validation that states that an application can help a merchant achieve PCI-DSS compliance. An application must be validated before being certified as PA-DSS Validated.

Payment Brand
  Major credit card companies, such as Visa, Discover, MasterCard, etc.

Payment Card Industry (PCI)
  Trade group for the credit card payment brands.

Point of Sale (POS) Terminal
  A hardware device that takes a credit card swipe or chip and PIN entry.

Processors
  Also called acquirers: the companies that actually contact the Card Issuer / Payment Brand to get funds for a transaction.

Tokenization
  The card is stored at the Gateway or Processor level.
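The "Credit Card Number" and "Tokenization" definitions above describe what a merchant actually handles and what can be kept out of its systems. The following is an added example, not code from the CardControl guide or from SalesPad: it checks a PAN with the Luhn check digit (a technique the guide does not mention), accepts only the 13-, 15- and 16-digit lengths the guide lists, masks the PAN to first six / last four for display or logging (the most PCI DSS requirement 3.3 permits on a display), and models the gateway/processor-side vault that tokenization puts the PAN in, so the merchant record carries only a token and a masked PAN. The `TokenVault` class and `store_card` function are this example's own names; the card numbers are well-known public test numbers, not real accounts.

```python
"""PAN hygiene: validate, mask and tokenize a card number (added example)."""
import secrets

PAN_LENGTHS = {13, 15, 16}   # lengths the guide gives for a PAN


def is_valid_pan(pan: str) -> bool:
    """True if `pan` is all digits, of a listed length, and passes the Luhn check."""
    if not pan.isdigit() or len(pan) not in PAN_LENGTHS:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 back to one digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the first six and last four digits, e.g. 411111******1111."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in (constructed) for the gateway/processor vault that holds the real PAN.

    The merchant keeps only the opaque token and the masked PAN; the PAN
    itself never has to be stored on the merchant's own systems.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        token = "tok_" + secrets.token_hex(12)   # random; carries no card digits
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault side maps a token back to the PAN (e.g. to run a charge)."""
        return self._pan_by_token[token]


def store_card(vault: TokenVault, pan: str) -> dict:
    """What the merchant record may hold after tokenization: token and masked PAN only."""
    token = vault.tokenize(pan)
    return {"token": token, "masked_pan": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_card(vault, "4111111111111111")   # public Visa test number
    print(rec)
    print(vault.detokenize(rec["token"]))
```

Running the block stores one test card and prints the merchant-side record (token plus `411111******1111`), then shows that only the vault can turn the token back into the full PAN. A real gateway token format differs from the `tok_` prefix used here.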

Difference between PCI Compliance and PA-DSS Validation

PA-DSS v2.0 is the standard against which CardControl has been tested, assessed, and validated. PCI Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment: a compliant server architecture with proper hardware & software configurations and access control procedures. The PA-DSS Validation is intended to ensure that CardControl will help you achieve and maintain PCI Compliance with respect to how CardControl handles user accounts, passwords, encryption, and other payment data related information.

The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process, or transmit cardholder data. The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed, or transmitted.

The 12 Requirements of the PCI DSS:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

The Payment Process

The payment process is the most complex part of taking payments. Understanding this process can allow merchants to save money once their setup is optimized.

Process Diagram

1) The consumer chooses the credit card they would like to use to pay for their order.
   a) This may involve swiping their card at a POS terminal, typing their card information into a web application, or reading the card information to a Customer Service Rep over the phone.
   b) At this point the sensitive information (PAN, expiration date, card security code, etc.) is collected.
2) The Merchant sends the sensitive credit card information to their Processor or Gateway to process the transaction.
   a) If the merchant is using a gateway then the data is sent to the gateway.
   b) The gateway sends the data to the processor the merchant has configured in their account with the gateway.
3) The processor contacts the Payment Brand based on the type of card provided.
4) The payment brand contacts the issuing bank to determine if there is enough balance available to process the transaction.
   a) If the issuing bank approves the transaction, that approval is sent back along the chain to the merchant.

Notes

- The processor, gateway, and issuing bank must all run settlement before the money can be transferred.
- Each step in this process requires resources. Each step also increases the percentage of the payment the merchant pays to process the transaction. If a merchant can reduce the number of steps then their rate will be lower (i.e. it is better to go directly to a processor than to use a gateway; the tradeoff is that it is extremely difficult to integrate directly with a processor).
- The more information that is sent to and supported by a gateway or processor, the more secure a transaction will be considered. When more information is sent, rates are typically lower. See Level 1, 2, & 3 Data.
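The four steps above describe one authorization travelling merchant -> (gateway) -> processor -> payment brand -> issuing bank, with the answer retracing the chain, and the notes point out that every extra party in that chain costs the merchant. The following is an added example that models that exchange; it is not code from the CardControl guide or from SalesPad. Step 3 says the processor contacts the brand "based on the type of card provided"; here that is done from the PAN's leading digits using the issuer identification number ranges each brand publishes, which the guide itself does not spell out. The `Issuer` class, its balances and the `Authorization` record are constructed for the example; the card numbers are public test numbers.

```python
"""Model of the authorization chain from the guide (added example)."""
from dataclasses import dataclass, field


def brand_for_pan(pan: str) -> str:
    """Route on the leading digits: how the processor knows which brand to contact."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(pan[:4]) <= 2720:
        return "MasterCard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    raise ValueError("payment brand not recognised for this PAN")


@dataclass
class Issuer:
    """Issuing bank (constructed). Approves only if available credit covers the amount."""
    available_cents: dict = field(default_factory=dict)   # pan -> available credit

    def authorize(self, pan: str, amount_cents: int) -> str:
        if self.available_cents.get(pan, 0) >= amount_cents:
            self.available_cents[pan] -= amount_cents       # place a hold on the funds
            return "APPROVED"
        return "DECLINED"


@dataclass
class Authorization:
    brand: str
    result: str
    path: list   # every party the request and then the answer pass through, in order

    @property
    def hops(self) -> int:
        """Round-trip message hops; each party on the path takes a share of the payment."""
        return len(self.path) - 1


def authorize(pan: str, amount_cents: int, issuer: Issuer, use_gateway: bool) -> Authorization:
    """Carry one authorization request along the chain and the answer back."""
    outbound = ["merchant"]
    if use_gateway:
        outbound.append("gateway")     # gateway forwards to the processor it is configured for
    outbound.append("processor")
    brand = brand_for_pan(pan)
    outbound.append(brand)             # processor contacts the brand for this card type
    outbound.append("issuer")          # brand asks the issuing bank about the balance
    result = issuer.authorize(pan, amount_cents)
    inbound = outbound[-2::-1]         # approval/decline retraces the chain to the merchant
    return Authorization(brand, result, outbound + inbound)


if __name__ == "__main__":
    bank = Issuer({"4111111111111111": 10_000})   # constructed: $100.00 available
    via_gateway = authorize("4111111111111111", 2_500, bank, use_gateway=True)
    direct = authorize("4111111111111111", 2_500, bank, use_gateway=False)
    print(via_gateway.result, via_gateway.hops, " -> ".join(via_gateway.path))
    print(direct.result, direct.hops, " -> ".join(direct.path))
```

Run as a script, the two printouts show the same approval taking eight hops through a gateway and six hops going to the processor directly, which is the cost trade-off the notes describe. Real brand routing uses full issuer identification number tables, not the handful of prefixes above.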

Useful Links

Find Applications and Companies that are PA-DSS Validated
  https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

Payment Applications Data Security Standard (PA-DSS)
  https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Payment Card Industry Data Security Standard (PCI DSS)
  https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Open Web Application Security Project (OWASP)
  http://www.owasp.org

SalesPad LLC
3200 Eagle Park Dr. Ste. 100
Grand Rapids, MI 49525
www.salespad.net