Credit Card Processing Overview

Similar documents
CardControl. Credit Card Processing 101. Overview. Contents

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

How To Comply With The Pci Ds.S.A.S

Payment Card Industry (PCI) Data Security Standard

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

Payment Card Industry (PCI) Data Security Standard

Josiah Wilkinson Internal Security Assessor. Nationwide

Payment Card Industry (PCI) Data Security Standard

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Card Industry (PCI) Data Security Standard

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Payment Card Industry (PCI) Data Security Standard

PCI Security Standards Council

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

11/24/2014. PCI Compliance: Major Changes in e-quantum/quantum Net

PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL

Payment Card Industry (PCI) Data Security Standard

Version 15.3 (October 2009)

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Payment Card Industry Compliance

PCI PA-DSS Requirements. For hardware vendors

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009

PCI Compliance Overview

Implementation Guide

Becoming PCI Compliant

FOR A BARRIER-FREE PAYMENT PROCESSING SOLUTION

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Payment Card Industry (PCI) Data Security Standard

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

Attestation of Compliance for Onsite Assessments Service Providers

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Credit Card Handling Security Standards

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

PCI DSS Presentation University of Cincinnati

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

The Petroleum Marketer s PCI compliance Reference Guide

Payment Card Industry Data Security Standard PCI DSS

Attestation of Compliance for Onsite Assessments Service Providers

Viterbo University Credit Card Processing & Data Security Procedures and Policy

La règlementation VisaCard, MasterCard PCI-DSS

Attestation of Compliance for Onsite Assessments Service Providers

PCI COMPLIANCE GUIDE For Merchants and Service Members

Payment Card Industry (PCI) Data Security Standard

Why Is Compliance with PCI DSS Important?

Catapult PCI Compliance

Project Title slide Project: PCI. Are You At Risk?

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

Information Technology

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI Data Security Standards

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

POLICY SECTION 509: Electronic Financial Transaction Procedures

Data Security, Fraud Prevention, and Cost Control. Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association

University of Virginia Credit Card Requirements

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

DalPay Internet Billing. Technical Integration Overview

Payment Card Industry Data Security Standards Compliance

Office of Finance and Treasury

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Payment Card Industry Data Security Standards.

Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014

Attestation of Compliance for Onsite Assessments Service Providers

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Payment Card Industry Data Security Standard (PCI DSS)

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

University Policy Accepting Credit Cards to Conduct University Business

UCSB Credit Card Processing and PCI Compliance

So you want to take Credit Cards!

Payment Card Industry (PCI) Data Security Standard

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Need to be PCI DSS compliant and reduce the risk of fraud?

Transcription:

CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old merchants that are working towards being more secure with the use of credit card information, ultimately leading to PCI-DSS compliance. www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 1

Contents Overview... 1 Definitions... 3 Card Issuer... 3 Card Not Present... 3 Card Present... 3 Card Security Code... 3 Chip and Pin... 3 Credit Card Number... 4 Data Security Standard (DSS)... 4 Gateways... 4 Level 1, 2, & 3 Data... 4 Merchant... 4 Payment Application DSS (PA-DSS)... 4 Payment Brand... 4 Payment Card Industry (PCI)... 4 Point of Sale (POS) Terminal... 4 Processors... 5 Tokenization... 5 Difference between PCI Compliance and PA-DSS Validation... 5 The 12 Requirements of the PCI DSS:... 5 Build and Maintain a Secure Network... 5 Maintain a Vulnerability Management Program... 5 Implement Strong Access Control Measures... 6 Regularly Monitor and Test Networks... 6 Maintain an Information Security Policy... 6 The Payment Process... 6 Process Diagram... 6 Notes... 7 Useful Links... 7 Find Applications and Companies that are PA-DSS Validated... 7 Payment Applications Data Security Standard (PA-DSS)... 7 Payment Card Industry Data Security Standard (PCI DSS)... 7 Open Web Application Security Project (OWASP)... 7 www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 2

Definitions In most places CardControl and SalesPad use the terms Processor and Gateway interchangeably. They are distinctly different entities. These are some definitions to better understand the process a transaction goes through to capture funds. Card Issuer Bank that issued the card. Could be the customer s bank, (ex. Bank of America) or one of the payment brands. Card Not Present When a credit card is processed without the card stripe information being sent to the Processor or Gateway. A swipe can still be used for card entry. This is typical for online or transactions processed over the phone. Card Present When a credit card is processed via a credit card swipe in the United States or a Chip and Pin transaction in other parts of the world. The track data from the mag strip is sent to the processor or gateway. Card Security Code An embossed number typically shown on the back of a credit card. This code is used to verify the physical presence of a credit card at the time a transaction is processed. The different payment brands have different names for this code, such as the following: MasterCard - Card Validation Code (CVC2) Visa - Card Verification Value (CVV2) Discover - Card Identification Number (CID) American Express (Amex) - Unique Card Code (CID) Chip and Pin Also known as EuroPay, MasterCard, Visa (EMV) cards, or smart cards. Cards that contain integrated circuits. The word "chip" refers to a computer chip embedded in the smartcard; the word PIN refers to a personal identification number that must be supplied by the customer. "Chip and PIN" is also used in a generic sense to mean any EMV smart card technology which relies on an embedded chip and a PIN. Chip and Pin is not commonly used in the United States. CardControl does not support Chip and Pin. www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 3

Credit Card Number Also known as the Primary Account Number (PAN), The 13, 15, or 16 digit number representing the credit card account. Data Security Standard (DSS) Also known as PCI-DSS, Security requirements for any merchant that chooses to process credit cards. There are several different versions of the DSS standard. CardControl is validated under DSS 2.0, DSS 1.2 is retired and DSS 3.0 is set to go into general use mid-2014. Gateways Application Programming Interfaces (APIs) for connecting to processors. These companies add various services on top of the processors that they connect with such as tokenization. Level 1, 2, & 3 Data There are differing levels of data that can be sent to a payment processor / gateway. What each level constitutes is different for each setup. The general guidelines are: Card info only the bare minimum information needed to charge a credit card Card info + Order Info Level 1 plus including information about the order such as order number, shipping and billing address information, etc. Card Info + Order Info + Order Detail Level 2 plus including Line item details, Tax, duty, commodity codes, etc. Level 3 is required for US federal government transactions. Merchant The company taking payment via a credit card. CardControl is the merchant s interface to the credit card processing world. Payment Application DSS (PA-DSS) Security validation that states that an application can help a merchant achieve PCI-DSS compliance. An application must be validated before being certified as PA-DSS Validated. Payment Brand Major Credit Card companies, Such as Visa, Discover, MasterCard, etc. Payment Card Industry (PCI) Trade group for credit card payment brands. Point of Sale (POS) Terminal A hardware device that will take a credit card swipe or chip and pin entry. www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 4

Processors Also called acquirers, these are the companies that actually contact the Card Issuer / Payment Brand to get funds for a transaction. Tokenization A way of storing a credit card number for later use. Instead of storing the card information in the merchant s database. The card is stored at the Gateway or Processor level. Difference between PCI Compliance and PA-DSS Validation PA-DSS v2.0 is the standard against which CardControl has been tested, assessed, and validated. PCI Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment. Obtaining PCI Compliance is the responsibility of the merchant and your hosting provider, working together, using PCI compliant server architecture with proper hardware & software configurations and access control procedures. The PA-DSS Validation is intended to ensure that CardControl will help you achieve and maintain PCI Compliance with respect to how CardControl handles user accounts, passwords, encryption, and other payment data related information. The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process, or transmit cardholder data. The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed, or transmitted. The 12 Requirements of the PCI DSS: Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect Stored Data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 5

Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security The Payment Process The payment process is the most complex process of taking payments. Understanding of this process can allow merchants to save money once their setup is optimized. Process Diagram 1. The consumer chooses the credit card they would like to use to pay for their order. a. This process may involve swiping their card at a POS terminal, typing their card information into a web application, or reading the card information to a Customer Service Rep over the phone. b. At this point the sensitive information PAN, Expiration date, card security code, etc. are sent 2. The Merchant sends the sensitive credit card information to their Processor or Gateway to process the transaction a. If the merchant is using a gateway then the data is sent to the gateway. b. The gateway sends the data to the processor the merchant has configured in the account with the gateway. 3. The processor contacts the Payment brand based on the type of card provided. www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 6

4. The payment brand contacts the issuing bank to determine if there is enough balance available to process the transaction. a. If the issuing bank approves the transaction, that approval is sent back along the chain back to the merchant. Notes While a transaction has been approved the money does not instantly transfer from the Consumer s bank account to the merchant s. o The processor, gateway, and issuing bank must all run settlement before the money can be transferred. o For this reason, it may take a day or two for money to show up in the merchant s accounts. Each step in this process requires resources. Each step also increases the percentage of the payment the merchant pays to process the transaction. If a merchant can reduce the number of steps then their rate will be lower. (I.e. it is better to go directly to a processor than use a gateway, the tradeoff is that is extremely difficult to integrate with a processor.) The more information that is sent & supported by a gateway or processor the more secure a transaction will be considered. When more information is sent rates are typically lower. See Level 1, 2, & 3 data. Useful Links Find Applications and Companies that are PA-DSS Validated https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php Payment Applications Data Security Standard (PA-DSS) https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml Open Web Application Security Project (OWASP) http://www.owasp.org www.salespad.net (616) 245-1221 Credit Card Processing 101 Updated October 2015 Page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information