Merchant guide to PCI DSS



Similar documents
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

An article on PCI Compliance for the Not-For-Profit Sector

How To Protect Your Business From A Hacker Attack

Payment Card Industry Data Security Standards.

PCI DSS. CollectorSolutions, Incorporated

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PCI Compliance: How to ensure customer cardholder data is handled with care

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI Compliance. Top 10 Questions & Answers

Frequently Asked Questions

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

SecurityMetrics Introduction to PCI Compliance

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI Compliance Top 10 Questions and Answers

Becoming PCI Compliant

Payment Card Industry Data Security Standard

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Adyen PCI DSS 3.0 Compliance Guide

PAI Secure Program Guide

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

La règlementation VisaCard, MasterCard PCI-DSS

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Payment Card Industry Data Security Standard

PCI DSS. Payment Card Industry Data Security Standard.

Why Is Compliance with PCI DSS Important?

How To Ensure Account Information Security

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Achieving PCI Compliance for Your Site in Acquia Cloud

Your Compliance Classification Level and What it Means

How To Protect Your Credit Card Information From Being Stolen

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

PCI Data Security Standards

PCI Security Compliance

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Josiah Wilkinson Internal Security Assessor. Nationwide

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

PCI Compliance: Protection Against Data Breaches

Understanding Payment Card Industry (PCI) Data Security

PCI DSS Compliance Information Pack for Merchants

Two Approaches to PCI-DSS Compliance

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Project Title slide Project: PCI. Are You At Risk?

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

And Take a Step on the IG Career Path

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

How To Protect Visa Account Information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Registration and PCI DSS compliance validation

Payment Card Industry Data Security Standards Compliance

PCI Standards: A Banking Perspective

Payment Card Industry Data Security Standards

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

A Compliance Overview for the Payment Card Industry (PCI)

Third Party Agent Registration and PCI DSS Compliance Validation Guide

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

The PCI DSS Compliance Guide For Small Business

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

FAQ s. SaferPayments. Be smart. Be compliant. Be protected. The benefits of compliance SaferPayments Non-compliance fees

PCI DSS Compliance Services January 2016

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Information Technology

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Credit Card Processing, Point of Sale, ecommerce

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

SecurityMetrics. PCI Starter Kit

Property of CampusGuard. Compliance With The PCI DSS

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Transcription:

Merchant guide to PCI DSS

Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does the BOIPA Simple PCI DSS programme include?... 4 How does a business become compliant?... 4 There are 4 different levels to determine PCI validation requirements... 4 There are 12 broad requirements to complying with PCI DSS... 5 Common objections businesses have about PCI... 5

What is PCI DSS and why was it introduced? PCI DSS stands for the Payment Card Industry Data Security Standard. This standard is managed by the Payment Card Industry Security Standards Council. PCI DSS is a set of minimum security requirements to help handle payment information securely. It was developed by the major payment card brands (MasterCard, Visa, Amex, Discover & JCB) in 2004. Any business accepting cards for payment of goods or services must be compliant with PCI DSS. BOI Payment Acceptance (BOIPA), like most Acquirers, have outsourced their PCI DSS programme to a specialist company Sysnet. They operate the customer portal, communications, and attestation on our behalf. The BOIPA PCI programme is called Simple PCI DSS. Note: BOIPA are one of the few Acquirers who do not charge customers fees for PCI. Who needs to become PCI DSS compliant? If you accept payments by Credit or Debit card you are affected. Any business that stores, processes or transmits any cardholder data must take responsibility for PCI and achieve compliance. BOIPA Simple PCI DSS - 3 step approach to helping businesses Merchants logon to the Simple PCI DSS portal and answer some questions The questions focus around how your business is set up to handle credit and debit card payments. Using dynamic profiling, you are only asked questions relevant to your business in order to figure out your security risk level. Merchants are assisted in understanding how to protect their business To help businesses understand and identify areas of your business that might be at risk, you will are brought through the security assessment that matches your business type, including any scanning if needed. Merchants will finally be asked to confirm and validate their compliance You will be asked to confirm and validate all of your responses and any tasks you were required to undertake. This is referred to as your Attestation of Compliance (AoC).

What does the BOIPA Simple PCI DSS programme include? 1. Dedicated online portal (https://simplepcidss.eu/services/login/login) 2. Dedicated program helpdesk with telephone and online chat support 3. Security & compliance advice and assistance How does a business become compliant? To report your PCI DSS compliance, businesses need to identify and complete the appropriate Self-Assessment Questionnaire (SAQ) for your business type. You also must ensure security controls are in place at all times to maintain your compliance. Securing your business requires the following steps: Analysis of business practice and processes Research of appropriate security solutions Implementing and maintaining security solutions. Core to this is protecting your customers payment card data. Customers trust businesses to keep their information safe and you should repay that trust with, at the very least, compliance with PCI DSS. There are 4 different levels to determine PCI validation requirements These levels are prescribed by the card schemes. See the table below to understand the different levels and the compliance requirements within each. Level Criteria Validation requirement 1 Any merchant processing in excess of 6 Million Annual Report on Compliance (ROC) (by either a Qualified MasterCard OR Visa transactions a year, regardless Security Assessor, or qualified internal security resource) of acceptance channel. Compliant quarterly network scan by Approved Scan Any merchant that has lost data due to a security Vendor (ASV) breech or hacking with the last 12 months. Attestation of Compliance Form 2 Any merchant processing between 1 and 6 Million Annual Report on Compliance (ROC) (by either a Qualified MasterCard OR Visa transactions a year, regardless Security Assessor, or qualified internal security resource) of acceptance channel Compliant quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance Form 3 Any e-commerce merchant processing between Annual Self-Assessment Questionnaire (SAQ) 20,000 and 1 Million MasterCard OR Visa Compliant quarterly network scan by ASV transactions a year Attestation of Compliance Form 4 Merchants processing fewer than 20,000 Visa or Level 4 merchants register compliance through our Simple MasterCard ecommerce transactions annually and all other merchants processing up to one million Visa or MasterCard transactions annually. Merchants currently in scope of deadlines are those who process fewer than 1 million Visa ecommerce transactions per year PCI DSS merchant portal https://simplepcidss.eu/services/login/login

There are 12 broad requirements to complying with PCI DSS Build and maintain a secure computer network 1. Install and maintain a security protection programme (known as a firewall configuration) to protect the card data you may hold 2. Do not use computer passwords that have been provided by external suppliers or businesses. Ensure you issue your own unique passwords and security measures Protect cardholder data 3. Protect stored data but do not store card and transaction data unnecessarily. Such as: The full card number, The contents of any information within the magnetic strip, The card security code (CVV2), The PIN if you operate an ATM machine. 4. If you are sending out card data or sensitive information by email you must always ensure that you encrypt it. If you are using the postage system, you should ensure it is at least by registered post which requires signed receipt upon delivery. Maintain an IT vulnerability management program 5. Use and regularly update anti-virus software 6. Develop and maintain secure computer systems and applications Implement robust control measures / Control access to card data 7. Only access card data when there is a business requirement 8. Assign a unique ID to each member of your staff who has computer access 9. Restrict physical access to the storage area where the cardholder data is kept. Regularly monitor and test your computer networks 10. Regularly check to see who accesses your computers and cardholder data that you hold. 11. Regularly test your security systems and processes. Make information security a priority 12. Create and maintain your own security policy to ensure you remain compliant with PCI DSS guidance. Common objections businesses have about PCI 1 Why do I have to do this, isn t my terminal secure? Having a PCI validated POS solution helps with the annual PCI DSS assessment, however, it does not guarantee PCI DSS compliance. Every business has a responsibility to ensure that the relevant policies, procedures and controls are in place (& practiced) to minimise exposure and reduce the likelihood of a breach.

2 How often do I have to comply with PCI DSS? Annually. This is to ensure businesses are maintaining compliance with the standard, and to identify if anything new has come into scope for the assessment as a result of growth and/or expansion. For example: The introduction of an ecommerce site or the addition of a new premises will affect the risk factors. 3 I outsource all my cardholder data functions via a third party service provider, do I still need to do this? Outsourcing cardholder data functions to a third-party service provider does not exclude a business from PCI DSS compliance. It may reduce the scope and effort involved in the annual assessment, providing the third party is PCI DSS compliant. 4 What happens if I don t comply with the PCI DSS? Not being compliant with the PCI DSS can leave a business at risk of a data breach and related costs. These can be quite substantial and can include: card scheme fines and card replacement costs. Other factors include: reputational damage and loss of customer confidence not to mention businesses being vulnerable to lawsuits and audits. Payment Acceptance is provided by EVO Payments International GmbH trading as BOI Payment Acceptance. Underwriting Criteria, Terms and Conditions apply. EVO Payments International GmbH, trading as BOI Payment Acceptance is licenced by the Federal Financial Supervisory Authority BaFin (Bundesanstalt fur Finanzdienstleistungsaufsicht) in Germany and is regulated by the Central Bank of Ireland for conduct of business rules. EVO Payments International GmbH (trading as BOI Payment Acceptance) is not a member of the Bank of Ireland Group. BOI Payment Acceptance has entered into a marketing alliance with the Bank of Ireland. BOI and the Tree of Life logo are trademarks of The Governor and Company of the Bank of Ireland and are being used under licence by EVO Payments International GmbH, trading as BOI Payment Acceptance.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information