Credit Card Processing, Point of Sale, ecommerce


Credit Card Processing, Point of Sale, ecommerce: Compliance, Self Auditing, and More. John Benson, Kurt Willey

HACKS

REGULATIONS

Greater Risk for Merchants

Topics: Compliance Changes, Scans, Self Audits

PCI DSS

PCI DSS Payment Card Industry Data Security Standard Applies to all organizations that accept, transmit, or store cardholder data.

PCI DSS: Assess, Remediate, Report

PCI DSS

Six control objectives:
Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Twelve requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

398 tests, normally administered annually by a qualified security assessor (QSA).

Self Assessment: a subset of the PCI DSS questions.

PCI Compliance Changes in 2015

EMV Mandate (EMV: Europay, MasterCard, Visa)

Magnetic stripes contain static data.

Once compromised, they are easily duplicated.

Chip-based cards generate a new code for every transaction.

So, stolen transaction codes are useless.
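The contrast the slides draw between static stripe data and a per-transaction chip code, as an added Python illustration that is not part of the original deck: the "chip code" is an HMAC over the transaction details plus an application transaction counter (ATC), a simplified stand-in for the EMV cryptogram rather than the real EMV algorithm, and the card key, track data and amounts are constructed for the example. The issuer model requires a strictly increasing ATC and a valid MAC, so a captured chip code presented a second time, or with an altered amount, is declined, while a copied stripe is indistinguishable from the original.

```python
"""Added illustration (not from the slides): why static magnetic-stripe data can
be replayed while a per-transaction chip code cannot.

The 'chip code' here is an HMAC over the transaction details plus an
application transaction counter (ATC). It is a simplified stand-in for the EMV
cryptogram, not the real EMV algorithm; keys and track data are constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample key shared by the card chip and the issuer (not a real key).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass
class StaticStripeIssuer:
    """Magnetic stripe model: the track data never changes, so the issuer can
    only check that it matches what is on file. A copy is indistinguishable
    from the original."""
    track_on_file: str

    def authorize(self, track: str, amount: int) -> bool:
        return hmac.compare_digest(track, self.track_on_file)


@dataclass
class ChipCard:
    """Chip model: every transaction increments the ATC and signs it."""
    key: bytes
    atc: int = 0

    def make_cryptogram(self, amount: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        msg = f"{self.atc}|{amount}|".encode() + unpredictable_number
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"atc": self.atc, "amount": amount, "un": unpredictable_number, "mac": mac}


@dataclass
class ChipIssuer:
    """Issuer verifies the MAC and requires a strictly increasing ATC, so a
    cryptogram captured from one transaction is rejected if presented again."""
    key: bytes
    last_atc: int = 0

    def authorize(self, tx: dict) -> bool:
        if tx["atc"] <= self.last_atc:
            return False  # already seen (replay) or out of order
        msg = f"{tx['atc']}|{tx['amount']}|".encode() + tx["un"]
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # tampered details or wrong key
        self.last_atc = tx["atc"]
        return True


def replay_static_stripe() -> tuple[bool, bool]:
    """A purchase, then the same captured track data presented again."""
    track = "TRACK2-PLACEHOLDER"  # constructed stand-in, not real card data
    issuer = StaticStripeIssuer(track_on_file=track)
    return issuer.authorize(track, 2500), issuer.authorize(track, 2500)


def replay_chip_cryptogram() -> tuple[bool, bool]:
    """A purchase, then the identical captured cryptogram presented again."""
    card, issuer = ChipCard(CARD_KEY), ChipIssuer(CARD_KEY)
    tx = card.make_cryptogram(2500, secrets.token_bytes(4))
    return issuer.authorize(tx), issuer.authorize(dict(tx))


def tampered_amount_is_rejected() -> bool:
    """Changing the amount after the card signed it invalidates the MAC."""
    card, issuer = ChipCard(CARD_KEY), ChipIssuer(CARD_KEY)
    tx = card.make_cryptogram(2500, secrets.token_bytes(4))
    tx["amount"] = 250_000
    return not issuer.authorize(tx)


if __name__ == "__main__":
    print("stripe (first, replay):", replay_static_stripe())
    print("chip   (first, replay):", replay_chip_cryptogram())
    print("chip tampered rejected:", tampered_amount_is_rejected())
```

The stripe issuer returns (True, True): the replayed copy is accepted because nothing in the data distinguishes it. The chip issuer returns (True, False): the second presentation carries an ATC the issuer has already consumed. In the real protocol the issuer also checks the terminal's unpredictable number and other fields, but the replay defence rests on the same idea, a counter and a key-bound code the stripe never had.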

Liability Shift

Now: liability for in-store fraud with a counterfeit or stolen card falls to the payment processor or card issuer.

October 2015: fraud liability shifts to the least compliant party, which can include the merchant.

Examples of the least compliant party:
- A card issuer who has not issued EMV-compliant cards.
- A processor who has not made chip-based card compatible terminals available.
- A merchant who has not implemented chip-based card compatible terminals even though they are available.

EMV Key Dates Chart - Card Networks (Visa, MasterCard, American Express, Discover)

October 2012
- Visa will extend the Technology Innovation Program (TIP) to merchants in the U.S., potentially allowing them to skip the annual PCI DSS validation for any year in which at least 75% of merchant Visa transactions originate from dual-interface EMV chip enabled devices, plus other qualification criteria such as being PCI DSS compliant.
- PCI assessment relief takes effect.

December 31, 2012
- Discover will institute Fraud Liability Shift for Diners Club International.

April 2013
- Acquirers/processors will be required to support merchant acceptance of EMV chip transactions.
- Acquirers and sub-processor mandate to fully process EMV transactions. Cross-border Maestro ATM liability shift to non-EMV ATMs.
- Processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions.
- Discover merchant acquirers, acquiring processors, and merchants with direct connections into its network must be certified as able to support the network data needed in contact and contactless EMV chip card transactions. The mandate applies not only in the U.S., but also in Canada and Mexico.

October 2013
- MasterCard Account Data Compromise (ADC) relief takes effect (50%). On this date, if at least 75% of MasterCard transactions originate from EMV-compliant contact and contactless POS terminals, the merchant is relieved of 50% of account data compromise penalties.
- Merchants will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchants' point-of-sale (POS) acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions.
- Discover will grant annual PCI audit waivers for merchants that process 75% of Discover Network transactions via terminals supporting both contact and contactless payments.

October 2015
- The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card-present counterfeit fraud losses. Does not include automated fuel dispensers (AFD).
- MasterCard ADC relief takes effect (100%). On this date, if at least 95% of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100% of account data compromise penalties. MasterCard liability hierarchy takes effect (excluding fuel).
- American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.
- October 1, 2015: Discover will institute a Fraud Liability Shift (in U.S., Canada and Mexico). This Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security.

October 2017
- Deadline for automated fuel dispensers (AFD) to comply.
- MasterCard liability hierarchy takes effect for fuel dispensers.
- FLS takes effect for transactions generated from automated fuel dispensers.
- October 1, 2017: Fraud Liability Shift takes effect for transactions generated from automated fuel dispensers.


PCI 3.0 Update

New requirement for service providers with remote access to customer premises to use unique authentication credentials for each customer. Effective July 1, 2015.

New requirement to implement a methodology for penetration testing. Effective July 1, 2015.

New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015.
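What "coding practices to protect against broken authentication and session management" look like in practice, as an added Python example that is not from the slides or from any PCI SSC material: an in-memory session store that issues unguessable ids from the OS CSPRNG, rotates the id when a user authenticates (so an id issued before login never becomes an authenticated session, the session fixation problem), expires sessions on idle and absolute timeouts, invalidates server-side on logout, and sets the cookie with Secure, HttpOnly and SameSite. The timeout values, the user name and the injectable clock are assumptions for the example.

```python
"""Added example (not from the slides): session-management practices that
address the PCI DSS 3.0 requirement to code against broken authentication and
session management. Framework-agnostic, in-memory; timeout values are assumed."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds; assumed value for the example
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds; assumed value for the example


@dataclass
class Session:
    user: str          # "" while the session is anonymous (pre-login)
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: unguessable, never derived from user data
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user="", created=now, last_seen=now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the id on authentication: an id issued before login (which
        could have been supplied by a third party, the session fixation
        problem) is discarded and never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session, expiring it on idle or absolute timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the browser cookie alone is not enough
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Cookie attributes: TLS only, not readable by script, not sent cross-site."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_scenario(clock: Callable[[], float] = time.time) -> dict:
    """Walk through: anonymous id -> login rotates the id -> the old id is dead."""
    store = SessionStore(clock)
    pre = store.create_anonymous()
    auth = store.login(pre, "cashier01")  # constructed user name
    return {
        "rotated": pre != auth,
        "old_id_dead": store.lookup(pre) is None,
        "user": store.lookup(auth).user,
    }


if __name__ == "__main__":
    print(fixation_scenario())
    print(session_cookie("<id>"))
```

The two properties a tester most often finds missing are the rotation in login and the server-side invalidation in logout; the cookie attributes are the third. A production store would live in a shared backend rather than a process dictionary, but the checks stay the same.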

SCANS

SELF AUDITS

Step 1: Determine Merchant Level & Requirements

Step 2: PCI DSS or Which Self Assessment?

ecommerce

SAQ A (14 DSS questions included): ecommerce or telephone orders; no POS system; card NOT present; CHD NOT stored; website AND payment processing fully hosted by a PCI-approved vendor.

SAQ A-EP (139 DSS questions included): ecommerce or telephone orders; no POS system; card NOT present; CHD NOT stored; payment processing hosted by a PCI-approved vendor, but the payment form is part of a website that is not hosted by a PCI-approved vendor.

Face to Face

SAQ B (41 DSS questions included): imprint machines with no electronic cardholder data storage and/or standalone dial-out terminals with no electronic cardholder data storage; no POS system; card present; CHD NOT stored.

SAQ B-IP (83 DSS questions included): standalone payment terminals with an IP connection to the payment processor, point-of-sale terminal security (PTS) approved; no POS system; card present; CHD NOT stored.

SAQ C-VT: single transactions entered one at a time via keyboard into an internet-based virtual terminal solution provided by a PCI DSS validated third-party service provider; POS system; card present; CHD NOT stored.

SAQ C: internet-connected payment application system; POS system; card present; CHD NOT stored.

Understanding the SAQs for PCI DSS v3.0

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS self-assessment. The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Detailed descriptions for each SAQ are provided within the applicable SAQ.

Note: Entities should ensure they meet all the requirements for a particular SAQ before using the SAQ. Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) to identify the appropriate SAQ based on their eligibility.

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP*: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP*: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.

* New for PCI DSS v3.0

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede PCI SSC Security Standards or their supporting documents. 2014 PCI Security Standards Council, LLC. All Rights Reserved.

Step 3: Complete the Assessment

Step 4: Arrange for Quarterly Network Scan

Step 5: Submit Reports and Results

RECAP

1. Budget for POS upgrades.
2. Understand your level and appropriate self-assessment questionnaire.
3. Arrange for quarterly scans from an ASV.