What a Processor Needs from a University to Validate Compliance


What a Processor Needs from a University to Validate Compliance
Lisa T. Conroy, Merchant Compliance Manager, Vantiv
May 24, 2016

Disclosures: The information included in this presentation is for information purposes only, and is not intended as legal or financial advice. The information does not amend or alter your obligations under your agreement with Vantiv, or under the operating regulations of any credit card or debit card association. This presentation is based upon information available to Vantiv as of the date of this communication. It is important that you continue to stay current with changing industry requirements.

Agenda
- Define industry participants and their roles
- Reiterate key points on PCI DSS applicability
- Define merchant levels and validation tools
- Discuss the validation and reporting process
- Explain the Visa small merchant data security mandates
- Describe validation enforcement, fines, and extensions
- Review service provider levels and validation

The Players

PCI Security Standards Council (PCI SSC): a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
- Standards under management: PCI DSS (merchants and service providers); PA DSS (software application developers); PTS (hardware manufacturers); P2PE (merchants and solution providers)
- Training and certification programs: QSA, PA QSA, P2PE QSA, ASV, PFI, ISA, QIR, PCI-P, PCI Awareness, Acquirer
- Lists of approved entities and solutions: PA DSS applications, PTS devices, P2PE solutions

The Card Brands
- Founding members of the PCI SSC
- Executive Committee of the PCI SSC
- Maintain enforcement programs: Amex DSOP, Discover DISC, MasterCard SDP, and Visa CISP
- Create security mandates

Acquirers & Processors
- May or may not be the same entity
- Acquirers are responsible for ensuring merchants comply with the PCI DSS
- Processors support acquirers with merchant education and with helping merchants understand PCI DSS compliance validation

Compliance Validation Steps

Key Points to Remember
- It's an industry standard: PCI DSS applies to everyone, service providers and merchants of all sizes!
- Even if you outsource some or all of your card processing, PCI compliance and validation still apply
- It applies to all systems that store, process, or transmit cardholder data, not just the ones for which you have been explicitly told to validate compliance
- Going through the validation process is the best way to understand whether you are compliant

Compliance vs. Validation
Validation: a snapshot of your compliance status
- Entails completion of the Self-Assessment Questionnaire (SAQ) or an on-site audit (depending on your merchant level) in order to validate that your organization is compliant according to PCI DSS requirements
- Also requires the quarterly submission of external network vulnerability scans
Compliance: ongoing security controls and procedures that help to protect your business on a 24/7 basis
- Entails continual adherence to the PCI DSS requirements
Validation does not necessarily mean compliance. Validation documentation must be available to the card associations upon their request and for audit purposes.

Visa & MasterCard Merchant Levels
- Level 1: Any merchant processing 6 million or more Visa or MasterCard transactions per year, regardless of acceptance channel. Also, any merchant the card brands deem Level 1.
- Level 2: Any merchant, regardless of acceptance channel, processing 1 to 6 million Visa or MasterCard transactions per year
- Level 3: Any merchant processing 20,000 to 1 million e-commerce Visa or MasterCard transactions per year
- Level 4: All other merchants, regardless of acceptance channel
Level 4 merchants also have compliance requirements. Level 1 merchants have more rigorous compliance validation requirements.

Amex & Discover Merchant Levels
American Express:
- Level 1: 2.5 million or more American Express Card transactions per year (or if you've been selected as a Level 1 by American Express)
- Level 2: 50,000 to 2.5 million American Express Card transactions per year (service providers: less than 2.5 million transactions)
- Level 3 Designated: Less than 50,000 American Express Card transactions per year and designated by American Express as being required to submit validation documents (merchants only; does not apply to service providers). American Express will contact these designated merchants and provide them details for reporting their security status by submitting PCI validation documents.
- Level 3: Less than 50,000 American Express Card transactions per year (merchants only; does not apply to service providers)
Discover:
- Level 1: All merchants processing more than 6 million card transactions annually on the Discover network; any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant
- Level 2: All merchants processing between 1 million and 6 million card transactions annually on the Discover network
- Level 3: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network
- Level 4: All other merchants

Merchant Validation
*Note: Due to MasterCard Site Data Protection (SDP) program rules, all Level 1 and 2 merchants that elect to perform their own validation assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order to continue validation in this manner.

Who Determines Merchant Level?
- Acquirers/processors are responsible for classifying merchants appropriately
- Periodic volume queries covering the prior 12 months
- Sends formal notification to the merchant with validation requirements and timeline
- Notifies applicable card brands of reclassification

Validation Considerations for Higher Education Merchants
TALK TO YOUR ACQUIRER OR PROCESSOR!
- Consider working with a QSA
- Single assessment or separate SAQ per location
- Connectivity arrangements
- Single merchant agreement or multiple

Self-Assessment Questionnaires (SAQ)

What Happens After I Submit My Validation Documentation to My Processor?
Review, Reply, Resolve, Report

Validation Enforcement & Extension Requests
- Potential fines are most likely in connection with Level 1s, 2s, and 3s
- Fines are levied at the corporate/university level
- Fines typically recur monthly or quarterly until resolved
- Submit extension requests through your acquirer or processor for consideration by the brands

New Visa Small Merchant Mandates https://usa.visa.com/dam/vcom/download/merchants/bulletin-small-merchant-security-faq.pdf

Level 4 Merchant Validation
- Scalability challenges
- Programs: partner with a QSA/ASV firm for an online validation portal and help desk support; implement non-validation fee programs
- Will be pushing secure technologies now more than ever: EMV, P2PE, tokenization, etc.

Service Providers

Third-Party Compliance
- Requirement 12.8 addresses third-party compliance within the PCI DSS requirements
- The merchant is responsible for monitoring the compliance status of third parties and ensuring the use of appropriate contractual language
- Use of a gateway/service provider does not exempt the merchant from compliance requirements
- Potential to use SAQ A only IF all storing, processing and transmitting of cardholder data is fully outsourced to a third party AND the merchant is exclusively card-not-present.

Service Provider Validation
Service provider levels and validation actions:
- Level 1: Any processor directly connected to Visa or MasterCard, or any service provider that stores, processes and/or transmits over 300,000 transactions per year
  - On-site security audit conducted by a QSA: Report on Compliance (ROC) required annually
  - Self-Assessment Questionnaire: not applicable
  - Network vulnerability scans: required quarterly
- Level 2**: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
  - On-site security audit conducted by a QSA: not applicable
  - Self-Assessment Questionnaire: required annually
  - Network vulnerability scans: required quarterly
**Effective February 1, 2009, Level 2 service providers were no longer listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.

Service Provider Considerations
- Where possible, use only providers that have engaged a QSA for validation
- If you have a Level 2 service provider that self-validated, only accept SAQ D
- Their areas of non-compliance are your risk
- If a provider states they cannot afford some aspect of compliance or validation, you may want to consider one that can
- Carefully review your contracts with service providers

Final Thoughts and Resources

Next Steps
- Talk to your processor
- Consider PCI SSC training programs
- If you are not validating compliance today, get started now!
- Evaluate and implement secure technologies

Helpful PCI Resources
PCI Security Standards Council, www.pcisecuritystandards.org
- PCI DSS, PA DSS, PTS, & P2PE standards
- Downloadable Self-Assessment Questionnaires
- List of ASVs, QSAs, PFIs, PA QSAs, QIRs, etc.
- List of PA DSS validated payment applications, validated P2PE solutions, validated PTS devices
- Searchable FAQ tool
- PCI supporting documents
Visa CISP website, www.visa.com/cisp
- Merchant & service provider levels defined
- List of CISP compliant service providers
- Important alerts, bulletins and webinars
MasterCard SDP website, www.mastercard.com/sdp
- Merchant & service provider levels defined
- List of CISP compliant service providers
- PCI 360 Merchant Education Program: on-demand educational webinars

Thank You! Questions?