Process of Setting up a New Merchant Account

Table of Contents
PCI DSS ... 3
Who to contact? ... 3
Background on PCI ... 3
Why comply? ... 3
How to comply? ... 3
PCI DSS Scope ... 4
Does PCI DSS Apply to Me? ... 4
What if I am not compliant? ... 4
What is UBC e-payment (previously Consolidated Billing Module)? ... 4
PROCESS TO SET UP A NEW MERCHANT ACCOUNT ... 5
PROCESS 1 ... 5
PROCESS 2 ... 6
Sample of Cardflow Process ... 7
PROCESS 3 ... 8
PROCESS 4 ... 8
PROCESS 5 ... 8
PCI DSS Self-Assessment Questionnaire (SAQ) ... 9
SAQ Documents ... 10
Merchant Levels ... 11
Guidelines for Cardholder Data Elements ... 12
Appendix A: Merchant Payment Process Confirmation ... 13
Setting up a New Merchant Account Page 2
PCI DSS
Payment Card Industry Data Security Standard

Who to contact?
- Raul Ramos of Finance for PCI compliance requirements
- Michele Benitez of Revenue Accounting for merchant account set up (after PCI compliance)

Background on PCI
- PCI Security Standards Council (PCI SSC or the Council) was launched in September 2006 by the major payment brands: Visa, MasterCard, AMEX, Discover and JCB International
- A global forum for ongoing development and enhancement of security standards for account data protection, including the PCI DSS
- The goal of PCI DSS is to protect cardholder data that is processed, stored or transmitted by merchants, in order to thwart theft of cardholder data and prevent fraud
- PCI DSS covers security systems and networks that store, process or transmit card data; it covers credit card transactions only, NOT bank debit cards
- Exceptions are the new VISA and MasterCard debit transactions, which are covered by PCI DSS

Why comply?
- Prevent thieves from stealing credit card data and using it to commit fraud.
- Fraud and cardholder data compromise impact consumer confidence and damage your reputation as a merchant

How to comply?
- Minimize or eliminate the amount of stored credit card data (electronically or on paper) to reduce your risk and scope. Don't store it if you don't need it
- Protect credit card data that is stored
PCI DSS Scope
PCI DSS requirements are applicable if a Primary Account Number (PAN) or credit card number is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply. Refer to guidelines on page 14.

PCI DSS applies to all systems and networks that store, process and/or transmit cardholder data and connected systems, including:
- All external connections to the entity's network
- All connections to and from the authorization and settlement environment
- Point of sale (POS) environment

PCI DSS requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

Does PCI DSS Apply to Me?
- PCI standards apply to all organizations/entities that store, process or transmit cardholder data
- The security standards apply to all types of payments, including in-person, mail, telephone and e-commerce web transactions
- PCI compliance is required for any merchant that accepts payment cards, even if the quantity of transactions is just one

What if I am not compliant?
- UBC merchants will be responsible for and bear all costs related to becoming PCI DSS compliant
- In the event of a security breach/data compromise, the UBC merchant involved pays all costs (i.e. forensics investigation, remediation costs, fines/penalties, litigation costs, etc.)

What is UBC e-payment (previously Consolidated Billing Module)?
- UBC Information Technology (UBC IT) has developed several web payment services, known as UBC e-Payment, for UBC merchants to process credit card and Interac Online payments for UBC business transactions
- Merchants are requested to consider UBC e-payment before exploring other payment processes or securing a payment application from an external service provider
- UBC E-Payment users are obliged to sign a Terms of Use Agreement and/or Service Level Commitment (SLC) to monitor changes in procedures and to adhere to PCI compliance standards
- For more information, see http://www.it.ubc.ca/service_catalogue/admin_sys/epayment.html
PROCESS TO SET UP A NEW MERCHANT ACCOUNT

PROCESS 1: Merchant Business Owners should educate themselves with the PCI DSS policy.
- PCI standards apply to all organizations/entities that store, process or transmit cardholder data
- All UBC merchants that process, store or transmit credit card data as payments to the University and/or operate point of sale (POS) systems must be in compliance with PCI DSS v.1.2.2 (v.2.0 at January 1, 2012)
- The security standards apply to all types of payments, including in-person, mail, telephone and e-commerce web transactions
- PCI compliance is required for any merchant that accepts payment cards, even if the quantity of transactions is just one

Resources:
- PCI DSS policy - https://www.pcisecuritystandards.org/merchants/
- UBC Policy 106 - http://universitycounsel.ubc.ca/files/2010/08/policy106.pdf
- UBC PCI Compliance - http://www.finance.ubc.ca/ap/pcicompliance-main.cfm
- UBC IT Security Policies - http://www.it.ubc.ca/service_catalogue/information_security/security/security_policies.html
- UBC PCI Compliance Resources - http://it.ubc.ca/service_catalogue/information_security/security/pci-compliance-resources.html
PROCESS 2: Merchant documents the cardflow process.
Refer to the PCI DSS Requirements for guidance in documenting the cardholder data flow - https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf. The PCI DSS is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of 12 steps that mirror best security practices.

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

The merchant identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE). The results may be a diagram or an inventory of cardholder data locations (see sample on page 9). The merchant retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or reference during the next annual PCI assessment activity.
Sample of Cardflow Process
[Cardflow diagram; image not reproduced in this text]
PROCESS 3: Merchant determines the Merchant and SAQ level of their payment process.
- Contact UBC's Qualified Security Assessor (QSA), if necessary through Finance (Raul Ramos)
- The merchant is responsible for the cost of the QSA's fee
- Document a plan for attaining compliance that reasonably meets the compliance objectives for the SAQ
- Submit the documentation from Process 2, the QSA confirmation of SAQ level and the plan of compliance to the PCI Working Group for approval
- Refer to the SAQ description on page 9. Refer to Merchant Levels on page 11.

PROCESS 4: Merchant passes validation and completes the SAQ
- Merchants are required to complete the Merchant Payment Processing Confirmation form (refer to Appendix A)
- SAQ A and B merchants are required to complete the SAQ but are not validated by the QSA
- SAQ C and D merchants are required to complete the SAQ and are validated by the QSA
- A copy of the Service Provider agreement is to be countersigned in Finance
- Refer to SAQ instructions and documents on page 10.
IMPORTANT: No new account will be opened unless Telus signs off that the merchant payment process is PCI compliant prior to going live.

PROCESS 5: Merchant account can be activated.
- The new account will be set up by Revenue Accounting (Michele Benitez) after all requirements from Process 1 to 4 are met and satisfied.
- Fill out the UBC Merchant Account Request Form and submit it to Michele Benitez - http://www.finance.ubc.ca/ra/documents/ubcmerchantaccountrequestformv4.pdf
PCI DSS Self-Assessment Questionnaire (SAQ)
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
The questionnaire level determines how thorough you need to be to become compliant.

Validation Type 1 - SAQ A (13 questions)
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions. The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant. Merchant does not store any cardholder data in electronic format, and if Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

Validation Type 2 - SAQ B (26 questions)
Imprint-only merchants with no cardholder data storage. Merchant uses only an imprint machine to imprint customers' payment card information and does not transmit cardholder data over either a phone line or the Internet.

Validation Type 3 - SAQ B (26 questions)
Stand-alone dial-up terminal merchants, no cardholder data storage. Merchant uses only standalone, dial-up terminals; and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment. Merchant does not store cardholder data in electronic format, and if Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.

Validation Type 4 - SAQ C (41 questions)
Merchants with payment application systems connected to the Internet, no cardholder data storage. Merchant has a payment application system and an Internet or public network connection on the same device. The payment application system/internet device is not connected to any other system within the merchant environment. Merchant does not store cardholder data in electronic format, and if Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically. Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.

Validation Type 5 - SAQ D (238 questions)
All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete a SAQ.
SAQ Documents
- SAQ Instructions and Guidelines v2.0 - https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
- SAQ A v2.0 -
- SAQ B v2.0 -
- SAQ C v2.0 -
- SAQ C-VT v2.0 -
- SAQ D v2.0 -
Merchant Levels
The merchant level determines whether or not you need to be compliant and how much expensive help you must buy to become compliant. There are four merchant levels, with 1 being the largest/most difficult, and four being the least stringent/easiest to comply with:

Level 1: Any merchant, regardless of acceptance channel, who:
- Processes over 6 million Visa or MasterCard transactions per year
- Has suffered a hack or an attack that resulted in data compromise
- Has been identified by Visa, MasterCard, or any other payment card brand as Level 1

Level 2: Any merchant who processes 1 million to 6 million Visa or MasterCard transactions, regardless of acceptance channel

Level 3: Any merchant who processes 20,000 to 1 million Visa or MasterCard e-commerce transactions

Level 4: Any merchant who processes fewer than 20,000 Visa or MasterCard e-commerce transactions or processes fewer than 1 million Visa or MasterCard transactions, regardless of acceptance channel
Guidelines for Cardholder Data Elements

Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4
Cardholder Data:
Primary Account Number (PAN) | Yes | Yes | Yes
Cardholder Name (1) | Yes | Yes (1) | No
Service Code (1) | Yes | Yes (1) | No
Expiration Date (1) | Yes | Yes (1) | No
Sensitive Authentication Data (2):
Full Magnetic Stripe Data (3) | No | N/A | N/A
CAV2/CVC2/CVV2/CID | No | N/A | N/A
PIN/PIN Block | No | N/A | N/A

(1) These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
(2) Sensitive authentication data must not be stored after authorization (even if encrypted).
(3) Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
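The table above is a storage policy, and it can be enforced mechanically at the point where a merchant system persists an authorized transaction. The following Python is an added example, not part of the UBC document or of any PCI SSC material: it drops the sensitive authentication data elements (footnote 2), keeps the elements the table permits, and renders the PAN unreadable before storage. Truncation to the first six and last four digits is the Req. 3.4 method chosen here (one of several the requirement allows); the field names, the allow-list of non-card business fields and the sample record are this example's own assumptions.

```python
"""Apply the cardholder data element guidelines to a post-authorization record.

Added example (not the UBC document's or PCI SSC's code). Policy encoded:
  - PAN: storage permitted, must be rendered unreadable (Req. 3.4).
    Truncation (first six / last four digits) is the method assumed here.
  - Cardholder name, service code, expiration date: storage permitted;
    protected as part of the cardholder data environment (footnote 1).
  - Sensitive authentication data (full track, CAV2/CVC2/CVV2/CID,
    PIN/PIN block): never stored after authorization (footnote 2).
"""
import re

PAN_FIELD = "pan"
# Cardholder data elements the table permits to be stored with a protected PAN.
PERMITTED_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}
# Sensitive authentication data: dropped unconditionally after authorization.
SENSITIVE_AUTH_DATA = {"full_track_data", "cvv2", "pin", "pin_block"}
# Non-card business fields (assumed names for this example, not from the table).
BUSINESS_FIELDS = {"transaction_id", "amount", "authorized_at"}


class StoragePolicyError(ValueError):
    """Raised when a record cannot be made safe for storage."""


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable by keeping only the first six and last four digits.

    Separators (spaces, dashes) are stripped first; a PAN outside the usual
    13-19 digit range is rejected rather than silently masked.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise StoragePolicyError("PAN length outside the 13-19 digit range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of `record` that the guidelines allow to be persisted.

    Allow-list semantics: anything not in the table or BUSINESS_FIELDS is
    dropped, so a new upstream field cannot leak into storage by default.
    """
    stored = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_DATA:
            continue  # footnote 2: never stored after authorization
        if key == PAN_FIELD:
            stored[key] = truncate_pan(value)  # Req. 3.4
        elif key in PERMITTED_WITH_PAN or key in BUSINESS_FIELDS:
            stored[key] = value
    return stored


def check_stored_record(record: dict) -> list:
    """Audit a record that is already at rest; return a list of violations."""
    violations = []
    for key in sorted(SENSITIVE_AUTH_DATA & set(record)):
        violations.append(f"sensitive authentication data stored: {key}")
    pan = record.get(PAN_FIELD)
    if pan is not None and re.fullmatch(r"\d{13,19}", re.sub(r"\D", "", pan)):
        violations.append("PAN stored in readable form (Req. 3.4)")
    return violations


# Constructed sample record: what a terminal might hand back after authorization.
SAMPLE_AUTHORIZED_RECORD = {
    "transaction_id": "T-0001",
    "amount": "42.00",
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J. Doe",
    "expiration_date": "12/14",
    "service_code": "201",
    "cvv2": "123",
    "full_track_data": "%B4111111111111111^DOE/J^1412...?",
    "pin_block": "0123456789ABCDEF",
}

if __name__ == "__main__":
    print("violations before:", check_stored_record(SAMPLE_AUTHORIZED_RECORD))
    safe = sanitize_for_storage(SAMPLE_AUTHORIZED_RECORD)
    print("stored record:", safe)
    print("violations after:", check_stored_record(safe))
```

Running the audit both before and after sanitization is the useful habit: the "before" output is what a scan of an existing database or log store should report, and an empty "after" list is the condition a merchant can point to when documenting how cardholder data in their environment is handled (Process 2).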
Appendix A: Merchant Payment Process Confirmation

UBC PCI-DSS Compliance: Merchant Payment Process Confirmation
Overall SAQ Level:
Merchant Name:
Contact:

Payment Processes
Merchant Name & Account # | PIN pad | Connection | Chip/PIN Compliant (Y/N) | Detail | SAQ level

Are the above process(es) and details correct? If not, please make the necessary correction(s) and provide updated process and cardholder data flow documentation if applicable.

If a "telephone dial-out only" PIN pad is specified as SAQ B by the Merchant because they use it as a dial-out device, then there should be no ethernet/network cable option. If the Merchant wishes to have the option of high-speed ethernet then the process should be a SAQ C. If the Merchant is a SAQ B, then the high-speed capability "must" be disabled; otherwise, the payment process is a SAQ C.

I hereby confirm that my unit uses the above process(es) to process credit card transactions and complies with PCI DSS requirements.

IMPORTANT NOTE: Any changes to your credit card processes and/or addition of new processes must be communicated to and approved by the PCI Working Committee through UBC Finance. Please contact Raul Ramos in Finance: rramos@finance.ubc.ca or 2-0259.

Process(es) Confirmed By: (print name) Date: (Signature)