Process of Setting up a New Merchant Account




Table of Contents

PCI DSS ... 3
Who to contact? ... 3
Background on PCI ... 3
Why comply? ... 3
How to comply? ... 3
PCI DSS Scope ... 4
Does PCI DSS Apply to Me? ... 4
What if I am not compliant? ... 4
What is UBC e-Payment (previously Consolidated Billing Module)? ... 4
PROCESS TO SET UP A NEW MERCHANT ACCOUNT ... 5
PROCESS 1 ... 5
PROCESS 2 ... 6
Sample of Cardflow Process ... 7
PROCESS 3 ... 8
PROCESS 4 ... 8
PROCESS 5 ... 8
PCI DSS Self-Assessment Questionnaire (SAQ) ... 9
SAQ Documents ... 10
Merchant Levels ... 11
Guidelines for Cardholder Data Elements ... 12
Appendix A: Merchant Payment Process Confirmation ... 13

Setting up a New Merchant Account Page 2

PCI DSS (Payment Card Industry Data Security Standard)

Who to contact?
- Raul Ramos of Finance for PCI compliance requirements
- Michele Benitez of Revenue Accounting for merchant account set up (after PCI compliance)

Background on PCI
- The PCI Security Standards Council (PCI SSC or the Council) was launched in September 2006 by the major payment brands: Visa, MasterCard, AMEX, Discover and JCB International
- It is a global forum for ongoing development and enhancement of security standards for account data protection, including the PCI DSS
- The goal of PCI DSS is to protect cardholder data that is processed, stored or transmitted by merchants, in order to thwart theft of cardholder data and prevent fraud
- PCI DSS covers security systems and networks that store, process or transmit card data; it covers credit card transactions only, NOT bank debit cards. Exceptions are the new Visa and MasterCard debit transactions, which are covered by PCI DSS

Why comply?
- To prevent thieves from stealing credit card data and using it to commit fraud. Fraud and cardholder data compromise impact consumer confidence and damage your reputation as a merchant

How to comply?
- Minimize or eliminate the amount of stored credit card data (electronic or on paper) to reduce your risk and scope. Don't store it if you don't need it
- Protect credit card data that is stored

PCI DSS Scope

PCI DSS requirements are applicable if a Primary Account Number (PAN) or credit card number is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply. Refer to guidelines on page 14.

PCI DSS applies to all systems and networks that store, process and/or transmit cardholder data, and to connected systems, including:
- All external connections to the entity's network
- All connections to and from the authorization and settlement environment
- The point of sale (POS) environment

PCI DSS requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

Does PCI DSS Apply to Me?
- PCI standards apply to all organizations/entities that store, process or transmit cardholder data
- The security standards apply to all types of payments, including in-person, mail, telephone and e-commerce web transactions
- PCI compliance is required for any merchant that accepts payment cards, even if the quantity of transactions is just one

What if I am not compliant?
- UBC merchants will be responsible for and bear all costs related to becoming PCI DSS compliant
- In the event of a security breach/data compromise, the UBC merchant involved pays all costs (i.e. forensics investigation, remediation costs, fines/penalties, litigation costs, etc.)

What is UBC e-Payment (previously Consolidated Billing Module)?
- UBC Information Technology (UBC IT) has developed several web payment services, known as UBC e-Payment, for UBC merchants to process credit card and Interac Online payments for UBC business transactions
- Merchants are requested to consider UBC e-Payment before exploring other payment processes or securing a payment application from an external service provider
- UBC e-Payment users are obliged to sign a Terms of Use Agreement and/or Service Level Commitment (SLC), to monitor changes in procedures and to adhere to PCI compliance standards
- For more information, see http://www.it.ubc.ca/service_catalogue/admin_sys/epayment.html

PROCESS TO SET UP A NEW MERCHANT ACCOUNT

PROCESS 1: Merchant Business Owners should educate themselves on the PCI DSS policy.
- PCI standards apply to all organizations/entities that store, process or transmit cardholder data
- All UBC merchants that process, store or transmit credit card data as payments to the University and/or operate point of sale (POS) systems must be in compliance with PCI DSS v.1.2.2 (v.2.0 at January 1, 2012)
- The security standards apply to all types of payments, including in-person, mail, telephone and e-commerce web transactions
- PCI compliance is required for any merchant that accepts payment cards, even if the quantity of transactions is just one

Resources:
- PCI DSS policy - https://www.pcisecuritystandards.org/merchants/
- UBC Policy 106 - http://universitycounsel.ubc.ca/files/2010/08/policy106.pdf
- UBC PCI Compliance - http://www.finance.ubc.ca/ap/pcicompliance-main.cfm
- UBC IT Security Policies - http://www.it.ubc.ca/service_catalogue/information_security/security/security_policies.html
- UBC PCI Compliance Resources - http://it.ubc.ca/service_catalogue/information_security/security/pci-compliance-resources.html

PROCESS 2: Merchant documents the cardflow process.

Refer to the PCI DSS Requirements for guidance in documenting the cardholder data flow: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf. The PCI DSS is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of 12 steps that mirror best security practices.

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

The merchant identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE). The results may be a diagram or an inventory of cardholder data locations; see the sample on page 9. The merchant retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or reference during the next annual PCI assessment activity.

Sample of Cardflow Process (diagram)

PROCESS 3: Merchant determines the Merchant and SAQ level of their payment process.
- Contact UBC's Qualified Security Assessor (QSA), if necessary through Finance (Raul Ramos)
- The merchant is responsible for the cost of the QSA's fee
- Document a plan for attaining compliance that reasonably meets the compliance objectives for the SAQ
- Submit the documentation from Process 2, the QSA's confirmation of SAQ level and the plan of compliance to the PCI Working Group for approval
- Refer to the SAQ description on page 9. Refer to Merchant Levels on page 11.

PROCESS 4: Merchant passes validation and completes the SAQ.
- Merchants are required to complete the Merchant Payment Processing Confirmation form; refer to Appendix A
- SAQ A and B merchants are required to complete the SAQ but are not validated by the QSA
- SAQ C and D merchants are required to complete the SAQ and are validated by the QSA
- A copy of the Service Provider agreement is to be countersigned in Finance
- Refer to SAQ instructions and documents on page 10.

IMPORTANT: No new account will be opened unless Telus signs off that the merchant payment process is PCI compliant prior to going live.

PROCESS 5: Merchant account can be activated.
- The new account will be set up by Revenue Accounting (Michele Benitez) after all requirements from Process 1 to 4 are met and satisfied.
- Fill out the UBC Merchant Account Request Form and submit it to Michele Benitez - http://www.finance.ubc.ca/ra/documents/ubcmerchantaccountrequestformv4.pdf

PCI DSS Self-Assessment Questionnaire (SAQ)

https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

The Questionnaire Level determines how thorough you need to be to become compliant.

Validation Type 1 - SAQ A (13 questions)
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. The merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions. The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant. The merchant does not store any cardholder data in electronic format, and if the merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

Validation Type 2 - SAQ B (26 questions)
Imprint-only merchants with no cardholder data storage. The merchant uses only an imprint machine to imprint customers' payment card information and does not transmit cardholder data over either a phone line or the Internet.

Validation Type 3 - SAQ B (26 questions)
Stand-alone dial-up terminal merchants, no cardholder data storage. The merchant uses only standalone, dial-up terminals, and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment. The merchant does not store cardholder data in electronic format, and if the merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.

Validation Type 4 - SAQ C (41 questions)
Merchants with payment application systems connected to the Internet, no cardholder data storage. The merchant has a payment application system and an Internet or public network connection on the same device. The payment application system/Internet device is not connected to any other system within the merchant environment. The merchant does not store cardholder data in electronic format, and if the merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically. The merchant's payment application software vendor uses secure techniques to provide remote support to the merchant's payment application system.

Validation Type 5 - SAQ D (238 questions)
All other merchants (not included in the descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete a SAQ.

SAQ Documents

SAQ Instructions and Guidelines v2.0 - https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
SAQ A v2.0 -
SAQ B v2.0 -
SAQ C v2.0 -
SAQ C-VT v2.0 -
SAQ D v2.0 -

Merchant Levels

The Merchant Level determines whether or not you need to be compliant and how much expensive help you must buy to become compliant. There are four merchant levels, with 1 being the largest/most difficult, and four being the least stringent/easiest to comply with:

Level 1: Any merchant, regardless of acceptance channel, who:
- Processes over 6 million Visa or MasterCard transactions per year
- Has suffered a hack or an attack that resulted in data compromise
- Has been identified by Visa, MasterCard, or any other payment card as Level 1

Level 2: Any merchant who processes 1 million to 6 million Visa or MasterCard transactions, regardless of acceptance channel

Level 3: Any merchant who processes 20,000 to 1 million Visa or MasterCard e-commerce transactions

Level 4: Any merchant who processes fewer than 20,000 Visa or MasterCard e-commerce transactions or processes fewer than 1 million Visa or MasterCard transactions, regardless of acceptance channel

Guidelines for Cardholder Data Elements

Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4

Cardholder Data
  Primary Account Number (PAN) | Yes | Yes | Yes
  Cardholder Name [1] | Yes | Yes [1] | No
  Service Code [1] | Yes | Yes [1] | No
  Expiration Date [1] | Yes | Yes [1] | No

Sensitive Authentication Data [2]
  Full Magnetic Stripe Data [3] | No | N/A | N/A
  CAV2/CVC2/CVV2/CID | No | N/A | N/A
  PIN/PIN Block | No | N/A | N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
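Process 2 asks the merchant to confirm that no cardholder data exists outside the defined CDE, and the table above states which elements may be stored after authorization. The following Python is an added illustration of both checks, not part of the UBC document: it finds Luhn-valid PANs in an export, drops sensitive authentication data from a post-authorization record, and truncates the PAN to its last four digits (one of the Req. 3.4 methods for rendering a stored PAN unreadable). The field names, the sample export lines and the record layout are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (SAD): never stored after authorization,
# even encrypted (footnote 2 of the table). Field names are assumptions.
SAD_FIELDS = ("cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block")

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> Iterator[Tuple[str, int]]:
    """Yield (pan_digits, offset) for each Luhn-valid candidate in text,
    e.g. when scanning exports or logs for data outside the CDE."""
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield digits, m.start()

def sanitize_for_storage(authorized_txn: Dict[str, str]) -> Dict[str, str]:
    """Reduce a post-authorization record to what the table permits storing:
    SAD fields are dropped and the PAN is truncated to its last four digits
    (truncation is one Req. 3.4 method). Name, expiry and service code stay."""
    stored = {k: v for k, v in authorized_txn.items() if k not in SAD_FIELDS}
    pan = stored.pop("pan", None)
    if pan is not None:
        stored["pan_last4"] = re.sub(r"[ -]", "", pan)[-4:]
    return stored

def storage_violations(stored_record: Dict[str, str]) -> List[str]:
    """List why a record, as stored, breaches the guidelines: a SAD field is
    present, or some value still contains a full (Luhn-valid) PAN."""
    problems = []
    for key, value in stored_record.items():
        if key in SAD_FIELDS:
            problems.append(f"{key}: sensitive authentication data stored after authorization")
        elif any(True for _ in find_pans(str(value))):
            problems.append(f"{key}: full PAN stored, not rendered unreadable (Req. 3.4)")
    return problems

# Constructed sample export: the well-known Visa test PAN 4111 1111 1111 1111
# (Luhn-valid), a Luhn-invalid 16-digit number, and ordinary digit strings.
SAMPLE_EXPORT = (
    "order=1001 card=4111 1111 1111 1111 cvv=123 name=J. Doe\n"
    "order=1002 card=4111111111111112 ref=5555\n"
    "phone=604-555-0199 invoice=2013-10-29\n"
)

if __name__ == "__main__":
    for pan, offset in find_pans(SAMPLE_EXPORT):
        print(f"PAN found at offset {offset}: ****{pan[-4:]}")
```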

Appendix A: Merchant Payment Process Confirmation

UBC PCI-DSS Compliance: Merchant Payment Process Confirmation

Overall SAQ Level:
Merchant Name:
Contact:

Payment Processes (one entry per process):
Merchant Name & Account # | PIN pad | Connection | Chip/PIN Compliant (Y/N) | Detail | SAQ level

Are the above process(es) and details correct? If not, please make the necessary correction(s) and provide updated process and cardholder data flow documentation if applicable.

If a "telephone dial-out only" PIN pad is specified as SAQ B by the Merchant because they use it as a dial-out device, then there should be no ethernet/network cable option. If the Merchant wishes to have the option of high-speed ethernet, then the process should be a SAQ C. If the Merchant is a SAQ B, then the high-speed capability "must" be disabled; otherwise, the payment process is a SAQ C.

I hereby confirm that my unit uses the above process(es) to process credit card transactions and complies with PCI DSS requirements.

IMPORTANT NOTE: Any changes to your credit card processes and/or addition of new processes must be communicated to and approved by the PCI Working Committee through UBC Finance. Please contact Raul Ramos in Finance: rramos@finance.ubc.ca or 2-0259.

Process(es) Confirmed By: (print name)    Date:    (Signature)