Frequently Asked Questions



Similar documents
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Your Compliance Classification Level and What it Means

How To Ensure Account Information Security

Frequently Asked Questions

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

How To Protect Your Business From A Hacker Attack

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Frequently Asked Questions

A Compliance Overview for the Payment Card Industry (PCI)

Payment Card Industry (PCI) Data Security Standard

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Why Is Compliance with PCI DSS Important?

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

Becoming PCI Compliant

Registry of Service Providers

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

University Policy Accepting Credit Cards to Conduct University Business

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Attestation of Compliance for Onsite Assessments Service Providers

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Security

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

Registration and PCI DSS compliance validation

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

PCI PA-DSS Requirements. For hardware vendors

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Third Party Agent Registration and PCI DSS Compliance Validation Guide

Merchant guide to PCI DSS

Payment Card Industry Data Security Standard

PCI DSS. CollectorSolutions, Incorporated

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI Compliance Overview

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007

Understanding Payment Card Industry (PCI) Data Security

Payment Card Industry (PCI) Data Security Standard

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

AISA Sydney 15 th April 2009

Information Technology

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Visa global Compromised Account

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PCI Data Security Standards

The following are responsible for the accuracy of the information contained in this document:

Clark University's PCI Compliance Policy

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Payment Card Industry (PCI) Data Security Standard

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry - Achieving PCI Compliance Steps Steps

Credit Card Processing, Point of Sale, ecommerce

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, Merit Member Conference

University Policy Accepting and Handling Payment Cards to Conduct University Business

Josiah Wilkinson Internal Security Assessor. Nationwide

An article on PCI Compliance for the Not-For-Profit Sector

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Credit Card Handling Security Standards

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, :00 pm 3:00 pm EDT

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

FAQ s. SaferPayments. Be smart. Be compliant. Be protected. The benefits of compliance SaferPayments Non-compliance fees

How To Protect Visa Account Information

Sales Rep Frequently Asked Questions

Payment Card Industry Compliance Overview

Third Party Agent Registration Program Frequently Asked Questions

Attestation of Compliance for Onsite Assessments Service Providers

Attestation of Compliance for Onsite Assessments Service Providers

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI Compliance: How to ensure customer cardholder data is handled with care

Attestation of Compliance for Onsite Assessments Service Providers

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

THIRD PARTY AGENT REGISTRATION PROGRAM

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Technical breakout session

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

ICCCFO Conference, Fall Payment Fraud Mitigation: Securing Your Future

Transcription:

I ccount Information System (IS) Program Frequently sked Questions Q What is IS? ccount Information Security, or IS, is a Risk Management program by Visa aimed to protect account and/or transaction information whereby all entities which process, store, and/or transmit account and transaction information must be compliant with the Payment Card Industry (PCI) Data Security Standards (DSS). The five major card brands founded the PCI Security Standards Council (PCI SSC) in 2006 to oversee the standards itself, but each of the card brands maintain their own program that outlines the validation requirements, deadlines and fines. To learn more about the PCI DSS and the PCI SSC, please visit the PCI SSC website at www.pcisecuritystandards.org. Q Who is required to comply with the PCI DSS? ll entities that store, process, or/and transmit cardholder data, such as merchants, service providers (e.g. payment gateways, IPSP, processors), issuers and acquirers, must comply with the PCI DSS. The requirements apply to all acceptance channels including retail (brickand mortar), mail/telephone order (MOTO) and e-commerce. Q What if I outsource the handling, transmission or storage of cardholder data to a third party organization? Both issuing and acquiring banks must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standards. lthough there may not be a direct contractual relationship between merchant service providers and acquiring members, Visa acquirers are responsible for any liability that may occur as a result of non-compliance. Q How do I validate PCI DSS compliance? Validation requirements for merchants and service providers are based on the average annual volume of cardholder data handled by the organization. Please refer to www.visaasia.com/secured for the merchant and service provider levels and requirements. Validation tools: nnual on-site PCI Data Security ssessment by a PCI SSC Qualified Security ssessor (QS). Quarterly vulnerability scans performed by a PCI SSC pproved Scanning Vendor (SV) nnual self-assessment using the PCI DSS Self-ssessment Questionnaire (SQ) For the list of QSs and SVs and SQ, please go to www.pcisecuritystandards.org.

ccount Information Security (IS) Program Frequently-sked Questions Q What is the PCI Self-ssessment Questionnaire (SQ)? The PCI Self-ssessment Questionnaire (SQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS. You can download the SQ from www.pcisecuritystandards.org/saq/instructions.shtml. Q What is a Vulnerability Scan? vulnerability scan is an automated remote scan that assesses your network from the internet to see if you have any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data. Q Is PCI DSS compliance a one-time requirement? No. PCI DSS compliance is an ongoing process. While validation actions vary depending on the actual number of transactions an entity process annually, all merchants and service providers are required to comply with PCI DSS at all times. Q Is there a deadline to be compliant? Yes. The deadlines are as follows: Level 1 Merchants Elimination of prohibited data storage deadline is September 30, 2009. PCI DSS compliance deadline is September 30, 2010. Level 2 Merchants Elimination of prohibited data storage deadline is September 30, 2009. Service providers PCI DSS compliance deadline is December 31, 2008. Q How are the merchant levels defined and what are the validation requirements? Separate from the mandate to comply with the PCI DSS is the validation of compliance, whereby Visa has prioritized and defined validation levels based on the volume of transactions, the potential risk and exposure introduced into the Visa system. Visa has established globally aligned merchant levels and validation requirements for annual PCI DSS compliance validation as follows: Level / Tier 1 Merchant Criteria Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as level 1 by any Visa region Validation Requirements nnual Report on Compliance ( ROC )by Qualified Security ssessor ( QS ) Quarterly network scan by pproved Scan Vendor ( SV ) ttestation of Compliance Form

ccount Information Security (IS) Program Frequently-sked Questions Level / Tier 2 3 4 Merchant Criteria Merchants processing 1 million to 6 million Visa transactions annually (all channels) Merchants processing 20,000 to 1 million Visa e-commerce transactions annually Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Validation Requirements nnual Self-ssessment Questionnaire ( SQ ) Quarterly network scan by SV ttestation of Compliance Form nnual SQ Quarterly network scan by SV ttestation of Compliance Form nnual SQ recommended Quarterly network scan by SV if applicable Compliance validation requirements set by acquirer *ll merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business s ("DB"). In cases where a merchant corporation has more than one DB, clients must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBs, members will continue to consider the DB s individual transaction volume to determine the validation level as follows. Q How are the service provider levels defined and what are the validation requirements? Visa has established globally aligned levels and validation requirements for annual PCI DSS compliance validation for service providers as follows: Level ll Regions Validation Requirements 1 2 VisaNet processors or any service provider that stores, processes and / or transmits over 300,000 transactions per year ny service provider that stores, processes and / or transmits less than 300,000 transactions per year nnual ROC by QS Quarterly network scan by SV ttestation of Compliance Form nnual SQ Quarterly network scan by SV ttestation of Compliance Form Q What if I choose not to be involved in the IS program? The IS program is globally mandated for all Visa issuing and acquiring banks and their agents (e.g. merchants, service providers etc). Should an issuer s or acquirer s agent be found not compliant with the IS requirements, the issuer or acquirer may be financially penalized by Visa. Ultimately, merchants and service providers must meet the IS requirements to continue to accept Visa payment products. Q. Who do I contact if I have questions about the IS Program requirements? Please contact your acquiring bank, or visit the IS website at www.visa-asia.com/secured. For enquiries on the PCI DSS and its related information, please contact the PCI SSC at www.pcisecuritystandards.org/about/contact.shtml.

ccount Information Security (IS) Program Frequently-sked Questions Payment pplications Q What is P DSS? The Payment pplication Data Security Standard (P-DSS) is an industry standard, based on Visa s Payment pplication Best Practices (PBP), originally created to support the PCI DSS and help software vendors and others develop secure payment applications that do not store prohibited data such as full magnetic stripe or other sensitive authentication data or PIN data. The P-DSS is managed by the Payment Card Industry Security Standards Council (PCI SSC) along with other industry standards such as the PCI DSS and PCI PED, and is recognized by all major payment brands. For more information on what is required to be PCI DSS-compliant, please visit www.pcisecuritystandards.org. Q What types of payment applications are subject to the P-DSS requirements? The P-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third-parties e.g. merchants, service providers. Payment applications validated in accordance with P-DSS, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe/track, card validation codes and values (CV2, CID, CVC2, and CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches. Q What types of payment applications are NOT subject to the P-DSS requirements? 1. Payment applications that are developed for and sold to only one customer are NOT subject to the P-DSS requirements; however, they must be covered by the customer s PCI DSS assessment. 2. Payment applications that are developed in-house by merchants or service providers and are not sold to a third party are NOT subject to P-DSS, however, they must be covered by the merchants or service providers PCI DSS assessment. 3. Payment applications that are resident in standalone point-of-sale terminals are NOT subject to the P-DSS requirements 4. The following list, while not all inclusive, illustrates applications that are NOT payment applications for purposes of P-DSS: operating systems onto which a payment application is installed (for example, Windows, Unix), database systems that store cardholder data (for example, Oracle), and back-office systems that store cardholder data (for example, for reporting or customer service purposes).

ccount Information Security (IS) Program Frequently-sked Questions Q Will the PCI SSC accept applications that have been previously validated under the existing Visa PBP program? PCI SSC will recognize PBP validated payment applications and list them with the appropriate PBP version that they were validated against. For further details, please refer to the table below. Version PBP 1.4 PBP 1.3 Prior to PBP 1.3 P-DSS 1.1 Expiration Date 24 months 18 months 12 months 3 Years after change to standard PCI SSC Listing Prior to Expiration Validation PBP PBP Pre-PCI application P-DSS Deployment cceptable for new cceptable for new Not recommended for new cceptable for new PCI SSC Listing fter Expiration Validation PBP PBP Pre-PCI application P- DSS Deployment Q How does the P-DSS impact customers? Secure payment applications help to facilitate a customer s PCI DSS compliance. When implemented in a DSS-compliant environment, P-DSS validated payment applications will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CV2, CID, CVC2, and CVV2), PINs and PIN blocks. Q Who will perform P-DSS assessments? Only Payment pplication Qualified Security ssessors (P-QS) accredited by the PCI SSC can perform payment application reviews.. Note that not all QSs are P-QSs there are additional qualification requirements that must be met for a QS to become a P-QS. The list of P-QSs is published on the PCI SSC website. Q How much does P DSS validation cost? Compliance validation takes place at the software vendor s expense. The cost of P-DSS validation is determined by a payment application s complexity and size, as well as the time required for review and P-QS pricing.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information