Adyen PCI DSS 3.0 Compliance Guide
February 2015
2015 Adyen BV, www.adyen.com
Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants should always consult their acquirer for clarification.
Contents
  An introduction to PCI DSS ... 4
  PCI SSC ... 4
  Steps to adhering to the PCI DSS ... 4
  Security and Operational Implications ... 4
  General PCI DSS Goals and Requirements ... 5
  Adyen PCI DSS 3.0 Compliance Requirements Card Not Present ... 5
  Adyen CSE requires an SAQ A ... 6
  Adyen PCI DSS 3.0 Compliance Requirements Card Present ... 6
  Card Present, which SAQ to use? ... 6
  FAQ ... 7
    Q1: What is in scope? ... 7
    Q2: What is NOT in scope? ... 7
    Q3: What does "connected to" mean? ... 7
    Q4: What is segmentation? ... 7
    Q5: Do PCI DSS controls reduce scope? ... 7
    Q6: What is a Service Provider? ... 7
    Q7: Does outsourcing solve my PCI compliance effort? ... 7
    Q8: What is a PTS POI? ... 7
    Q9: Does a PTS-approved device solve my PCI compliance effort? ... 7
    Q10: What is SRED? ... 8
    Q11: What is a P2PE solution? ... 8
    Q12: Is Adyen a Payment Application? ... 8
  Consequences of non-compliance ... 8
  Acronyms/Glossary ... 8
An introduction to PCI DSS

PCI DSS is the global data security standard adopted by the card schemes for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of requirements that mirror security best practices. Compliance with the PCI DSS is mandatory as soon as your company starts accepting credit cards; which requirements apply, and how you validate them, depends on how you integrate (an API integration in which card data passes through your own systems attracts the full SAQ D, as the tables below show).

PCI SSC

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education and awareness of the PCI Security Standards. The Council's five founding global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. In this paper you will find useful information about the PCI DSS requirements for merchants and the Council's certification, created to mitigate data breaches and prevent payment cardholder data fraud.

Steps to adhering to the PCI DSS

From the world's largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customers' payment card data secure. The size of your business determines the specific compliance requirements that must be met. Adhering to the PCI DSS is not a single event but a continuous, ongoing process with three steps:

1. Assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
2. Remediate: fix vulnerabilities, and do not store cardholder data unless you need it.
3. Report: compile and submit the required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and the card brands you do business with.

Security and Operational Implications

In security terms, it means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role in making sure your customers' payment card data is kept safe throughout every transaction, so that both they and you can have confidence that they are protected against the pain and cost of data breaches.
General PCI DSS Goals and Requirements

Goals
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

PCI DSS Requirements
1. Install and maintain a firewall configuration to protect Cardholder Data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored Cardholder Data
4. Encrypt transmission of Cardholder Data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to Cardholder Data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to Cardholder Data
10. Track and monitor all access to network resources and Cardholder Data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Depending on your payment channels and the way that Cardholder Data is processed, some PCI DSS requirements may not be applicable to you.

Adyen PCI DSS 3.0 Compliance Requirements Card Not Present

The table below shows the requirements under PCI DSS 2.0 and 3.0 for each Adyen integration.

Connection method / channel    Until December 31, 2014                               After January 1, 2015
HPP / E-commerce               none                                                  none
CSE / E-commerce & MOTO        SAQ A v2.0                                            SAQ A v3.0
API / E-commerce & MOTO        SAQ D v2.0 & network scan or certificate from QSA     SAQ D Merchant v3.0 & network scan or certificate from QSA

Important: for merchants with more than one channel, several SAQs may be applicable. Adyen recommends that merchants tackle PCI compliance per channel and per legal entity, and reach out to a PCI Qualified Security Assessor in case of questions:
https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
Adyen CSE requires an SAQ A

One aim of PCI DSS 3.0 is to ensure that the encrypted payment data sent from the shopper's browser actually reaches the Adyen payment platform, and not another recipient. The key Adyen provides to a CSE merchant is a public encryption key: it cannot be used to decrypt Cardholder Data, and the matching decryption key is never available to the merchant or the shopper. The primary concern is therefore to ensure the integrity of the merchant website's assets (the page and the script that perform the encryption), not to protect Cardholder Data, which is never available there because all Cardholder Data functions are outsourced. Adyen also offers a hosted version of the CSE JavaScript for merchants that want to avoid having even the public encryption key in their own environment. Note that compliance for the Adyen CSE solution does not require:
- constant maintenance
- an on-site visit by a Qualified Security Assessor (QSA)
- a quarterly network scan by an Approved Scanning Vendor (ASV)

Adyen PCI DSS 3.0 Compliance Requirements Card Present

Network segmentation largely determines how much of the PCI DSS applies to a Card Present environment.

Connection method / channel    Until December 31, 2014    After January 1, 2015
POS / mPOS                     none                       SAQ B-IP v3.0

Important: for merchants with more than one channel, several SAQs may be applicable. Adyen recommends that merchants tackle PCI compliance per channel and per legal entity, and reach out to a PCI Qualified Security Assessor in case of questions.

Card Present, which SAQ to use?

SAQ B
  Applies to: imprint machines or standalone, dial-out terminals. Not an Adyen solution.
  Payment terminals: standalone, dial-out terminal (connected via a phone line to the payment processor).
  Cardholder Data transmission: Cardholder Data is not transmitted over a network (either an internal network or the Internet).

SAQ B-IP
  Applies to: standalone PTS-approved payment terminals with an IP connection; brick-and-mortar (Card-Present) or mail/telephone order (Card-Not-Present) merchants.
  Payment terminals: standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to the payment processor.
  Cardholder Data transmission: the only Cardholder Data transmission is encrypted, via IP, from the PTS-approved POI devices to the payment processor.
FAQ

Q1: What is in scope?
A1: System components (people, processes and technologies) that do any of the following:
- store, process or transmit Cardholder Data (these make up the Cardholder Data Environment, CDE)
- connect to the CDE
- provide security services to the CDE
- provide segmentation of the CDE
- could otherwise impact the security of Cardholder Data

Q2: What is NOT in scope?
A2: System components that:
- do not store, process or transmit Cardholder Data, and
- do not connect to the CDE, and
- do not provide security services to the CDE, and
- do not provide segmentation of the CDE, and
- cannot otherwise impact the security of Cardholder Data
All five conditions must hold; failing any one of them puts the component in scope.

Q3: What does "connected to" mean?
A3: Any communication to and/or from the CDE.

Q4: What is segmentation?
A4: Isolating the CDE from the rest of the network by logical or physical means, so that no traffic can pass between the two. Controlled access is not segmentation: a firewall rule that permits a flow still connects the two sides. Out of scope = security is not reviewed = untrusted. Without adequate network segmentation, the entire network is in scope of the PCI DSS assessment. Segmentation is strongly recommended as a method that may reduce not only the scope and cost of a PCI DSS assessment, but also the ongoing overhead of maintaining PCI DSS compliance. By consolidating cardholder data into fewer, more controlled locations, the risk of a data breach may also be reduced.

Q5: Do PCI DSS controls reduce scope?
A5: No. A system is in scope because of its function and/or network connectivity, and implementing PCI DSS controls on it does not change that.

Q6: What is a Service Provider?
A6: Any company that:
- meets PCI DSS requirements on your behalf, or
- you share Cardholder Data with, or
- could impact your CDE

Q7: Does outsourcing solve my PCI compliance effort?
A7: No, responsibility cannot be fully outsourced.
- Outsourcing may reduce the complexity of implementing PCI DSS controls.
- Outsourcing may increase oversight and validation complexity.
- The merchant remains responsible for its customers' data.

Q8: What is a PTS POI?
A8: PTS = PIN Transaction Security; POI = point of interaction, the device the card is presented to. A PTS-approved POI incorporates hardware, firmware and applications that have been evaluated and included on the PCI SSC List of Approved PTS Devices for that POI.

Q9: Does a PTS-approved device solve my PCI compliance effort?
A9: A PTS-approved device:
- can facilitate PCI DSS compliance
- does not guarantee PCI DSS compliance or reduce PCI DSS scope
- is in scope for PCI DSS, to confirm it is configured properly and that secure functionality has not been disabled

Q10: What is SRED?
A10: SRED (Secure Reading and Exchange of Data) is a PTS approval module. SRED devices encrypt account data from the point of contact (the card read) to the point of output, so the data leaves the device only in encrypted form. PCI PTS devices with SRED can be used in validated PCI P2PE solutions.

Q11: What is a P2PE solution?
A11: A combination of secure devices, applications and processes that encrypt data from the point of interaction to the solution provider's secure decryption environment.

Q12: Is Adyen a Payment Application?
A12: No, Adyen is not a Payment Application in terms of PCI DSS. Adyen is a Payment Service Provider.

Consequences of non-compliance

Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual card schemes. Potential consequences include the following:
- If a merchant is found to be non-compliant it can be fined up to $25,000 per month.
- Additionally, it is susceptible to large fines if a breach occurs, up to five- or six-figure amounts.
- Breach costs have been estimated at between $100 and $300 per breached record (card number).
- Reputational damage.

Acronyms/Glossary

ASV       PCI Approved Scanning Vendor
CDE       Cardholder Data Environment
CHD       Cardholder Data: PANs, expiry dates, cardholder names and similar data (PCI DSS treats Sensitive Authentication Data as a separate category; see SAD)
CSE       Client-Side Encryption
HPP       Hosted Payment Page
MOTO      Mail order/telephone order
P2PE      Point-to-Point Encryption
PCI       Payment Card Industry
PCI DSS   Payment Card Industry Data Security Standard
POI       Point of interaction (payment terminal)
PTS       PIN Transaction Security
QSA       PCI DSS Qualified Security Assessor
SAD       Sensitive Authentication Data: CVV, CVV2, full track data, PINs and PIN blocks
SAQ       PCI DSS Self-Assessment Questionnaire
SCR       Secure card reader
SRED      Secure Reading and Exchange of Data
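To make the scoping rules in Q1 to Q5 of the FAQ concrete, here is an added worked example (not part of Adyen's guide) that applies them to a small constructed inventory. The component names, the flows, the firewall decisions and the attribute names are all invented for the example; the rules it encodes are only those stated in the FAQ (direct connection to the CDE, security services, segmentation, and Q5's point that controls on a system do not take it out of scope).

```javascript
// Added example: a scope calculator that applies the FAQ's rules to a constructed inventory.
// Component names, flows and firewall decisions are invented for the example.

// Inventory. handlesCHD marks the CDE (stores, processes or transmits Cardholder Data);
// securityServiceFor and segments model "provides security services to" / "segmentation of" the CDE.
// hardened is ignored on purpose: per Q5, PCI DSS controls do not reduce scope.
const components = {
  'pos-terminal':  { handlesCHD: true },
  'payment-gw':    { handlesCHD: true },
  'cde-firewall':  { securityServiceFor: ['payment-gw', 'pos-terminal'], segments: true },
  'siem':          { securityServiceFor: ['payment-gw'] },   // log collection for the CDE
  'hr-app':        { hardened: true },                       // patched and monitored, but see flows
  'marketing-web': {},
  'wifi-guest':    {},
};

// Network flows after firewall policy. A flow the firewall PERMITS still counts as a
// connection (Q4: controlled access is not segmentation); only a denied flow removes it.
const flows = [
  { from: 'pos-terminal',  to: 'payment-gw',    permitted: true },
  { from: 'hr-app',        to: 'payment-gw',    permitted: true },   // "controlled" by a rule, but allowed
  { from: 'marketing-web', to: 'payment-gw',    permitted: false },  // blocked: genuinely segmented
  { from: 'wifi-guest',    to: 'marketing-web', permitted: true },   // never touches the CDE
];

// Returns the in-scope and out-of-scope component names plus the reason for each in-scope entry.
function computeScope(components, flows) {
  const cde = new Set(Object.keys(components).filter((n) => components[n].handlesCHD));
  const reasons = {};
  const add = (name, why) => { (reasons[name] = reasons[name] || []).push(why); };

  // Q1, first bullet: the CDE itself.
  for (const n of cde) add(n, 'stores, processes or transmits CHD (CDE)');

  // Q1, second bullet / Q3: any permitted communication to or from the CDE.
  for (const f of flows) {
    if (!f.permitted) continue;
    if (cde.has(f.to) && !cde.has(f.from)) add(f.from, `permitted flow to CDE component ${f.to}`);
    if (cde.has(f.from) && !cde.has(f.to)) add(f.to, `permitted flow from CDE component ${f.from}`);
  }

  // Q1, third and fourth bullets: security services and segmentation for the CDE.
  for (const [n, c] of Object.entries(components)) {
    if ((c.securityServiceFor || []).some((t) => cde.has(t))) add(n, 'provides security services to the CDE');
    if (c.segments) add(n, 'provides segmentation of the CDE');
  }

  // Q2: out of scope only when none of the conditions above applied.
  const inScope = Object.keys(reasons);
  const outOfScope = Object.keys(components).filter((n) => !reasons[n]);
  return { inScope, outOfScope, reasons };
}

const report = computeScope(components, flows);
for (const n of report.inScope) console.log(`${n}: in scope (${report.reasons[n].join('; ')})`);
for (const n of report.outOfScope) console.log(`${n}: out of scope`);
```

Two things the run makes visible that the prose only states: hr-app stays in scope despite being hardened, because its permitted flow to payment-gw is a connection to the CDE (Q4 and Q5), while marketing-web drops out only because its flow is denied outright. Adding or loosening a single firewall rule therefore changes the scope list, which is why the FAQ ties segmentation to assessment cost.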