How To Ensure Account Information Security



Similar documents
Registry of Service Providers

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

A Compliance Overview for the Payment Card Industry (PCI)

PCI DSS. CollectorSolutions, Incorporated

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

PCI Compliance Overview

Frequently Asked Questions

Payment Card Industry Data Security Standard

Registration and PCI DSS compliance validation

Third Party Agent Registration and PCI DSS Compliance Validation Guide

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

How To Protect Your Business From A Hacker Attack

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Merchant guide to PCI DSS

What a Processor Needs from a University to Validate Compliance

AISA Sydney 15 th April 2009

Project Title slide Project: PCI. Are You At Risk?

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Your Compliance Classification Level and What it Means

Internal Audit Activity Update

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

ICCCFO Conference, Fall Payment Fraud Mitigation: Securing Your Future

PCI Compliance Just the Facts. Rick Dakin President ext. 7001

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Frequently Asked Questions

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, :00 pm 3:00 pm EDT

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

How To Protect Your Credit Card Information From Being Stolen

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Payment Card Industry (PCI) Data Security Standard

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Payment Card Industry Data Security Standard

Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Understanding Payment Card Industry (PCI) Data Security

PCI Compliance. Top 10 Questions & Answers

Introduction to. May 18, :15 p.m. 2:15 p.m.

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

PAI Secure Program Guide

PCI Standards: A Banking Perspective

PCI Security Compliance

PCI Compliance: How to ensure customer cardholder data is handled with care

Becoming PCI Compliant

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

University Policy Accepting Credit Cards to Conduct University Business

Property of CampusGuard. Compliance With The PCI DSS

How Secure is Your Payment Card Data?

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

THIRD PARTY AGENT REGISTRATION PROGRAM

PCI DSS Gap Analysis Briefing

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

PCI Compliance Top 10 Questions and Answers

Securing The Data. Payment System Forum Bank Negara Malaysia. 27 th November Murugesh Krishnan Head of Risk, South & Southeast Asia

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Industry Compliance Overview

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, Merit Member Conference

PCI DSS Presentation University of Cincinnati

PCI DSS and SSC what are these?

HOW SECURE IS YOUR PAYMENT CARD DATA?

VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS)

Payment Card Industry - Achieving PCI Compliance Steps Steps

Third Party Agent Registration Program Frequently Asked Questions

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

Technical breakout session

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Payment Card Industry (PCI) Data Security Standard

The following are responsible for the accuracy of the information contained in this document:

How To Program A Credit Card Terminal To Be A Pca Compliant (Cpo) Or Not (Pca) Compliant (Dns) (Cisp) (Dhs) (Pci) (Susu) (Usu/

PCI DSS Compliance Services January 2016

Why Is Compliance with PCI DSS Important?

Payment Card Industry (PCI) Data Security Standard

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Payment Card Industry Data Security Standard (PCI DSS) v1.2

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

University Policy Accepting and Handling Payment Cards to Conduct University Business

UO Third Party Credit Card Processing Request

PCI DSS Compliance Information Pack for Merchants

Transcription:

Global PCI DSS Framework Emöke Bitter Business Leader, Risk Management 26 February 2009

Agenda Introduction Merchants Service Providers Registry of Service Providers Payment Applications Resources Information Classification as Needed Presentation Identifier.2

Introduction Account Information Security, or AIS, is a globally mandated program for all Visa clients, their agents and merchants that process, store and/or transmit cardholder data. In November 2008, International Member Letter (IML) 28/08 was issued to inform Visa clients on the new global PCI DSS framework which affects the AIS validation and reporting requirements. The AIS program aims to protect the interests of all parties involved in the Visa payment system in both the physical and virtual worlds In the US, the AIS program is known as Cardholder Information Security Program (CISP) Information Classification as Needed Presentation Identifier.3 3

Merchants All merchants fall into one of the four merchant levels based on Visa transaction volume over a 12- month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant. In cases where a merchant corporation has more than one Doing Business As (DBA), acquirers must consider the aggregate volume of transactions by the corporate entity to determine the validation level. Information Classification as Needed Presentation Identifier.4 4

Merchants Levels & Requirements Level / Tier 1 All Regions Validation Requirements 1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as L1 by any Visa region 2 Annual Onsite Review by QSA Quarterly network scan by Approved Scanning Vendor (ASV) 2 Merchants processing 1 million to 6 million Visa transactions annually (all channels) Annual completion of PCI DSS SAQ Quarterly network scan by ASV 3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually Annual completion of PCI DSS SAQ Quarterly network scan by ASV 4 Merchants processing less than 20,000 Visa e- commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Annual completion of SAQ recommended Quarterly network scan by ASV if applicable Compliance validation requirements set by acquirer 1 Compromised entities may be escalated at regional discretion. 2 Merchant meeting level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels. Information Classification as Needed Presentation Identifier.5 5

Merchants Compliance Deadlines 30 September 2009 L1 and L2 Merchants: No storage of prohibited data 30 September 2010 L1 Merchants: PCI DSS compliant Prohibited Data = Full track data; CAV2/CVC2/CVV2/CID; PIN/PIN block Information Classification as Needed Presentation Identifier.6 6

Merchants Reporting Requirements Acquirers must report to Visa twice a year (31st of March and 30th of September) the following: Compliance status of each Level 1 merchant Compliance status of each Level 2 merchant Statistical reporting metrics of the compliance status of Level 3 merchants First reporting date: 31 March 2009 Information Classification as Needed Presentation Identifier.7 7

Merchants Bi-Annual Report Merchant PCI DSS Compliance Report Acquirer name: BID: Completed by: Signature: Title: Telephone #: E-mail address: Date: This document must be completed to demonstrate compliance status with the Payment Card Industry Data Security Standard (PCI DSS Regulations requirement prohibiting the storage of sensitive cardholder account authentication information beyond authorization. Acquirers must identify all level 1 and 2 merchants and include them in this report. Acquirers must obtain validation documentation from their merchants including Report on Compliance, Attestation of Compliance for O Quarterly Scan Results and Self-assessment Questionnaire, and submit to Visa if requested. Initial Identification Year Merchant Name Merchant Level Compliance Status Self Assessment Validation Date (DD/MM/YYYY) Quarterly Network Scan Validation Dates (DD/MM/YYYY) Date of Onsite Review by QSA or Merchant Internal Auditor (DD/MM/YYYY) Prohibited Data Storage (e.g., track, CVV2, PIN Block) Prohibited Data Identification Date (DD/MM/YYYY) Merchant PCI DSS Compliance Report BID: Completed by: Signature: Title: E-mail address: Date: Period Total # of Level 3 Merchants Total # of Compliant Level 3 Merchants % of Compliant Total # of Remediating Total # of Validation in Progress Total # of Pending Commitment 31-Mar-09 30-Sep-09 Legend: Compliant = ROC complete confirming PCI compliance Remediating = Initial ROC complete; Remediating findings In Progress = Initial ROC in progress, QSA has been engaged, Audit ongoing Pending Commitment = Merchant identified; No commitment to validate Information Classification as Needed Presentation Identifier.8 8

Service Providers Visa clients are required to register their relationship with all their service providers via Exhibit 5E (and Exhibit 5A if the service provider is directly connected to VisaNet via a VisaNet Extended Access Server) to the Agent Registration team at apsgpagent@visa.com. Those that store, transmit and/or process Visa cardholder data are required to be PCI DSS compliant and are automatically enrolled in the AIS program. Information Classification as Needed Presentation Identifier.9 9

Service Providers Validation Requirements LEVEL 1 More than 300,000 Visa transactions* per year LEVEL 2 Less than 300,000 Visa transactions* per year PCI DSS onsite review Mandated Recommended Quarterly network scan Mandated Mandated Self assessment questionnaire (SAQ) Optional Mandated * includes all transactions (for all clients), regardless of the type / channel Information Classification as Needed Presentation Identifier.10

Service Providers Reporting Requirements LEVEL 1 Attestation of Compliance form (Appendix E of PCI DSS Requirements and Security Assessment Procedures v1.2) Executive summary and description of scope of work and approach taken from the ROC. The complete ROC is not required. Clients are responsible to submit attestations to Visa on an annual basis for all their service providers. Visa no longer notify clients in advance. LEVEL 2 Completed PCI DSS Self- Assessment Questionnaire (SAQ) Information Classification as Needed Presentation Identifier.11

Registry of Service Providers New optional program for service providers to register directly with Visa and report PCI DSS compliance Clients not required to submit annual attestations to Visa if the service provider has registered under this program Only service providers that have been reported as PCI DSS compliant via an onsite review by a QSA are listed on the Registry Information Classification as Needed Presentation Identifier.12

Payment Applications Payment Application Data Security Standard (PA-DSS) PA-DSS is a set of requirements derived from PCI Data Security Standards (PCI DSS), developed to validate payment software / applications Payment applications can store data without the merchant s knowledge Safe applications implemented in a PCI DSS compliant environment will minimize the potential for security breaches leading to data compromises More information can be obtained at https://www.pcisecuritystandards.org/ security_standards/pa_dss.shtml Information Classification as Needed Presentation Identifier.13

Resources AIS www.visa-asia.com/secured www.visa-asia.com/padss vpssais@visa.com Registry of Service Providers www.visa-asia.com/spregistry apspregistry@visa.com Third-Party Agent Registration apsgpagent@visa.com PCI DSS www.pcisecuritystandards.org Information Classification as Needed Presentation Identifier.14

Thank You

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information