Credit Card Compliance

Presentation transcript:

Credit Card Compliance: Overview for merchants

Agenda
- Credit card flow overview
- The compliance players
- Types of payment transactions
- Overview of the security standard
- Merchant impact
Notes: Review agenda.

Role-level transaction flow
Diagram roles: Consumer, Merchant, Acquiring Bank, Card Association, Issuing Bank, with the steps numbered 1 through 7.
Notes: Interactive exercise for a very generalized payment processing flow. We will do a more detailed one later. Pass out nametags with roles and have them pass around credit cards as you step through the process.

Section: Compliance Players

The Compliance Players
- Card Brands
- PCI Council
- Banks
- Merchants
Notes: There are four major players in the PCI-DSS standard, and one more that I'll mention later.

Card Brands: Who
Notes: The card brands are the driver behind the standard and the push for cardholder security. Better security means fewer customer hassles and fewer dollars paid out under fraud protection clauses. JCB is Japan Credit Bank.

Card Brands: What
- Set rules for adhering to the standards
  - How you demonstrate compliance
  - Four tiers based on volume of transactions
  - CU and CU Foundation are both at levels that allow self-assessment for compliance
- Set penalties for violations
Notes: The different card brands used to have independent security standards, which was bad for merchants. Now they have separate, but similar, rules for how closely merchants are monitored for compliance. The compliance monitoring is done in tiers based on the merchant's volume of transactions, with a heavy bias toward online transactions. The four tiers fall into two groups with identical requirements. Originally there were four levels of requirements, but the card brands have tightened the requirements.

PCI Council
- Card brands are the executive committee
- Banks and large companies are the advisory board
- 700 companies are members
- NACUBO and the Treasury Institute represent higher education as general members
Notes: The card brands are the executive committee on the council, but the bulk of the membership is banks and large merchants. Higher education is represented by two groups on the council: the Treasury Institute for Higher Education and NACUBO. They are our avenues for feedback on the standard. The latest Council gathering and feedback meeting for the next revisions to the standard was just completed in early October 2009. The Treasury Institute has a PCI-related blog which is very good.

PCI Council: Develop security standards
- PCI-DSS (Data Security Standard)
- SAQ (Self-Assessment Questionnaires)
- PTS (PIN Transaction Security)
- PA-DSS (Payment Application Data Security Standard)
- P2PE (Point-to-Point Encryption)
Notes: The council develops the security standards. There are three main standards. PCI-DSS is what we're focused on; it's the standard for merchants and service providers. PTS is a hardware standard for companies who make PIN entry devices. PA-DSS is a software development standard for companies who make and sell software that handles cardholder data. PTS only applies to hardware that provides PIN entry, not to swipe systems that do not handle PIN entry. We are focused on PCI-DSS, but we care about PTS and PA-DSS when we buy products to handle cards.

PCI Council: Certify third parties
- Qualified Security Assessors (QSA)
- Internal Security Assessors (ISA)
- Authorized Scanning Vendors (ASV)
- Certified Forensic Investigators (PFI)
- Validated Payment Applications
- Approved PIN Transaction Security Devices
Notes: The council also validates third parties in the PCI compliance chain. QSA: trained and authorized to assess compliance with the standard. ISA: internal compliance assessors like myself. ASV: authorized to provide the required third-party vulnerability scanning service. Also software and hardware that meet the PA-DSS and PTS standards. The Council maintains lists of these authorized third parties and products. Using validated third parties is a key aspect of PCI compliance.

Banks: Acquiring Banks
- Provide merchant accounts for card processing
- Require merchants to be PCI compliant
- Pass along any fines from card brands
- XXXXX is our "acquiring bank" (insert acquiring bank logo)
Notes: Banks are the enforcement arm in the process: they require their merchants to be compliant and request their annual reports on compliance. If a problem arises, they may be fined by the card brands, then pass the fines along to the offending merchant. These fines can easily reach hundreds of thousands of dollars for exposure of cardholder data, and tens of thousands for failure to comply with the standard even without data exposure occurring.

Banks: Issuing Banks
- Issue credit cards to consumers
- Manage the consumer's line of credit, bill, etc.

Merchants
- Groups provided an account by an acquiring bank to process card payments
- (our organization) has (X) merchant accounts
- Separate accounts for different business and card-handling processes
- Every merchant account must be assessed as compliant annually
Notes: The scope of compliance responsibility falls to each merchant account, and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant.

Service Providers
- Anyone handling cardholder data on behalf of a merchant (other than the bank)
- They have the same PCI-DSS requirements, but different assessment rules
- Must provide documentation of compliance (may do so via the VISA online registry)
Notes: This is the extra level I mentioned earlier: service providers. They must also adhere to PCI-DSS and have stricter requirements for how closely they are monitored. Validated service providers have been a tricky issue. Many companies have gotten into the service provider market without realizing they need to be validated and go through the process. Contracts with service providers must include language describing the PCI-DSS compliance responsibilities.

Square/Stripe/etc.
- Some credit card services perform transactions under their own merchant accounts and then send payments to you
- Check with (organizational finance department) about whether these services are authorized

Recap
- Card Brands set compliance rules and penalties
- PCI Council defines standards and certifies third parties
- Banks enforce compliance
- Merchants and Service Providers must be compliant

Section: Transaction flows

Swipe transactions
Diagram: swipe device connected by telephone line to the Acquiring Bank (insert acquiring bank logo)
Notes: The customer either makes an in-person purchase, calls, or mails, and a merchant employee either swipes their card or keys their information into a swipe device connected to a telephone line that connects to the bank to process and register the transaction.

Point of sale transactions
Diagram: POS system, then the POS management server (system application and database, on-campus or hosted by vendor), then the transaction processor, then the Acquiring Bank (insert acquiring bank logo)
Notes: The customer makes an in-person purchase and their card is swiped on a point of sale system that connects to a POS management server, which then connects to a transaction processor (probably a third party chosen by the POS vendor), which then registers the transaction with the bank.

Web-based transactions
Diagram: web-based "shopping cart" (on-campus or hosted by vendor) or Payment Gateway, then the Acquiring Bank (insert acquiring bank logo)
Notes: The customer visits the website directly, which handles the product/service selection, accepts basic information from the customer, then redirects to the Payment Gateway for accepting the credit card information, which then connects to the bank to register the transaction. Once the transaction is completed, the customer is directed back to the merchant website. Or, the customer visits in person, mails, or calls, and a merchant employee enters the purchase information into the same webpage and the same payment process. When entering customer cardholder data is handled within the department, the computer used to enter this information must also be compliant.

Transaction flow (website)
Diagram roles: Consumer, Merchant, Web host, Web design, Acquiring Bank, Card Association, Issuing Bank.
Notes: Review agenda.

Section: The PCI-DSS Standard

The PCI-DSS Standard
- PCI-DSS 3.1
- Twelve sections
- 200+ total items (different subsets apply to different transaction processes, called merchant type or SAQ level)
- Applies to all merchants and service providers, regardless of size
- All merchants must annually self-assess compliance or hire a third-party assessor
- Updated periodically
Notes: It's a fairly long standard, covering a variety of topics, but always focused on the cardholder data. It covers technical requirements, procedures and policies. The self-assessment process involves filling out a form that has the merchant provide a yes/no/NA for each line item. There is a short form for those who only use telephone-line swipe units.

PCI-DSS Overview
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control
- Monitor and test networks
- Information security policy
Notes: There are six "goals", 12 high-level topics and more than 200 line items, always focused on the cardholder data. It covers technical requirements, procedures and policies.

Other standards
- Payment Application DSS: software we buy must meet this standard
- PIN Transaction Security: PIN entry devices we buy must meet this
- Point-to-Point Encryption: optional features built into some equipment
Notes: We won't go into any detail on these standards, but if we purchase software that handles credit card numbers, we should check the list before purchasing.

Section: Merchant Impact

Merchant responsibilities
- Accountable for everything under your merchant accounts (even if handled by a third party)
- Have compliance ownership and a plan
- Meet security requirements
  - Data and physical security
  - Policies and training
- Ensure compliance is addressed in contracts
- Annual self-assessment
- Participation in quarterly scans (when applicable)

Common daily actions
- Use dedicated computers for credit card processing
- Swipe machines and computers are physically secured
- Make sure card numbers are masked on-screen and on print-outs
- Never use email for sending/receiving card numbers
- Ensure paper copies are secure (locked cabinet), then shredded (cross-cut)
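Two of the daily actions above, masking card numbers for display and keeping them out of e-mail, are the ones a department can check with a small script rather than by eye. The following Python is an added example and is not part of the original presentation. It masks a card number down to the first six and last four digits, which is the most PCI DSS requirement 3.3 allows to be displayed, and it scans a block of text such as an outgoing e-mail body for unmasked card numbers, using the Luhn check digit so that invoice or reference numbers of similar length are not flagged. The function names are my own, and the sample message is constructed; the card numbers in it are the publicly known Visa, Mastercard and American Express test numbers, not real accounts.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# and not glued to other digits on either side.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if `digits` is a 13-19 digit string whose Luhn check digit is valid."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(candidate: str) -> str:
    """Strip the spaces and hyphens people type between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits visible, the rest
    replaced by asterisks (the maximum PCI DSS requirement 3.3 permits to show)."""
    digits = normalize(pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the normalized card numbers found in `text`, for a DLP-style check on
    e-mail bodies, print-outs or log files before they leave the department."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = normalize(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with its masked form; other
    digit runs (invoice ids, phone numbers) are left untouched."""
    def _mask(m):
        digits = normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE_RE.sub(_mask, text)


# Constructed sample e-mail body. The card numbers are the publicly known
# Visa, Mastercard and American Express *test* numbers, not real accounts.
SAMPLE_EMAIL = (
    "Hi, please charge 4111 1111 1111 1111 for order 8812.\n"
    "Our invoice reference is 1234567890123456 (not a card).\n"
    "Backup cards: 5500-0000-0000-0004 and 378282246310005, exp 12/30.\n"
)

if __name__ == "__main__":
    print("Unmasked PANs found:", find_unmasked_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
```

Run against the sample, the scanner reports the three test card numbers and leaves the sixteen-digit invoice reference alone, because it fails the Luhn check; the redacted copy shows only the first six and last four digits of each card. The Luhn filter cuts false positives but is not proof that a number is a live account, so a hit is a reason to stop the message and look, not an automatic sanction.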

More information
- Campus PCI website: (link)
- PCI Security Standards Council website: https://www.pcisecuritystandards.org/
- Treasury Institute for Higher Education: http://www.treasuryinstitute.org/ and http://treasuryinstitutepcidss.blogspot.com/
- VISA Cardholder Information Security Program: http://usa.visa.com/merchants/risk_management/cisp_overview.html
- MasterCard merchant security: http://www.mastercard.com/us/merchant/security

Recap
- Accepting card payments means accepting the responsibility of addressing security
- Merchants are responsible for their own compliance and for verifying contractor compliance
- PCI-DSS has lots of detailed specifics under a common-sense set of categories
- Applicable requirements differ by type of transaction process
- We must annually self-assess compliance

Questions