Credit Card Compliance Overview for merchants
Agenda
- Credit card flow overview
- The compliance players
- Types of payment transactions
- Overview of the security standard
- Merchant impact
Notes: Review the agenda.

Transaction Flow (generalized)
Diagram: Consumer, Merchant, Acquiring Bank, Card Association and Issuing Bank, with numbered arrows (1 through 7) tracing an authorization from the consumer to the merchant, to the acquiring bank, through the card association to the issuing bank, and the response back along the same path to the merchant.
Notes: Interactive exercise for a very generalized payment processing flow; a more detailed one comes later. Pass out nametags with roles and have participants pass a credit card around as you step through the process.
Compliance Players
Notes: The scope of compliance responsibility falls to each merchant account, and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant.

The Compliance Players
- Card Brands
- PCI Council
- Banks
- Merchants
Notes: There are four major players in the PCI-DSS standard, and one more (service providers) that I'll mention later.

Card Brands: Who
- Visa, MasterCard, American Express, Discover, JCB
Notes: The card brands are the driver behind the standard and the push for cardholder security. Better security means fewer customer hassles and fewer dollars paid out under fraud protection clauses. JCB is Japan Credit Bureau.

Card Brands: What
- Set rules for adhering to the standards
  - How you demonstrate compliance
  - Four merchant levels based on volume of transactions
  - CU and CU Foundation are both at levels that allow self-assessment for compliance
- Set penalties for violations
Notes: The different card brands used to have independent security standards, which was bad for merchants. Now they have separate, but similar, rules for how closely merchants are monitored for compliance. Monitoring is tiered by the merchant's annual transaction volume, with a heavy bias toward online transactions. The four levels fall into two groups with identical requirements: Level 1 (the highest-volume merchants) requires an annual on-site assessment, and the lower levels may self-assess. Originally each level had its own set of requirements, but the card brands have since tightened them.

PCI Council: Who
- Card brands are the executive committee
- Banks and large companies are the advisory board
- 700 companies are members
- NACUBO and Treasury Institute represent higher education as general members
Notes: The card brands are the executive committee on the council, but the bulk of the membership are banks and large merchants. Higher education is represented by two groups on the council: the Treasury Institute for Higher Education and NACUBO. They are our avenues for feedback on the standard. The latest Council gathering and feedback meeting for the next revisions to the standard just completed in early October 2009. The Treasury Institute has a PCI-related blog which is very good.

PCI Council: Develop security standards
- PCI-DSS (Data Security Standard)
- SAQ (Self-Assessment Questionnaires)
- PTS (PIN Transaction Security)
- PA-DSS (Payment Application Data Security Standard)
- P2PE (Point-to-Point Encryption)
Notes: The council develops the security standards. Three of them matter most to us. PCI-DSS is what we're focused on; it's the standard for merchants and service providers, and the SAQs are the self-assessment forms used to report against it. PTS is a hardware standard for companies who make PIN entry devices; it applies only to hardware that provides PIN entry, not to swipe systems that do not handle PINs. PA-DSS is a software development standard for companies who make and sell software that handles cardholder data. P2PE covers solutions that encrypt card data at the point of interaction so it stays encrypted until it reaches the solution provider. We are focused on PCI-DSS, but we care about PTS, PA-DSS and P2PE when we buy products to handle cards.

PCI Council: Certify third parties
- Qualified Security Assessors (QSA)
- Internal Security Assessors (ISA)
- Approved Scanning Vendors (ASV)
- PCI Forensic Investigators (PFI)
- Validated Payment Applications
- Approved PIN Transaction Security Devices
Notes: The council also validates third parties in the PCI compliance chain. QSAs are trained and authorized to assess compliance to the standard; ISAs are internal compliance assessors like myself; ASVs are authorized to provide the required third-party external vulnerability scanning service; PFIs investigate breaches of cardholder data. The council also lists software and hardware that meet the PA-DSS and PTS standards. The Council maintains lists of these authorized third parties and products, and using validated third parties is a key aspect of PCI compliance.
Acquiring Banks
- Provide merchant accounts for card processing
- Require merchants to be PCI compliant
- Pass along any fines from card brands
- XXXXX is our "acquiring bank" (insert acquiring bank logo)
Notes: Acquiring banks are the enforcement arm in the process: they require their merchants to be compliant and request their annual reports on compliance. If a problem arises, the bank may be fined by the card brands and then pass the fines along to the offending merchant. These fines can easily reach hundreds of thousands of dollars for exposure of cardholder data, and tens of thousands for failure to comply with the standard even without data exposure occurring.

Issuing Banks
- Issue credit cards to consumers
- Manage the consumer's line of credit, bill, etc.
Notes: Issuing banks are at the other end of the transaction. They extend the credit and bill the consumer, and when a merchant exposes cardholder data it is the issuers who absorb the fraud losses and the cost of reissuing cards. That cost is the reason the card brands push merchant compliance so hard.

Merchants
- Groups provided an account by an acquiring bank to process card payments
- (our organization) has (X) merchant accounts
- Separate accounts for different business and card handling processes
- Every merchant account must be assessed as compliant annually

Service Providers
- Anyone handling cardholder data on behalf of a merchant (other than the bank)
- They have the same PCI-DSS requirements, but different assessment rules
- Must provide documentation of compliance (may do so via the VISA online registry)
Notes: This is the extra level I mentioned earlier: service providers. They must also adhere to PCI-DSS and have stricter requirements for how closely they are monitored. Validated service providers have been a tricky issue; many companies have gotten into the service provider market without realizing they need to be validated and going through the process. Contracts with service providers must include language describing each party's PCI-DSS compliance responsibilities.

Square/Stripe/etc.
- Some card payment services (payment facilitators) perform transactions under their own merchant accounts and then send payments to you
- Check with (organizational finance department) about whether these services are authorized

Recap
- Card Brands set compliance rules and penalties
- PCI Council defines standards and certifies third parties
- Banks enforce compliance
- Merchants and Service Providers must be compliant
Transaction Flows

Swipe transactions
(Insert acquiring bank logo) Acquiring Bank
Notes: The customer either makes an in-person purchase, calls, or mails, and a merchant employee either swipes the card or keys the information into a swipe terminal connected to a telephone line, which dials the bank to process and register the transaction. Standalone dial-out terminals are the simplest case for compliance (they are covered by the short-form SAQ B).

Point of sale transactions
System / Application / Database, on-campus or hosted by vendor; Transaction processor; (Insert acquiring bank logo) Acquiring Bank
Notes: The customer makes an in-person purchase and their card is swiped on a point-of-sale system that connects to a POS management server, which then connects to a transaction processor (probably a third party chosen by the POS vendor), which then registers the transaction with the bank. Every system the card data passes through on the way is in scope.

Web-based transactions
Web-based "shopping cart", on-campus or hosted by vendor; Payment Gateway; (Insert acquiring bank logo) Acquiring Bank
Notes: The customer visits the website directly, which handles the product/service selection and accepts basic information from the customer, then redirects to the payment gateway for entering the credit card information; the gateway connects to the bank to register the transaction. Once the transaction is completed, the customer is directed back to the merchant website. Alternatively, the customer visits in person, mails or calls, and a merchant employee enters the purchase information into the same web page and the same payment process. When cardholder data is keyed in within the department (the "virtual terminal" case), the computer used to enter it is in scope and must also be compliant.

Transaction Flow (website)
Diagram: the generalized flow (Consumer, Merchant, Acquiring Bank, Card Association, Issuing Bank) with two more participants added on the merchant side: the web host and the web design contractor, both of which are service providers if they touch cardholder data.
Notes: Review the agenda.

The PCI-DSS Standard
The PCI-DSS Standard
- PCI-DSS 3.1
- Twelve sections
- 200+ total items (different subsets apply to different transaction processes, selected by the SAQ type that matches the merchant's card handling)
- Applies to all merchants and service providers, regardless of size
- All merchants must annually self-assess compliance or hire a third-party assessor
- Updated periodically
Notes: It's a fairly long standard, covering a variety of topics, but always focused on the cardholder data. It covers technical requirements, procedures and policies. The self-assessment process involves filling out a form that has the merchant provide a yes/no/N/A for each line item. There is a short form (SAQ B) for those who only use telephone-line swipe terminals.

PCI-DSS Overview
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Notes: There are six "goals", 12 high-level requirements and more than 200 line items. It covers technical requirements, procedures and policies; the self-assessment form asks for yes/no/N/A on each applicable line item.

Other standards
- Payment Application DSS: software we buy that handles card data must meet this standard
- PIN Transaction Security: PIN entry devices we buy must meet this standard
- Point-to-Point Encryption: optional features built into some equipment
Notes: We won't go into any detail on these standards, but if we purchase software that handles credit card numbers, or a PIN entry device, we should check the Council's lists of validated products before purchasing.

Merchant Impact

Merchant responsibilities
- Accountable for everything under your merchant accounts (even if handled by a third party)
- Have compliance ownership and a plan
- Meet security requirements
  - Data and physical security
  - Policies and training
- Ensure compliance is addressed in contracts
- Annual self-assessment
- Quarterly external vulnerability scans by an ASV (when applicable, i.e. when Internet-facing systems are in scope)
Common daily actions
- Use dedicated computers for credit card processing
- Keep swipe terminals and computers physically secured
- Make sure card numbers are masked on-screen and on print-outs (at most the first six and last four digits visible)
- Never use email, chat or other messaging tools for sending/receiving card numbers
- Keep paper copies secure (locked cabinet) until they are shredded (cross-cut)
More information
- Campus PCI website: (link)
- PCI Security Standards Council website: https://www.pcisecuritystandards.org/
- Treasury Institute for Higher Education: http://www.treasuryinstitute.org/ and http://treasuryinstitutepcidss.blogspot.com/
- VISA Cardholder Information Security Program: http://usa.visa.com/merchants/risk_management/cisp_overview.html
- MasterCard merchant security: http://www.mastercard.com/us/merchant/security

Recap
- Accepting card payments means accepting the responsibility of addressing security
- Merchants are responsible for their own compliance and for verifying contractor compliance
- PCI-DSS has lots of detailed specifics under a common-sense set of categories
- Applicable requirements differ by type of transaction process
- We must self-assess compliance annually
Questions