thankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance
What is it ? A set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
What isn’t it ? ● PCI is not, in itself, a law. The standard was created by the major card brands ● merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, forensic audits, brand damage etc., should a breach event occur
● launched on September 7, 2006 ● focus on improving payment account security throughout the transaction process ● administered and managed by the PCI SSC ( an independent body that was created by the major payment card brands Basic Facts
Coverage ● In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC - American Express, Discover, JCB, MasterCard, and Visa International PCI SSC
Why do it – the positive ● your systems are secure ● customers can trust you with their sensitive payment card information ● improves your reputation with acquirers and payment brands ● helps prevent security breaches and theft of payment card data ● Compromised data negatively affects consumers, merchants, and financial institutions
Why do it – avoid the negative ● one incident can severely damage your reputation ● Possible negative consequences also include: ● Lawsuits ● Insurance claims ● Cancelled accounts ● Payment card issuer fines ● Government fines
What are the penalties for noncompliance? ● Acquiring banks are fined and typically pass the fines on ● Transaction fees may increase ● Bank relationship could be terminated ● Check your merchant agreement
PCI Data Security Standard Build and maintain a secure network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data3. Protect stored cardholder data 4. Encrypt transmission of cardholder data and sensitive information across open public networks Maintain a vulnerability management program 5. Use and regularly update anti ‑ virus software 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security
The Banks ● Most banks advertise a policy ● Information should be available online ● Talk to your account manager ● The Reserve Bank: ● Any merchant that is not PCI DSS compliant can potentially be prevented from processing card payments
What the banks say - Westpac ● Being compliant to the PCIDSS forms part of your merchant agreement ● Westpac will review your transaction count annually and should we require you to validate compliance as a Level 1, 2 or 3 merchant we will advise you accordingly. ● At all times, the Westpac PCIDSS Levels will take precedence over MasterCard and Visa levels for our merchants.
Commonwealth
ANZ ● As a merchant, it is vital to protect your customers as well as your business against misuse of credit & debit account information. It is essential that you do not store prohibited cardholder data such as magnetic stripe data (track data) and Customer Verification Value (CVV) after a transaction is completed.
How does it apply ?
thankQ Processing ● To store Credit Card details or not ? ● Options for storing them outside of your business: ● Macquarie ● SecurePay ● Remember the paperwork