Understanding PCI DSS Compliance from an Acquirer's Perspective


1 Understanding PCI DSS Compliance from an Acquirer's Perspective
J.P. Morgan, April 2017
Andy Goh, Matt Leman

2 PCI Payment Brand Overview & Compliance Enabling Technologies
This presentation was prepared exclusively for the benefit and internal use of the Chase client or potential Chase client to whom it is directly delivered and/or addressed (including subsidiaries and affiliates, the "Company") in order to assist the Company in evaluating, on a preliminary basis, the feasibility of a possible transaction or transactions or other business relationship and does not carry any right of publication or disclosure, in whole or in part, to any other party. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by Chase. Neither this presentation nor any of its contents may be disclosed or used for any other purpose without the prior written consent of Chase. This presentation does not constitute a commitment by any Chase entity to extend or arrange credit or to provide any other services to Company. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. The statements, views, and opinions that will be expressed during the presentation are those of the presenters and are not endorsed by, or reflect the views or positions of, Chase. The information herein may not take into account individual client circumstances, objectives or needs and is not necessarily intended as a recommendation of a particular product or strategy to the Company and Company shall make its own independent decision. Chase is not liable for decisions made or actions taken in reliance on any of the information covered during the presentation.

Furthermore, Chase makes no representations as to the actual value which may be received in connection with a transaction or use of the products and services mentioned nor the legal, tax or accounting effects of consummating a transaction. Chase, Chase Paymentech, JPMorgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, "Chase") and if and as used herein may include as applicable employees or officers of any or all of such entities irrespective of the marketing name used. Products and services may be provided by commercial bank affiliates, securities affiliates or other Chase affiliates or entities. In particular, securities brokerage services other than those which can be provided by commercial bank affiliates under applicable law will be provided by registered broker/dealer affiliates such as J.P. Morgan Securities LLC, J.P. Morgan Institutional Investments Inc. or by such other affiliates as may be appropriate to provide such services under applicable law. Such securities are not deposits or other obligations of any such commercial bank, are not guaranteed by any such commercial bank and are not insured by the Federal Deposit Insurance Corporation. Not all products and services are available in all geographic areas. Eligibility for particular products and services is subject to final determination by Chase or its affiliates/subsidiaries. IRS Circular 230 Disclosure: Chase does not provide tax advice. Accordingly, any discussion of U.S. tax matters included herein (including any attachments) is not intended or written to be used, and cannot be used, in connection with the promotion, marketing or recommendation by anyone not affiliated with Chase of any of the matters addressed herein or for the purpose of avoiding U.S. tax-related penalties.

3 Learning Objectives
This session will answer the following:
- The role of the acquirer in educating clients and helping them maintain a secure environment
- Requirements to ensure your institution's compliance with PCI DSS
- The factors that determine the PCI merchant level and the reporting that is required of the client
- Expectations of an acquirer from its clients in the area of PCI compliance, and how these expectations are communicated
- Compensating controls and solutions available to higher education institutions to reduce PCI impact and scope

4 Agenda
- PCI overview: acquirer's perspective
- Compliance-enabling technologies
- Appendix

5 Acquirer's Role in the PCI DSS Compliance Ecosystem

6 The Role of the Acquirer
Overall mission relating to PCI DSS compliance: as an acquirer, we monitor and validate clients' Payment Card Industry (PCI) data security compliance, as well as their adherence to the respective payment brands' mandates for their cardholder data security programs. We provide guidance, expertise and a wide range of payment acceptance solutions for higher education institutions that help mitigate PCI compliance and financial risk by keeping cardholder data secure. We are PCI DSS compliant and an inaugural member of the PCI Security Standards Council Board of Advisors.

7 Educating Clients
- Dedicated resources focused on clients' PCI DSS compliance
- Ongoing education and resources
- Various solutions that help manage the cost and complexity of compliance
- Third-party solutions to help assess and validate PCI compliance

8 Liaison with the Payment Brands
- Manage and report clients' PCI DSS compliance status to the payment brands
- Ensure payment brand mandates are communicated and applied
- Liaise between clients and the payment brands on PCI compliance matters

9 PCI DSS Version 3.2 Key Dates

10 Web SSL/Early TLS Retired
What does this mean? SSL and early TLS are Internet transport security protocols whose use as a security control is prohibited for PCI beyond June 2018.
Acquirers assist institutions by:
- Providing updated standalone terminals that support the secure protocol, where applicable
- Having updated our payment processing websites to require the secure protocol
- Working with clients to help them determine when a non-compliant solution is still being used, and sharing ideas on possible replacement solutions
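As a practical check for the last point above, the following added Python example (written for this page; it is not code from the J.P. Morgan deck or from any Chase product) parses a captured TLS ServerHello record and reports whether the version the server actually negotiated falls under the SSL/early TLS prohibition. It reads the legacy version field and, for TLS 1.3, the supported_versions extension that carries the real selected version, so a TLS 1.3 server is not misreported as TLS 1.2. The sample records it checks are constructed inside the block, not real captures. Treating TLS 1.1 as "migrate" rather than "prohibited" is an assumption, following the PCI SSC's description of early TLS as TLS 1.0 and in some cases 1.1; adjust `classify_version` to your acquirer's guidance.

```python
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# RFC 8446: a TLS 1.3 server advertises 0x0303 in the legacy version field
# and places the version it actually selected in this extension.
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated protocol version and cipher suite from a raw TLS
    record (5-byte record header + handshake message) carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hs[0:2])
    pos = 2 + 32                      # skip legacy_version and the 32-byte random
    pos += 1 + hs[pos]                # skip session_id (length-prefixed)
    if pos + 3 > len(hs):
        raise ValueError("truncated ServerHello")
    (cipher,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + 1                      # cipher suite, then compression method
    if pos + 2 <= len(hs):            # the extensions block is optional
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                (version,) = struct.unpack("!H", hs[pos:pos + 2])
            pos += elen
    return {"version": version, "cipher": cipher}


def classify_version(version: int) -> str:
    """PCI DSS status of a negotiated version. SSL 3.0 and TLS 1.0 are the
    SSL/early TLS that may not be used after June 2018. Treating TLS 1.1 as
    needing migration is an assumption (PCI SSC counts it as early TLS in
    some cases and recommends TLS 1.2 or higher)."""
    if version <= 0x0301:
        return "prohibited"
    if version == 0x0302:
        return "migrate"
    return "ok"


def check_record(record: bytes) -> str:
    info = parse_server_hello(record)
    name = VERSION_NAMES.get(info["version"], hex(info["version"]))
    return f"{name}: {classify_version(info['version'])}"


def build_server_hello(version: int, cipher: int, extensions: bytes = b"") -> bytes:
    """Constructed sample record (not a real capture) for exercising the parser.
    For TLS 1.3 pass version=0x0303 plus a supported_versions extension."""
    random = bytes(32)                # fixed zeros are fine for a sample
    hs = struct.pack("!H", version) + random + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if extensions:
        hs += struct.pack("!H", len(extensions)) + extensions
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!H", min(version, 0x0303)) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    tls13_ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + struct.pack("!H", 0x0304)
    samples = {
        "legacy terminal gateway": build_server_hello(0x0301, 0x002F),
        "updated payment site":    build_server_hello(0x0303, 0xC02F),
        "modern payment site":     build_server_hello(0x0303, 0x1301, tls13_ext),
    }
    for label, rec in samples.items():
        print(f"{label}: {check_record(rec)}")
```

Feed `check_record` the first server-to-client record of a captured handshake (for example, the bytes of the ServerHello record exported from a packet capture) and it tells you which protocol the endpoint really settled on, which is the fact an acquirer asks for when a solution's vendor claims "TLS" without saying which version.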

11 Mastercard and Visa Merchant PCI Levels
Merchant level criteria (Visa or Mastercard transactions in a 12-month period):
- Level 1: over 6 million transactions
- Level 2: between 1 million and 6 million transactions
- Level 3: between 20,000 and 1 million e-commerce transactions
- Level 4: fewer than 20,000 e-commerce transactions, or fewer than 1 million total transactions

12 Transaction Volume Aggregation: Factors to Determine PCI Merchant Level
- Counts transactions of any brand bearing a PCI SSC member logo
- The level is set on transaction volume for a single card brand in a 12-month period
- Includes credit, debit and prepaid/gift cards
- For institutions with more than one campus/location, acquirers must consider the aggregated transaction volume for the whole organization if:
  - the transactions are transmitted through the institution's primary office,
  - the same shared network is used (front-end/back-end network), or
  - there is remote-access capability into the location
- If a merchant is at a higher level with another card brand, Mastercard requires it to validate at that same level

13 PCI Validation Requirements & Reporting to Acquirer
Level 1 to 3 merchants (mandatory reporting to the acquirer):
- ASV scan due quarterly
- SAQ/ROC due one year from notification by your acquirer, or upon request/notification from the card brands
- Level 1: a Report on Compliance (ROC) is required, performed by an ISA or QSA
- Level 2: can use an SAQ; an ISA is required
- Level 3: can use an SAQ
Level 4 merchants (more than 90% of all U.S. merchants):
- Validate PCI compliance annually (same as Levels 1 to 3)
- Can use an SAQ
- Perform a network vulnerability scan quarterly, as required by the SAQ used
- Starting January 31, 2017, any third party used to install new payment acceptance solutions must be a QIR
- Acquirers are mandated to report Level 4 merchants' PCI DSS status

14 Self Assessment Questionnaire
Applies to higher education merchants who are self-assessing.
- A validation tool for merchants that are not required to undergo an onsite data security assessment
- Contains the subset of PCI DSS requirements appropriate to the merchant's processing environment
- Attestation of Compliance: the merchant's certification that it has performed the appropriate validation
- Eight different Self Assessment Questionnaires (SAQs) for merchants are currently in use

15 Self Assessment Questionnaire Types
Eligibility for each SAQ: use the self-assessment questionnaire that applies to how payment cards are processed.
- SAQ A: card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced. Would never apply to face-to-face merchants.
- SAQ A-EP: e-commerce merchants using a third party for payment processing. Would never apply to face-to-face merchants.
- SAQ B: imprint-only merchants or standalone dial-up terminals. No electronic cardholder data storage; no e-commerce.
- SAQ B-IP: merchants with standalone, IP-connected (to the Internet) terminals. No electronic cardholder data storage; no e-commerce.
- SAQ P2PE-HW: hardware payment terminals included in a validated, PCI SSC-listed P2PE solution. No electronic cardholder data storage; no e-commerce.
- SAQ C-VT: virtual terminal accessed by the merchant via a browser on the Internet. No e-commerce.
- SAQ C: IP terminals, or POS systems connected to the Internet. No electronic cardholder data storage; no networked devices.
- SAQ D: all other merchants (not included above) and all service providers defined by a payment brand as eligible to complete an SAQ. Exclusions: n/a.

16 SAQ Review and Selection: Questions to Ask
- Do I have more than one acceptance environment (card present, e-commerce, etc.)?
- How is my level being determined?
- Am I completing multiple SAQs based on my environment, or one SAQ for the institution?
- Will I have only P2PE-validated solutions?
- Am I storing any cardholder data?
- Am I outsourcing any processing where it is hosted by a third party, off my network?
- Am I eligible for another SAQ besides SAQ D?
- Is my environment one consistent, identical process across the campus/system-wide?

17 PCI Validation Requirement & Reporting to Acquirer: Level 2 & 3 Institutions
Things to do, with due dates:
- Complete the PCI Contact Information Form and the Prohibited Data Retention Attestation Form. Due: TBD.
- Run network security scans through an Approved Scanning Vendor (ASV), address all identified High vulnerabilities, and submit the network scan reports to the acquirer. Due: quarterly.
- If the organization is not PCI DSS compliant, report compliance status quarterly using the PCI DSS Prioritized Approach document. Due: quarterly.
- If your organization is PCI DSS compliant, or when full compliance is reached, submit the appropriate required documentation. Annual revalidation is required 12 months from the date of the previous validation (SAQ submission). Due: upon PCI DSS compliance and annually thereafter.

18 Prioritized Approach if Not PCI DSS Compliant
- Tracked for progress
- Submitted quarterly to your acquirer
- Reported to the card brand
- Card brand enforcement actions on non-compliant institutions: penalties can still apply while on the Prioritized Approach

19 Compliance-Enabling Technologies

20 What Are Compliance-Enabling Technologies?
- A product (or service) that reduces the impact of PCI DSS
- Not a PCI requirement
- Does not replace PCI DSS or its requirements
- Can benefit in the long term
- Not one-size-fits-all

21 Third Party Hosted Solutions
A service provider processes payment acceptance on your behalf.
Numerous benefits:
- Security
- Reduces your PCI scope
- May reduce cost
Consider the risks:
- The solution may not be PCI compliant
- These are still YOUR transactions (liability)
- The third party's financial strength
- Indemnification to you
- Other gaps: services not covered (check the service-provider requirements, including Req. 12.9); is a back-office function still receiving cardholder data?

22 Tokenization
- A form of PAN replacement that substitutes a derived value for the PAN
- A tokenization server creates tokens, tracks the relationship of tokens to PANs, and translates tokens back into PANs
- A true token is NOT reversible: the PAN can be recovered only through the tokenization system, never from the token alone
- The PCI SSC Information Supplement "PCI DSS Tokenization Guidelines" describes three ways a token can be generated:
  - a mathematically reversible cryptographic function
  - a one-way, non-reversible cryptographic function
  - assignment through an index function, sequence number, or a randomly generated number
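To make two of the three generation methods concrete, here is an added Python example (not code from the deck or from any Chase product) of a minimal tokenization server: `hmac_token` is the one-way cryptographic method, and `TokenVault` is index-style assignment with a randomly generated, format-preserving token whose PAN can only be recovered through the vault's own mapping, which is exactly why the vault, not the systems holding tokens, stays in scope. The reversible cryptographic method is left out because a proper format-preserving cipher is not in the standard library. The PAN in the demo is the conventional 4111... test card number, not a live PAN; the rule that a token must fail the Luhn check (so it can never be mistaken for or replayed as a real PAN) is a design choice of this example; and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that real card PANs satisfy."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hmac_token(pan: str, key: bytes) -> str:
    """One-way, non-reversible token: a keyed hash of the PAN.
    Deterministic (same PAN, same token), so it supports matching across
    systems, but nothing in the token lets the holder recover the PAN.
    Whoever holds the key can still enumerate the small PAN space and test
    candidates, so the key must be guarded as carefully as the vault."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index-style tokenization server (an assumed design for this example):
    hands out a random token of the same length as the PAN, keeps the last four
    digits for receipts and lookups, and stores the token<->PAN mapping only
    in its own tables. Only this component can translate a token back."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
            raise ValueError("input is not a plausible PAN")
        if pan in self._token_by_pan:         # multi-use token: stable per PAN
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice: reject candidates that pass Luhn, so a token can
            # never be mistaken for a live PAN, and reject collisions.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """The only path from token back to PAN: the vault's own mapping."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"             # conventional test number, not a live card
    tok = vault.tokenize(test_pan)
    print("token issued:", tok, "(passes Luhn:", luhn_valid(tok), ")")
    print("vault lookup:", vault.detokenize(tok) == test_pan)
    print("one-way token:", hmac_token(test_pan, b"demo-key")[:16], "...")
```

The practical point for scoping: a merchant system that holds only `tok` and no access to `TokenVault` cannot produce the PAN, while a system that holds `hmac_token` outputs plus the key can still be used to confirm candidate PANs, which is why the one-way method does not by itself take the key holder out of scope.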

23 Tokenization & PCI Impact
PCI compliance impact: potentially eliminates cardholder data storage, which can
- reduce the scope and cost of PCI DSS compliance
- reduce risk in the event of compromise
Limitations:
- Tokenization occurs after authorization, so it does not address acceptance: the system accepting transactions can perpetuate an in-scope cardholder data environment within the merchant's systems
- May require integration into existing systems
- E-commerce payment acceptance may require a hosted pay page to further reduce PCI impact

24 Point-to-Point Encryption (P2PE)
- Card data is encrypted at the swipe
- Secure hardware performs the encryption
- Decryption occurs outside the merchant environment
- No decryption key material in the merchant environment: REQUIRED to achieve scope reduction
- Implementation is key
- An encrypted Primary Account Number (PAN) is still considered PAN unless these conditions are met

25 Point-to-Point Encryption and PCI Impact
- Point of swipe/dip encryption using PCI SSC-listed P2PE solutions
- A combination of processes with a service provider
- Eligible to validate PCI DSS using SAQ P2PE-HW
- The PCI DSS impact on the merchant environment is potentially minimized if cardholder data is encrypted when read, AND decryption occurs outside the merchant environment, AND no key material exists in the merchant environment, assuming no other cardholder data is stored, processed, or transmitted anywhere in the University's environment
End-to-end encryption solutions from an acquirer:
- Typically not P2PE-validated at this point
- May provide greater flexibility, cardholder data security and/or comfort for the institution
- Can be eligible for reduced PCI DSS validation

26 Outsourced E-commerce Payment Acceptance
Page-integrated encryption:
- Cardholder data is encrypted in the consumer's device/browser
- Cardholder data does not enter the institution's e-commerce environment
- Decryption and payment processing are performed on the third party's site
Hosted payment page/form:
- Cardholder data does not enter the institution's e-commerce environment
- Payment processing is performed on the third party's site
In both cases the merchant's e-commerce site can be excluded from PCI scope, but the web/Internet security risk remains.

27 Additional Resources
- Chase Paymentech: Cardholder Data Security
- PCI Security Standards Council: validated payment applications, PTS certified devices, QSA and ASV lists, questionnaires, Prioritized Approach, information supplements
- Mastercard: Site Data Protection Program
- Visa (CA): Account Information Security; Visa (US): Cardholder Information Security

28 Appendix

29 Prioritized Approach: Six Milestones
Prioritized Approach summary, milestone goals:
1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember: if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.
2. Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding.
3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
Source: PCI Security Standards Council, Prioritized Approach

30 Action Items: PCI DSS Compliance Reporting to J.P. Morgan
For Level 1-3 merchants that recently received a Merchant Level letter from J.P. Morgan:
- Complete the attached PCI Contact Information Form and Prohibited Data Retention Attestation Form and return them to your Relationship Manager or PCI_Compliance@chase.com. Due: September 15*. Storing prohibited data or failing to return the attestation form will result in monthly fines beginning April* and escalating every three months.
For all Level 1-3 merchants:
- Schedule network security scans through an Approved Scanning Vendor (ASV), address all identified High vulnerabilities, and submit the network scan report to J.P. Morgan via your Relationship Manager. Due: quarterly, by the 15th of September*, December*, March and June, and each subsequent quarter.
- If your organization is not PCI DSS compliant, report compliance status quarterly to J.P. Morgan using the PCI DSS Prioritized Approach document; this is needed until you reach PCI DSS compliance. A copy of the Prioritized Approach Tool can be downloaded from the PCI Security Standards Council website. Due: quarterly, on the same schedule.
- If your organization is PCI DSS compliant, or when full compliance is reached, submit a Self Assessment Questionnaire (SAQ) including a signed Attestation of Compliance (AOC). Level 1 merchants must submit their copy of the Report on Compliance (ROC). Annual revalidation is required 12 months from the date of the previous validation; failure to revalidate may result in fines. Due: upon PCI DSS compliance and annually thereafter.
* The same year the notification letter is received.

31 Non-compliance: Risks from Fines
- Mastercard and Visa: fines up to $600k annually per brand
- Differs for other card brands; check with the respective brands
Data breach liability: may incur assessments from the card brands, including
- fraud loss recovery
- card re-issuing cost
- costs associated with cardholder data loss
- remediation: between $68 and $363 per record lost (Ponemon Institute's 2015 Global Cost of Data Breach Study)

32 Mastercard and Visa Non-Compliance Assessments
Mastercard (initial enforcement date; quarterly assessment):
- Levels 1 and 2: 12 months from date of notification; 1st up to $25,000, 2nd up to $50,000, 3rd up to $100,000, 4th up to $200,000
- Level 3: 12 months from date of notification; 1st up to $10,000, 2nd up to $20,000, 3rd up to $40,000, 4th up to $60,000
Visa (initial enforcement date; monthly assessment):
- Level 1: Sept. 30 of the year following notification; $25,000
- Level 2: Dec. 31 of the year following notification; $5,000
- Level 3: N/A

33 PCI Security Standards Council Accreditations: What We Look For
Assessment:
- Internal Security Assessor (ISA): merchant resource certified to validate compliance with PCI DSS
- Qualified Security Assessor (QSA): independent third party certified to validate compliance with PCI DSS
- Payment Application QSA (PA-QSA): independent third party certified to evaluate compliance of payment applications with the PA-DSS
- Point-to-Point Encryption QSA (P2PE-QSA): independent third party certified to evaluate compliance of point-to-point encryption implementations
Network scanning:
- Approved Scanning Vendor (ASV): independent third party accredited to perform network vulnerability scans
Forensics investigation:
- PCI Forensic Investigator (PFI): independent third party accredited to perform a forensic investigation in the event of a suspected cardholder data breach
Laboratory:
- PCI Recognized Laboratory: independent third party certified to validate compliance with the PIN Transaction Security (PTS) standards
Other:
- Qualified Integrator/Reseller (QIR): software integrators, resellers, implementers, installers and technicians trained to assist merchants with the secure installation, configuration and maintenance of validated payment applications in a manner that supports PCI DSS compliance


More information

PCI compliance the what and the why Executing through excellence

PCI compliance the what and the why Executing through excellence PCI compliance the what and the why Executing through excellence Tejinder Basi, Partner Tarlok Birdi, Senior Manager May 27, 2009 Agenda 1. Introduction 2. Background 3. What problem are we trying to solve?

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1:

More information

Payment Card Industry Data Security Standards Version 1.1, September 2006

Payment Card Industry Data Security Standards Version 1.1, September 2006 Payment Card Industry Data Security Standards Version 1.1, September 2006 Carl Grayson Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS v1.1 in More Detail Discussion, Questions and

More information

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Effective Data Security Measures on Payment Cards through PCI DSS 2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Learning Bites Comprehend the foundations, requirements,

More information

The PCI Security Standards Council

The PCI Security Standards Council The PCI Security Standards Council 2/29/2008 Agenda The PCI SSC Roles and Responsibilities How To Get Involved PCI SSC Vendor Programs PCI SSC Standards PCI DSS Version 1.1 Revised SAQ 2/29/2008 2 The

More information

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council All the Latest Data Security News Best Practices and Compliance Information From the PCI Council 1 What is the PCI Security Standards Council? Collaboration Education Simplified solutions for merchants

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Merchants Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission This

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Document2 Section 1: Assessment Information Instructions for

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Version 3.2 Section 1: Assessment Information Instructions for Submission This document

More information

David Jenkins (QSA CISA) Director of PCI and Payment Services

David Jenkins (QSA CISA) Director of PCI and Payment Services David Jenkins (QSA CISA) Director of PCI and Payment Services PCI and the Cloud, where is my Atlas Agenda About Cognosec PCI DSS 3.0 and CSPs SLA Considerations Technical considerations Auditing About

More information

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics Managing Risk in the Digital World Jose A. Rodriguez, Director Visa Consulting and Analytics What is driving the security landscape? Innovation New entrants New technologies New business models Data Compromises

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase Advanced Certifications PA-DSS and P2PE Erik Winkler, VP, ControlCase ControlCase Annual Conference Miami, Florida USA 2017 PCI Family of Standards Ecosystem of payment devices, applications, infrastructure

More information

GUIDE TO STAYING OUT OF PCI SCOPE

GUIDE TO STAYING OUT OF PCI SCOPE GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments - Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

June 2012 First Data PCI RAPID COMPLY SM Solution

June 2012 First Data PCI RAPID COMPLY SM Solution June 2012 First Data PCI RAPID COMPLY SM Solution You don t have to be a security expert to be compliant. Developer: 06 Rev: 05/03/2012 V: 1.0 Agenda Research Background Product Overview Steps to becoming

More information

Data Security Standard

Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage

More information

PCI DSS Q & A to get you started

PCI DSS Q & A to get you started 1 PCI DSS Q & A to get you started The, in cooperation with a technical and training company Accel PCI, has produced a Question and Answer (Q & A) document to get you started on becoming Payment Card Industry

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly?

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly? White paper PCI DSS How do you manage your customers payment card details securely and responsibly? Inhalt Introduction 3 Gaining trust Definition 4 What is PCI DSS? Objectives 6 What is the purpose of

More information

Self-Assessment Questionnaire A

Self-Assessment Questionnaire A Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance All cardholder data functions outsourced. No Electronic Storage, Processing, or Transmission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Report on Compliance. PCI DSS v3.2.1 Template for Report on Compliance. Revision 1.

Payment Card Industry (PCI) Data Security Standard Report on Compliance. PCI DSS v3.2.1 Template for Report on Compliance. Revision 1. Payment Card Industry (PCI) Data Security Standard Report on Compliance PCI DSS v3.2.1 Template for Report on Compliance Revision 1.0 June 2018 Document Changes Date Version Description February 2014 July

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Hardware Payment Terminals in a Validated P2PE Solution only, No Electronic Cardholder

More information

Webinar: How to keep your hotel guest data secure

Webinar: How to keep your hotel guest data secure Webinar: How to keep your hotel guest data secure Securing your hotel guest data Wednesday April 18, 2018 2:00 pm ET WEBINAR HOST Joshua Molina Ed Vasko Chief Executive Officer QUESTIONS? Type them in

More information

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS How do you manage your customers payment card details securely and responsibly? White paper PCI DSS Contents Introduction Gaining trust 3 Definition What is PCI DSS? 4 Objectives What is the purpose of

More information

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry Internal Security Assessor: Quick Reference V1.0 PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card

More information

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier Welcome! PCI DSS Addressing Cyber-Security Threats ETCAA June 2017 - Gabriel Leperlier Short Bio Current Position Head of Continental Europe Advisory Services at Verizon. Managing 30+ GRC/PCI/Pentest Consultants

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Introduction to the PCI DSS: What Merchants Need to Know

Introduction to the PCI DSS: What Merchants Need to Know Introduction to the PCI DSS: What Merchants Need to Know Successfully managing a business in today s environment is, in its own right, a challenging feat. Uncertain economics, increasing regulatory pressures,

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

IBM Managed Security Services - Vulnerability Scanning

IBM Managed Security Services - Vulnerability Scanning Service Description IBM Managed Security Services - Vulnerability Scanning This Service Description describes the Service IBM provides to Client. 1.1 Service IBM Managed Security Services - Vulnerability

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server

Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server Frequently Asked Questions November 2017 Introductory

More information

PCI DSS v3. Justin

PCI DSS v3. Justin PCI DSS v3 Justin Leapline justin.leapline@giftcards.com @jmleapline My Experience With PCI Just to lay the groundwork Currently work at Largest ecommerce in Pittsburgh My experience includes: QSA Acquirer

More information

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+

More information

PCI & You: more than you wanted to know.

PCI & You: more than you wanted to know. PCI Training PCI & You: more than you wanted to know. Presented by: Date: Jason Murray February 1, 2017 Payment Card Industry Security Standards Many Different Forms of Payment Pay Now Pay Later Pay in

More information

Evolution of Cyber Attacks

Evolution of Cyber Attacks Update from the PCI Security Standards Council Troy Leach, CTO, PCI Security Standards Council Evolution of Cyber Attacks Viruses Worms Trojan Horses Custom Malware Advanced Persistent Threats 1 Modern

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Data Sheet The PCI DSS

Data Sheet The PCI DSS Data Sheet The PCI DSS Protect profits by managing payment card risk IT Governance is uniquely qualified to provide Payment Card Industry (PCI) services. Our leadership in cyber security and technical

More information

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0. Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 1,

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.1 February

More information

Credit Union Service Organization Compliance

Credit Union Service Organization Compliance Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

UCSB Audit and Advisory Services Internal Audit Report. Credit Cards PCI Compliance. July 1, 2016

UCSB Audit and Advisory Services Internal Audit Report. Credit Cards PCI Compliance. July 1, 2016 Internal Audit Report Credit Cards PCI Compliance July 1, 2016 Performed by: Jessie Masek, Associate Director Antonio Manas-Melendez, Principal Auditor Laurie Liao, Staff Auditor Approved by: Robert Tarsia,

More information

The Future of PCI: Securing payments in a changing world

The Future of PCI: Securing payments in a changing world The Future of PCI: Securing payments in a changing world Lauren Holloway 2014 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda Nature of the

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B-IP and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B-IP and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B-IP and Attestation of Compliance Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals No Electronic

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

PCI Compliance. Network Scanning. Getting Started Guide

PCI Compliance. Network Scanning. Getting Started Guide PCI Compliance Getting Started Guide Qualys PCI provides businesses, merchants and online service providers with the easiest, most cost effective and highly automated way to achieve compliance with the

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres How to Take your Contact Centre Out of Scope for PCI DSS Reducing Cost and Risk in Credit Card Transactions for Contact Centres 1 2 Contents 4 Executive Summary 6 PCI DSS Background 8 PCI DSS What s Involved

More information

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1 AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social

More information