PCI COMPLIANCE IS NO LONGER OPTIONAL

Transcription

1 PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry Data Security Standards (PCI DSS). These standards require all merchants accepting credit and debit cards to provide annual proof that you are compliant with industry regulations. Participation in a certified PCI DSS compliance program is required of every merchant, for every MID, regardless of your bank or processor. Non-compliance can result in costly fees and the boosted threat of a security breach. Fortunately, we make it easy for you comply with all PCI mandates. So you can meet industry regulations, protect your cardholder data and protect your financial resources, all with one simple program. Just a Few Easy Steps and You re Compliant: Our program gives you access to a simple online questionnaire that will help ensure that you are compliant; We send proof of your compliance to the Card Associations when you have successfully completed the questionnaire; and We provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them. The PCI Security Standards website, explains the certification process and lists approved QSAs. Please refer to the instructions on the next page for help navigating through the required Self-Assessment Questionnaire (SAQ). We ve also included a graphical navigation guide on pages 3-11 for additional help. Page 1

2 Complete These Simple Steps to Certify Compliance: 1. Access the following URL, on or after April 1, 2015, through your web browser: Please note: The mybackofficetools.com link will take you to VIMAS, an interactive tool that will help you navigate to the Self-Assessment Questionnaire. If you are a first-time VIMAS user, your temporary user name is your full Merchant ID Number (MID) and your temporary password is Cynxxxx, where the x s are the last four digits of your Social Security Number; for instance, if the last four digits of your SSN is 1234, the password would be Cyn1234. Once logged in, you will be prompted to create a password of your choice. 2. After logging in, a link to the Merchant PCI Compliance Program can be found in the Extras/Priorities box in the upper right hand corner of your screen. 3. Click the Merchant PCI Compliance Program hyperlink. 4. You will be taken to a main menu. Click the View Registration Information hyperlink. It is very important to ensure your address is correct so that you can receive all PCI status and confirmation s. If your information is not correct, please click the Merchant Profile menu at the top. Then click Merchant Address. Then, in the box, type in your correct address. Click Save. 5. Click the Begin/Resume PCI Questionnaire hyperlink. 6. You will be prompted to answer six simple yes or no questions about your processing environment. 7. When you have answered all six questions, a Review Questionnaire screen will load where you can either edit your answers or begin the Self-Assessment Questionnaire (SAQ) by clicking the Begin Test button. 8. If you choose to complete the SAQ at another time, or must stop for any reason and access the system later, you can access the SAQ by clicking the Begin/Resume PCI Questionnaire button on the PCI main menu. 9. Complete the SAQ. When you have finished, you will be asked to attest to the information you have entered, and you will be able to print your validation of compliance. 10. VERY IMPORTANT: Please print the validation you receive for your records and keep it in a safe place. This will serve as proof that you have successfully completed the SAQ. NOTE: Completion of the SAQ is required prior to May 29, 2015, to avoid being assessed a monthly non compliance fee until certification is proven. If you are already certified for 2015 from an approved ASV/QSA, you must submit your certification of compliance prior to April 29, 2015, to avoid being billed the annual PCI compliance fee. You may submit your proof in one of the following ways: >> By fax to (keep a copy of your successful fax transmission receipt) >> By mail (return receipt requested) to: Processing Cen ter Customer Serv ice P.O. Box 246 Alpharetta, GA Certification must be completed every year for every one of your MIDs. For more information, please call the number listed in your letter. Please print your validation for your records and keep it in a safe place. This validation serves as proof that you have successfully completed the required SAQ. Page 2

3 STEP 1: Log Into VIMAS First Time VIMAS Users: Access this link: Log in using your full Merchant ID Number (MID) as the Username Your temporary password is Cyn followed by the last four digits of your Social Security Number; e.g., Cyn1234 Returning Users: Log into VIMAS using your normal procedures If you need to reset your password the system will automatically prompt you. Simply key your new password in both fields and click Renew. Note: The Reset button is to clear fields if you make an error when keying your new password. Page 3

4 STEP 2: Launch the PCI Questionnaire Click the Merchant PCI Compliance Program hyperlink (the third hyperlink under Extras/Priorities box) to access the main menu of the Self-Assessment Questionnaire (SAQ). STEP 3: View Your Registration Information Click the View Registration Information hyperlink Page 4

5 STEP 4: Review Your Contact Information Review the information on this screen, to confirm that your contact information, including your address, is accurate. If your information is not correct, please click the Merchant Profile menu at the top. Then click Merchant Address. Then, in the box, type in your correct address. Then click Save. Once you have reviewed your information, then click Return to Main Menu. Page 5

6 STEP 5: Begin/Resume PCI Questionnaire Click the Begin/Resume PCI Questionnaire hyperlink. Six Preliminary Questions Will Appear You will be be prompted to answer a series of six yes or no questions about your processing environment. Clicking Yes or No automatically navigates you to the next screen. Please note that you must answer all questions before you can begin the Self Assessment Questionnaire (SAQ). Page 6

7 STEP 6: Confirm Preliminary Information Questions If you need to edit an answer, simply check the applicable box and click the Edit Answers button. If all answers are correct, click the Begin Test button. Then, the Self Assessment Questionnaire will load. You must answer all questions in order to complete the questionnaire and certify your validation of compliance. If you need to stop for any reason, your previous answers will be saved. You can then log back into VIMAS at a later time and click the Begin/Resume PCI Questionnaire link to finish. Page 7

8 STEP 7: Complete Attestation A screen will load with a Confirm Attestations link. You must check each checkbox to attest that you have completed the Self Assessment Questionnaire (SAQ). Then, fill in the required fields (Executive Name, Executive Title and ), and click the Confirm Attestations button. Please print and keep a copy of this page for your records. Page 8

9 For SAQ C: This Screen Appears Important: If you are chosen to complete SAQ C, you ve indicated that you have a website or payment application that is attached to the Internet. Under PCI regulations, a scan of your website or application on a quarterly basis is required. Please expect an from donotreply@mybackofficetools.com. This will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an from Comodo (noreply_support@comodo.com), within 48 business hours with additional instructions. If you do not receive either of the two s above, please contact the customer support number listed in your merchant PCI letter. Page 9

10 For SAQ D: This Screen Appears Important: If you are chosen to complete SAQ D, please ensure you read the instructions carefully. NOTE: Only hosting or service providers (such as shopping cart providers) should complete this SAQ and a required network scan. Page 10

11 FOR SAQ D Important: Required Scan Information Important: Although you completed the SAQ, you will be required to perform a scan. Please expect an from donotreply@mybackofficetools.com. This will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an from Comodo (noreply_support@comodo.com), within 48 business hours with additional instructions. If you do not receive either of the two s above, please contact the customer support number listed in your merchant PCI letter. Page 11

12 the TWELVE basic STEPS TO UNDERSTANDING achieving PCI PCI COMPLIANCE compliance Payment Card Industry Data Security Standard (PCI DSS) Requirements PCI DSS requirements are global data security standards that any business of any size must adhere to in order to accept payment cards, and to store, process and/or transmit cardholder data. Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security For more information, visit the PCI Security Standards Council website at Page 12

13 MERCHANT PCI compliance UNDERSTANDING programpci COMPLIANCE Frequently Asked Questions Q: What is the PCI DSS? A: PCI DSS stands for Payment Card Industry Data Security Standards and represents a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements, are non-compliant, in violation of the card brand rules, and can be easily breached in a number of ways. The consequences for non-compliance are severe; the payment brands may, at their discretion, impose fines and penalties at a minimum of $5,000 for a single data breach. Plus, merchants risk having their card-processing privileges revoked, leaving them unable to accept customer payment cards. All of this collectively results in a loss of revenue. For more information about PCI DSS, please visit Q: To whom does PCI apply? A: PCI applies to ALL organizations or merchants, regardless of size, that accept, transmit, or store any payment card information. Q: What do I have to do in order to satisfy the PCI requirements? A: To satisfy the requirements of PCI, all merchants must complete these steps: NOTE: Please see definitions of Merchant Levels in the question below this one. Level 1 merchants must complete an annual Onsite assessment by a PCI SSC approved Qualified Security Assessor (QSA), plus an Attestation of Compliance from a Report on Compliance (ROC), plus a Quarterly Network Scan. Level 2, 3, and 4 merchants must complete an annual self-assessment questionnaire ( SAQ ), a quarterly network scan. Note that this only applies to merchants with externally facing IP addresses; e.g., e-commerce merchants or merchants who utilize a payment gateway/shopping cart), by an Approved Scanning Vendor ( ASV ), and complete an Attestation of Compliance. Complete the appropriate version (currently A, B, C, CVT or D) of the SAQ in accordance with the PCI Security Council s guidelines. All merchants who are already certified for 2015, or whose certificate of compliance is not due to expire MUST submit proof of compliance by April 29, 2015, via one of the following methods: By mail: Processing Center Customer Service P.O. Box 246 Alpharetta, GA By Fax: Attention: Customer Service, at All merchants must be PCI DSS compliant and use PA-DSS (Payment Application Data Security Standards) compliant applications. Page 13

14 MERCHANT PCI compliance UNDERSTANDING programpci COMPLIANCE Frequently Asked Questions Q: How are the different Merchant Levels defined? A: The following table defines the levels: 1 Any Merchant that processes over 6 million Visa or MasterCard transactions per year (regardless of whether the transactions are e-commerce or not), OR Any Merchant that is declared to be Level 1 by any Card Association Any Merchant that has suffered a security incident or attack that resulted in an account data compromise 2 Any Merchant processing 1 million to 6 million Visa or MasterCard transactions per year. 3 Any Merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing fewer than 1 million transactions per year. Q: What is the Self-Assessment Questionnaire (SAQ)? A: The PCI DSS SAQ is a validation tool for merchants to assist in self-evaluating compliance with the PCI DSS. All merchants are required to complete the annual SAQ, attest to the information they ve entered and print and save their Attestation of Compliance. This means that you are meeting the PCI DSS requirements. Q: What is a Qualified Security Assessor (QSA)? A. Qualified Security Assessors are organizations that have been qualified to have their employees assess compliance to the PA-DSS standard. They have been certified to validate an entity s adherence to the PA-DSS standard. Q: What is an Approved Scanning Vendor? A. Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet facing environments of merchants and service providers. Q: Why do I need a scan? A. The Card Associations require all merchants with externally- facing IP addresses (e-commerce merchants or merchants who utilize a payment gateway/shopping cart) to undergo a quarterly network scan by an Approved Scanning Vendor ( ASV ), and complete an attestation of compliance. The scan checks your website and IP addresses to ensure there are no vulnerabilities subject to outside attacks. Page 14

15 MERChANT PCI COMPLIANCE UNDERSTANDING PROGRAMPCI COMPLIANCE Frequently Asked Questions Q: How do I validate my compliance? A: After you complete your SAQ, you will be asked to attest to the information you entered and print your validation of compliance. That is all you need to do, because our system will notify us that you have completed the SAQ. If you have already been certified for 2015, you must submit your certification of compliance from an approved ASV/QSA by no later than April 29, 2015, to avoid the annual PCI billing fee for our program. If you are not certified for 2015, you must complete your SAQ prior to May 29, 2015, in order to avoid a monthly PCI non-compliance fee until you complete the SAQ. You may submit your certification in one of the following ways: Via fax: (keep a copy of your successful fax transmission receipt), or Via mail: Processing Center Customer Service P.O. Box 246 Alpharetta, GA Q: What am I getting for the PCI program annual fee? A: The annual fee covers the cost for us to manage the program as required by the Card Associations. Through our program, you ll be given access to our online SAQ, and we ll submit proof of your compliance directly to the Card Associations. We also provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them. Page 15