How do you manage your customers' payment card details securely and responsibly? PaySquare white paper on PCI DSS

Contents

Introduction: Gaining trust
Definition: What is PCI DSS?
Objectives: What is the purpose of PCI DSS?
PCI DSS requirements: How do you achieve the PCI DSS objectives?
Four categories: What business are you in?
Practice (1): How do you comply with the PCI DSS requirements?
Practice (2): How do you remain compliant with the PCI DSS requirements?
Fighting fraud together: Where does your responsibility begin and end?
Risks: What are some of the types of fraud which might occur?
Clarification: Misunderstandings about PCI DSS
Terminology: PCI DSS glossary
Further information

Introduction: Gaining trust

You want to give your customers the opportunity to pay by credit card or international debit card, because ease of payment and the security of payment cards make it more likely that customers will spend money. In other words, credit and debit cards help you generate higher revenues. However, this also gives your business an additional responsibility: cardholders assume that their card details are in safe hands with you. As the recipient of the cardholder's payment, you are partly responsible for the security of this data.

To make this manageable, the major card schemes, including Visa and MasterCard, have developed a security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Your business may only accept card payments if it complies with the PCI DSS requirements. Your suppliers, such as Payment Service Providers (PSPs) and payment terminal suppliers, must also satisfy these requirements. This is how the parties in the payment chain work together to make payment transactions more secure.

PCI DSS naturally imposes a number of obligations on you, but the reward is worth far more: your customers will trust your business and buy from you without hesitation. At the same time, you protect your business from the charges and fines that can follow the theft and abuse of card details.

This PaySquare white paper explains PCI DSS and its background. It describes how you can increase your customers' trust in you, which measures you must take to satisfy the standard, and for which areas you, as a business, are and are not liable.

Definition: What is PCI DSS?

To create a transparent framework for the security of payment card details, the major card schemes have set a number of requirements for all parties involved in card payment transactions. Collectively, these requirements constitute the Payment Card Industry Data Security Standard (PCI DSS).

Primary Account Numbers

PCI DSS applies wherever Primary Account Numbers (PANs), i.e. complete card numbers, are stored, processed, transmitted or received. Other card details (such as the cardholder's name and the card's expiry date) need protection only when you process or store them together with the related PAN. Sensitive authentication data, i.e. the card verification code (CVC2/CVV2, printed on the back of the card), the PIN and the full track data from the magnetic stripe or chip, must never be stored after authorisation, under any circumstances, not even in encrypted form. As a general rule, store as few card details as possible.

The figure in the original white paper shows a MasterCard with six numbered data elements; the same classification applies to all payment cards:

Sensitive authentication data, which must not be stored under any circumstances:
- Track data (the complete card data held on the magnetic stripe (1) or chip (2))
- Card verification code (the 3-digit CVC2/CVV2 printed next to the signature strip on the back of the card (3))
- PIN

Cardholder data that may be stored, provided this is necessary for business operations and is done in compliance with PCI DSS (in practice: the PAN rendered unreadable by encryption, truncation, tokenisation or hashing, with access restricted):
- PAN (Primary Account Number, the full card number (4))
- Cardholder's name (5)
- Expiry date (6)

The following details may be stored in unencrypted form, provided they are not linked to other cardholder details: transaction amount, transaction date and transaction authorisation code.

Basic standard

PCI DSS has become the baseline standard for securing cardholder data. The standard is designed to help businesses establish and implement an effective security policy. To be able to accept payment cards, you must therefore satisfy the PCI DSS requirements. By complying with PCI DSS, you protect your customers and strengthen the foundation of your business.

Liability

If you are negligent in securing your customers' card details, you make things easier for those with malicious intentions, which can result in substantial losses. You are liable for direct losses arising from the use of counterfeit payment cards and/or stolen card details, and also for legal expenses, the cost of replacing compromised cards, forensic investigation and reputational damage. In addition, the card schemes may impose a fine and exclude you from accepting payment cards. From a liability point of view alone, there are good reasons to comply with PCI DSS.

Objectives: What is the purpose of PCI DSS?

The card schemes have not imposed PCI DSS as an arbitrary set of rules; on the contrary, the standard is built around six clear objectives for your business. If these objectives are met, your customers can pay with international payment cards in your store or on your website easily, efficiently and securely.

PCI DSS objectives:
1. Build a payment network that is secure and stays secure.
2. Protect the data of the cardholder (your customer).
3. Establish, maintain and update a programme for managing vulnerabilities in your payment systems.
4. Restrict access to your customers' card details to the minimum necessary.
5. Regularly monitor and test your IT infrastructure so that it stays solid and reliable.
6. Maintain a practical and effective information security policy.

PCI DSS requirements: How do you achieve the PCI DSS objectives?

Each objective is backed by practical requirements (twelve in total). Depending on how you accept payments, at least some of them apply to you. Where necessary, involve your suppliers (PSP, payment terminal supplier, software provider, etc.) in implementing them.

Secure payment network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use the default passwords and other security settings supplied by your system vendor.

Protect customers' card details
3. Store payment card details only if strictly necessary. If storage is essential to your business, protect the stored data (render the PAN unreadable and never store sensitive authentication data).
4. If you transmit your customers' card details over public networks, encrypt them properly.

Managing vulnerabilities
5. Use anti-virus software and keep it updated.
6. Develop and maintain secure systems and applications, and apply security updates promptly.

Restriction of access
7. Give employees access to card details on a need-to-know basis only.
8. Give each employee with access a unique username and password (or other personal credential).
9. Restrict physical access to card details.

Monitoring your IT infrastructure
10. Track and monitor all access to the relevant IT components and to cardholder data, and regularly review the logs.
11. Test all security systems and processes regularly.

Information security
12. Maintain an information security policy and regularly check actual practice against it.

Four categories: What business are you in?

Businesses come in many varieties, and the card schemes have taken this into account in setting the PCI DSS validation requirements. Merchants are divided into four levels. The number of card transactions you process per year and the method you use to accept payments determine your level. If you satisfy the requirements for your level, you may call yourself PCI DSS compliant.

Level 1 (physical stores and distance selling: e-commerce, MO/TO)
Criteria: more than 6 million Visa transactions per year; or more than 6 million MasterCard and Maestro transactions combined per year; or any merchant that has suffered a data breach/compromise.
Required action: annual on-site PCI DSS assessment by an external Qualified Security Assessor (QSA) recognised by the PCI SSC (Security Standards Council) or by PCI SSC-accredited in-house staff (Internal Security Assessor), plus quarterly external network scans by an Approved Scanning Vendor (ASV).

Level 2 (physical stores and distance selling: e-commerce, MO/TO)
Criteria: more than 1 million but fewer than 6 million Visa transactions per year; or more than 1 million but fewer than 6 million MasterCard and Maestro transactions combined per year.
Required action: annual Self-Assessment Questionnaire (SAQ), completed by PCI SSC-accredited in-house staff or an external QSA, plus quarterly ASV network scans.

Level 3 (e-commerce only)
Criteria: more than 20,000 but fewer than 1 million Visa e-commerce transactions per year; or more than 20,000 but fewer than 1 million MasterCard and Maestro e-commerce transactions combined per year.
Required action: annual SAQ plus quarterly ASV network scans (policy may vary depending on the acquirer).

Level 4
Criteria: all other businesses accepting payment cards.
Required action: annual SAQ plus quarterly ASV network scans.

Practice (1): How do you comply with the PCI DSS requirements?

Once you start with PCI DSS, common sense is your best guide. Before you read the exact requirements, take stock of the general purposes of the standard; in many cases this already gives you a solid foundation for your PCI DSS project.

Getting started with the SAQ

The Self-Assessment Questionnaire (SAQ) is a good starting point when you first embark on PCI DSS. There are five different questionnaires; which one applies to you depends on how your business accepts card payments. After working through the questions, you will have a good idea of how far you are from secure payment processing. If you already satisfy the requirements, complete the SAQ in full and submit it to your acquirer.

If you would like to get started with PCI DSS now and are a PaySquare customer, contact the Customer Services department to request a password for PaySquare's PCI DSS page. You will find the questionnaire that is right for your company at pci.paysquare.nl.

In most cases, your business will not satisfy all the PCI DSS requirements right away. You can then implement the missing measures yourself or outsource the PCI DSS project to a third-party service provider. The PCI Security Standards Council website lists the assessors, scanning vendors and validated payment applications that can support you in a PCI DSS project.

Practical tips for a successful PCI DSS process

Don't wait, start today
An early start saves costs and puts you a step ahead of your competitors.

Do not store data unless strictly needed
PCI DSS covers storing, processing and transmitting card details, but in many cases storing card details is not necessary at all. Make a list of the details you would like to and/or are required to store, and check whether storage may be happening without your knowledge. The rule of thumb: if you don't need it, don't store it.

Set policies
A clear policy for payment card details gives you a solid foundation. Set procedures for the storage, processing and transmission of card details.

Compare regulations
When storing card details, you may already be subject to specific legal requirements, such as those of the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens). Assess at an early stage whether these requirements are in line with PCI DSS.

Make a gap analysis
PCI DSS requires specialised knowledge. Assess, for each requirement, whether the necessary knowledge is available within your business; if not, hire external experts.

Consult with your suppliers and set out the terms in writing
If you wish to comply with PCI DSS, the providers of hardware and software that process or transmit payment card details on your behalf must also comply. Never simply assume that your suppliers are PCI DSS compliant: ask for proof of compliance (for example an Attestation of Compliance) and record the agreements in a contract. On the PCI Security Standards Council (PCI SSC) website you can also check whether your supplier and/or the hardware and software they have installed have been validated by the PCI SSC.

Contact your suppliers about stored data
You must never, under any circumstances, store track data (the full card details held on the magnetic stripe or chip), because it can be used relatively easily to make counterfeit copies of the card. Likewise, never store the card verification code or the PIN. Some hardware and software stores this data even when that is not intended, so check with your hardware and software supplier(s) whether this is the case with your payment terminal or payment infrastructure.

Discover the data
Find all the data that could be relevant to PCI DSS. Identify every payment channel and data flow, and list all locations where card details could end up (databases, log files, backups, spreadsheets, e-mail).

Always encrypt
Make sure that any card details you send are encrypted.

Use secure Wi-Fi networks only
An unsecured wireless network is not suitable for transmitting card details.

Train your employees
Not every member of staff needs to be a PCI Qualified Security Assessor (QSA), but each of them needs to know what is required to comply with PCI DSS.

Check your POS systems
Point-of-sale systems (for example the link between your cash register, your payment terminal and your administrative software) can be a weak point in securing card details. Make sure your POS system does not store full card details and, above all, never the card verification value/code. It is also not permitted to print the full card number on store receipts: PCI DSS allows at most the first six and last four digits of the PAN to be shown.

Ensure the physical security of your systems
Make sure that only your own, authorised employees have access to your payment systems.

Record the process
Keep a log of the measures you take to comply with PCI DSS.
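The "Discover the data" and "Check your POS systems" tips above, and the storage rules in the Definition section, all come down to one practical task: finding out where full card numbers, track data and verification codes have ended up in logs, exports and POS journals. The following scanner is an added example written for this white paper's readers; it is not PaySquare's code nor part of any PCI SSC tool. It uses the Luhn check to separate real PANs from order numbers and timestamps, recognises the magnetic-stripe track 1 and track 2 layouts and labelled CVV fields, and reports PANs only in the first-six/last-four masked form that PCI DSS permits on receipts and screens. The sample lines and the field names in them (pan=, cvv=) are constructed for the example; the PANs are the public 4111... and 5555... test numbers.

```python
"""Cardholder-data discovery for PCI DSS scoping (added example, not from the white paper).

Scans text lines (logs, database exports, POS journals) for data that must not
be lying around: full PANs, magnetic-stripe track data and card verification
codes. Findings show PANs only in masked form (first six, last four).
"""
import re

# Candidate PAN: 13-19 digits with optional single space/dash separators,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track 1 (format code B): %B<PAN>^<NAME>^<YYMM>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM>...
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Card verification code stored as a labelled field (CVV2/CVC2/CID).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers, invoice ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits (the PCI DSS display maximum)."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) findings for one line of text."""
    findings = []
    track_pans = set()
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            track_pans.add(m.group(1))
            findings.append((kind, mask_pan(m.group(1))))
    for m in CVV_RE.finditer(line):
        findings.append(("CVV", "*" * len(m.group(1))))
    for pan in find_pans(line):
        if pan not in track_pans:  # already reported as part of the track
            findings.append(("PAN", mask_pan(pan)))
    return findings


def scan_lines(lines) -> list[tuple[int, str, str]]:
    """Scan an iterable of lines; returns (line_number, kind, masked_value) tuples."""
    return [(n, kind, value)
            for n, line in enumerate(lines, start=1)
            for kind, value in scan_line(line)]


# Constructed sample input (not real data). Lines 5 and 6 contain long digit
# runs that fail the Luhn check and so must not be reported as PANs.
SAMPLE_LINES = [
    "2024-03-01 10:01:22 order=1001 pan=4111111111111111 exp=12/26 cvv=123",
    "2024-03-01 10:01:23 order=1002 ref=3F9A1B amount=49.95",
    "%B5555555555554444^DOE/JANE^2612101?",
    ";5555555555554444=26121010000000000000?",
    "2024-03-01 10:02:01 order=1003 pan=4111111111111112",
    "invoice 100000000000000 total=100",
]

if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} {value}")
```

Run it over a database dump, a web-server access log or an exported POS journal: any TRACK or CVV finding is a hard violation (that data may never be stored after authorisation), and any PAN finding outside your protected cardholder data environment is either a storage location you did not know about or one that must be encrypted, truncated or deleted.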

Practice (2): How do you remain compliant with the PCI DSS requirements?

Once your payment processing complies with the requirements, you can be confident that your payment transactions are secure and responsible, for you and for your customers. The next step is to make sure that the way you manage payment card details remains compliant in the future.

Practical tips to remain PCI DSS compliant

Keep reminding your staff
Discuss PCI DSS with your employees regularly and set a few clear, straightforward guidelines.

Restrict access
Keep restricting access to card details. Only employees who demonstrably need access to the data to do their work should have a username and password for it, and revoke that access as soon as the need ends.

Delete data on a regular basis
Check at regular intervals which customer data you no longer need, and delete it immediately.

Prepare a worst-case scenario
Minimise the risk of your customers' card details being compromised, but also be prepared for the case where it does happen. Decide in advance what you and your employees must do in such a situation and write this down as an incident response plan.

Keep checking
Check system security and review the control logs regularly.

Fighting fraud together: Where does your responsibility begin and end?

Using payment cards is easy, secure and efficient. Your customers rely on you to use secure technical facilities and to work with reliable partners and suppliers in handling your payment transactions. The card schemes use PCI DSS to support your efforts to protect your customers' card details as effectively as possible. Your responsibility for the security of this data covers the following parts of the payment process:
- the hardware you use to read credit cards and other payment cards presented by your customers;
- the payment terminals you use in your store(s) (POS systems);
- the networks and hardware involved in your payment transactions (servers, wireless routers, modems, etc.);
- the storage, processing and transmission of payment card details;
- the security of the hardware and software of all parties you involve in your payment transactions;
- physical access to key IT components and cardholder data.

Your suppliers have their own security standards

You are not the only business responsible for secure payment transactions; the other parties involved also play a role and must comply with their own PCI standards. For example, you need a payment terminal or online checkout, along with payment software. Separate security standards have been developed for the manufacturers and suppliers of payment terminals (PCI PTS) and for suppliers of payment software (PA-DSS). Under PCI DSS you must always use a payment terminal or application, and partner with a software provider, that complies with these standards. A list of validated payment applications and suppliers is published at pcisecuritystandards.org.

PCI DSS: so what's next?

If you satisfy the PCI DSS requirements, you contribute significantly to the security of data that matters a great deal to your customers.

The card schemes' security standard does not, however, replace other (legal) regulations. For example, when storing, processing and transmitting your customers' card details, you are also required to comply with the Personal Data Protection Act (Wet Bescherming Persoonsgegevens). The law requires you to protect your customers' data, and it also restricts, for example, the ways in which you may use customer data for commercial purposes.

Risks: What are some of the types of fraud which might occur?

Fraud comes in many forms, and each card acceptance method carries its own specific risks and its own measures to reduce them. The PaySquare white paper on fraud involving credit cards and international payment cards explains how to recognise fraud and what you can do to prevent it. Below we describe several fraud scenarios that are relevant to PCI DSS.

A stand-alone, in-store payment terminal
Even if your cash register and in-store payment terminal are not linked, the terminal itself or its data connection can still be tampered with, giving criminals the opportunity to intercept your customers' card details and/or transaction details.
What can you do? Check your payment terminal and its communication connection regularly for signs of tampering or substitution (preferably every morning). If you suspect that unauthorised individuals have tampered with your terminal, connections or cables, contact your supplier for assistance.

In-store payment terminal linked to the cash register
If your cash register and payment terminal are connected, the communication line and/or the payment software can be attacked, for example by malware installed on the cash register, so that card details held in your system may be accessed.
What can you do? Make sure adequate security is in place on the cash register and network, and use effective encryption when transferring data.

Integrated in-store payment terminal
Even if your payment terminal and cash register are one device, the communication line still needs to be checked. Because these devices are used mainly by businesses with multiple locations, the connections between individual branches and with the head office are also at risk of being attacked.
What can you do? Agree a clear set of rules with your IT provider and check that your supplier's products satisfy the applicable PCI SSC standards.

Online store using a PSP's payment page
Many e-commerce businesses use a PSP's payment page to accept card payments. PSPs are also required to have their compliance with PCI DSS validated regularly. However, it is up to you to make sure that your PSP really is PCI DSS compliant. If the PSP's payment page is not configured properly and still stores card details, this can affect your customers.
What can you do? Specify in your contract with your PSP that the payment page must comply with PCI DSS at all times. Also implement solid security measures on your own site, such as anti-virus software and firewalls; if you neglect this, your online store remains vulnerable to attackers.

Online store with its own payment page
E-commerce businesses that host their own payment page are exposed to a much higher level of risk, because the full card details pass through their own systems.
What can you do? Many acquirers do not permit e-commerce businesses to use their own payment page (i.e. one not provided by a PSP). Use the payment page of a PCI DSS-compliant PSP to minimise fraud and security risks.

Credit card acceptance for MO/TO
If you use mail order/telephone order (MO/TO), you can enter credit card details manually through a PSP selected by PaySquare, under strict conditions. You create risks if you store card details or exchange them with your customers by e-mail (or through a website).
What can you do? Do not store your customers' credit card details, and when communicating with customers about their orders, make sure any data you send is properly encrypted and never send or request card details by unencrypted e-mail.

Clarification: Misunderstandings about PCI DSS

There are a number of misunderstandings about the security of card details and about PCI DSS. We would like to clear up some of them.

Misunderstanding #1: PCI DSS is a recommendation, not a requirement.
The card schemes are entitled to decide how you, as a business, must handle card details. You must therefore satisfy the PCI DSS requirements in order to accept card payments.

Misunderstanding #2: A scan by an ASV is all I need to be PCI DSS compliant.
The security scan performed by an Approved Scanning Vendor is only one part of PCI DSS validation; as a business, you will usually also be required to complete an annual Self-Assessment Questionnaire. See pci.paysquare.nl for the conditions PaySquare imposes on merchants.

Misunderstanding #3: I accept so few card payments that I don't need to comply with PCI DSS.
Even to accept a single card payment, your business must comply with PCI DSS.

Misunderstanding #4: Since I do not store my customers' card details, PCI DSS does not apply to me.
PCI DSS covers storing, processing and transmitting card details; if you process or transmit them, the majority of the requirements still apply to you. Besides: are you absolutely certain that you store no card details at all?

Misunderstanding #5: Small businesses are never fined by the card schemes.
If card details are stolen from your business, you must be able to demonstrate that you were PCI DSS compliant at the time of the theft. If you cannot, you are liable for the loss, whatever the size of your business. You may also be excluded from accepting card payments and be moved to a higher merchant level (see the table in the Four categories section), with stricter requirements and higher assessment costs.

Misunderstanding #6: PCI DSS only applies to e-commerce.

Any business that stores, processes and/or transmits card details must comply with the PCI DSS requirements. This also includes physical stores (i.e. points of sale) and businesses using mail order and telephone order (MO/TO).

Misunderstanding #7: Once the completed Self Assessment Questionnaire has been submitted, the PCI DSS process is completed.

Since the details you provide in the SAQ are subject to change, you must continue to comply with the PCI DSS requirements on an ongoing basis after submitting the questionnaire. If there is a problem involving payment card details, you must be able to demonstrate that you were PCI DSS compliant.

Misunderstanding #8: PCI DSS leaves a great deal of room for interpretation.

The PCI DSS is the most specific list of security requirements drafted in the industry today. Unlike other security-related standards (e.g. SOX, ISO and ISO 27002), PCI DSS provides more than a framework: it gives a detailed description of the requirements and procedures involved.

Misunderstanding #9: If I have a PA-DSS-certified application, I comply with the PCI DSS requirements.

Using a PA-DSS-certified application is only one step. Next, you must implement all the requirements and controls that ensure that all your networks and servers comply with the PCI DSS requirements. If you have outsourced your systems administration, the administrator must comply with the requirements.

Terminology

PCI DSS Glossary

Acquirer
Acquirers are responsible for settling a business's card payments, for which they enter into a licensing agreement with an international card company.

Attestation of Compliance (AoC)
This document serves to confirm that you have completed the SAQ accurately and truthfully.

Approved Scanning Vendor (ASV)
ASVs perform scans at businesses in order to test the IT systems and IT networks of businesses that accept payment cards. ASVs must be certified by the PCI Security Standards Council. A list of certified businesses is available on the website of the PCI Security Standards Council: www.pcisecuritystandards.org. The majority of IT systems and networks must be scanned every three months; this can generally be done remotely. The process is similar to a virus scan on your PC.

Certification
As part of the certification process, a certification body investigates whether a business complies with specific rules and requirements at the time of certification.

Compliance
Complying with and/or satisfying specific laws and/or rules.

Compromise
Tampering with, theft or loss of data and/or systems, or of control over them, with the intention of misuse.

Payment Service Provider (PSP)
PSPs are responsible for facilitating the technical connection of a business with the acquirer and for processing card transactions. In addition, PSPs also provide other products and services for the settlement of a variety of electronic payments.

PCI DSS
A set of regulations drafted by the major payment card providers (including Visa and MasterCard) and designed to provide protection against the misuse of payment cards. All partners in the payment card payment chain (including businesses, acquirers, PSPs and IT suppliers) must comply with the PCI requirements.

Qualified Security Assessor (QSA)
An IT security expert who has been accredited by the PCI SSC to perform security checks (on-site assessments) at businesses that accept and process cards.

Safe harbour solution
If a retailer who is PCI DSS compliant nevertheless becomes the victim of a data breach/compromise, the payment card issuer may, in certain circumstances, reduce or waive the fines imposed.

Security audit
A physical security check at the location of the business; this includes an inspection of the server rooms and interviews with employees.

Security scan
An investigation designed to identify weaknesses in the IT infrastructure or the system configuration. Security scans are typically performed online.

Self Assessment Questionnaire (SAQ)
SAQs are questionnaires in which a business provides information to its acquirer regarding the implementation of the PCI DSS regulations within its business. The various business categories each have their own questionnaire. The questionnaires cover the business's method of accepting and processing card payments, as well as general business information, relationships (including contractual commitments) with other businesses, and technical details. Depending on the type of merchant involved (see page 9 for information on the various categories), the SAQ must generally be completed by the merchant once a year and delivered to the acquirer.

Further information

For more information, please visit www.paysquare.eu or check one of the websites below.

www.paysquare.eu
www.visa.com
www.mastercard.com
www.pcisecuritystandards.org

Contact

Do you have any questions? Please feel free to contact our Customer Service department.

From the Netherlands: T 088 385 73 33, E service@nl.paysquare.eu, www.paysquare.nl
From Luxembourg: T 24 871 877, E service@lu.paysquare.eu, www.paysquare.lu/en

The contents of this white paper are for informational purposes only; we accept no liability for any errors or omissions. This information is derived from public sources. Subject to misprints and printing errors.

As a professional partner in payment transactions, we like to inform you proactively and objectively about payment transactions through the white papers we publish. In these white papers, we present solutions for a variety of issues related to specific demands from the market. You can download all our white papers and brochures from the Customer Service - Downloads section at www.paysquare.eu.

10.10 LNE 02.16

PaySquare SE, Eendrachtlaan 315, 3526-LB Utrecht; PO Box 30600, 3503-AJ Utrecht, The Netherlands. PaySquare SE, CoC 30196418.
From the Netherlands: T 088 385 73 33, E service@nl.paysquare.eu, W www.paysquare.nl
From Luxembourg: T 24 871 877, E service@lu.paysquare.eu, W www.paysquare.lu/en