PCI Compliance: It's Required, and It's Good for Your Business


INTRODUCTION

As a merchant who accepts payment cards, you know better than anyone that the war against data fraud is ongoing and escalating. Whether they occur through hackers, identity thieves, phishers or other cyber criminals, security breaches can mean disaster for your business. Your customers trust you with their personal identifying information, and when that information is compromised, it can be a financial disaster for your business: financial restitution will be paid and your reputation will be damaged.

PCI compliance is one of the most effective ways of minimizing your risk of card fraud. This set of standards, created by major companies in the payment card industry, is industry-mandated for businesses that accept and store customers' personal information. Meeting this requirement puts your business in its best position to put up a first line of defense against cyber criminals. It's good for your business.

TERMINOLOGY

What is PCI compliance?

PCI compliance means you have met Payment Card Industry Data Security Standard (PCI DSS) requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. When you are PCI compliant, you are taking a responsible role to make sure that payment card data remains secure throughout every transaction your business processes. This action helps to ensure that both your business and your customers are protected against the costs and disruption of a data breach. PCI compliance follows common-sense steps that mirror best security practices. To be proactive, you need to understand a variety of acronyms and terms associated with it.

PCI Lexicon

Payment Card Industry (PCI): An umbrella term that applies to debit, credit, prepaid, e-purse, ATM and POS (point of sale) cards and associated businesses.

Payment Card Industry Security Standards Council (PCI SSC): Founded by American Express, Discover Financial Services, JCB International, Mastercard Worldwide and Visa Inc. as an open global forum to promote the ongoing development, enhancement, storage, dissemination and implementation of PCI Data Security Standards for account data protection.

Payment Card Industry Data Security Standard (PCI DSS): Lays out the technical and operational requirements set by the PCI SSC to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.

PIN Transaction Security (PTS): Also known as PCI PTS (formerly PCI PED), PTS is a set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment processing-related activities. Manufacturers must follow the requirements in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.

Payment Application Data Security Standard (PA-DSS): For software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.

PCI Self-Assessment Questionnaire (SAQ): A validation tool intended to assist merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their compliance with the PCI DSS. There are multiple versions of the PCI SAQ to meet various scenarios.

PCI Scan: A quarterly test of system components, processes and custom software to ensure security controls.

PCI SSC Approved Scanning Vendor (ASV): An organization that validates adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.

Qualified Security Assessor (QSA): A company that's approved by the PCI SSC to conduct an audit.

WHAT IS PCI COMPLIANCE?

LEVELS OF COMPLIANCE

The PCI Security Standards Council has created four basic levels of compliance. Your business's level depends on your transaction volume:

Level 4: Fewer than 20,000 e-commerce transactions per year, or fewer than 1 million other transactions per year. You should: complete an annual risk assessment using an SAQ.
Level 3: 20,000 to 1 million transactions per year. You should: complete an annual risk assessment using an SAQ.
Level 2: 1 to 6 million transactions per year. You should: complete an annual risk assessment using an SAQ.
Level 1: 6 million+ transactions per year. You should: conduct an annual internal audit.

RISKY BEHAVIOR

Merchants like you are at the center of payment card transactions, meaning it's imperative that you use established and standardized security procedures and technologies to thwart theft of cardholder data. Vulnerabilities can be found almost anywhere in a merchant's card processing system, including point-of-sale devices, personal computers, mobile devices and apps, servers and wireless hotspots.

THREE STEPS FOR REACHING PCI COMPLIANCE

PCI compliance is an ongoing process. Once you achieve compliance, you must continually strive to maintain it. Think of it in terms of three steps:

1. Assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
2. Remediate: correct vulnerabilities, and do not store cardholder data unless you need it.
3. Report: compile and submit required remediation validation records (if applicable) and compliance reports to the merchant services provider and card brands you do business with.

ASSESSING PCI COMPLIANCE

The "Digital Dozen"

Whenever you complete an internal audit, risk assessment or PCI scan, your business is being evaluated according to the 12 control objectives outlined in the PCI DSS:

Network Security
- Install and maintain firewalls in your web applications to protect cardholder data
- Create original system passwords and other security parameters (do not use vendor-supplied defaults)

Data Protection
- Protect stored cardholder data
- Encrypt all transmissions of cardholder data

Vulnerability Management
- Regularly update the anti-virus software on all of your systems
- Develop and maintain secure systems and applications

Access Control
- Restrict business access to cardholder data on a need-to-know basis
- Restrict physical access to cardholder data
- Assign a unique ID to each person who has computer access

Monitoring and Testing
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Information Security
- Maintain a policy that addresses information security

MONITORING RISK & COMPLIANCE

Security is the foundation of reputable credit card processing. At TSYS, we take our responsibility to our merchants and their customers seriously. That's why we're committed to helping keep you safe from the daily threat of data breach, credit card fraud and identity theft by working with you to achieve and maintain PCI compliance for your business.

Data Breach Security from TSYS

To help protect your business from the financial and reputational damage inflicted by a data breach, TSYS offers a data breach security program that's designed to help merchants meet the expenses resulting from a suspected or actual breach of payment card data. Features of our data breach security program include:

- A forensic audit, as required by the PCI DSS whenever a data breach is suspected, to confirm whether a breach has actually occurred and to pinpoint vulnerabilities within the system.
- Industry fines and assessments met as required by PCI DSS in the event of an unintended breach of confidential customer information, regardless of how it happens.
- Issuer-related expenses that cover card replacement costs, credit monitoring and other expenses related to a breach.

To learn more: contact 888.845.9457 or visit tsys.com.
twitter.com/tsys_tss | facebook.com/tsys1 | linkedin.com/company/tsys

All trademarks contained herein are the sole and exclusive property of their respective owners. Any such use of those marks without the express written permission of their owner is prohibited. © 2017 Total System Services, Inc. TSYS is a federally registered service mark of Total System Services, Inc. All rights reserved. TSYS Merchant Solutions is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; Synovus Bank, Columbus, GA; and First National Bank of Omaha, Omaha, NE. TransFirst is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; Synovus Bank, Columbus, GA; and Deutsche Bank, New York, NY; for Visa and Mastercard transactions only. TS6688f