First Data PCI Rapid Comply SM Solution
June 2012
You don't have to be a security expert to be compliant.
Developer: 06 Rev: 05/03/2012 V: 1.0
Agenda
- Research Background
- Product Overview
- Steps to becoming PCI DSS Compliant
- Communications & Next Steps
- Additional Program Information
What's In It for Me?
After completing this session, you will be able to:
- Explain why merchants should use the First Data PCI Rapid Comply SM solution.
- Describe how using the PCI Rapid Comply solution helps merchants.
- Instruct merchants on how to enroll with the PCI Rapid Comply solution.
- Navigate the PCI Rapid Comply solution website.
- Prepare for the upcoming communication.
- Know where to go for help.
First Data PCI Rapid Comply SM Solution?
- Offer a high-quality, integrated merchant experience.
- Create a step-by-step, self-guided approach to help small merchants complete the SAQ.
- Provide dedicated PCI compliance help desk support.
- Offer a global solution package including new security and compliance products and services.
First Data PCI Rapid Comply SM Solution
- Easy-to-use online tool that can help merchants achieve and maintain PCI DSS compliance more quickly and easily.
- Designed by PCI security experts specifically for small to midsize merchants.
- Pre-SAQ questions help pre-populate corresponding SAQ questions to minimize the volume of questions merchants must answer.*
- Includes comprehensive support (online and via chat, email and phone) that ensures merchants' PCI-related questions get answered.
- Offers integrated scanning for merchants that are required to pass quarterly scans to achieve PCI DSS compliance.
*Merchants are responsible for valid answers to all questions whether or not they are pre-populated.
Merchant PCI Classification
Approximately 99% of our portfolio is made up of Level 4 merchants.

Level 1 merchant: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
Level 2 merchant: Any merchant processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3 merchant: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4 merchant: Any merchant processing less than 20,000 e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year.
Five Simple Steps to PCI Compliance
As a market leader, First Data is leading the way. First Data has taken the step to be the first processing company to offer in-house PCI compliance services with the PCI Rapid Comply SM solution.

1. ENROLL with the PCI Rapid Comply Solution
2. COMPLY with the PCI requirements
3. VALIDATE with your acquirer
4. CERTIFY compliance with a passing SAQ & scan, if applicable
5. RENEW annually
Are Merchants Required to Use the First Data PCI Rapid Comply SM Solution?
The benefits of using the First Data PCI Rapid Comply SM solution are that it is offered by and integrated with the merchant's Merchant Services provider. The PCI Rapid Comply solution includes:
- a guided, step-by-step SAQ tool to help complete the annual questionnaire with ease
- an integrated scanning tool for merchants that are required to pass quarterly scans
- comprehensive support, online and via chat, email and phone, to ensure merchants' questions get answered.

As our merchants' service provider, we hope merchants will choose to use our PCI Rapid Comply solution. However, they are free to obtain PCI DSS compliance services from third-party vendors.

If a merchant chooses to use a third-party vendor for PCI DSS compliance services, the merchant will need to contract with and pay that vendor directly. In addition to the alternate vendor's charges for PCI DSS compliance services, the merchant will still need to pay the Compliance Service Fee charged by their Merchant Services provider. The Compliance Service Fee is not affected by the merchant's choice to use a third-party vendor. Merchants using a third-party vendor will also need to ensure their PCI DSS compliance status is reported to First Data.
Enroll
ENROLL with the PCI Rapid Comply Solution
- New merchants may enroll in the First Data PCI Rapid Comply SM solution after receiving their PCI Notification Letter.
- There are no new or additional charges. The Compliance Services Fee charged by the merchant's Merchant Services provider includes an annual PCI self-assessment questionnaire (SAQ) and quarterly scans, if needed.
- Register online at www.pcirapidcomply.com. An email is sent for the merchant to proceed with an assessment of their business.
- Clients and AEs should not enroll on behalf of merchants.
Comply
COMPLY with PCI requirements
- Complete the Self-Assessment Questionnaire (SAQ) for the business.
- Based on the merchant's processing method, they will have to complete an annual PCI questionnaire and a quarterly scan, if required.
- The PCI Rapid Comply SM solution will provide merchants the results of the SAQ and related scans to determine compliance.
- If the business is not compliant, the PCI Rapid Comply solution provides a custom remediation, or "Fix It", plan to assist in identifying issues preventing PCI DSS compliance.
Validate
VALIDATE with your acquirer
Validation verifies that the merchant's customers' data is secure and gives confidence that the business meets very strict data security requirements. [1]
- The First Data PCI Rapid Comply SM solution provides First Data the validation of the merchant's compliance.
- If the merchant uses any other vendor, the merchant's PCI validation documents must be submitted to First Data:
  Fax - 402-916-8240
  Email - PCI.1@firstdata.com
1. Achieving PCI DSS compliance does not prevent a data security breach or compromise, or change the allocation of risk under your merchant agreement.
Certify
CERTIFY compliance with a passing SAQ & scan, if applicable
- Upon successful completion of validation with First Data, the merchant is certified PCI DSS compliant.
- If a merchant fails to become PCI DSS compliant, or fails to report their PCI DSS-compliant status with a third-party vendor to First Data, they will be charged a monthly Non-Receipt of PCI Validation fee by their Merchant Services provider until such time as they become PCI DSS compliant or report their PCI DSS-compliant status to First Data.
- The PCI Rapid Comply SM solution will provide merchants with a full copy of their completed SAQ and notify First Data of their certification.
Renew
RENEW SAQ Annually & Scans Quarterly
- PCI DSS stipulates that every certification be renewed on an annual basis for self-assessment questionnaires (SAQ) and on a quarterly basis for scans, if required.
- This confirms that the merchant remains in compliance with any updated PCI DSS requirements as their business evolves.
- The First Data PCI Rapid Comply SM solution notifies the merchant via email when renewal certification is due.
- Merchants using third-party QSA/ASVs need to inquire about their renewal process.
Benefits of the First Data PCI Rapid Comply SM Solution
- PCI Rapid Comply is integrated with your processor, making the process faster and simpler.
- Pre-SAQ questions let merchants answer fewer questions.
- Comprehensive chat, email and phone support gets merchants' questions answered.
- Unlimited, automatic and integrated scanning for those merchants who need scans.
- Includes customized Security and Incident Response Policies at no additional charge.
Are there additional fees to use the PCI Rapid Comply SM solution?
- With the First Data PCI Rapid Comply SM solution, there are no new or additional charges.
- The Compliance Service Fee charged by the merchant's Merchant Services provider includes their annual PCI self-assessment questionnaire (SAQ) and quarterly scans, if required.
- This fee information, amount and timing, is disclosed to the merchant through the PCI Notification Letter.
- With the PCI Rapid Comply solution, merchant PCI DSS compliance status is sent directly to First Data; there is no additional step for the merchant to complete.
Non-Compliance
- Merchants who fail to become PCI compliant [1] could be putting their businesses at greater risk from the growing threat of payment card data breaches and theft, which may result in substantial penalties (such as fines from banks, regulatory agencies, and card associations), fraud and chargebacks, as well as legal costs and lost customers.
- Merchants who fail to become PCI DSS compliant, or fail to report PCI DSS-compliant status with a third-party vendor to First Data, will be charged a monthly Non-Receipt of PCI Validation fee by their Merchant Services provider until such time as they become PCI DSS-compliant or report their PCI DSS-compliant status to First Data. To avoid the fee, the merchant must validate compliance by the 25th of any given month.
- Merchants who experience a data security breach could even lose their ability to process credit card payments.
- Research shows that 43% of customers who have been victims of fraud stop doing business with the merchant where the fraud occurred. [2]
1. Achieving PCI DSS compliance does not prevent a data security breach or compromise, or change the allocation of risk under your merchant agreement.
2. Javelin Strategy & Research, June 2009.
Fines vs. Fees
Fines are imposed by the Associations (MasterCard and Visa) and are assessed due to:
- Breaches and common point of purchase (can range up to $500,000 per incident)
- Storage of prohibited data
- Failure to validate compliance as a Level I or II merchant
Fees are imposed by the Acquirer (First Data) and include:
- $19.95 monthly Non-Receipt of PCI Data Validation fee
- Annual or quarterly Compliance Service Fee, depending on how the merchant is set up
Screenshots
First Data Rapid Comply SM Solution
www.pcirapidcomply.com
Merchants answer fewer questions, in some cases 85% fewer.
Pre-populated SAQ Questions*
- Merchants can complete the right SAQ with ease.
- Helps direct merchants to the SAQ that is appropriate for their business.
- Expedites the overall PCI SAQ completion process.
*Merchants are responsible for valid answers to all questions whether or not they are pre-populated.
Built-in Help and Comprehensive Support
First Data Rapid Comply SM assistance is available from 9:00am-9:00pm EST, Monday - Friday.
- Built-in Help: detailed, in-context help for any question on the SAQ.
- Get your questions answered! Assistance with any part of the PCI process is available by live chat, email or phone.
Integrated and Automatic Scanning
Automatic scanning helps ensure merchants stay compliant.
- Offers a simple-to-use scan function for merchants that are required to pass a vulnerability scan to achieve PCI DSS compliance.
- Scanning is integrated into the compliance process, including automatic quarterly scheduling after a one-time setup process.
Customized Security and Incident Response Policies
After achieving PCI certification, each merchant is presented with customized Information Security and Incident Response Policies based on the specific SAQ document the merchant completed.
Communication Plan
Merchants will have the option to enroll or re-enroll in the First Data PCI Rapid Comply SM solution. We hope merchants will elect to use our PCI Rapid Comply SM solution. However, merchants are free to obtain PCI DSS compliance services from third-party vendors.

Branded PCI Notification Letter is sent:
- Merchants will receive a PCI Notification Letter dated the 25th of the month directing them to First Data PCI Rapid Comply.

One week after the PCI Notification Letter is sent, the New Merchant Welcome Email is sent from PCI Rapid Comply:
- Subject Line: PCI Compliance Required for {MerchantCompanyName}
- From: firstdata@pcirapidcomply.com
- Includes a Username and Temporary Password

Statement Messages:
- PCI Reminder statement messages will generate out to merchants in the months that quarterly PCI notifications are sent and the month following.
Quarterly Mailing / Billing Schedule
Quarterly notification schedule to pick up newly boarded merchants:

Account Boarded    Letter Mailed    Begin Annual or Monthly Billing    Begin Non Validation Fee
Oct-Dec 2011       Jan-2012         Feb-2012                           Apr-2012
Jan-Mar 2012       Apr-2012         May-2012                           Jul-2012
Apr-Jun 2012       Jul-2012         Aug-2012                           Oct-2012
Jul-Sept 2012      Oct-2012         Nov-2012                           Jan-2013
Oct-Dec 2012       Jan-2013         Feb-2013                           Apr-2013
First Data PCI Rapid Comply SM Solution
Thank You!
First Data Learning Organization