PCI DSS COMPLIANCE DATA


PCI DSS COMPLIANCE DATA AND PROTECTION FROM RESULTS Technology

CONTENTS

Overview (p. 2)
The Basics of PCI DSS (p. 2)
PCI DSS Compliance (p. 4)
The Solution Provider Role (and Accountability) (p. 4)
Concerns and Opportunities Related to PCI DSS (p. 6)
Validation (p. 6)
Achieving PCI DSS Compliance with RESULTS (p. 7)
Summary (p. 8)

info@resultstechnology.com 877.435.8877 Page 1

Overview

Every electronic transaction creates an opportunity for unscrupulous activity. When such an opportunity is exploited, the damage can be significant, ranging from a one-time illegal purchase by a clerk or waitress using a customer's card information to full-blown identity theft using thousands (even millions) of people's stolen personal data. Neither situation is desirable or tolerable in the business community, especially when both can be prevented or curtailed by implementing industry-proven security best practices and the proper systems. That's why businesses that deal with credit transactions must remain particularly diligent, addressing each of the specific danger areas associated with processing. Without the proper security processes and technologies in place, your data could be compromised or stolen, and the repercussions of a breach go much further than lost customer confidence. Lawsuits and financial restitution can be significant, especially if the incident is the result of the retailer not following well-publicized best practices.

To give businesses that accept credit cards greater guidance and ensure that their clients are properly protected, the major payment card organizations established a set of standards that have been implemented over the past few years. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. came together to create the Payment Card Industry Data Security Standard (PCI DSS). These rules provide an actionable framework for securing payment card data, including deterrence, discovery and the appropriate response to breaches and other security-related events. PCI DSS version 2.0 (implemented January 1, 2012) applies equally to all businesses that store, process or transmit bank cardholder data. Failure to comply with these rules can result in hefty penalties, regardless of a merchant's intent or lack of awareness.
The latest version extends the implementation, feedback, review and revision process to a three-year cycle (previously two years), and updates key security provisions including firewall protection, password and key management, and related documentation. These standards affect a number of organizations that participate in retail operations, including merchants, payment card issuing banks, processors, developers and technology vendors.

The Basics of PCI DSS

To help merchants navigate and better understand the conditions and implications of these standards, the PCI Security Standards Council has taken great pains to distribute the most critical information to everyone involved. Despite its efforts, the material can be cumbersome and hard for many retailers to comprehend. That's where we can help, filtering out the critical details and offering sound advice to help you meet the compliance requirements that pertain to your organization. Even though the PCI Security Standards Council developed the specific standards addressed in this paper, compliance is actually mandated by the individual payment card companies. Visa, MasterCard, American Express, Discover and JCB International each have their own specific requirements and compliance levels. While many of the differences are minor, merchants need to understand the nuances of each to ensure their data is aptly protected.

For example, while PCI DSS compliance is divided into four general merchant categories, each credit card company may add its own stipulations to each. Retailers need not only to understand the differences, but also to ensure their payment processes adhere to those variations. The general PCI DSS categories include:

Compliance Level 1: Merchants processing more than 6 million Visa transactions annually fall into this category. This includes all acceptance channels: debit, credit, prepaid and beyond. Merchants in this category must meet Level 1 merchant requirements to avoid fines and penalties. On-site reviews by internal auditors and network scans are required for merchants at Level 1.

Compliance Level 2: A merchant processing between 1 million and 6 million Visa transactions annually falls into Level 2. The demands are a bit less stringent, but the entity must still complete network scans from an approved third-party vendor and submit self-assessments each year.

Compliance Level 3: Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually must follow the guidelines of Level 3 compliance, which involve network scans and self-assessment questionnaires similar to those under Level 2.

Compliance Level 4: Finally, Level 4 comprises merchants that process fewer than 20,000 e-commerce transactions annually. The PCI Council also affirms that merchants processing up to 1 million transactions per year across all acceptance channels fall into this category. Requirements are similar to those under Levels 2 and 3. Although they conduct the fewest transactions, Level 4 retailers make up approximately 99% of the businesses that process credit cards in the United States and typically have the least IT support.
The lack of a dedicated onsite security professional presents a serious risk for retailers. With many businesses lessening their dependence on cash-only policies, and others moving to cashless transactions, the focus on PCI DSS compliance is expected to intensify.

1. PCI DSS Compliance

The first thing merchants need to know is the three critical steps in PCI DSS compliance:

Assess: identify cardholder data, inventory the company's IT assets and business processes for payment card processing, and analyze each for security weaknesses.
Remediate: address identified vulnerabilities and remove unneeded cardholder data.
Report: compile and submit remediation authentication records (if applicable), and provide compliance reports to each bank and payment card company the merchant does business with.

PCI DSS standards mirror the practices that security-oriented organizations already employ, following industry practices to properly protect the data and infrastructure of the business. While some of the terms and acronyms used by retailers and payment processing vendors may be unique, the basic processes and technologies required to secure their information and infrastructure don't differ significantly.

2. The Solution Provider Role (and Accountability)

While PCI DSS can be complicated for the novice solution provider, the payment card industry understands the important part providers play in compliance. To help those who build and support secure payment applications, the PCI Security Standards Council created a number of compliance-related resources and programs. These include the Payment Application Data Security Standard (PA-DSS), a list of Validated Payment Applications to select from, and Self-Assessment Questionnaires that allow merchants to assess their current security procedures.

Compliance goes beyond credit card processing systems. It extends to the network, data storage infrastructure and any method involved in the management or transport of customer data, with responsibility falling on the merchant and those who support it. Solution providers who fail to implement PCI DSS compliant solutions may find themselves liable (at least in part) for any damages their clients and their customers suffer. Noncompliance penalties can range from $1,000 to $100,000 per month for PCI-related violations; these initial penalties are levied by the payment brands and by banks. The PCI Council has pointed out that such fines are passed down to the merchant, leading to higher direct costs, strained relationships with the bank and often higher transaction fees.

To ensure your data is protected, solution providers must follow the six control objectives for PCI DSS:

1. Build and Maintain a Secure Network
- Install and maintain an effective firewall configuration to protect cardholder data
- Avoid vendor-supplied defaults for system passwords and related protection measures

2. Protect Cardholder Data
- Protect all stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
- Employ and update anti-virus software on a continual basis
- Develop and maintain secure systems and solutions

4. Implement Strong Access Control Measures
- Restrict access to cardholder data by business necessity
- Assign a unique identification to each person with system and network access
- Restrict physical access to cardholder data (door locks, alarms and other safeguards)

5. Regularly Monitor and Test Networks
- Track and monitor all access to networks, applications and cardholder data
- Regularly test system protection and processes

6. Maintain an Information Security Policy
- Maintain a policy that addresses data security

To address the specific requirements of PCI DSS, providers need to validate every procedure and technology solution used in electronic payments, from the card swipe device to data storage policies. That attention to detail must also include a continual review of all vendor offerings, verifying that their data protection methods are effective and identifying (and fixing) potential vulnerabilities. The same diligence is required when evaluating cloud applications and offsite storage services. By ensuring that vendor offerings are PCI DSS compliant when properly implemented, and periodically validating those systems' security settings, we fulfill a big part of your PCI DSS responsibilities. Of course, we still need to work closely with suppliers to communicate potential risks, failures or other issues that could compromise the security of your data.

3. Concerns and Opportunities Related to PCI DSS

Keep the Proper Focus

The number one goal of any PCI DSS solution is ensuring end-to-end security, from the moment a customer pulls out their credit or debit card until the cardholder data is fully erased from the system. For a brick-and-mortar retailer that protection includes every employee who touches (or sees) the payment card and/or the information it contains.
For example, by adding mobile card readers at restaurants, patrons can swipe their own cards at the table, preventing unscrupulous employees from copying the information in back rooms (or anywhere out of eyesight). Other physical security measures that should be implemented include proper system lockdown with a separate PIN for each employee. That not only makes it difficult for unauthorized individuals to gain access to the system and cardholder data, but also allows businesses to better track their employees' activities.

By focusing on two specific areas you can meet the vast majority of requirements:

1. Protect stored cardholder data
2. Encrypt transmission of cardholder data across open, public networks

By amending your onsite payment processes and implementing the proper security technologies, you can begin to meet the PCI DSS requirements, but that still leaves serious gaps outside the business. Has the network been locked down, with effective access protection? Is cardholder data stored improperly onsite, and do you use effective and secure data backup and recovery systems? That's an area where we can really help you meet full PCI DSS compliance, implementing a complete solution (from terminal to network support) that addresses each industry best practice and rule.

4. Validation

Another key aspect of PCI DSS compliance is the required reporting schedule. Credit card companies validate annually that retailers and their providers are abiding by the regulations, with the volume of transactions (and risk) determining the depth of that evaluation (as covered previously in The Basics of PCI DSS). Along with requiring participating businesses to complete a self-assessment questionnaire, MasterCard and Visa conduct on-site visits, and network scans are performed by authorized PCI compliance scanning vendors.
The information contained in PCI DSS reports includes:

Summary of findings: a general statement and details of the security assessment
Business information: business description, contacts, and provider/processor details
Card payment infrastructure: network schematics, transaction flow diagram, terminal and POS (point of sale) solutions employed, wireless network details
Third-party relationships: companies with access to cardholder data, such as solution providers, banking institutions and payment card vendors

Achieving PCI DSS Compliance with RESULTS Technology

We can help you meet PCI DSS compliance regulations with a solution that provides cloud and local backup and data recovery, proactive data security and reliable data retention and restoration. We offer complete data protection services with support for desktops, laptops and servers; files and folders; Microsoft Exchange Information Store and Exchange mailboxes; SQL; System State; and VMware and Hyper-V images. Backups are highly automated, enable fast and easy restores, and are performed from a single management console.

Protection of Cardholder Data: Encryption in Storage and Transfer

Our solution was developed with PCI DSS compliance regulations in mind, protecting against threats to consumer privacy. We offer a configurable solution to help you comply with these critical requirements and alleviate the security risks associated with data loss and breaches. We minimize the threat of lost or stolen data during transfer and storage across open networks with multiple layers of encryption: 256-bit AES encryption for local files, and 128-bit encryption with SSL (Secure Sockets Layer) for data in transit. Data that is moved to the cloud is stored and replicated in dual military-grade, SSAE 16 Type 2 certified data facilities located on different coasts for redundancy and security. The data centers have 24/7 biometrically controlled security and surveillance, backup generators and redundant connections to the Internet.

Data Retention

Our solution features the most robust data retention settings in the industry, enabling a PCI DSS compliance-ready solution. The software can be configured to fit the needs of different file types, the number of revisions needed and the required length of storage time, so the right historical data is retained for the right period. Once stored, data is never accessible without a private encryption key, mitigating the risk of unauthorized data access.

Data Recovery and Testing

Providing a PCI compliance solution requires the ability to test and restore your data. This process must be easy and reliable to ensure compliance. With our solution, we can restore data directly back to your server, guaranteeing that data is recovered quickly and accurately, without the need to connect to the computer remotely or be onsite at your place of business. Performing a test restore is just as easy.
We can restore to your production server or to our own office, making the process of testing a restore fast and reliable.

Summary

PCI DSS compliance is one of the largest challenges facing merchants, though it's just one of many barriers to success. The complex variables relating to PCI make it a challenge to comply, but our team has the technology and expertise to help you meet regulatory standards. We understand PCI's data retention and transportation requirements and have the software and services you need to store your data in a fashion that satisfies regulations.

Please note that nothing in this white paper is intended to constitute legal advice. For more information about PCI and compliance with PCI requirements, please consult your legal counsel.