Merchant Guide to PCI DSS

Similar documents
PCI DSS 3.2 AWARENESS NOVEMBER 2017

Navigating the PCI DSS Challenge. 29 April 2011

PCI COMPLIANCE IS NO LONGER OPTIONAL

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

FAQs. The Worldpay PCI Program. Help protect your business and your customers from data theft

PCI Compliance: It's Required, and It's Good for Your Business

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly?

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

PCI DSS COMPLIANCE 101

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

The IT Search Company

Payment Card Industry (PCI) Data Security Standard

University of Sunderland Business Assurance PCI Security Policy

PCI compliance the what and the why Executing through excellence

Payment Card Industry Data Security Standards Version 1.1, September 2006

June 2012 First Data PCI RAPID COMPLY SM Solution

Commerce PCI: A Four-Letter Word of E-Commerce

SIP Trunks. PCI compliance paired with agile and cost-effective telephony

A QUICK PRIMER ON PCI DSS VERSION 3.0

Webinar: How to keep your hotel guest data secure

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry (PCI) Data Security Standard

Site Data Protection (SDP) Program Update

Payment Card Industry (PCI) Data Security Standard

Will you be PCI DSS Compliant by September 2010?

PCI DSS Illuminating the Grey 25 August Roger Greyling

Protect Comply Thrive. The PCI DSS: Challenge or opportunity?

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Compliance

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

Payment Card Industry (PCI) Data Security Standard

GUIDE TO STAYING OUT OF PCI SCOPE

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Customer Compliance Portal. User Guide V2.0

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

SAQ A AOC v3.2 Faria Systems LLC

Payment Card Industry (PCI) Data Security Standard

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

Data Sheet The PCI DSS

City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR

UCSB Audit and Advisory Services Internal Audit Report. Credit Cards PCI Compliance. July 1, 2016

Section 1: Assessment Information

Understanding PCI DSS Compliance from an Acquirer s Perspective

Protect Comply Thrive. The PCI DSS: Challenge or opportunity?

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Best Practices (PDshop Security Tips)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

in PCI Regulated Environments

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. What is it? Who uses it? Why is it important?

Comodo HackerGuardian PCI Approved Scanning Vendor

Data Security Standard

PCI DSS COMPLIANCE DATA

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Payment Card Industry (PCI) Data Security Standard

STARTING YOUR PCI COMPLIANCE JOURNEY

Payment Card Industry (PCI) Data Security Standard

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

How to Take your Contact Centre Out of Scope for PCI DSS. Reducing Cost and Risk in Credit Card Transactions for Contact Centres

PCI DSS Compliance for Healthcare

Payment Card Industry (PCI) Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Credit Union Service Organization Compliance

UC SAN DIEGO 2018 MERCHANT PCI DSS CYCLE

Payment Card Industry (PCI) Data Security Standard

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

PCI DSS Q & A to get you started

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP.

Blueprint for PCI Compliance with Network Detective

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

The Honest Advantage

Using GRC for PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standard

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

The Future of PCI: Securing payments in a changing world

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

Payment Card Industry (PCI) Data Security Standard

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Payment Card Industry (PCI) Data Security Standard

Introduction to the PCI DSS: What Merchants Need to Know

SECURITY PRACTICES OVERVIEW

Transcription:

0800 085 3867 www.cardpayaa.com Merchant Guide to PCI DSS

Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 Card Pay from the AA Simple PCI DSS - 3 step approach to helping businesses... 3 What does the Card Pay from the AA Simple PCI DSS programme include?... 3 How does a business become compliant?... 4 There are 4 different levels to determine PCI validation requirements... 4 There are 12 broad requirements to complying with PCI DSS... 4 Common objections businesses have about PCI... 5

What is PCI DSS and why was it introduced? PCI DSS stands for the Payment Card Industry Data Security Standard. This standard is managed by the Payment Card Industry Security Standards Council. PCI DSS is a set of minimum security requirements to help handle payment information securely. It was developed by the major payment card brands (MasterCard, Visa, Amex, Discover & JCB) in 2004. Any business accepting cards for payment of goods or services must be compliant with PCI DSS. Card Pay like most Acquirers, have outsourced their PCI DSS programme to a specialist company Sysnet. They operate the customer portal, communications, and attestation on our behalf. The Card Pay PCI programme is called Simple PCI DSS. Note: Card Pay are one of the few Acquirers who do not charge customers fees for PCI. Who needs to become PCI DSS compliant? If you accept payments by Credit or Debit card you are affected. Any business that stores, processes or transmits any cardholder data must take responsibility for PCI and achieve compliance. Card Pay Simple PCI DSS - 3 step approach Merchants logon to the Simple PCI DSS portal and answer some questions The questions focus around how your business is set up to handle credit and debit card payments. Using dynamic profiling, you are only asked questions relevant to your business in order to figure out your security risk level. Merchants are assisted in understanding how to protect their business To help businesses understand and identify areas of your business that might be at risk, you will are brought through the security assessment that matches your business type, including any scanning if needed. Merchants will finally be asked to confirm and validate their compliance You will be asked to confirm and validate all of your responses and any tasks you were required to undertake. This is referred to as your Attestation of Compliance (AoC). What does the Card Pay Simple PCI DSS include? 1. Dedicated online portal (https://simplepcidss.eu/services/login/login) 2. Dedicated program helpdesk with telephone and online chat support 3. Security & compliance advice and assistance

How does a business become compliant? To report your PCI DSS compliance, businesses need to identify and complete the appropriate Self-Assessment Questionnaire (SAQ) for your business type. You also must ensure security controls are in place at all times to maintain your compliance. Securing your business requires the following steps: Analysis of business practice and processes Research of appropriate security solutions Implementing and maintaining security solutions. Core to this is protecting your customers payment card data. Customers trust businesses to keep their information safe and you should repay that trust with, at the very least, compliance with PCI DSS. There are 4 different levels to determine PCI validation requirements These levels are prescribed by the card schemes. See the table below to understand the different levels and the compliance requirements within each. Level Criteria Validation requirement 1 Any merchant processing in excess of 6 Million MasterCard OR Visa transactions a year, regardless of acceptance channel. Any merchant that has lost data due to a security breech or hacking with the last 12 months. 2 Any merchant processing between 1 and 6 Million MasterCard OR Visa transactions a year, regardless of acceptance channel 3 Any e-commerce merchant processing between 20,000 and 1 Million MasterCard OR Visa transactions a year 4 Merchants processing fewer than 20,000 Visa or MasterCard ecommerce transactions annually and all other merchants processing up to one million Visa or MasterCard transactions annually. Merchants currently in scope of deadlines are those who process fewer than 1 million Visa ecommerce transactions per year Annual Report on Compliance (ROC) (by either a Qualified Security Assessor, or qualified internal security resource) Compliant quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance Form Annual Report on Compliance (ROC) (by either a Qualified Security Assessor, or qualified internal security resource) Compliant quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance Form Annual Self-Assessment Questionnaire (SAQ) Compliant quarterly network scan by ASV Attestation of Compliance Form Level 4 merchants register compliance through our Simple PCI DSS merchant portal https://simplepcidss.eu/services/login/login There are 12 broad requirements to complying with PCI DSS Build and maintain a secure computer network 1. Install and maintain a security protection programme (known as a firewall configuration) to protect the card data you may hold 2. Do not use computer passwords that have been provided by external suppliers or businesses. Ensure you issue your own unique passwords and security measures Protect cardholder data 3. Protect stored data but do not store card and transaction data unnecessarily. Such as: The full card number, The contents of any information within the magnetic strip, The card security code (CVV2), The PIN if you operate an ATM machine. 4. If you are sending out card data or sensitive information by email you must always ensure that you encrypt it. If you are using the postage system, you should ensure it is at least by registered post which requires signed receipt upon delivery.

Maintain an IT vulnerability management program 5. Use and regularly update anti-virus software 6. Develop and maintain secure computer systems and applications Implement robust control measures / Control access to card data 7. Only access card data when there is a business requirement 8. Assign a unique ID to each member of your staff who has computer access 9. Restrict physical access to the storage area where the cardholder data is kept. Regularly monitor and test your computer networks 10. Regularly check to see who accesses your computers and cardholder data that you hold. 11. Regularly test your security systems and processes. Make information security a priority 12. Create and maintain your own security policy to ensure you remain compliant with PCI DSS guidance. Common objections businesses have about PCI 1 Why do I have to do this, isn t my terminal secure? Having a PCI validated POS solution helps with the annual PCI DSS assessment, however, it does not guarantee PCI DSS compliance. Every business has a responsibility to ensure that the relevant policies, procedures and controls are in place (& practiced) to minimise exposure and reduce the likelihood of a breach. 2 How often do I have to comply with PCI DSS? Annually. This is to ensure businesses are maintaining compliance with the standard, and to identify if anything new has come into scope for the assessment as a result of growth and/or expansion. For example: The introduction of an ecommerce site or the addition of a new premises will affect the risk factors. 3 I outsource all my cardholder data functions via a third party service provider, do I still need to do this? Outsourcing cardholder data functions to a third-party service provider does not exclude a business from PCI DSS compliance. It may reduce the scope and effort involved in the annual assessment, providing the third party is PCI DSS compliant. 4 What happens if I don t comply with the PCI DSS? Not being compliant with the PCI DSS can leave a business at risk of a data breach and related costs. These can be quite substantial and can include: card scheme fines and card replacement costs. Other factors include: reputational damage and loss of customer confidence not to mention businesses being vulnerable to lawsuits and audits.

EVO Payments International GmbH, Branch UK, trading as Card Pay from the AA is licensed by the Federal Financial Supervisory Authority BaFin (Bundesanstalt fur Finanzdienstleistungsaufsicht) in Germany and is regulated by the Financial Conduct Authority (No. 656608).

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback