Presentation is loading. Please wait.

Presentation is loading. Please wait.

Credit Card Compliance

Published byElwin Cameron Modified over 6 years ago

Similar presentations

Presentation on theme: "Credit Card Compliance"— Presentation transcript:

1 Credit Card Compliance
Overview for merchants

2 Agenda Credit card flow overview The compliance players Types of payment transactions Overview of the security standard Merchant Impact Review agenda

3 Role Level Transaction Flow
Card Association 4 3 Issuing Bank 5 6 Aquiring Bank 2 Consumer Merchant 7 Interactive exercise for a very generalized payment processing flow. We will do a more detailed one later. Pass out nametags with roles and have them pass around credit cards as you step through the process. 1

4 The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant. Compliance Players

5 The Compliance Players
Card Brands PCI Council Banks Merchants There are four major players in the PCI-DSS standard, and one more that I’ll mention later.

6 Card Brands: Who Card Brands PCI Council Banks Merchants
The card brands are the driver behind the standard and the push for cardholder security. Better security means fewer customer hassles and fewer dollars paid out under fraud protection clauses. JCB is Japan Credit Bank

7 Card Brands: What Set rules for adhering to the standards
PCI Council Banks Merchants Card Brands: What Set rules for adhering to the standards How you demonstrate compliance Four tiers based on volume of transactions CU and CU Foundation are both at levels that allow self-assessment for compliance Set penalties for violations The different card brands used to have independent security standards, which was bad for merchants. Now they have separate, but similar, rules for how closely merchants are monitored for compliance. The compliance monitoring is done by tiers based on the volume of transactions by the merchant, with a heavy bias on online transactions. The four tiers fall into two groups with identical requirements. Originally there were four levels of requirements, but the card brands have tightened the requirements.

8 Card brands are executive committee
PCI Council Banks Merchants Card brands are executive committee Banks and large companies are advisory board 700 companies are members NACUBO and Treasury Institute represent higher education as general members The card brands are the executive committee on the council, but the bulk of the membership are banks and large merchants. Higher education is represented by two groups on the council: the Treasury Institute for Higher Education and NACUBO. They are our avenues for feedback on the standard. The latest Council gathering and feedback meeting for the next revisions to the standard just completed in early October The Treasury Institute has a PCI related blog which is very good.

9 Develop security standards
Card Brands PCI Council Banks Merchants Develop security standards PCI-DSS (Data Security Standard) SAQ (Self-assessment questionnaires) PTS (Pin Transaction Security) PA-DSS (Payment Application) P2PE (Point-to-Point Encryption) The council develops the security standards. There are three main standards: PCI-DSS is what we’re focused on – it’s the standard for merchants and service providers. PTS is a hardware standard for companies who make PIN entry devices. PA-DSS is a software development standard for companies who make and sell software that handles cardholder data. PTS only applies to hardware that provides PIN entry and not swipe systems that do not handle PIN entry. We are focused on PCI-DSS, but we care about PTS and PA-DSS when we buy products to handle cards.

10 Certify third parties Qualified Security Assessors (QSA)
Card Brands PCI Council Banks Merchants Certify third parties Qualified Security Assessors (QSA) Internal Security Assessors (ISA) Authorized Scanning Vendors (ASV) Certified Forensic Investigators (PFI) Validated Payment Applications Approved PIN Transaction Security Devices The council also validates third-parties in the PCI compliance chain. QSA – trained and authorized to assess compliance to the standard ISA – internal compliance assessors like myself ASV – authorized to provide the required third-party vulnerability scanning service Software and hardware that meet the PA-DSS and PTS standards. The Council maintains lists of these authorized third-parties and products. Using validated third-parties is a key aspect of PCI compliance.

11 Card Brands PCI Council Banks Merchants Acquiring Banks Provide merchant accounts for card processing Require merchants to be PCI compliant Pass along any fines from card brands XXXXX is our “acquiring bank” Insert acquiring bank logo Banks are the enforcement arm in the process – they require their merchants to be compliant and request their annual reports on compliance. If a problem arises, they may be fined by the card brands, then pass the fines along to the offending merchant. These fines can easily reach hundreds of thousands of dollars for exposure of cardholder data and tens of thousands of failure to comply to the standard without data exposure occurring.

12 Card Brands PCI Council Banks Merchants Issuing Banks Issue credit cards to consumers Manages consumer’s line of credit, bill, etc. Banks are the enforcement arm in the process – they require their merchants to be compliant and request their annual reports on compliance. If a problem arises, they may be fined by the card brands, then pass the fines along to the offending merchant. These fines can easily reach hundreds of thousands of dollars for exposure of cardholder data and tens of thousands of failure to comply to the standard without data exposure occurring.

13 Card Brands PCI Council Banks Merchants Merchants Groups provided an account by an acquiring bank to process card payments (our organization) has (X) merchant accounts Separate accounts for different business and card handling processes Every merchant account must be assessed as compliant annually The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant.

14 Service Providers Anyone handling cardholder data on behalf of a merchant (other than the bank) They have the same PCI-DSS requirements, but different assessment rules Must provide documentation of compliance (may do so via VISA online registry) The extra level I mentioned earlier – service providers. They must also adhere to PCI-DSS and have stricter requirements for how closely they are monitored. Validated service providers has been a tricky issue. Many companies have gotten into the service provider market without realizing they need to be validated and going through the process. Contracts with service providers must include language describing the PCI-DSS compliance responsibilities.

15 Square/Stripe/etc Some credit card service perform transactions under their own merchant accounts and then send payments to you Check with (organizational finance department) about whether these services are authorized

16 Recap Card Brands set compliance rules and penalties PCI Council defines standards and certifies third-parties Banks enforce compliance Merchants and Service Providers must be compliant The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant.

17 The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant. Transaction flows

18 Swipe transactions Insert acquiring bank logo Acquiring Bank
Customer either makes an in-person purchase, calls or mails and a merchant employee either swipes their card or keys their information into a swipe device connected to a telephone line that connects to the bank to process and register the transaction. Insert acquiring bank logo Acquiring Bank

19 Point of sale transactions
System Application Database – On-campus or Hosted by Vendor Customer makes in-person purchase and their card is swiped on a point of sale system that connects to a POS management server, which then connects to a transaction processor (probably a third-party chosen by the POS vendor), which then registers the transaction with the bank. Transaction processor Insert acquiring bank logo Acquiring Bank

20 Web-based transactions
Web-based “shopping cart” On-campus or hosted by vendor Or Payment Gateway Customer visits website directly, which handles the product/service selection, accepts basic information from the customer, then redirects to the Payment Gateway for accepting the credit card information, which then connects to the bank to register the transaction. Once the transaction is completed, the customer is directed back to the merchant website. Or, customer visits in person, mails or calls and a merchant employee enters the purchase information into the same webpage and the same payment process. When entering customer cardholder data is handled within the department, the computer used to enter this information must also be compliant. Insert acquiring bank logo Acquiring Bank

21 Transaction Flow (website)
Card Association Aquiring Bank Issuing Bank Web host Consumer Web design Review agenda Merchant

22 The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant. The PCI-DSS Standard

23 The PCI-DSS Standard PCI-DSS 3.1
Twelve sections 200+ total items (different subsets apply to different transaction processes – called merchant type or SAQ level) Applies to all merchants and service providers, regardless of size All merchants must annually self-assess compliance or hire a third-party assessor Updated periodically It’s a fairly long standard, covering a variety of topics, but always focused on the cardholder data. I covers technical requirements, procedures and policies. The self-assessment process involves filling out a form that has the merchant provide a yes/no/NA for each line item. There is a short-form for those who only use telephone line swipe units.

24 PCI-DSS Overview Build and maintain secure network
Protect cardholder data Maintain vulnerability mgt program Implement strong access control Monitor and test networks Information security policy It’s a fairly long standard, covering a variety of topics, but always focused on the cardholder data. There are six “goals”, 12 high level topics and more than 200 line items. It covers technical requirements, procedures and policies. The self-assessment process involves filling out a form that has the merchant provide a yes/no/NA for each line item. There is a short-form for those who only use telephone line swipe units.

25 Other standards Payment Application DSS – software we buy must meet this standard PIN Transaction Security – PIN entry devices we buy must meet this Point to Point Encryption – optional features built into some equipment We won’t go into any detail on this standard, but if we purchase software than handles credit card numbers, we should check the list before purchasing.

26 The scope of compliance responsibility falls to each merchant account and organizations may roll many merchant accounts into one umbrella account. In this case, all of the merchants must be compliant for the overall account to be compliant. MERCHANT Impact

27 Merchant responsibilities
Accountable for everything under your merchant accounts (even if handled by third party) Have compliance ownership and a plan Meet security requirements Data and physical security Policies and training Ensure compliance is addressed in contracts Annual self-assessment Participation in quarterly scans (when applicable)

28 Common daily actions Use dedicated computers for credit card processing Swipe machines and computers are physically secured Make sure card numbers are masked on-screen and on print-outs Never use for sending/receiving card numbers Ensure paper copies are secure (locked cabinet), then shredded (cross-cut)

29 More information (campus PCI website): (link) PCI Security Standards Council website: Treasury Institute for Higher Education: and VISA Cardholder Information Security Program: MasterCard merchant security:

30 Recap Accepting card payments means accepting the responsibilities of addressing security Merchants are responsible for their compliance and verifying contractor compliance PCI-DSS has lots of detailed specifics under a common-sense set of categories Applicable requirements differ by type of transaction process We must annually self-assess compliance

31 Questions

Download ppt "Credit Card Compliance"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
October 28, 2013. Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.

October 28, Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
This refresher course will:

This refresher course will:
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Similar presentations

Ads by Google