Presentation is loading. Please wait.

Presentation is loading. Please wait.

KioskCom 2008 Fast Transact, Inc | 2590 Willamette Dr NE, 2nd Floor | Lacey WA 98516 | 800.687.8505 / fax 360.357.1425 Fast Transact, Inc. is a registered.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "KioskCom 2008 Fast Transact, Inc | 2590 Willamette Dr NE, 2nd Floor | Lacey WA 98516 | 800.687.8505 / fax 360.357.1425 Fast Transact, Inc. is a registered."— Presentation transcript:

1 KioskCom 2008 Fast Transact, Inc | 2590 Willamette Dr NE, 2nd Floor | Lacey WA 98516 | 800.687.8505 / fax 360.357.1425 Fast Transact, Inc. is a registered ISO/MSP for Bank of America, N.A. Charlotte, N.C. and Wells Fargo Bank, N.A. Walnut Creek, C.A. PCI Compliance Protecting Consumer Data

2 KioskCom 2008 A Brief History PCI Compliance

3 KioskCom 2008 PCI = The Payment Card Industry Comprised of the 5 major payment-card brands:  Visa International  MasterCard Worldwide  American Express  Discover Financial Services  JBC

4 KioskCom 2008 In 2005, they formed the PCI Security Standards Council Main Objectives:  Creation, ownership, and management of the PCI DSS (Data Security Standard)  Classify audit requirements to certify compliance  Provide a certification process for compliance assessors and network scanning vendors

5 KioskCom 2008 The PCI DSS comprises a common set of industry tools and measurements designed to ensure the safe handling of sensitive consumer information.  In January of 2007, Visa introduced its Payment Application Best Practices (Visa PABP).  This broadened the scope of PCI DSS compliance to include any third-party payment application.  Third-party payment applications include payment gateways and ANY third-party software that store, processes or transmits credit/debit card data.

6 KioskCom 2008 According to an October 23, 2007 Visa Bulletin, the PCI Security Standards Council has adopted Visa’s PABP program and will be releasing the standard as the Payment Application Data Security Standard during 2008.

7 KioskCom 2008 Q: Where does my company fit into the PCI DSS? Unlike other regulatory programs, compliance with the PCI DSS relies on the merchant to perform a self-assessment to determine if they are compliant. Merchant Level Description 1 Any merchant – regardless of acceptance channel – processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at it sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant – regardless of acceptance channel – processing 1,000,000 to 6,000,000 Visa transactions per year. 3 Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to 1,000,000 Visa transactions per year.

8 KioskCom 2008 Compliance Requirements by Merchant Level Level Validation Action Description 1  Annual On-site PCI Data Security Assessment  Quarterly Network Scan  Qualified Security Assessor or Internal Audit if signed by Officer of the company  Approved Scanning Vendor 2  Annual PCI Self-Assessment Questionnaire  Quarterly Network Scan  Merchant  Approved Scanning Vendor 3  Same as Level 2 4  Annual PCI Self-Assessment Questionnaire  Quarterly Network Scan  Merchant  Approved Scanning Vendor

9 KioskCom 2008 Compliance Time Line Compliance Time Line PCI DSS 1.1 sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. The enforcement dates are as follows:  LEVEL 1 MERCHANTS: September 30, 2007  New LEVEL 1 MERCHANTS: 1 year after identification as Level 1  LEVEL 2 MERCHANTS: December 31, 2007  New LEVEL 2 MERCHANTS: September 20, 2007  LEVEL 1 and LEVEL 2 MERCHANTS: Prohibited Data Retention Attestation form, or Confirmation of Report Accuracy to acquirer by March 31, 2007  LEVEL 3 MERCHANTS: contact acquirer  LEVEL 4 MERCHANTS: Must have compliance plan submitted, via acquirer, to Visa by July 30, 2007

10 KioskCom 2008 Q: I use third-party software that has transaction processing imbedded. How do I ensure my software is compliant with the most up-to-date PABP and PA DSS requirements?

11 KioskCom 2008 The full list of PABP validated payment applications can be found at: Visa.com – PABA Validated List Visa.com – PABA Validated List  An annual validation is required for those payment applications with major upgrade or product version changes.  If there are no changes to the product, Visa will require a letter signed by an Officer of the software company indicating no changes to the payment application and continued adherence to the Payment Application Best Practices.

12 KioskCom 2008 Not only have the PCI DSS deadlines come and gone, new mandates have gone into effect to enforce payment applications to adhere to the PABP. As of January 1, 2008, acquirers must not board new merchants that use known vulnerable payment applications. By October 1, 2008 ALL merchant levels MUST be PCI DSS compliant OR use a PABP-compliant application.

13 KioskCom 2008 The Impact of Non-compliance

14 KioskCom 2008 Q: “I am non-compliant... so what! What can happen to me?”  Level 1 and 2 merchant can be charged $5k to $25k PER MONTH of non-compliance status.  If a security breach is not reported to Visa in a timely manner, a $100k – 500k fine can be levied.  If a full card number is stored OR provided on a customer receipt the merchant can be fined $100 - $1,000 PER TRANSACTION.

15 KioskCom 2008 It’s generally believed that these fines are never imposed, that they exist to “scare” merchants. In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million, to its acquirers. $$$ WRONG $$$

16 KioskCom 2008 Have you ever heard of TJ Maxx or Marshalls? December 2007, TJX (parent company of TJ Maxx, Marshall’s and other discount retailers) alerted Law Enforcement that more than 45 million consumer records were stolen by data thieves. Since then, they have spent more than $20m on investigation, consumer notification, and an expert legal team to protect them against the multitude of lawsuits the breach generated.

17 KioskCom 2008 March 27, 2008:  The FTC ruled that TJX was in violation of the “FTC Act of 1914,” by failing to employ reasonable measures to protect the sensitive consumer information on its networks.  The March 2008 ruling will help acquirers and other transaction processors become less liable for breaches caused by poor security on the part of their merchant or sales organization.

18 KioskCom 2008 As reported by InformationWeek.com, in-store computer kiosks are partly to blame.  The kiosks allowed individuals to apply for jobs electronically; however, the kiosks were not protected by a firewall and therefore acted as a gateway into the company’s IT systems.  Even though the kiosks were NOT performing transactions, they provided a way for data thieves to get to credit card information through unsecured USB ports.

19 KioskCom 2008 Historically, acquirers are responsible for any fines incurred due to non-PCI DSS compliant merchants.  August 1, 2008: The Plastic Card Security Act of Minnesota takes effect.  This legislation marks the first time that the cost associated with data breaches has shifted from the financial institutions to the retailers that mishandle consumer financial data.

20 KioskCom 2008 PCI “Lessons”

21 KioskCom 2008 Important lessons regarding PCI DSS and PABP:  Look for weak links within your organization’s network. If you don’t find them someone else will.  Fines are real. They can and will be levied against those not complying with the PCI Security Standards. and most importantly... customer data cannot be stolen if merchants are not retaining it!

22 KioskCom 2008 FTI PROGRAM CONTACTS: Terry RobertsAdriane Armbruster Director of Software IntegrationSenior Account Executive  800-687-8505 ext. 126  800-687-8505 ext. 106 FTI POST-SALE CONTACTS: Fast Transact, Inc 2590 Willamette Dr NE, 2 nd Floor Lacey WA 98516 Phone: 360.357.1400 Toll Free: 800.687.8505 Fax: 360.357.1425 info@FastTransact.com info@FastTransact.com Customer Service Monday - Friday 6 am - 11 pm (PST) Phone: 360.357.1400 Toll Free: 800.687.8505 support@FastTransact.com support@FastTransact.com Technical Support Monday - Friday 6 am - 11pm (PST) Phone: 360.357.1400 Toll Free: 800.687.8505 support@FastTransact.com support@FastTransact.com Contact List

23 KioskCom 2008 Bibliography  Greenemeir, Larry. “The TJX Effect.” Information Week. 11 Apr 2007. Information Week. 8 Nov 2007. www.informationweek.comwww.informationweek.com  “FTC Files Settlement Agreement with TJX.” TheGreenSheet.com. 28 Mar 2008. 1 Apr 2008. www.greensheet.comwww.greensheet.com  Visa Announces New Payment Application Security Mandates. VISA International. VISA International, 2007.  Wollenhaupt, Gary. “PCI Standards Weight Heavy on ATMs, Kiosks.” Self Service World. 4 Jun 2007. Irvington Writers Studio. 8 Nov 2007. www.selfserviceworld.comwww.selfserviceworld.com  Payment Card Industry (PCI) Data Security Standard. PCI Security Standards Council. Wakefield, MA: PCI Security Standards Council, 2006.  “Fine Data.” PCI Compliance Guide. 3 Apr 2008. www.pcicomplianceguide.orgwww.pcicomplianceguide.org  “Cardholder Information Security Program.” Visa International. 3 Apr 2008. www.visa.comwww.visa.com

Download ppt "KioskCom 2008 Fast Transact, Inc | 2590 Willamette Dr NE, 2nd Floor | Lacey WA 98516 | 800.687.8505 / fax 360.357.1425 Fast Transact, Inc. is a registered."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
PCI DSS for Retail Industry

PCI DSS for Retail Industry
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.

ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
University of Utah Financial and Business Services

University of Utah Financial and Business Services
Smart Payment Processing ™ 800-846-4472 www.MercuryPay.com Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.

Smart Payment Processing ™ Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.
1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.

1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Similar presentations

Ads by Google