PowerPay - PowerPoint PPT Presentation
Provided by: drewm
Slides: 37

Transcript and Presenter's Notes

1
PCI: What It Is And What It Means To You

2
Contents
  • PCI History
  • What is PCI
  • What is not PCI
  • Who must protect Card Data
  • Merchant PCI Compliance
  • Definitions
  • Useful Web Sites
  • Questions

3
PCI History
4
PCI History
  • Late 1990s - Visa recognized a need to protect
    Card Data to prevent theft
  • June 2001 - Visa mandated rules to protect Card
    Data
  • Later the other card associations followed Visa's
    lead with their own programs

5
PCI History
  • The four programs were called:
  • Visa CISP - Cardholder Information Security
    Program
  • MasterCard SDP - Site Data Protection
  • American Express DSOP - Data Security Operating
    Policy
  • Discover DISC - Discover Information Security
    Compliance

6
PCI History
  • Once there were four programs
  • Confusion ensued
  • There were now four sets of rules, guidelines,
    penalties and fines

7
The Solution

8
PCI History
  • The creation of a standards organization in 2006
    named the Payment Card Industry Security Standards
    Council (PCI SSC)
  • Also known simply as PCI
  • The founding members were the five major card
    brands:
  • American Express
  • MasterCard
  • Discover
  • Visa
  • JCB (Japan Credit Bureau) - primarily seen in
    Hawaii, California and other major T & E (travel
    and entertainment) markets in the USA

9
PCI History
  • Not the perfect solution
  • The good news:
  • The security guidelines have been consolidated
    into a single standard, the PCI DSS (Data Security
    Standard)
  • Your compliance and IT staff will appreciate this
  • The bad news:
  • Due to federal antitrust (restraint-of-trade)
    laws, the card brands cannot collude on the rules,
    penalties and fines
  • So we must still please multiple masters
  • For the most part, Visa's rules are the most
    restrictive and are therefore used as the
    bellwether guideline

10
What Is PCI
11
What Is PCI
(This is the most important slide)
  • PCI is the industry group responsible for
    defining the security standards for protecting
    Card Data
  • What is the protected Card Data?
  • SIX DATA ITEMS (FIVE ARE ON THE CARD; the PIN is
    the one that is not)
  • The Full Contents of the Magnetic Stripe
  • The Credit Card Account Number, also known as the
    PAN (Primary Account Number)
  • Cardholder Name
  • The Card Security Code (aka CVV2, CVC2 or CID)
  • PIN / PIN Block
  • The Expiration Date
12
What Is PCI
  • Twelve Requirements
  • Install and maintain a firewall configuration to
    protect cardholder data
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across
    open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and
    applications
  • Restrict access to cardholder data by business
    need-to-know

13
What Is PCI
  • Twelve Requirements (continued)
  • Assign a unique ID to each person with computer
    access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources
    and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information
    security for employees and contractors

14
What Is PCI
  • PCI Is Not:
  • The FTC's identity theft programs
  • Personally Identifiable Information (PII)
  • Protection of Social Security Numbers
  • FACTA
  • HIPAA
  • Sarbanes-Oxley (SOX)
  • Gramm-Leach-Bliley Act (GLBA)
  • FFIEC
  • The USA PATRIOT Act (OFAC or AML)

15
What Is PCI
  • PCI Is Not (continued):
  • A legal issue (with the exception of Minnesota,
    which has written part of it into state law)
  • Rather it is a contractual agreement between the
    merchant and the card brands to protect certain
    pieces of Card Data
  • If you break that agreement, it will cost you a
    minimum of $10,000 for a security assessment, plus
    you can be charged fees for damages, fines for
    breaking the agreement and, in egregious
    situations, have your merchant contract
    permanently canceled (placement on the TMF, the
    Terminated Merchant File)

16
What Is PCI
  • Who must protect Card Data?
  • Anyone that handles it - primarily:
  • Merchants
  • Processors (Paymentech, Global, TSYS, FDR, etc.)
  • Banks - Issuers and Acquirers (e.g. HSBC)
  • Third Party Providers
  • Gateways (Authorize.net, Plug'n Pay, etc.)
  • Gift Cards, Loyalty Cards, etc.
  • ISOs
  • PowerPay
  • With the exception of the Merchant, every other
    entity that PowerPay uses is PCI Compliant

17
Merchant PCI Compliance
18
Merchant PCI Compliance
  • What do you, the merchant, have to do to become
    PCI compliant?
  • It depends on two parameters:
  • Your Merchant Level (as defined by Visa)
  • How you process the Card Data:
  • Credit Card Terminal
  • Stand-alone dial-up PC or ECR (electronic cash
    register)
  • Internet-connected PC or ECR
  • Computers via the Internet (eCommerce)

19
Merchant PCI Compliance
  • Merchant Levels Defined (by Visa)
  • Level 1: Any merchant processing over 6,000,000
    annual Visa transactions, or any merchant that has
    suffered a breach that resulted in data
    compromise, or any merchant Visa, in its sole
    discretion, determines must meet Level 1
    requirements, or any merchant identified by any
    other payment card brand as Level 1
  • Level 2: Any merchant processing 1,000,000 up to
    6,000,000 annual Visa transactions
  • Level 3: Any merchant processing 20,000 up to
    1,000,000 annual Visa eCommerce transactions
  • Level 4: Any merchant processing fewer than 20,000
    Visa eCommerce transactions annually, and all
    other merchants processing up to 1,000,000 annual
    Visa transactions

20
Merchant PCI Compliance
  • Merchant Level Requirements
  • All levels must comply with the PCI DSS and
    perform quarterly network scans (by an Approved
    Scanning Vendor, ASV)
  • Level 1 must also perform an annual on-site PCI
    security audit
  • Levels 2, 3 and 4 must complete the appropriate
    PCI Self Assessment Questionnaire (SAQ)

21
Merchant PCI Compliance
  • SAQs Defined
  • SAQ A (11 questions) - Card-not-present
    (e-commerce or mail/telephone-order) merchants,
    all cardholder data functions outsourced. This
    would never apply to face-to-face merchants.
  • SAQ B (31 questions) - Imprint-only merchants
    with no electronic cardholder data storage, or
    stand-alone dial terminal merchants with no
    electronic cardholder data storage
  • SAQ C (41 questions) - Merchants with POS systems
    connected to the Internet, no electronic
    cardholder data storage
  • SAQ D (226 questions) - All other merchants (not
    included in SAQ types A-C above) and all service
    providers defined by a payment brand as eligible
    to complete an SAQ

22
Merchant PCI Compliance
  • Device Dependencies
  • Credit Card Terminal
  • As long as the software is supplied by PowerPay
    and you are a Level 4 merchant you are PCI
    Compliant
  • Our terminal applications are PCI DSS Compliant
  • You do not need to perform the network scan
  • For now, you do not have to complete the SAQ
  • Level 1, 2 and 3 merchants are very unlikely to
    be using a Credit Card Terminal due to the
    quantity of daily transactions necessary to reach
    these levels

23
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Stand-alone PC or ECR
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP- or
    PA-DSS-certified software (Easy Pay)
  • Level 1 merchants: you must perform an annual
    on-site PCI security audit
  • Level 2 or 3 merchants: you must complete the SAQ
  • Level 4 merchants: you may optionally complete the
    SAQ
  • If applicable, perform quarterly network scans

24
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Networked PC or ECR
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP- or
    PA-DSS-certified software (Easy Pay)
  • Level 1 merchants: you must perform an annual
    on-site PCI security audit
  • Level 2 or 3 merchants: you must complete the SAQ
  • Level 4 merchants: you may optionally complete the
    SAQ
  • Perform quarterly network scans

25
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Computers via the Internet (eCommerce)
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP- or
    PA-DSS-certified software, gateway and shopping
    cart
  • Level 1 merchants: you must perform an annual
    on-site PCI security audit
  • Level 2 or 3 merchants: you must complete the SAQ
  • Level 4 merchants: you may optionally complete the
    SAQ
  • Perform quarterly network scans

26
Merchant PCI Compliance
  • Two More PCI Compliance Areas
  • Certified Payment Applications
  • This is a Visa standard known as PABP (Payment
    Application Best Practices)
  • In early 2008 PCI will take over this standard
    and rename it PA-DSS - Payment Application Data
    Security Standard
  • PowerPay's Easy Pay Software
  • It is currently PABP certified
  • It will become PA-DSS certified once PA-DSS
    certification is available
  • Certified PIN Pads
  • PCI also has standards for PIN Entry Devices
    (PEDs)
  • All PIN Pads purchased from PowerPay will

27
Merchant PCI Compliance
  • Important Dates
  • January 1, 2008
  • Newly boarded merchants must not use known
    vulnerable payment applications (Primarily PC and
    ECR based merchants)
  • October 1, 2008
  • Newly boarded Level 3 and 4 merchants must be PCI
    DSS compliant or use PABP and/or PA-DSS compliant
    applications
  • July 1, 2010
  • All merchants must be using only PABP and/or
    PA-DSS compliant applications

28
Definitions
29
Definitions
  • PCI SSC - Payment Card Industry Security Standards
    Council
  • PCI DSS - Payment Card Industry Data Security
    Standard
  • PABP - Payment Application Best Practices
  • PA-DSS - Payment Application Data Security
    Standard (due out early 2008)
  • CAP - Certified Application Provider
  • ASV - Approved Scanning Vendor
  • SAQ - Self Assessment Questionnaire
  • QSA - Qualified Security Assessor
  • PED - PIN Entry Device (PIN Pad)
  • ROC - Report on Compliance
  • TMF - Terminated Merchant File

30
Useful Web Sites
31
Useful Web Sites
  • Electronic Transactions Association
  • Listing of Current State Laws
  • (Download PDF at bottom of page)
  • http://www.electran.org/content/view/523/42

32
Useful Web Sites
  • Visa
  • Main CISP Page
  • http://usa.visa.com/merchants/risk_management/cisp.html
  • Merchant Information
  • http://usa.visa.com/merchants/risk_management/cisp_overview.html

33
Useful Web Sites
  • MasterCard
  • Main Security Page
  • http://www.mastercard.com/us/merchant/security/index.html

34
Useful Web Sites
  • PCI Security Standards Council
  • Main
  • http://www.pcisecuritystandards.org
  • FAQs
  • https://www.pcisecuritystandards.org/about/faqs.htm#q1
  • Site Map
  • https://www.pcisecuritystandards.org/map/index.htm
  • Approved Scanning Vendors
  • https://www.pcisecuritystandards.org/pdfs/asv_report.html

35
Useful Web Sites
  • BBB
  • http://www.bbb.org/securityandprivacy
  • There are many good resources on this site
  • I recommend downloading a copy of "Security &
    Privacy - Made Simpler", a document targeting
    small business owners with digestible
    information about securing their customer and
    employee data. Seven (7) major corporations
    partnered with the BBB on this initiative.
  • To download, look for the following on the web
    page:
  • "Click here to download your complimentary copy of
    Security & Privacy - Made Simpler"

36
Questions?