PCI Compliance and the Online Merchant
PCI Compliance Explained
Melanie Beam
Director, Business Development
What does PCI DSS mean?
PCI DSS = Payment Card Industry Data Security Standard
The standards were developed by the founding brands of the PCI Security Standards Council: American Express, Discover, JCB, MasterCard and Visa, to assist in the broad adoption of consistent data security measures globally.
It’s the set of security rules the card companies agreed upon after years of separate standards.
This is new, right?
The PCI DSS was introduced in 2004.
The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.
Do I have to be PCI Compliant?
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
If customers pay you with credit or debit cards, then you need to be compliant at some level.
Acquirers (merchant account providers) are responsible for enforcing merchant compliance with the PCI requirements. If you have not yet, you will probably receive a letter from your merchant account provider detailing what merchant level you are currently at (with some exceptions, e.g. PayPal).
PCI DSS Principles and Requirements
(Principle, followed by its associated requirements)

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security
What are the merchant levels?
Merchant Level / Annual Transaction Volume

Level 1: Any merchant -- regardless of acceptance channel -- processing over 6M card transactions per year. Any merchant that the card companies determine should meet the Level 1 merchant requirements to minimize risk.
Level 2: Any merchant -- regardless of acceptance channel -- processing 1M to 6M card transactions per year.
Level 3: Any merchant processing 20,000 to 1M ecommerce credit card transactions per year.
Level 4: Any merchant processing fewer than 20,000 ecommerce card transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M transactions per year.
These are based on your annual transaction volumes
MOST ECOMMERCE MERCHANTS FALL INTO LEVEL 3 OR 4
How do I become compliant?
Every merchant is required to complete a Self Assessment Questionnaire (SAQ) to become certified as PCI compliant.
There are five SAQ validation types that determine which of the four SAQs to complete.
Self Assessment Questionnaire Validation
(For each SAQ type: Cardholder Data; Example; Hosting Environment)

Type 1 (The Easiest)
  Cardholder Data: All cardholder data functions are performed by a PCI compliant third party. No cardholder data can be stored or transmitted.
  Example: The purchaser must be redirected to the service provider’s website to complete the purchase. Using PayPal Payments Standard is an example.
  Hosting Environment: Does not require PCI compliant web hosting, but it may be necessary to complete the SAQ-A. Not required to perform a quarterly vulnerability scan, but recommended.

Type 4 (Most Merchants)
  Cardholder Data: Ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing. No cardholder data can be stored.
  Example: Credit card payments are made at the merchant’s website. Using a shopping cart solution with Authorize.net is an example.
  Hosting Environment: Requires that the operating service providers are PCI DSS certified. This includes the web hosting provider and data center. Not required to perform quarterly scans, but recommended. Must comply with SAQ-C.

Type 5 (The Hardest)
  Cardholder Data: Cardholder data can be stored for later use. Allows customers to save cards for later purchases.
  Example: A managed PCI compliant product such as Rackspace PCI hosting and a PCI compliant ecommerce application.
  Hosting Environment: Must comply with the requirements in SAQ-D, and may require a Report on Compliance from a Qualified Security Assessor. These are the same requirements that are required of PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers. Cost to comply is well over $50,000 and requires written policies and procedures.
Now that you know, what do you do?
Fill out the SAQ that applies to your business. If required (recommended for merchants at every level), sign up for quarterly external scans with an approved scanning vendor. *Both the SAQs and approved vendors can be found at pcisecuritystandards.org*
Understand that no single product or service will make you compliant; you have work to do too!
Be informed! Check your providers: hosting, ecommerce, and payment gateway.
Ask for a copy of their ROC or CORA, or check them against the CISP and PCI lists.
“Within the standards of PCI” does not mean compliant.
The Time Is Now
PCI Compliance applies to you, right now.
Waiting until your bank asks you to prove compliance can prove very costly.
Look for help from compliant vendors, but make sure you use several solutions. There’s no silver bullet!
PCI Compliance seems difficult but requires good, sound security policies and should be part of your business plan
Mountain Media’s Ecommerce Platform and Data Center are PCI Level 1 Compliant
Mountain Media is one of only a handful of ecommerce companies to achieve the highest level of PCI DSS certification.
* All technicians that manage systems must have background checks before starting employment as well as adhere to a host of HR procedures.
* Physical access to the data center must have robust authentication systems in place
* Video surveillance of data center access points with 3-month storage
* Firewall systems with stringent rule sets
* Intrusion detection systems
* Host intrusion detection systems
* Data servers must be on a private network (behind a second firewall with strict access rules)
* Server maintenance and upgrades must follow strict procedures and policies
Please contact us for comprehensive PCI Compliant eCommerce at 877-583-0300
Or visit www.mountainmedia.com
PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS
Source: October 2008. Statistics based on data gathered from 443 account data compromise cases investigated since 2001.
ACCOUNT DATA COMPROMISE STATISTICS
John Jacobs
Moneris Solutions, Merchant Acquirer
Moneris Solutions Proprietary Information
ACCOUNT DATA COMPROMISE STATISTICS
Cases Segmented by Payment Card Acceptance Channel
The majority of account compromises in North America occur at brick & mortar merchants. Brick & mortar merchants are most commonly attacked in North America because, unlike EMEA merchants, they are using outdated payment applications and process their transactions over the Internet.
ACCOUNT DATA COMPROMISE STATISTICS
Cases Segmented by System Type
The majority of account compromise cases involve PC-based POS software applications or e-commerce shopping carts. Hardware-based POS terminals remain the most secure way to process transactions.
ACCOUNT DATA COMPROMISE STATISTICS
Cases Segmented by Responsibility for Payment System Administration
In North America the majority of account compromises occur in environments where merchants utilize third-party payment applications and rely on third parties for support. The result is outdated systems that are not configured and secured correctly.
NEW ACCOUNT DATA COMPROMISE TRENDS
In 2008 a notable new compromise trend surfaced in the industry – data in transit.
In the past, attackers were looking for stored cardholder data.
Many merchants were, and still are, storing full magnetic stripe data.
Through the card brands’ efforts to eliminate storage of prohibited data, fewer and fewer merchants are storing full magnetic stripe data.
As a result, the attack vectors have evolved: attackers are not only looking for stored data but are also looking to capture data in transit.
Though many merchants may not be storing data, many have insecure networks which allow an attacker to gain unauthorized access to systems and start capturing data in real time.
The last two significant compromises reported in the US used this technique.
PCI SSC – SECURITY STANDARDS OVERVIEW
PCI DSS - VISA SERVICE PROVIDER LEVELS DEFINED
Below are the Service Provider levels and PCI DSS validation requirements that have been established by Visa.
(For each level: Level Description; Validation Action; Validated By)

Level 1
  Description: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
  Validation Action: Annual On-Site PCI Data Security Assessment; Quarterly Network Scan
  Validated By: Qualified Security Assessor; Approved Scanning Vendor

Level 2
  Description: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
  Validation Action: Annual PCI Self Assessment Questionnaire; Quarterly Network Scan
  Validated By: Service Provider; Approved Scanning Vendor

The levels above went into effect on February 01, 2009.
Visa list of compliant Service Providers: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
As of February 01, 2009, only Service Providers that have validated their PCI DSS compliance as a Level 1 Service Provider are listed.
PCI DSS - EFFECTS OF NOT COMPLYING
PCI DSS was put in place to protect cardholder data and reduce the risk of an account data compromise.
Merchants that are not compliant with PCI DSS are at higher risk of experiencing a security breach.
Merchants that refuse to comply with PCI DSS or fail to demonstrate compliance with PCI DSS may face the following:
* Fines due to non-compliance
* Termination of card processing services
A Merchant or Service Provider that experiences a security breach that involves the compromise of cardholder data may face the following consequences:
* Cost of forensic investigation
* Fines due to non-compliance
* Costs incurred by card issuers due to the breach (card monitoring & card replacement fees)
* Liability for a percentage of the fraud that occurred due to the breach
* Termination of card processing services
* Potential brand damage
Awarded To: eCom Merchant
June 4, 2009
eCom Merchant ("Client") is enrolled in Compliance Validation Services to meet the Payment Card Industry Data Security Standard (PCI DSS). Validation Service has been accredited by all the major card associations' data security programs including: etc.
ADDITIONAL INFORMATION
Moneris Solutions
  Moneris USA Corporate Website – www.monerisusa.com/pcisecurity
  Moneris Canada Corporate Website – www.moneris.com/pci
PCI Security Standards Council
  PCI SSC Website – www.pcisecuritystandards.org
  PCI DSS – www.pcisecuritystandards.org/security_standards/pci_dss.shtml
  PCI PA-DSS – www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  PCI PED – www.pcisecuritystandards.org/security_standards/ped/index.shtml
  PCI Security Assessor Listings – www.pcisecuritystandards.org/qsa_asv/find_one.shtml
  PCI DSS Self Assessment Questionnaires – www.pcisecuritystandards.org/saq/index.shtml
Visa
  Visa Cardholder Information Security Program (CISP) – www.visa.com/cisp
MasterCard
  MasterCard Site & Data Protection (SDP) Program – www.mastercard.com/sdp