PCI DSS - Purpose of this policy

The Payment Card Industry Data Security Standard (PCI DSS) contains the security requirements that apply to you and to all card processing service providers who accept credit cards, online or offline. It defines a standard of due care for the protection of sensitive Cardholder information. The standard applies to all parties that store, process, transmit or access Cardholder data.

This policy applies to you if you want to process credit card transactions with Ingenico ePayments. In order to do so you need to become PCI DSS compliant. After reading this policy you will know how to:

  • Become compliant,
  • Remain compliant and prove this to Ingenico ePayments,
  • Determine the validation level,
  • Use the right Self-Assessment Questionnaire (SAQ),
  • Act in case of a PCI-DSS related data breach.

This document will help you become compliant. Ingenico ePayments welcomes any questions you have on PCI-DSS.

Scope

It is a requirement for you to report on your PCI DSS compliance. We want to make it as easy as possible for you to achieve and maintain PCI DSS compliance, in order to help you protect your business and your customers from the negative effects of a card data breach. Compliance is required if you accept credit cards. The requirements apply to all payment channels, including retail, mail/telephone order and e-commerce. You are required to report your compliance status on an annual basis. Failure to do so may result in significant fines or penalties from the card associations being passed on to you, or even withdrawal of card acceptance facilities. You are liable for any fines, charges or penalties arising from non-compliance with PCI-DSS. This policy is updated towards PCI-DSS 3.1 and contains information which you are obliged to use as from January 2015.

PCI-DSS Stakeholders

You are not the only one involved with PCI-DSS. The main stakeholders are given below:

PCI-SSC

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI-DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover, JCB International, MasterCard and Visa Inc., the Council has more than 650 Participating Organizations representing merchants (like yourself), banks, processors and vendors worldwide.

Payment Service Provider

A business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Ingenico ePayments is such a Payment Service Provider.

Merchant (you)

You are an entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that if you accept payment cards as payment for goods and/or services, you can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

Consumer (your client)

The consumer is the person behind the screen of his/her device, entering his/her payment details in the confidence that the payment will be handled securely, responsibly and honorably, and that he/she will receive the purchase in good order and due course. Also, all consumers need to be instructed never to disclose any card details to third parties: a Merchant, a Payment Service Provider, an Acquirer or a Card brand will never ask for the consumer's Primary Account Number (PAN), security code (CVV) or PIN.

Payment Brands

The 5 payment brands Visa, MasterCard, Discover, American Express and JCB are the founders of the Security Standards Council, or PCI SSC and are still involved in the development of the PCI-DSS. They are also the issuers of the cards and accept transactions from acquirers. All payment brands monitor all transactions to prevent fraudulent activities.

Acquirer

An acquiring bank (or acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of you or a payment service provider. The term acquirer indicates that the bank accepts or acquires credit card payments from the card-issuing banks within an association.

Goals of the PCI Data Security Standard

The goals of the PCI Data Security Standard (PCI-DSS), as determined by the PCI-SSC (Security Standards Council), are not only to protect card data but also to protect your company. The standard ensures that you:

  • Build and maintain a secure network,
  • Maintain a vulnerability management program,
  • Implement strong access control measures,
  • Regularly monitor and test networks,
  • Maintain an information security policy.

Key Benefits

Importance of PCI-DSS compliance

Compliance with PCI DSS brings major benefits to your business, while failure to comply can have serious and long-term negative consequences. These are the benefits to your business:

  • Protection of customer’s personal data,
  • Increased customer confidence through a higher level of data security,
  • Maintain customer trust and safeguard reputation,
  • Maintain acquirers' and payment brands' trust and safeguard reputation.

Compliance is an ongoing process, not a one-time event. It helps you to prevent security breaches and theft of payment card data, not just today, but also in the future because:

  • You want to stay ahead of the threats as data compromise becomes ever more sophisticated,
  • You will benefit from continuous improvements to PCI Security Standards,
  • You have the possibility of training your security professionals,
  • When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.

Compliance has also indirect benefits:

  • If you are PCI DSS compliant, you will likely be better prepared to comply with other regulations, such as HIPAA, SOX, etc.
  • You will be supporting information security management

It is now more important than ever that you ensure and maintain tighter security around operations and the storing and transmitting of Card data. Think of:

  • Fraud losses
  • Harm to your business
  • Card-reissuance costs (these are passed to you)
  • Cardholder inconvenience
  • Loss of consumer confidence
  • Adverse publicity, brand and reputational damage.

Process Flow

The steps to become and stay PCI DSS compliant

In order to become PCI DSS compliant you must repeat several assessments either each quarter or each year. These are the repeating three steps to follow in order to become and stay PCI-DSS compliant:


Assess

You start with:

  1. Identifying cardholder data in your environment and creating an inventory of your IT assets and business processes used for processing credit cards,
  2. Analyzing them for vulnerabilities.

The analysis consists of two major parts:

  1. A technical assessment (the Quarterly Network Scan). This external vulnerability scan helps you to identify whether your systems that are connected to the internet have vulnerabilities. You must perform this scan by using an Approved Scanning Vendor (ASV) (see Approved Scanning Vendor). By performing network scans on a regular basis your organization can keep track of newly added systems, servers and network changes which might influence the security footprint of your organization. Since you need a clean scan each quarter, we recommend performing a vulnerability scan each month to stay ahead of any new vulnerabilities.
  2. A PCI-DSS compliance assessment: how you do this depends on the number of credit card transactions you process. Either you:
    1. Fill in a Self-Assessment Questionnaire (SAQ) or;
    2. You request a Qualified Security Assessor (QSA) to perform an assessment.

Remediate

Are there any issues found by the technical or the compliance assessment?

  • Then they need to be remediated first.
  • Credit card data should only be stored when it is absolutely vital for your business operation. Do not store cardholder data unless you need it, and do not forget to check log files and audit trails for card data.
  • The less data is stored, the less effort it will cost to protect the data.

Report

After the issues are fixed, you must complete both assessments again and an Attestation of Compliance form. To prove your PCI-DSS compliant status you must supply:

  • The Attestation of Compliance form,
  • The scan report provided by the ASV,
  • The completed SAQ or if applicable the Report on Compliance (ROC) supplied by the QSA.

Determine your validation level

As a next step, you need to know that you will fall into one of four compliance levels, based on your transaction volume over a 12-month period. The transaction volume is based on the aggregate number of transactions (inclusive of credit, debit and prepaid) from your 'Doing Business As' (DBA). First, you must determine which validation level you are in. This determines the effort that is needed to become compliant.

Please be aware that the different card brands operate under slightly different criteria to determine your level. You can use the following scheme to determine your validation requirements for the various card brands, depending on your number of card transactions. Exceptions for the different Card brands are listed separately where they differ from the Visa levels. If you have suffered a breach that resulted in an account data compromise, you may have been escalated to a higher validation level as determined by the card brands.

Level 1

Criteria: You process over 6 million transactions annually (all channels), or, if you are global, you are identified as Level 1 by any Visa region.

Validation requirements:

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA), or by Internal Security Assessor (ISA) if signed by an officer of the company.
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 2

Criteria: You process 1 million to 6 million transactions annually (all channels).

Validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3

Criteria: You process 20,000 to 1 million e-commerce transactions annually.

Validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 4

Criteria: You process less than 20,000 e-commerce transactions annually, or you are any other merchant processing up to 1 million transactions annually.

Validation requirements:

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA), or by Internal Security Assessor (ISA) if signed by an officer of the company.
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Exception per Card Brand

MasterCard

  • All levels: if Visa levels apply, then MasterCard will apply the same level.
  • All levels: volume is based on combined volume of MasterCard and Maestro transactions.
  • Level 1: MasterCard may, in its sole discretion, determine that you must meet the Level 1 requirements to minimize risk to the system.

AMEX

  • Level 1: 5 million or more AMEX Card transactions
  • Level 2: 50,000 to 2.5 million AMEX Card transactions
  • Level 3: less than 50,000 AMEX Card transactions

Discover

  • All levels: if Visa levels apply, then Discover will apply the same level.

If you wish, we can assist you in determining your validation level and validation requirements.

Approved Scanning Vendor

If you have an internet-facing address, you need to have a network scan performed by an Approved Scanning Vendor (ASV). A list of ASVs can be found on the PCI-SSC site using the following link: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

  • Level 4: you do not have to perform an ASV scan unless appropriate.

Qualified Security Assessor

If you have determined that you are Level 1, the Report on Compliance must be completed by a Qualified Security Assessor (QSA). You can find a list of QSA companies by using the following link:

https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

Determine Self-Assessment Questionnaire

Are you not Level 1? Then you need to complete a Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool that assists you in self-evaluating your compliance with the PCI DSS. You need to fill in one of the questionnaires below. Which one depends on your business model and technical implementation, that is, on how you accept payment cards:

  • SAQ A: Card-not-present (e-commerce or mail/telephone-order): all cardholder data functions outsourced. This does not apply if you conduct business face-to-face.
  • SAQ A-EP: E-commerce: you partially outsource your e-commerce payment channel to PCI DSS validated third parties and you do not electronically store, process, or transmit any cardholder data on your systems or premises.
  • SAQ B: Imprint-only: no electronic cardholder data storage, or standalone, dial-out terminals with no electronic cardholder data storage.
  • SAQ B-IP: You may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present), and you do not store cardholder data on any computer system.
  • SAQ C-VT: You use only web-based virtual terminals, no electronic cardholder data storage.
  • SAQ C: You have payment application systems connected to the Internet, no electronic cardholder data storage.
  • SAQ D: You do not fall into any of the descriptions for SAQ types A through C above.

Description of SAQs (Self-Assessment Questionnaires)

SAQ A

SAQ A is the assessment for you if you:

  • Have completely outsourced your cardholder data functions to validated third parties. In this case you only retain paper reports or receipts with cardholder data.
  • Are either an e-commerce or mail/telephone-order merchant (card-not-present).
  • Do not store, process, or transmit any cardholder data in electronic format on your systems or premises.

By completing SAQ A, you confirm that, for this payment channel:

  • Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
  • All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
  • Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Your company has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Additionally, for e-commerce channels:

  • The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

Applicable for you if you use the following services:

  • Ingenico MyCheckout - the consumer is redirected to the MyCheckout hosted payment pages. The payment forms are entirely provided by our payment servers.
  • iOS SDK and Android SDK - the payment data in the consumer's app is encrypted with a key that the consumer's device obtains from our platform, sent to you and relayed to our platform. SAQ A applies, as well as section 6 of SAQ D. Please validate this with your account manager.

SAQ A-EP

SAQ A-EP is the assessment for you if you:

  • Are in the e-commerce industry and have a website(s) that does not itself receive cardholder data, but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data, or;
  • Are in the e-commerce industry and partially outsource your e-commerce payment channel to PCI DSS validated third parties, and do not electronically store, process, or transmit any cardholder data on your systems or premises.

By completing SAQ A-EP, you confirm that for this payment channel:

  • Your company accepts only e-commerce transactions;
  • All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor;
  • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
  • Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems);
  • If your website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
  • All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS compliant service provider(s);
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Applicable to you if you use the following services:

  • JavaScript SDK - the payment data in the consumer's browser is encrypted with a key that the consumer's device obtains from our platform, sent to you and relayed to our processing site.

SAQ B

SAQ B is not described in detail because there are no applicable products for Ingenico ePayments.

SAQ B-IP

SAQ B-IP is not described in detail because there are no applicable products for Ingenico ePayments.

SAQ C-VT

Do you process cardholder data only via isolated virtual terminals on personal computers connected to the Internet? Then you must fill in an SAQ C-VT.

A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where you manually enter payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in environments with low transaction volumes.

You process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle your transactions.

This SAQ option is intended to apply only to you if you manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

SAQ C-VT applies whether you are:

  • Brick-and-mortar (card-present), or
  • Mail/telephone-order (card-not-present)

By completing SAQ C-VT, you confirm that for this payment channel:

  • Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
  • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
  • Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
  • Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
  • Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
  • Your company does not store cardholder data in electronic format.

Applicable to you if you use the following services:

  • Call Centre Application - the call centre employee opens the payment forms of Ingenico ePayments in a browser. The payment forms are entirely provided by our payment servers.

SAQ C

Are your payment application systems (for example, point-of-sale systems) connected to the Internet (for example, via DSL, cable modem, etc.)? Then you must fill in an SAQ C.

Under SAQ C, you process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present).

By completing SAQ C, you confirm that for this payment channel:

  • Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
  • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
  • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
  • Your company does not store cardholder data in electronic format.

SAQ D

If you do not meet the criteria for any other SAQ type, you fill in an SAQ D.

Examples of environments that use SAQ D may include but are not limited to:

  • E-commerce: if you accept cardholder data on your website.
  • You electronically store cardholder data.

Applicable to you if you use the following services:

  • REST API - you do not use Ingenico MyCheckout (the hosted payment pages), the Android SDK, the iOS SDK or the JavaScript SDK, and you send payment requests to our platform using the REST API interface.

Attestation of Compliance Form

After you have filled in any of the SAQs, you must complete and sign the Attestation of Compliance (AoC) form. The AoC form declares your compliance status. The AoC form can be downloaded from the PCI-SSC site: https://www.pcisecuritystandards.org/security_standards/documents.php.

The selected AoC form needs to match the completed SAQ, so select either A, A-EP, C, C-VT or D. For level 1, the AoC form (D) must be completed by a Qualified Security Assessor (QSA).

PCI-SSC Prioritized Approach

Are you undergoing an on-site assessment, or do you use SAQ D?

Then it is good to know that there is a document available that helps you become PCI DSS compliant: the so-called Prioritized Approach. This document explains the approach and contains a tool that you can use to monitor your progress in becoming compliant.

If this approach suits you, we suggest following the PCI-SSC documentation for additional information. The Prioritized Approach has been updated to reflect the changes in PCI-DSS 3.0.

What Is the Prioritized Approach?

The Prioritized Approach provides six security milestones that will help you to incrementally protect yourself against the highest risk factors and escalating threats while being on the road to PCI DSS compliance. The Prioritized Approach and its milestones are intended to provide the following benefits:

  • Roadmap that an organization can use to address its risks in priority order
  • Pragmatic approach that allows for “quick wins”
  • Supports financial and operational planning
  • Promotes objective and measurable progress indicators
  • Helps promote consistency among assessors

Milestones for Prioritizing PCI DSS Compliance Efforts

More information on the Milestones for Prioritizing PCI DSS Compliance Efforts is available in the PCI-SSC Prioritized Approach document listed under References.

Additional Information

What you must do in case of a suspected breach

Being PCI DSS compliant minimizes the possibility of theft or fraudulent use of credit card data. However, a breach can still occur or be suspected due to human error, internal fraud or previously unknown vulnerabilities. What do you need to do if you suspect or establish a credit card data breach?

Suspected Breach Notification

Yourself

If you suspect a credit card breach you must immediately inform your acquirer(s), payment service provider(s) and/or card brands.

You can send a (suspected) breach related to Ingenico ePayments to your account manager.

Common Point-of-Purchase (CPP) report

Your acquirer(s) will investigate and determine whether all of the cards reported fraudulent have been used at the same merchant over the same time period. This test, known as “common point of purchase” or CPP, is the core means to determine the source of a card breach.

You will receive a Common Point-of-Purchase (CPP) report through your acquirer or your payment service provider.

When faced with a Common Point-of-Purchase (CPP) report it is vital for you to act quickly and communicate directly with your acquirer(s) and/or payment service provider(s). In doing so the financial consequences and the negative business impact resulting from the card breach may be minimized.

PCI Forensic Investigator (PFI)

After informing your acquirer(s) and payment service provider(s) you must make immediate contact with a PCI Forensic Investigator (PFI). The PFI investigates where in your environment the breach occurred, the extent of the data compromise and the remediation steps you must take. It is strongly recommended that you contact a reliable PFI as quickly as possible after detecting the (suspected) breach. You can find a suitable PFI company on the PCI Security Standards Council list: https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

Mitigation

If the PFI determines that there has been a data breach, it is vital that you take steps to mitigate or eliminate the existing exposure immediately. Delays resulting in longer exposure times can increase the size of the breach and also increase the related fines levied by the card brands. In some cases, the fines from the card brands are passed from the acquirer to the Payment Service Providers and ultimately to you. Any findings or conclusions of the initial investigation must be provided in written documentation to the card brand within three (3) business days, as determined by the card brands.

The card brands typically assess fines within 90 days of an incident taking place, but the acquirer cannot be sure of an amount until after all investigative work has been completed.

On site Investigation

After signing the contract, the chosen PFI should set up communications between the acquirer and you. This helps ensure that you address the breach effectively and engage qualified professionals to assess where the breach occurred and its magnitude. The PFI then recommends remediation steps to you to correct the breach and limit its exposure.

Once engaged with you directly, the PFI will discuss next steps and schedule an on-site visit.

It is crucial that the PFI conducts a live review of the payments environment to ensure a reasonable view of the circumstances surrounding the breach. At the conclusion of the visit the PFI will provide an analysis report, conveyed to the appropriate people at your site, with details of the data gathered. This analysis should also be shared by the PFI or by you with the acquirer, which in turn should create an even deeper, more meaningful dialogue between the acquirer and you. In addition to this on-site work, the PFI will conduct an off-site assessment shortly thereafter, and a full report, including remediation recommendations to you, will be provided to both you and the acquirer.

Once the on-site work is finished, the PFI will provide the documented results to you. You must present the report to the card brands within five (5) business days. It is important that the acquirer follows up with you to solicit feedback on your experience and understanding of the remediation steps outlined in the report. You must address points of exposure immediately to avoid further cardholder data leakage. The following link is a template/example for a PFI Preliminary Incident Response Report: https://www.pcisecuritystandards.org/documents/PFI_Preliminary_Incident_Response_Report_Template.pdf?v=1

Final report

The PFI provides a final report outlining all remediation steps, recommendations, breach points and other items to the acquirer, the card brands and yourself. Typically, reports include:

  • System and network deficiencies.
  • Timeframe of card data exposures.
  • An outline of possible intrusions.
  • The number of cards that are at risk as a result of the incident.
  • Any outstanding security remediation steps.

The following link is a template/example for a PFI Final Incident Report:

https://www.pcisecuritystandards.org/documents/PFI_Final_Incident_Response_Report_Template.pdf?v=1

It is important that you are not only aware of this report but also review its content, and that you ensure its delivery to the card brand(s) that issued the original CPP alert(s). You provide the final forensic report to the card brands within ten (10) business days of completion of the review.

Remediation completion

Within several weeks of the final report being delivered, a conference call should also be scheduled between you and your acquirer to check on remediation completion and discuss outstanding support needs. Creating a simple status update spreadsheet is an effective way to track ongoing conversations between the acquirer and yourself and to monitor ongoing PCI DSS compliance. Also, providing evidence of a completed SAQ or on-site audit and a valid scanning report will be important components of a comprehensive response to the card brands involved.

Additional Information

Tips and tricks

Secure networks

  • Buy and use only approved PIN entry devices at your points of sale. Approved devices are listed by the PCI Security Standards Council at: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php.
  • Buy and use only validated payment applications at your POS or in your website shopping cart. Validated applications are listed by the PCI Security Standards Council at: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true.
  • Do not store cardholder data on computers or on paper unless you really need it. If you do, secure the process (for example encryption at rest, and secure deletion once the data is no longer needed). Sensitive Authentication Data (the full contents of the magnetic stripe or chip, card verification codes and values such as the CVV, and PINs and PIN blocks) must never be stored after authorization, not even in encrypted form.
  • Use a firewall on your network and on your PCs.
  • Make sure your wireless router is password-protected and uses strong encryption (WPA2, never WEP).
  • Use strong passwords and change them regularly. Always change the default passwords of hardware and software: default credentials are publicly known and are the first thing an attacker tries.
  • Regularly inspect PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data. Security awareness is essential in protecting your environment.
  • Following the PCI Data Security Standard gives you a baseline of defense against cyber criminals. To better protect your environment, go beyond the standard.
  • Although the standard requires quarterly scans, we recommend scanning monthly. Monthly scans detect new vulnerabilities earlier and leave a shorter window of exposure.
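The tip about checking PCs for rogue software is, in practice, a change-detection control: hash every file on the in-scope machine, keep the baseline somewhere the machine cannot alter it, and compare on a schedule. The Python below is an added example written for this page, not code from the original policy or from Ingenico ePayments. The directory layout, file names and file contents it creates are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the original policy): a minimal file-integrity
# check for an in-scope PC. Everything under demo() is constructed data.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return the added, removed and modified paths between two snapshots."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a toy POS directory, take a baseline, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "pos.exe").write_bytes(b"\x4d\x5a original binary")
        (root / "pos" / "config.ini").write_text("[network]\nhost=gateway.example\n")
        baseline = snapshot(root)

        # Simulated tampering: the gateway host is changed and a rogue DLL is dropped.
        (root / "pos" / "config.ini").write_text("[network]\nhost=203.0.113.7\n")
        (root / "pos" / "helper.dll").write_bytes(b"\x4d\x5a rogue")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline belongs on a separate, write-protected system and the comparison runs on a schedule; a non-empty result is an alert to investigate, not something the POS operator silently re-baselines.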

References

Document list

PCI DSS E-Commerce Guidelines:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

PCI-DSS SAQ A-D:

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Self-Assessment Questionnaire, Instructions and Guidelines:

https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf

PCI-DSS Prioritized Approach:

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3_.pdf

PCI-DSS Prioritized Approach Tool:

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_v3.xlsx

PCI DSS Prioritized Approach Summary of Changes v2 to v3:

https://www.pcisecuritystandards.org/documents/PCI_DSS_Prioritized_Approach_Summary_of_Changes_v2_to_v3.pdf

 


PCI-DSS Stakeholders

You are not the only one involved with PCI-DSS.  Below the main stakeholders are given:

PCI SSC

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI-DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover, JCB International, MasterCard and Visa Inc., the Council has more than 650 Participating Organizations representing merchants (like yourself), banks, processors and vendors worldwide.

Payment Service Provider

A business entity, other than a payment brand, that is directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services which control or could impact the security of cardholder data. Ingenico ePayments is such a Payment Service Provider.

Merchant (you)

You are an entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that if you accept payment cards as payment for goods and/or services, you can also be a service provider if the services you sell involve storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

Consumer (your client)

The consumer is the person behind the screen of his/her device, entering his/her payment details in the confidence that the payment will be handled securely, responsibly and honorably, and that he/she will receive the purchase in good order and in due course. Consumers should also be instructed never to disclose card details to third parties: a merchant, a payment service provider, an acquirer or a card brand will never ask a consumer for the Primary Account Number (PAN), security code (CVV) or PIN.

Payment Brands

The five payment brands Visa, MasterCard, Discover, American Express and JCB founded the PCI Security Standards Council (PCI SSC) and are still involved in the development of the PCI DSS. They operate the card networks that route transactions between acquirers and the banks that issue the cards (American Express and Discover also issue cards themselves), and all of them monitor transactions to detect fraudulent activity.

Acquirer

An acquiring bank (or acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of you or a payment service provider. The term acquirer indicates that the bank accepts or acquires credit card payments from the card-issuing banks within an association.

Goals of the PCI Data Security Standard

The goals of the PCI Data Security Standard (PCI DSS), as set by the PCI SSC, protect not only card data but also your company. The standard requires that you:

  • Build and maintain a secure network and systems,
  • Protect cardholder data,
  • Maintain a vulnerability management program,
  • Implement strong access control measures,
  • Regularly monitor and test networks,
  • Maintain an information security policy.

Key Benefits

Importance of PCI-DSS compliance

Compliance with PCI DSS brings major benefits to your business, while failure to comply can have serious and long-term negative consequences. These are the benefits to your business:

  • Protection of customer’s personal data,
  • Increased customer confidence through a higher level of data security,
  • Maintain customer trust and safeguard reputation,
  • Maintain the trust of your acquirers and the payment brands and safeguard your reputation with them.

Compliance is an ongoing process, not a one-time event. It helps you to prevent security breaches and theft of payment card data, not just today, but also in the future because:

  • You stay ahead of the threats as data compromise techniques become ever more sophisticated,
  • You benefit from continuous improvements to the PCI Security Standards,
  • You have the opportunity to train your security professionals,
  • When you stay compliant you are part of the solution: a united, global response to payment card data compromise.

Compliance has also indirect benefits:

  • If you are PCI DSS compliant, you will likely be better prepared to comply with other regulations, such as HIPAA, SOX, etc.
  • You will be supporting information security management

It is now more important than ever that you ensure and maintain tighter security around operations and the storing and transmitting of Card data. Think of:

  • Fraud losses
  • Harm to your business
  • Card-reissuance costs (these are passed to you)
  • Cardholder inconvenience
  • Loss of consumer confidence
  • Adverse publicity, brand and reputational damage.

Process Flow

The steps to become and stay PCI DSS compliant

To become PCI DSS compliant you must repeat several assessments, some each quarter and some each year. The following three steps are repeated in order to become and stay PCI DSS compliant: Assess, Remediate and Report.


Assess

You start with:

  1. Identifying cardholder data in your environment and creating an inventory of your IT assets and business processes used for processing credit cards,
  2. Analyzing them for vulnerabilities.

The analysis consists of two major parts:

  1. A technical assessment (the quarterly network scan). This external vulnerability scan identifies whether your internet-facing systems have vulnerabilities. You must have it performed by an Approved Scanning Vendor (ASV) (see Approved Scanning Vendor). Scanning regularly also lets you keep track of newly added systems, servers and network changes that may alter your organization's security footprint. Because you need a passing scan every quarter, we recommend a vulnerability scan every month so that you stay ahead of new vulnerabilities.
  2. A PCI DSS compliance assessment. How you do this depends on the number of credit card transactions you process. Either you:
    1. Fill in a Self-Assessment Questionnaire (SAQ), or
    2. Request a Qualified Security Assessor (QSA) to perform an assessment.

Remediate

Did the technical or the compliance assessment find any issues?

  • Then these must be remediated first.
  • Store cardholder data only when it is absolutely vital for your business operation. If you do not need it, do not store it, and do not forget to check log files and audit trails for card data that ended up there unintentionally.
  • The less data you store, the less effort it costs to protect it.
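The advice to look for card data in logs and audit trails, and the inventory step under Assess, both come down to one check: find the digit runs that are really PANs and render them unreadable. The Python below is an added example written for this page, not code from the original policy or from Ingenico ePayments. It pairs a candidate regex with a Luhn check so that order numbers, timestamps and phone numbers are not flagged, masks each hit to first six/last four digits (the most PCI DSS permits to be displayed), and can rewrite a line in place. The log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Added example (not from the original policy): locate card numbers that have
# leaked into logs and render them unreadable. SAMPLE_LOG is constructed data.

# A candidate PAN is 13 to 19 digits, optionally split by single spaces or
# dashes (the way an echoed form value often looks). The look-arounds stop a
# match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the separators the regex tolerated so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


@dataclass
class Finding:
    line_no: int
    masked: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Report every Luhn-valid PAN, already masked so the report is not a new leak."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _normalise(m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(n, mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a line with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = _normalise(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample: a checkout log that echoed form data and an upstream response.
SAMPLE_LOG = [
    "2015-03-02 10:14:07 INFO  checkout order_id=1234567890123456 amount=49.90",
    "2015-03-02 10:14:08 DEBUG form data: cardNumber=4111 1111 1111 1111 expiry=12/18",
    "2015-03-02 10:14:09 DEBUG upstream response: pan=5555555555554444 auth=OK",
    "2015-03-02 10:14:10 INFO  customer phone=0123456789",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run it over real log directories with a file loop around scan_lines. Treat any hit as an incident for the Remediate step: a PAN in a log file is stored cardholder data whether you intended it or not, and every backup and log-shipping destination that copied it is now in scope as well.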

Report

After the issues are fixed, you must complete both assessments again and an Attestation of Compliance form. To prove your PCI-DSS compliant status you must supply:

  • The Attestation of Compliance form,
  • The scan report provided by the ASV,
  • The completed SAQ or if applicable the Report on Compliance (ROC) supplied by the QSA.

Determine your validation level

As a next step, you need to know that you fall into one of four compliance levels, based on your transaction volume over a 12-month period. The transaction volume is the aggregate number of transactions (credit, debit and prepaid) processed under your ‘Doing Business As’ (DBA) name. First determine which validation level you are in; this determines the effort needed to become compliant.

Please be aware that the different card brands use slightly different criteria to determine your level. Use the following scheme to determine your validation requirements, depending on your number of card transactions. The scheme follows the Visa levels; exceptions for the other card brands are listed separately where they differ. If you have suffered a breach that resulted in an account data compromise, the card brands may have escalated you to a higher validation level.

Level 1
Criteria: You process over 6 million transactions annually (all channels), or, if you are a global merchant, you have been identified as Level 1 by any Visa region.
Validation requirements:
  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company.
  • Quarterly network scan by an Approved Scanning Vendor (ASV).
  • Attestation of Compliance form.

Level 2
Criteria: You process 1 million to 6 million transactions annually (all channels).
Validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by an ASV.
  • Attestation of Compliance form.

Level 3
Criteria: You process 20,000 to 1 million e-commerce transactions annually.
Validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by an ASV.
  • Attestation of Compliance form.

Level 4
Criteria: You process fewer than 20,000 e-commerce transactions annually, or you are any other merchant processing up to 1 million transactions annually.
Validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by an ASV, if applicable.
  • Attestation of Compliance form.

Exception per Card Brand

MasterCard

  • All levels: if the Visa levels apply to you, MasterCard applies the same level.
  • All levels: volume is based on the combined volume of MasterCard and Maestro transactions.
  • Level 1: MasterCard may, at its sole discretion, determine that you must meet Level 1 requirements in order to minimize risk to the system.

AMEX

  • Level 1: 2.5 million or more AMEX Card transactions
  • Level 2: 50,000 to 2.5 million AMEX Card transactions
  • Level 3: fewer than 50,000 AMEX Card transactions

Discover

  • All levels if Visa levels apply then Discover will apply the same level.

If you wish, we can assist you in determining your validation level and validation requirements.

Approved Scanning Vendor

If you have an internet-facing address, you must have a network scan performed by an Approved Scanning Vendor (ASV). A list of ASVs can be found on the PCI SSC site: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

  • Level 4: an ASV scan is required only if applicable, as determined by your acquirer.

Qualified Security Assessor

If you have determined that you are level 1, the Report on Compliance must be completed by a Qualified Security Assessor (QSA). You can find a list of QSA companies using the following link:

 https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

Determine Self-Assessment Questionnaire

Are you not a level 1? Then you need to complete a Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool that assists you in self-evaluating your compliance with the PCI DSS. You need to fill in one of the below questionnaires. Which one depends on your business model and technical implementation:

Which SAQ applies depends on how you accept payment cards:

  • SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. Not applicable if you conduct business face-to-face.
  • SAQ A-EP: E-commerce merchants that partially outsource the e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process or transmit any cardholder data on their own systems or premises.
  • SAQ B: Imprint-only merchants with no electronic cardholder data storage, or merchants using standalone dial-out terminals with no electronic cardholder data storage.
  • SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage; these may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present).
  • SAQ C-VT: Merchants that use only web-based virtual terminals, with no electronic cardholder data storage.
  • SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
  • SAQ D: Merchants that do not fit any of the descriptions for SAQ A through C above.

Description of SAQs (Self-Assessment Questionnaires)

SAQ A

SAQ A is the assessment for you if you:

  • Have completely outsourced all cardholder data functions to validated third parties, retaining only paper reports or receipts with cardholder data;
  • Are an e-commerce or mail/telephone-order merchant (card-not-present); and
  • Do not store, process or transmit any cardholder data in electronic format on your systems or premises.

By attesting to SAQ A you confirm that, for this payment channel:

  • your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
  • All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
  • Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Your company has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Additionally, for e-commerce channels:

  • The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

Applicable for you if you use the following services:

  • Ingenico MyCheckout - the consumer is redirected to the MyCheckout hosted payment pages. The payment forms are entirely provided by our payment servers.
  • iOS SDK and Android SDK - the payment data in the consumer's app is encrypted with a key that the consumer's device obtains from our platform, sent to you and relayed by you to our platform. SAQ A applies, together with section 6 of SAQ D. Please validate this with your account manager.

SAQ A-EP

SAQ A-EP is the assessment for you if you:

  • Are an e-commerce merchant with a website that does not itself receive cardholder data but that does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data, or;
  • Are an e-commerce merchant that partially outsources the e-commerce payment channel to PCI DSS validated third parties and does not electronically store, process or transmit any cardholder data on your own systems or premises.

Having SAQ A-EP compliance, you confirm that for this payment channel:

  • Your company accepts only e-commerce transactions;
  • All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor;
  • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
  • Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems);
  • If your website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
  • All elements of payment pages that are delivered to the consumer's browser originate from either your own website or a PCI DSS compliant service provider(s);
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Applicable to you if you use the following services:

  • JavaScript SDK - the payment data in the consumer's browser is encrypted with a key that the consumer's device obtains from our platform, sent to you and relayed by you to our processing site. Because your page controls how the encrypted data is captured and relayed, it affects the security of the transaction, which is why SAQ A-EP rather than SAQ A applies.

SAQ B

SAQ B is not described in detail because there are no applicable products for Ingenico ePayments.

SAQ B-IP

SAQ B-IP is not described in detail because there are no applicable products for Ingenico ePayments.

SAQ C-VT

Do you process cardholder data only via isolated virtual terminals on personal computers connected to the Internet? Then you must fill in a SAQ C-VT.

A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where you manually enter payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in environments with low transaction volumes.

You process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle your transactions.

This SAQ option is intended to apply only to you if you manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

As a SAQ C-VT merchant you may be either:

  • Brick-and-mortar (card-present), or
  • Mail/telephone-order (card-not-present)

Having SAQ C-VT compliance, you confirm that for this payment channel:

  • Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
  • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
  • Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
  • Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
  • Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
  • Your company does not store cardholder data in electronic format.

Applicable to you if you use the following services:

  • Call Centre Application - the call centre employee opens the payment forms of Ingenico ePayments in a browser. The payment forms are entirely provided by our payment servers.

SAQ C

Are your payment application systems (for example, point-of-sale systems) connected to the Internet (for example, via DSL, cable modem, etc.)? Then you must fill in a SAQ C. 

SAQ C applies if you process cardholder data via a point-of-sale (POS) system or other payment application system connected to the Internet, do not store cardholder data on any computer system, and are either a brick-and-mortar (card-present) or a mail/telephone-order (card-not-present) merchant.

By attesting to SAQ C you confirm that, for this payment channel:

  • Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
  • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
  • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
  • Your company does not store cardholder data in electronic format.

SAQ D

If you do not meet the criteria for any other SAQ type, you fill in SAQ D.

Examples of environments that use SAQ D may include but are not limited to:

  • E-commerce: if you accept cardholder data on your website.
  • If you have an electronic storage of cardholder data

Applicable to you if you use the following services:

  • REST API - you do not use Ingenico MyCheckout (the hosted payment pages), the Android SDK, the iOS SDK or the JavaScript SDK, but send payment requests to our platform directly through the REST API interface, so cardholder data passes through your own systems.

Attestation of Compliance Form

After you have filled in any of the SAQ’s, you must complete and sign the Attestation of Compliance (AoC) form. The AoC form declares your compliance status. The AoC form can be downloaded from the PCI-SSC site: https://www.pcisecuritystandards.org/security_standards/documents.php.

The AoC form must match the SAQ you completed, so select the AoC for SAQ A, A-EP, C, C-VT or D. For level 1, the AoC that accompanies the Report on Compliance is completed together with your Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).

PCI-SSC Prioritized Approach

Are you undergoing an on-site assessment, or do you use SAQ D?

Then it is good to know that a document is available that helps you become PCI DSS compliant: the so-called Prioritized Approach. It explains the approach and comes with a tool (a spreadsheet) that you can use to monitor your progress towards compliance.

If this approach suits you, we suggest following the PCI SSC documentation for additional information. The Prioritized Approach has been updated to reflect the changes in PCI DSS 3.0.

What Is the Prioritized Approach?

The Prioritized Approach provides six security milestones that will help you to incrementally protect yourself against the highest risk factors and escalating threats while being on the road to PCI DSS compliance. The Prioritized Approach and its milestones are intended to provide the following benefits:

  • Roadmap that an organization can use to address its risks in priority order
  • Pragmatic approach that allows for “quick wins”
  • Supports financial and operational planning
  • Promotes objective and measurable progress indicators
  • Helps promote consistency among assessors

Milestones for Prioritizing PCI DSS Compliance Efforts

The six milestones are described in the PCI SSC Prioritized Approach document and tool listed under References.

Additional Information

What you must do in case of a suspected breach

Being PCI DSS compliant minimizes the possibility of theft or fraudulent use of credit card data. A breach can nevertheless occur or be suspected, due to human error, internal fraud or previously unknown vulnerabilities. What do you need to do if you suspect or establish a credit card data breach?

Suspected Breach Notification

Yourself

If you suspect a credit card breach you must immediately inform your acquirer(s), payment service provider(s) and/or card brands.

Report a (suspected) breach involving Ingenico ePayments to your account manager.

Common Point-of-Purchase (CPP) report

Your acquirer(s) will investigate and determine whether all of the cards reported fraudulent have been used at the same merchant over the same time period. This test, known as “common point of purchase” or CPP, is the core means to determine the source of a card breach.

You will receive a Common Point-of-Purchase (CPP) report through your acquirer or your payment service provider.

When faced with a CPP report it is vital that you act quickly and communicate directly with your acquirer(s) and/or payment service provider(s). Doing so may minimize the financial consequences and the negative business impact of the card breach.

PCI Forensic Investigator (PFI)

After informing your acquirer(s) and payment service provider(s) you must make immediate contact with a PCI Forensic Investigator (PFI). The PFI investigates where in your environment the breach occurred, the extent of the data compromise and the remediation steps you must take. It is strongly recommended that you contact a reliable PFI as quickly as possible after detecting the (suspected) breach. You can find a suitable PFI company on the PCI Security Standards Council list: https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

Mitigation

If the PFI determines that there has been a data breach, it is vital that you take steps to mitigate or eliminate the existing exposure immediately. Delays that prolong the exposure can increase the size of the breach and the related fines levied by the card brands. In some cases these fines are passed from the acquirer to the payment service provider and ultimately to you. Any findings or conclusions of the initial investigation must be provided in writing to the card brands within three (3) business days, as determined by the card brands.

The card brands typically assess fines within 90 days of an incident taking place, but the acquirer cannot be sure of an amount until after all investigative work has been completed.

On site Investigation

After the contract is signed, the chosen PFI should set up communications between you and the acquirer. This helps ensure that you address the breach effectively and engage qualified professionals to assess where the breach occurred and its magnitude, and who then recommend remediation steps to correct the breach and limit its exposure.

Once engaged with you directly, the PFI will discuss next steps and schedule an on-site visit.

It is crucial that the PFI conducts a live review of the payments environment to get a reliable view of the circumstances surrounding the breach. At the conclusion of the visit the PFI provides an analysis report to the appropriate people at your site with details of the data gathered. This analysis should also be shared, by the PFI or by you, with the acquirer, which in turn should lead to a deeper, more meaningful dialogue between the acquirer and you. In addition to this on-site work, the PFI conducts an off-site assessment shortly thereafter and provides a full report, including remediation recommendations, to both you and the acquirer.

Once the on-site work is finished, the PFI provides the documented results to you. You must present this preliminary report to the card brands within five (5) business days. It is important that your acquirer follows up with you to solicit feedback on your experience and your understanding of the remediation steps outlined in the report. You must address the points of exposure immediately to avoid further cardholder data leakage. The following link is a template/example for a PFI Preliminary Incident Response Report: https://www.pcisecuritystandards.org/documents/PFI_Preliminary_Incident_Response_Report_Template.pdf?v=1

Final report

The PFI provides a final report outlining all remediation steps, recommendations, breach points and other items to the acquirer, the card brands and you. Typically, reports include:

  • System and network deficiencies.
  • Timeframe of card data exposures.
  • An outline of possible intrusions.
  • The number of cards that are at risk as a result of the incident.
  • Any outstanding security remediation steps.

The following link is a template/example for a PFI Final Incident Report:

https://www.pcisecuritystandards.org/documents/PFI_Final_Incident_Response_Report_Template.pdf?v=1

It is important that you are not only aware of this report but also review its content, and that you ensure its delivery to the card brand(s) that issued the original CPP alert(s). You must provide the final forensic report to the card brands within ten (10) business days of completion of the review.

Remediation completion

Within several weeks of the final report being delivered, a conference call should also be scheduled between you and the acquirer to check on remediation completion and discuss outstanding support needs. A simple status update spreadsheet that you maintain is an effective way to track ongoing conversations between the acquirer and yourself and to monitor ongoing PCI DSS compliance. Providing evidence of a completed SAQ or on-site audit and a valid scanning report will also be important components of a comprehensive response to the card brands involved.

Additional Information

Tips and tricks

Secure networks

  • Buy and use only approved PIN entry devices at your points-of-sale. See the following PCI Security Standards Council website to find approved devices: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php.
  • Buy and use only validated payment software at your POS or website shopping cart. See the following PCI Security Standards Council website to find validated payment applications: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true.
  • Do not store any sensitive cardholder data on computers or on paper unless you really need it. If you do need to store it, make sure the process is secured, e.g. by encryption and timely data deletion. Sensitive Authentication Data (which includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks, and the CVV) may never be stored in any form, not even encrypted.
  • Use a firewall on your network and on your PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords and change them regularly. Be sure to change the default passwords on hardware and software; these are known to attackers!
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data. Security awareness is essential in protecting your environment.
  • Follow the PCI Data Security Standard, which gives a base level of defense against cyber criminals. To better protect your environment, you have to go beyond the PCI Data Security Standard.
  • Although the standard requires quarterly scans, we recommend performing monthly scans. Monthly scans give earlier detection of vulnerabilities and lower risk.
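The "do not store sensitive cardholder data" and "regularly check your PCs" tips above can be turned into a routine check of your own application logs and exports. The following scanner is an added example written for this policy page, not Ingenico or PCI SSC code: it flags Luhn-valid primary account numbers and Track-2 style Sensitive Authentication Data in text, reporting each hit only in PCI DSS masked form (first six and last four digits). The log lines are constructed sample data using a well-known test card number.

```python
"""Scan text such as application logs for cardholder data that must not be stored there.

Added example: flags unmasked PANs (13-19 digits, Luhn-valid, optionally grouped by
spaces or dashes) and Track-2 data (PAN '=' YYMM service-code discretionary-data),
which is Sensitive Authentication Data and may never be stored in any form.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes; not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: PAN, '=' field separator, YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN as PCI DSS allows for display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (finding_type, masked_pan) tuples for cardholder data found in one line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("TRACK2_SAD", mask_pan(m.group(1))))
    # Remove Track-2 hits before the PAN pass so the same number is not reported twice.
    for m in PAN_RE.finditer(TRACK2_RE.sub(" ", line)):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    return findings

def scan_lines(lines):
    """Scan an iterable of lines; return (line_number, finding) pairs, 1-based."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]

# Constructed sample log: a harmless order id and timestamp, then two lines that leak data.
SAMPLE_LOG = [
    "2015-01-15 order 12345678901234 ref 20150115123045 status=ok",
    "DEBUG card pan=4111 1111 1111 1111 exp=12/25",
    "DEBUG terminal track2=;4111111111111111=25121011234567890?",
]

if __name__ == "__main__":
    for line_no, (kind, masked) in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

Numbers that merely look like PANs (order ids, timestamps) are ignored unless they pass the Luhn check, so run it over log directories and exports and treat any hit as data that must be purged and the logging fixed.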

References

Document list

PCI DSS E-Commerce Guidelines:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

PCI-DSS SAQ A-D:

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Self-Assessment Questionnaire, Instructions and Guidelines:

https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf

PCI-DSS Prioritized Approach:

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3_.pdf

PCI-DSS Prioritized Approach Tool:

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_v3.xlsx

PCI-DSS Prioritized Approach Summary of Changes v2 to v3:

https://www.pcisecuritystandards.org/documents/PCI_DSS_Prioritized_Approach_Summary_of_Changes_v2_to_v3.pdf