Why Comply with PCI Security Standards?

Dec 22, 2015


Juniper Nichols
Transcript
Page 1

Why Comply with PCI Security Standards?

• Compliance with the PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information:
  – Trust means your customers have confidence in doing business with you
  – Confident customers are more likely to be repeat customers, and to recommend you to others

• Compliance improves your reputation with acquirers and payment brands

Page 2

But if you are not compliant…

• Compromised data negatively affects consumers, merchants, and financial institutions

• Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future

• Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and a depressed share price if yours is a public company

• Possible negative consequences also include:
  – Lawsuits and insurance claims
  – Higher transaction fees, higher compliance fees, or even a terminated account from your acquirer
  – Fines from card companies and government bodies

Page 3

But if you are not compliant…

Q: What are the penalties for non-compliance?

A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate the merchant relationship or increase transaction fees.

Page 4

What are EMV and PCI?

EMV
• Authentication technology for the point-of-sale part of the transaction, when the physical card is actually present.
• When this chip is embedded in a card, it helps ensure the card being used is genuine and that it belongs to the person using it. It drastically reduces the chances of your business accepting lost, stolen or counterfeit cards.

PCI DSS
• Security controls to protect the cardholder's confidential information on payment cards, not just at the moment the card is swiped or dipped, but all the way through the transaction process.
• They also apply when payments are made online or via telephone, where the card is not present, to make sure your customers' card data is kept safe.

Page 5

What are the PCI standards?

Page 6

What does PCI DSS cover?

Objective: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Objective: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Page 7

PCI DSS - the Point of Sale

Page 8

PCI DSS Requirement 9

“Restrict physical access to cardholder data”

Page 9

PCI DSS 3.0 – Requirement 9.9

“Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
– These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale.
– Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.”

Version 3.0 came into effect on 1st January, 2014.

Page 10

PCI DSS – Requirements 9.9.1 – 9.9.3

• 9.9.1 Maintain an up-to-date list of devices
  – Make and model of each device
  – Location
  – Device serial number
  – Take pictures of the devices and their surroundings (cabling, ceilings, items around the devices)

• 9.9.2 Periodically inspect device surfaces for evidence of tampering or substitution

• 9.9.3 Provide staff training so that personnel are aware of attempted tampering or replacement of devices and can recognise the evidence of it
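The inventory in 9.9.1 and the periodic inspection in 9.9.2 only pay off if the two are actually compared: a swapped terminal shows up as a serial number that no longer matches the list, a stolen one as an empty location, and a lapsed programme as an inspection date that is too old. The script below is an added example written for this page (not from the slides and not PCI SSC material) that performs that reconciliation. The record layouts, the finding codes, the 30-day maximum inspection age and the sample devices and inspection visits are all constructed for illustration; PCI DSS does not prescribe an inspection interval, and the vendor and model names are placeholders, not real products.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """One line of the 9.9.1 inventory: make, model, location and serial number."""
    make: str
    model: str
    location: str
    serial: str


@dataclass(frozen=True)
class Inspection:
    """One 9.9.2 inspection visit at a location (constructed record layout)."""
    location: str
    observed_serial: Optional[str]  # None means no terminal was found at the location
    inspected_on: date
    seal_intact: bool               # tamper-evident seals / housing undamaged
    photo_matches: bool             # device and surroundings match the reference photo


Finding = Tuple[str, str, str]  # (location, finding code, detail)


def reconcile(inventory: List[Device], inspections: List[Inspection],
              today: date, max_age_days: int = 30) -> List[Finding]:
    """Compare the most recent inspection per location against the inventory.

    Flags substituted devices (serial mismatch), missing devices, visible tamper
    evidence, locations whose last inspection is older than max_age_days, and
    terminals found at locations that are not in the inventory at all.
    """
    latest: Dict[str, Inspection] = {}
    for ins in inspections:
        prev = latest.get(ins.location)
        if prev is None or ins.inspected_on > prev.inspected_on:
            latest[ins.location] = ins

    findings: List[Finding] = []
    inventoried = {d.location: d for d in inventory}
    for loc, dev in inventoried.items():
        ins = latest.get(loc)
        if ins is None:
            findings.append((loc, "NEVER_INSPECTED", f"{dev.serial} has no inspection record"))
            continue
        if (today - ins.inspected_on).days > max_age_days:
            findings.append((loc, "INSPECTION_OVERDUE", f"last inspected {ins.inspected_on}"))
        if ins.observed_serial is None:
            findings.append((loc, "DEVICE_MISSING", f"expected {dev.serial}, nothing present"))
            continue  # seal and photo checks are meaningless without a device
        if ins.observed_serial != dev.serial:
            findings.append((loc, "DEVICE_SUBSTITUTED",
                             f"expected {dev.serial}, found {ins.observed_serial}"))
        if not ins.seal_intact or not ins.photo_matches:
            findings.append((loc, "TAMPER_EVIDENCE", "seal broken or surroundings changed"))
    for loc, ins in latest.items():
        if loc not in inventoried and ins.observed_serial is not None:
            findings.append((loc, "UNINVENTORIED_DEVICE",
                             f"found {ins.observed_serial}, not in inventory"))
    return sorted(findings)


# Constructed sample data; "ExampleCo"/"PT-100" are placeholders, not real terminals.
TODAY = date(2015, 7, 15)
INVENTORY = [
    Device("ExampleCo", "PT-100", "lane-1", "SN-0001"),
    Device("ExampleCo", "PT-100", "lane-2", "SN-0002"),
    Device("ExampleCo", "PT-100", "lane-3", "SN-0003"),
    Device("ExampleCo", "PT-200", "lane-4", "SN-0004"),
    Device("ExampleCo", "PT-200", "lane-6", "SN-0006"),
]
INSPECTIONS = [
    Inspection("lane-1", "SN-0001", date(2015, 7, 10), True, True),   # clean
    Inspection("lane-2", "SN-9999", date(2015, 7, 10), True, True),   # swapped terminal
    Inspection("lane-3", "SN-0003", date(2015, 4, 1), True, True),    # superseded below
    Inspection("lane-3", "SN-0003", date(2015, 5, 1), True, True),    # still overdue at TODAY
    Inspection("lane-4", None, date(2015, 7, 12), False, False),      # terminal gone
    Inspection("lane-5", "SN-0005", date(2015, 7, 12), True, True),   # not in inventory
    Inspection("lane-6", "SN-0006", date(2015, 7, 12), False, True),  # seal broken
]

if __name__ == "__main__":
    for loc, code, detail in reconcile(INVENTORY, INSPECTIONS, TODAY):
        print(f"{loc:8} {code:22} {detail}")
```

Only the latest visit per location counts, so an old clean record cannot mask a later bad one, and a missing terminal is reported once rather than also as "tampered". The same comparison is what a QSA will do by hand when sampling locations, so keeping the inventory and the inspection log in a form that can be diffed like this makes the 9.9 evidence easy to produce.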

Page 11

PCI DSS Recommendations – New Document, September 2014

PCI’s recommendation on how to meet PCI DSS 3.0 Requirement 9:

• Security measures to take at the point of sale

• How to avoid skimming attacks

• How to physically secure your payment terminal using:
  – Stands and locking cables

Page 12

Skimming Prevention – Page 19

“Secure all terminals to the physical structure of the payment location when possible”

Skimming Prevention: Best Practices for Merchants, September 2014

Page 13

Skimming Prevention – Page 18

“Mount and secure the terminal and cables with locking stands, cable trays, and other securing mechanisms”

Skimming Prevention: Best Practices for Merchants, September 2014

Page 14

Skimming Prevention – Page 21

“Consider cable locks: Some terminals have slots so that you can attach a cable lock (as used to secure laptop computers) to the terminal. This can then be used to thread the payment terminal cable to the cash register and then secured to prevent both the terminal and the cable from being compromised. This is strongly recommended as a best practice. To insert a skimming device, it is often necessary to remove the terminal from its location, or swap the existing terminal for another compromised terminal.”

Skimming Prevention: Best Practices for Merchants, September 2014