UNDERSTANDING PCI COMPLIANCE
Just a Few Easy Steps and You’re Compliant:
• Our program gives you access to a simple online questionnaire that will help ensure that you are compliant;
• We send proof of your compliance to the Card Associations when you have successfully completed the questionnaire; and
• We provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them.
The PCI Security Standards website, www.pcisecuritystandards.org, explains the certification process and lists approved QSAs.
Please refer to the instructions on the next page for help navigating through the required Self-Assessment Questionnaire (SAQ). We’ve also included a graphical navigation guide on pages 3 - 11 for additional help.
To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry Data Security Standards (PCI DSS).
These standards require all merchants accepting credit and debit cards to provide annual proof that they are compliant with industry regulations.
Participation in a certified PCI DSS compliance program is required of every merchant, for every MID, regardless of your bank or processor. Non-compliance can result in costly fees and a heightened threat of a security breach.
Fortunately, we make it easy for you to comply with all PCI mandates, so you can meet industry regulations, protect your cardholder data and protect your financial resources, all with one simple program.
- continued -
PCI COMPLIANCE IS NO LONGER OPTIONAL
YOUR PARTICIPATION IS MANDATORY
Page 1
Complete These Simple Steps to Certify Compliance:
1. Access the following URL, on or after April 1, 2015, through your web browser: https://www.mybackofficetools.com/
Please note: The mybackofficetools.com link will take you to VIMAS, an interactive tool that will help you navigate to the Self-Assessment Questionnaire. If you are a first-time VIMAS user, your temporary username is your full Merchant ID Number (MID) and your temporary password is Cynxxxx, where the x’s are the last four digits of your Social Security Number; for instance, if the last four digits of your SSN are “1234,” the password would be Cyn1234. Once logged in, you will be prompted to create a password of your choice.
2. After logging in, a link to the “Merchant PCI Compliance Program” can be found in the “Extras/Priorities” box in the upper right-hand corner of your screen.
3. Click the “Merchant PCI Compliance Program” hyperlink.
4. You will be taken to a main menu. Click the “View Registration Information” hyperlink. It is very important to ensure your email address is correct so that you can receive all PCI status and confirmation emails. If your information is not correct, please click the “Merchant Profile” menu at the top. Then click “Merchant Address”. Then, in the email box, type in your correct email address. Click Save.
5. Click the “Begin/Resume PCI Questionnaire” hyperlink.
6. You will be prompted to answer six simple “yes or no” questions about your processing environment.
7. When you have answered all six questions, a “Review Questionnaire” screen will load where you can either edit your answers or begin the Self-Assessment Questionnaire (SAQ) by clicking the “Begin Test” button.
8. If you choose to complete the SAQ at another time, or must stop for any reason and access the system later, you can access the SAQ by clicking the “Begin/Resume PCI Questionnaire” button on the PCI main menu.
9. Complete the SAQ. When you have finished, you will be asked to attest to the information you have entered, and you will be able to print your validation of compliance.
10. VERY IMPORTANT: Please print the validation you receive for your records and keep it in a safe place. This will serve as proof that you have successfully completed the SAQ.
NOTE: Completion of the SAQ is required prior to May 29, 2015, to avoid being assessed a monthly non-compliance fee until certification is proven. If you are already certified for 2015 from an approved ASV/QSA, you must submit your certification of compliance prior to April 29, 2015, to avoid being billed the annual PCI compliance fee.
You may submit your proof in one of the following ways:
>> By fax to 718.559.4822 (keep a copy of your successful fax transmission receipt)
>> By mail (return receipt requested) to: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246
Certification must be completed every year for every one of your MIDs. For more information, please call the number listed in your letter.
Please print your validation for your records and keep it in a safe place. This validation serves as proof that you have successfully completed the required SAQ.
Page 2
STEPS TO COMPLETE SELF-ASSESSMENT QUESTIONNAIRE
STEP 1: Log Into VIMAS
First Time VIMAS Users:
• Access this link: https://www.mybackofficetools.com
• Log in using your full Merchant ID Number (MID) as the Username
• Your temporary password is Cyn followed by the last four digits of your Social Security Number; e.g., Cyn1234
Returning Users:
• Log into VIMAS using your normal procedures
• If you need to reset your password the system will automatically prompt you. Simply key your new password in both fields and click “Renew”. Note: The “Reset” button is to clear fields if you make an error when keying your new password.
Page 3
STEP 2: Launch the PCI Questionnaire
Click the Merchant PCI Compliance Program hyperlink (the third hyperlink under the “Extras/Priorities” box) to access the main menu of the Self-Assessment Questionnaire (SAQ).
STEP 3: View Your Registration Information
Click the View Registration Information hyperlink.
Page 4
STEP 4: Review Your Contact Information
Review the information on this screen to confirm that your contact information, including your email address, is accurate.
If your information is not correct, please click the “Merchant Profile” menu at the top. Then click “Merchant Address”. Then, in the email box, type in your correct email address. Then click Save.
Once you have reviewed your information, click Return to Main Menu.
Page 5
STEP 5: Begin/Resume PCI Questionnaire
Click the Begin/Resume PCI Questionnaire hyperlink.
Six Preliminary Questions Will Appear
You will be prompted to answer a series of six “yes” or “no” questions about your processing environment. Clicking “Yes” or “No” automatically navigates you to the next screen. Please note that you must answer all questions before you can begin the Self-Assessment Questionnaire (SAQ).
Page 6
STEP 6: Confirm Preliminary Information Questions
If you need to edit an answer, simply check the applicable box and click the Edit Answers button. If all answers are correct, click the Begin Test button.
Then the Self-Assessment Questionnaire will load. You must answer all questions in order to complete the questionnaire and certify your validation of compliance. If you need to stop for any reason, your previous answers will be saved. You can then log back into VIMAS at a later time and click the Begin/Resume PCI Questionnaire link to finish.
Page 7
STEP 7: Complete Attestation
A screen will load with a “Confirm Attestations” link.
You must check each checkbox to attest that you have completed the Self-Assessment Questionnaire (SAQ). Then fill in the required fields (Executive Name, Executive Title and E-mail), and click the Confirm Attestations button.
Please print and keep a copy of this page for your records.
Page 8
For SAQ C: This Screen Appears
Important: If you are chosen to complete SAQ C, you’ve indicated that you have a website or payment application that is attached to the Internet. Under PCI regulations, a scan of your website or application on a quarterly basis is required.
Please expect an email from donotreply@mybackofficetools.com. This email will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an email from Comodo ([email protected]) within 48 business hours with additional instructions.
If you do not receive either of the two emails above, please contact the customer support number listed in your merchant PCI letter.
Page 9
For SAQ D: This Screen Appears
Important: If you are chosen to complete SAQ D, please ensure you read the instructions carefully.
NOTE: Only hosting or service providers (such as shopping cart providers) should complete this SAQ and a required network scan.
Page 10
FOR SAQ D Important: Required Scan Information
Important: Although you completed the SAQ, you will be required to perform a scan.
Please expect an email from donotreply@mybackofficetools.com. This email will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an email from Comodo ([email protected]) within 48 business hours with additional instructions.
If you do not receive either of the two emails above, please contact the customer support number listed in your merchant PCI letter.
Page 11
THE TWELVE BASIC STEPS TO ACHIEVING PCI COMPLIANCE
For more information, visit the PCI Security Standards Council website at https://www.pcisecuritystandards.org.
Payment Card Industry Data Security Standard (PCI DSS) Requirements
PCI DSS requirements are global data security standards that any business of any size must adhere to in order to accept payment cards, and to store, process and/or transmit cardholder data.
Goals and PCI DSS Requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Page 12
MERCHANT PCI COMPLIANCE PROGRAM
Frequently Asked Questions
Q: What is the ‘PCI DSS’?
A: PCI DSS stands for “Payment Card Industry Data Security Standards” and represents a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements are non-compliant, in violation of the card brand rules, and can be easily breached in a number of ways. The consequences for non-compliance are severe; the payment brands may, at their discretion, impose fines and penalties at a minimum of $5,000 for a single data breach. Plus, merchants risk having their card-processing privileges revoked, leaving them unable to accept customer payment cards. All of this collectively results in a loss of revenue. For more information about PCI DSS, please visit https://www.pcisecuritystandards.org/
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size, that accept, transmit, or store any payment card information.
Q: What do I have to do in order to satisfy the PCI requirements?
A: To satisfy the requirements of PCI, all merchants must complete these steps. NOTE: Please see the definitions of Merchant Levels in the question below this one.
• Level 1 merchants must complete an annual Onsite assessment by a PCI SSC approved Qualified Security Assessor (QSA), plus an Attestation of Compliance from a Report on Compliance (ROC), plus a Quarterly Network Scan.
• Level 2, 3, and 4 merchants must complete an annual self-assessment questionnaire (“SAQ”), a quarterly network scan by an Approved Scanning Vendor (“ASV”) (note that this only applies to merchants with externally facing IP addresses; e.g., e-Commerce merchants or merchants who utilize a payment gateway/shopping cart), and an Attestation of Compliance.
• Complete the appropriate version (currently A, B, C, C-VT or D) of the SAQ in accordance with the PCI Security Council’s guidelines.
• All merchants who are already certified for 2015, or whose certificate of compliance is not due to expire, MUST submit proof of compliance by April 29, 2015, via one of the following methods:
• By mail: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246
• By Fax: Attention: Customer Service, at 718.559.4822
• All merchants must be PCI DSS compliant and use PA-DSS (Payment Application Data Security Standards) compliant applications.
Page 13
Q: How are the different Merchant Levels defined?
A: The following table defines the levels:
Level 1:
• Any Merchant that processes over 6 million Visa or MasterCard transactions per year (regardless of whether the transactions are e-Commerce or not), OR
• Any Merchant that is declared to be Level 1 by any Card Association
• Any Merchant that has suffered a security incident or attack that resulted in an account data compromise
Level 2: Any Merchant processing 1 million to 6 million Visa or MasterCard transactions per year.
Level 3: Any Merchant processing 20,000 to 1 million Visa or MasterCard e-Commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-Commerce transactions per year, and all other merchants processing fewer than 1 million transactions per year.
Q: What is the Self-Assessment Questionnaire (SAQ)? A: The PCI DSS SAQ is a validation tool for merchants to assist in self-evaluating compliance with the PCI DSS. All merchants are required to complete the annual SAQ, attest to the information they’ve entered and print and save their Attestation of Compliance. This means that you are meeting the PCI DSS requirements.
Q: What is a Qualified Security Assessor (QSA)? A: Qualified Security Assessors are organizations that have been qualified to have their employees assess compliance to the PA-DSS standard. They have been certified to validate an entity’s adherence to the PA-DSS standard.
Q: What is an Approved Scanning Vendor? A: Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.
Q: Why do I need a scan? A: The Card Associations require all merchants with externally-facing IP addresses (e-Commerce merchants or merchants who utilize a payment gateway/shopping cart) to undergo a quarterly network scan by an Approved Scanning Vendor (“ASV”), and complete an attestation of compliance. The scan checks your website and IP addresses to ensure there are no vulnerabilities subject to outside attacks.
Page 14
Q: How do I validate my compliance?
A: After you complete your SAQ, you will be asked to attest to the information you entered and print your validation of compliance. That is all you need to do, because our system will notify us that you have completed the SAQ.
If you have already been certified for 2015, you must submit your certification of compliance from an approved ASV/QSA by no later than April 29, 2015, to avoid the annual PCI billing fee for our program. If you are not certified for 2015, you must complete your SAQ prior to May 29, 2015, in order to avoid a monthly PCI non-compliance fee until you complete the SAQ.
You may submit your certification in one of the following ways:
Via fax: 718.559.4822 (keep a copy of your successful fax transmission receipt), or
Via mail: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246
Q: What am I getting for the PCI program annual fee?
A: The annual fee covers the cost for us to manage the program as required by the Card Associations.
Through our program, you’ll be given access to our online SAQ, and we’ll submit proof of your compliance directly to the Card Associations. We also provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them.
Page 15