C&H Financial Services. PCI and Tin Compliance Basics

Transcription

1 C&H Financial Services PCI and Tin Compliance Basics

2 What Is PCI? (Payment Card Industry) Developed by the PCI Security Standards Council and major payment brands For enhancing payment account data security risk management, policies/procedures, network architecture, PA DSS compliance, vulnerability scans Helps secure cardholder data that is stored, processed or transmitted The PCI DSS specifies 12 requirements that address technology and business processes There are four levels of merchants this program is for Levels 3 & 4 Each merchant must complete and comply with the appropriate SAQ (A-D) Our product will take a merchant through this process automatically The SAQ is for merchants not requiring an on-site assessment After SAQ completion, the merchant will either pass or require remediation activities Proof of PCI compliance is given to them via documentation

3 PCI Goals The PCI Goals are designed for good business: 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy and incident response plan (required for compliance)

4 6 Goals = 12 Requirements Build and Maintain a Secure Network 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5: Use and regularly update anti-virus software 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures 7: Restrict access to cardholder data by business need-to-know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes Maintain an Information Security Policy 12: Maintain a policy that addresses information security

5 Why Become PCI Compliant? Millions of dollars in loss due to retail identity and credit card theft Protecting consumer data is the law Every minute organized crime rings auction stolen credit card data Deadlines for avoiding compliance have passed Merchants can lose their right to accept credit cards Consumers expect a safe CC transactions PCI builds a healthy and secure business New merchants can t be boarded that aren t PCI compliant PCI compliance must be married with effective PA DSS compliance from service providers 5

6 Risks If Not PCI Compliant Penalties, fines, losses Providers assessing non-compliance fees Significant chargeback risks and costs Damage to business reputation resulting in loss of business revenue Negative media coverage especially for larger chains and multilocation operations Impact to consumer confidence results in loss of business and revenue Potential data breaches Data breaches that do occur typically lead to business closure 6

7 What PCI Is Not PCI DSS Compliance does not equal PA-DSS Compliance PA DSS is an equipment/application standard There is no POS bundle that will prevent a merchant from assessing PCI compliance Having a PCI compliant Payment Application is required, but it does not remove the liability of being PCI compliant from the merchant PCI compliance is not an option Merchants can t simply go to another agent or ISO to escape PCI compliance They must accept that being PCI compliant is a part of the cost of doing business PCI compliance will not eliminate Data Breaches It will help merchants create a more secure operating environment for credit card transactions It will help show intent to operate securely when investigated after a breach

8 What s In Scope PCI Impact With Various Terminal solutions

9 What is considered a terminal? Virtual Terminal : browser-based Network-Based: TCP/IP terminal Cellular Terminal: 3G - GPRS Wireless Terminal: or WiFi Land Line Phone Dial Up Includes cellular with dial-up access

10 Typical Terminal Compliance Issues Is the merchant s terminal PA DSS compliant? Is data stored on the terminal after authorization? If data is stored on terminal, is it encrypted? Does the terminal transmit data securely with SSL or a VPN? If terminal is wireless, does it support secure wireless through WPA or WPA2? Hardware certification programs (PTS, PIN/PED) do not make merchants PCI compliant AND does not eliminate their need to be PCI DSS compliant.

11 What does IN SCOPE mean? Typically a device or network is IN SCOPE if it is connected to the cardholder data environment. IN SCOPE components may include: Computer(s) Server Network Switch Wireless Router Firewall

12 Land Line Phone Dial Up Terminal What s In Scope Scenario 1 Merchant network is OUT OF SCOPE for PCI POS terminal is IN SCOPE INTERNET

13 What s In Scope Scenario 2 Network Enabled Terminal Anything connected to switch = all of merchant s network is IN SCOPE Significant SAQ impact if data is stored on network PA/POS terminal is IN SCOPE INTERNET Network Traffic

14 Cell Phone Based Terminal Merchant network is OUT OF SCOPE for PCI POS terminal is IN SCOPE Cell Network is equivalent of dial-up What s In Scope INTERNET Scenario 3 Encrypted Call Over Cell Network

15 Wireless Terminal WiFi Anything connected to switch = all of merchant s network is IN SCOPE Significant SAQ impact if data is stored on network INTERNET POS terminal is IN SCOPE What s In Scope Scenario 4 Wifi

16 Bottom Line Merchant will feel lost Give care and consideration when choosing terminal for merchant Provide strong communication to help configure terminal(s) or plan terminal upgrade implementation plan as part of PCI compliance program Give merchant PA DSS terminal information early to help them complete their PCI SAQ Panoptic can provide PrePopulatedPCI templates that will provide accurate PA/POS answers on SAQ if data provided prior to merchant account activation

17 Industries Most Compromised Food Service Petroleum & Convenience Retail Entertainment Travel Of the data breaches reported, more than 90% are Level 4 Merchants

18 PCI Is A Condition of Business PCI compliance is not a single event It is something that is affected easily New location New PA/POS package New employees New sales channels Every event that may impact how a merchant collects and stores credit card data requires they update their PCI compliance Merchant will have to be PCI compliant to be allowed to continue accepting credit cards, avoid fees/fines and minimize investigative objections in the event of a data breach

19 Tin Compliance For many years, merchants were Under-Reporting Cash Transactions on State and Federal Tax Return Some merchants used fake Social Security and EIN numbers. The IRS made all the credit card processors verify all merchant account SS and EIN numbers. Processor gets fined for any mismatched SS or EIN numbers Tin mismatch fee is 100% avoidable by any merchant who is doing business on the up-and-up. Where a mismatch exists, merchants are given the opportunity correct the error and the fee is waived.

20 How will TIN Compliancy impact merchants? Merchant acquirers are required to store Reportable payment card transactions Correct legal name and address Taxable Identification Number (TIN) C&H Financial required to produce and file Federal IRS 1099-K form for each merchant C&H Financial must supply a copy to each participating merchant by January 31 for previous years activity and will file forms with the IRS. If a discrepency is found with TIN s, C&H is required to hold 28% of merchants reportable card transactions until the issue is resolved. To avoid withholding of funds, C&H will notify the merchant if we are unable to verify the TIN and/or legal name with IRS records.

21 As a merchant what can you do? Verify the TIN placed on the original merchant application is correct Review your tax records Contact your accountant/tax advisor Consult your company s Legal or Tax Department For more information, please visit