CCV s self-service payment solutions drive PCI-DSS-compliant security


White Paper, July 2016

1. Introduction

This white paper discusses the basic differences between the current PCI-DSS and the P2PE rules in relation to the effort a trader needs to make to become compliant with one or the other. Reducing the scope of PCI by deploying a P2PE solution does not necessarily reduce the effort required from traders; it may simply shift that effort to a different place.

There is no doubt that data breaches are a rapidly increasing threat for businesses of all sizes, in every geographic region and in every market segment, particularly where consumer payments and account data are involved. Businesses have to keep up by introducing and upgrading the specific measures they take against such threats; if they do not, the impact on their business can be severe. Imagine the negative publicity a data breach in a trader's payment infrastructure would attract if consumer payment card data were hacked, published or abused. Many consumers might never return to that trader again, clearly resulting in a loss of business and strengthening the position of that trader's competitors. Of course, businesses face challenges in balancing the effort they invest in data security to protect their core business activities against the extent to which they maintain continuous compliance, in order to keep the costs of security under control. Although PCI-DSS is continuously changing to keep up with an ever-changing security environment, traders should consider consistent, full and complete PCI-DSS compliance as the basis for their payment data security measures.

As a leading provider of self-service payment solutions within the various European unattended market segments, CCV's mission is to make payment happen. For CCV this means that its solutions evolve with the changing security landscape, rapidly changing consumer behaviour and upcoming payment technologies such as mobile payments, wearables and the like. It is CCV's natural philosophy that system integrators, traders and, last but not least, consumers can expect a future-proof solution that continues, even after it has been put in place, to keep up with the rapidly changing requirements of today's extremely dynamic world. CCV therefore constantly ensures that it provides solutions that prevent any clear-text consumer data from being sent outside the PCI-DSS-relevant area at all, so that no unauthorized party can obtain access to such consumer data.

2. Does reducing the scope of PCI using P2PE really represent a reduction, or is it only a shift?

P2PE is often claimed to significantly reduce the effort traders must make to comply with PCI. The challenge with P2PE is the same as with PCI: entities subject to PCI DSS compliance worry too much about reducing or limiting its scope and not enough about the security of their business, using PCI DSS as a benchmark. P2PE encryption does reduce the effort of the one-time PCI compliance application process, because fewer line items of the PCI-DSS Self-Assessment Questionnaire (SAQ) apply. At the same time, it increases the effort required from the trader, the system integrator and the service personnel. Even P2PE does not completely eliminate the scope of PCI compliance for a trader such as a car park operator: PCI-DSS remains applicable as long as non-P2PE and P2PE-compliant payment systems are active in the same trader environment.

To obtain clarity about the role a trader will play and the effort a trader has to make to achieve PCI-DSS and/or PCI P2PE compliance, it is necessary to obtain a copy of the P2PE Instruction Manual (PIM). Depending on your role, you will discover that a reduced scope may even require additional effort to satisfy the requirements set out in the PIM. PCI scope reduction appears promising at first glance, but at what cost to your business? As part of the preparation and roll-out, traders are asked to implement and maintain a number of additional requirements:

- The trader and service infrastructure must maintain inventory control and monitoring procedures to identify and locate all devices, including those deployed, awaiting deployment or in transit. As part of the inventory process, multiple device characteristics must be tracked, including model and serial numbers, location and firmware version.
- Traders and their service organizations must physically secure all devices in storage.
- Devices must be secured in transit, for example between store locations.
- Procedures must be in place to detect unauthorized or substitute devices; it must be possible to detect any unauthorized or replacement device prior to installation.
- Traders must log all these activities and produce an audit trail for the removal of POI devices for maintenance or repair, and must make provision for physically inspecting the devices on a regular basis.
- The trader never receives, stores, processes or transmits clear-text account data outside a PCI-certified POI device.
- Third-party agreements and the relevant trader policies and procedures apply to the POI terminals, which must have physical access controls.
- The trader must have implemented, and must continuously comply with, the rules set out in the P2PE Instruction Manual (PIM).
- The trader must keep P2PE-compliant equipment completely separate at all times from any legacy non-P2PE-compliant infrastructure, which requires specific attention in large trader infrastructures with mixed populations of payment solutions and equipment generations.
- The trader must have ensured, and must be able to prove, that no legacy account or cardholder data is kept, stored, processed or transmitted from the P2PE installation.

As CCV, we fully support the implementation of adequate data security and data protection measures as required by PCI-DSS. Nevertheless, we strongly believe that an all-or-nothing implementation of the P2PE requirements is not always the ideal approach for traders. In fact, it is each trader's existing infrastructure, future plans for the business, type of business and the system integrator's capabilities that determine the final security measures required to achieve full PCI compliance.
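One way a trader could reconcile a physical site inspection against the device register the PIM requirements above call for, as an added example that is not CCV's or the PCI Council's tooling; the device model, serial numbers, locations and firmware versions are constructed sample data:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoiDevice:
    serial: str
    model: str
    location: str    # site/lane, "storage" or "in transit"
    firmware: str


# Constructed sample register: what the trader believes is deployed and where.
REGISTER = {
    "SN1001": PoiDevice("SN1001", "UPT-A", "carpark-north/lane-1", "3.2.1"),
    "SN1002": PoiDevice("SN1002", "UPT-A", "carpark-north/lane-2", "3.2.1"),
    "SN1003": PoiDevice("SN1003", "UPT-A", "storage", "3.2.1"),
}


def reconcile(register: dict, inspected: dict) -> list:
    """Compare an inspection report (serial -> observed PoiDevice) with the
    register. Returns (serial, finding) pairs that need follow-up before the
    device is trusted: unknown devices, substitutions (model/firmware/location
    mismatch) and registered devices that were not found at all."""
    findings = []
    for serial, seen in inspected.items():
        expected = register.get(serial)
        if expected is None:
            # A device nobody registered is a candidate substitute device.
            findings.append((serial, "unknown device: not in register"))
            continue
        if seen.model != expected.model:
            findings.append((serial, f"model {seen.model} != {expected.model}"))
        if seen.firmware != expected.firmware:
            findings.append((serial, f"firmware {seen.firmware} != {expected.firmware}"))
        if seen.location != expected.location:
            findings.append((serial, f"found at {seen.location}, registered at {expected.location}"))
    for serial in register:
        if serial not in inspected:
            # Every registered device, including stock in storage, must be located.
            findings.append((serial, "missing: registered but not inspected"))
    return findings


def devices_needing_action(register: dict, inspected: dict) -> set:
    """Serial numbers that must be quarantined or investigated before use."""
    return {serial for serial, _ in reconcile(register, inspected)}
```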

[Figure: overview of the payment chain: Terminal Vendor, Terminal Deployment Facility, Processing Host, Acquirer, Card Association, Merchant Location]

3. CCV's solution to keep data secure

CCV understands the complexity involved for you in becoming and remaining fully PCI-DSS compliant. CCV has therefore implemented a number of security tools in its terminal and processing solutions that help traders to become and remain compliant. The definition of a P2PE solution aims to eliminate any clear-text account data from the trader's environment and, mainly, to align the surrounding processes and procedures. For years now, the CCV solution has ensured, as a standard procedure, that no account data or cardholder data is sent in clear-text form from the POI to the trader environment at any time. Using appropriate and certified measures, CCV ensures that all data are automatically fully encrypted and never leave the PCI-relevant areas without such encryption. Such critical data are always kept secure in a way that is specifically PCI-compliant.

Nevertheless, there are situations where some kinds of data need to be returned to the trader's ECR, Parking Management System (PMS) or the like. To meet the needs of businesses and customers while also maximizing data protection and security, CCV has put technology in place that combines both perspectives for the benefit of cardholders and traders. Cardholder-specific PAN data that needs to be sent to the ECR, e.g. for receipt printing, is truncated and shows only the permitted absolute minimum of information: enough to give the consumer confidence about the payment transaction, but making it impossible for the trader or any third party to recover the cardholder's data by any means. In parking situations such as drive-in / drive-out, any cardholder-related data that needs to be referenced is transmitted to the PMS in tokenized form only, where the secure token is created by a PCI-compliant algorithm to guarantee full consumer privacy and cardholder data protection while enabling the trader to offer new services and convenience to their customers.

Within the POI, all sensitive cardholder data is managed in a secure, PCI-certified environment, protected by state-of-the-art technologies that shield that data, and other sensitive information such as security keys, from attack, sniffing or manipulation. The CCV solution uses a hardware-to-hardware encryption and decryption process along with a POI device that has SRED (Secure Reading and Exchange of Data) listed as a function; this is also part of the PCI Point-to-Point Encryption requirements. The CCV solution therefore offers advanced security components that drive PCI-DSS compliance.

It is common practice for CCV to ensure that, on top of state-of-the-art data encryption, keys are only valid for a single transaction. This fully secures the communication of payment-related data between the POI and the processing host. In other words, the communication between two PCI-relevant elements, e.g. the POI and the processing host, is also fully protected, to make sure this data is of no use to any unauthorized third party. This means that CCV uses exactly the same security measures as recommended by P2PE.

Of course, at some point in the overall process the secure keys need to be injected into the POI. Key injection into POI terminals is an important yet critical step in the overall hardware distribution chain and transportation flow. By implementing transport security measures such as:

- transport key mechanisms
- electronic and mechanical device protection during transport
- tracing of events which might indicate illegal attempts

CCV ensures that all its terminals and components are fully protected, even when underway from CCV's highly secure environment to its customers' highly secure environments.
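The two data flows section 3 describes, PAN truncation for the ECR receipt and a one-way token for the parking management system, as an added illustration that is not CCV's code. It assumes a POI-held HMAC-SHA256 key (constructed here) in place of the page's unspecified PCI-compliant token algorithm, and includes the check a defender would want: nothing that leaves the POI contains the full PAN.

```python
import hashlib
import hmac
import re
import secrets

# Constructed for this example: the secret from which parking tokens are derived.
# Assumed to live inside the PCI-certified POI and never leave it.
POI_TOKEN_KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to reject malformed input before truncation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_for_receipt(pan: str) -> str:
    """Receipt form of a PAN: every digit masked except the last four."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("malformed PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


def parking_token(pan: str, expiry: str) -> str:
    """Keyed one-way token handed to the PMS at drive-in. The POI can recompute
    it at drive-out, but without POI_TOKEN_KEY the PAN cannot be recovered."""
    msg = f"{pan}|{expiry}".encode()
    return hmac.new(POI_TOKEN_KEY, msg, hashlib.sha256).hexdigest()


def pms_record(pan: str, expiry: str, amount_cents: int) -> dict:
    """The only payment-related fields that leave the POI towards ECR/PMS."""
    return {
        "token": parking_token(pan, expiry),
        "receipt_pan": truncate_for_receipt(pan),
        "amount_cents": amount_cents,
    }


def leaks_pan(record: dict, pan: str) -> bool:
    """Defensive check: does any outbound field contain the full PAN?"""
    return any(pan in str(value) for value in record.values())


def exit_matches_entry(entry_record: dict, pan: str, expiry: str) -> bool:
    """Drive-out: the card presented again yields the same token as at entry."""
    return hmac.compare_digest(entry_record["token"], parking_token(pan, expiry))
```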

4. CCV's Solution: Provides full security while minimizing the burden of PCI

CCV's approach to data security and data encryption has been designed strategically to keep consumer-related information entirely within PCI-regulated areas, never to send this data to the trader in clear form, and not to store consumer data at all. In other words, the CCV solution does not merely protect clear-text consumer data; it takes this to the next level and keeps PCI-DSS-relevant clear-text cardholder data away from traders' POS environments altogether. On top of that, CCV is continuously working on the latest data security and encryption technologies to help minimize the burden of PCI for traders.

Stefan Trautner
Product Marketing Manager, CCV Easy, CCV's self-service payment solutions
s.trautner@de.ccv.eu
www.ccv.eu

CCV Easy is a trademark of CCV Group B.V.