SAMPLE DATA FLOW DIAGRAMS FOR MERCHANT ENVIRONMENTS

To protect your environment against payment data theft, you first have to understand how you accept payments. What kind of equipment do you use, who are your Processors and other technology service providers, and how do these things all fit together?

Per CU Policy, all CU Merchants must maintain a Data Flow Diagram illustrating the flow of Cardholder Data (CHD) through the CU Merchant's Cardholder Data Environment (CDE). The diagram must begin where CHD is captured and include all components within the CU Merchant CDE, such as people, POS devices, payment gateways, databases, web servers, and any other necessary payment components.

These sample diagrams will help you get started on building a diagram showing the flow of CHD and all components used throughout your own Merchant environment, as required by CU Policy.

*These illustrations are examples only and are not all inclusive. You must investigate and identify all pieces of your environment to ensure proper security is in place.

On the following page, select the type of Environment that best describes your Merchant Environment; you will be taken to the Sample Diagram of your choice. Fill in the diagram details with data specific to your Merchant Environment where indicated in red.

BEFORE YOU BEGIN TO CREATE A NEW DIAGRAM, ONE MIGHT ALREADY EXIST FOR YOUR ENVIRONMENT. BE SURE TO ASK AROUND, ESPECIALLY YOUR IT DEPARTMENT, TO SEE IF ONE ALREADY EXISTS.
MERCHANT ENVIRONMENTS

Select the payment channel description below that best describes your specific Merchant Environment.

PAYMENT CHANNEL DESCRIPTIONS:

- IN PERSON (CARD PRESENT): Stand-alone payment terminal connected to a dedicated phone line. Payments are sent to the Processor via dial-up phone line.
- IN PERSON (CARD PRESENT): Handheld payment terminal with cellular connection. Payments are sent to the Processor via cellular network only.
- IN PERSON (CARD PRESENT): P2PE Solution, connected to the Internet. Payments are sent to the Processor via the Internet.
- OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a stand-alone payment terminal connected to a dedicated phone line. Payments are sent to the Processor via dial-up phone line.
- OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a P2PE Solution, connected to the Internet. Payments are sent to the Processor via the Internet.
- OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a virtual payment terminal accessed via Internet browser to send payments to the Processor via the Internet.
- ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their credit card data on the Merchant's own managed payment page. Payments are sent to the Processor via the Internet by the Merchant.
- ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their name and contact info, but are redirected to a PCI compliant 3rd party payment page to enter credit card data. Payments are sent to the Processor via the Internet by the 3rd party.
- ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has fully outsourced their website and payment page to a PCI compliant 3rd party. Payments are sent to the Processor via the Internet by the third-party service provider.
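The scoping rule stated above (start where CHD is captured, follow it through every component until it reaches the Processor) can be checked mechanically once the diagram is written down as a list of flows. The following is an added example, not part of the CU template; the component names and the "Customer Database" inventory entry are constructed sample values, and it contrasts the merchant-hosted payment page channel with the third-party redirect channel from the list above.

```python
"""Model a merchant Cardholder Data Environment (CDE) as a directed graph of
CHD flows and derive which components must appear on the Data Flow Diagram."""
from collections import deque

# Constructed sample flows for two of the online channels described above.
# Each edge (src, dst) means cardholder data (CHD) moves from src to dst.
MERCHANT_HOSTED_PAGE = [
    ("Cardholder", "Merchant Payment Page"),
    ("Merchant Payment Page", "Router/Firewall"),
    ("Router/Firewall", "Internet"),
    ("Internet", "Payment Gateway"),
    ("Payment Gateway", "Processor"),
]

THIRD_PARTY_REDIRECT = [
    ("Cardholder", "Third-Party Payment Page"),
    ("Third-Party Payment Page", "Payment Gateway"),
    ("Payment Gateway", "Processor"),
]


def chd_scope(flows, capture="Cardholder", terminus="Processor"):
    """Return (components, complete): every component CHD reaches from the
    capture point, and whether every drawn path actually ends at the Processor."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    seen, queue = {capture}, deque([capture])
    while queue:                      # breadth-first walk along CHD flows
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    # A dead end other than the Processor means the diagram stops short:
    # CHD is drawn entering a component and then simply vanishes.
    dead_ends = {n for n in seen if not adj.get(n) and n != terminus}
    return seen - {capture}, not dead_ends


def missing_from_diagram(flows, inventory):
    """Components the merchant knows handle CHD but that are not drawn on the diagram."""
    scope, _ = chd_scope(flows)
    return {name for name, handles_chd in inventory.items() if handles_chd and name not in scope}


if __name__ == "__main__":
    for label, flows in (("merchant-hosted page", MERCHANT_HOSTED_PAGE),
                         ("third-party redirect", THIRD_PARTY_REDIRECT)):
        scope, complete = chd_scope(flows)
        print(f"{label}: in scope = {sorted(scope)}, complete = {complete}")
    # Constructed inventory: a database that stores card numbers but was never drawn.
    print("undrawn:", missing_from_diagram(MERCHANT_HOSTED_PAGE, {"Customer Database": True, "Shopping Cart": False}))
```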
IN PERSON (CARD PRESENT): Stand-alone payment terminal connected to a dedicated phone line. Payments are sent to the Processor via dial-up phone line.

Diagram components: TERMINAL -> PHONE LINE -> PROCESSOR
The payment terminal is connected to the Processor by a dedicated dial-up telephone line.

Choose your Processor here: ______
terminals: ______

If you have multiple terminals within your Merchant Environment, enter the details for each below:
TID: ______
TID: ______
TID: ______
TID: ______
IN PERSON (CARD PRESENT): Handheld payment terminal with cellular connection. Payments are sent to the Processor via cellular network only.

Diagram components: HANDHELD PAYMENT TERMINAL -> CELLULAR NETWORK -> PROCESSOR
The payment terminal encrypts card data (for example, using PCI's Secure Reading and Exchange of Data, SRED) and connects to the cellular network.

Choose your Processor here: ______
terminals: ______

ALWAYS BE SURE TO:
IN PERSON (CARD PRESENT): P2PE Solution, connected to the Internet. Payments are sent to the Processor via the Internet.

Diagram components: TERMINAL
terminals: ______

Obtain the diagram provided by your P2PE provider.
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a stand-alone payment terminal connected to a dedicated phone line. Payments are sent to the Processor via dial-up phone line.

Diagram components: MERCHANT AUTHORIZED USER -> TERMINAL -> PHONE LINE -> PROCESSOR
The payment terminal is connected to the Processor by a dedicated dial-up telephone line.

workstations: ______
Names of all users with access to the Terminal: ______

ALWAYS BE SURE TO:
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a P2PE Solution, connected to the Internet. Payments are sent to the Processor via the Internet.

Diagram components: TERMINAL
workstations: ______

Obtain the diagram provided by your P2PE provider.

ALWAYS BE SURE TO:
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a Virtual Payment Gateway Terminal accessed via Internet browser to send payments to the Processor via the Internet.

Gateway: ______
workstations: ______
Names of all users with access to the Payment Gateway: ______

Diagram components: MERCHANT PC -> Citrix Server -> FIREWALL -> INTERNET -> VIRTUAL PAYMENT GATEWAY TERMINAL (FROM PCI DSS COMPLIANT PAYMENT GATEWAY)

ALWAYS BE SURE TO:
- Use strong passwords
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their credit card data on the Merchant's own managed payment page. Payments are sent to the Processor via the Internet by the Merchant.

Select a Payment Gateway: ______
Homepage URL: ______
Payment Page URL: ______

Diagram components: MERCHANT E-COMMERCE HOME PAGE -> MERCHANT SHOPPING CART or REGISTRATION PAGES -> MERCHANT PAYMENT PAGE -> ROUTER/FIREWALL -> INTERNET
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their name and contact info, then are redirected to a PCI compliant 3rd party payment page to enter credit card data. Payments are sent to the Processor via the Internet by the 3rd party.

Select a Payment Gateway: ______
Enter name of Third Party Service Provider: ______
Homepage URL: ______
Payment Page URL: ______

Diagram components: MERCHANT E-COMMERCE HOME PAGE -> MERCHANT SHOPPING CART or REGISTRATION PAGES -> THIRD-PARTY PAYMENT PAGE (THIRD-PARTY WEB SITE) -> ROUTER/FIREWALL -> INTERNET
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has fully outsourced their website and payment page to a PCI compliant 3rd party. Payments are sent to the Processor via the Internet by the third-party service provider.

Select a Payment Gateway: ______
Enter name of Third Party Service Provider: ______
Homepage URL: ______
Payment Page URL: ______

Obtain the diagram provided by your Third-Party Service Provider.