Protecting your customers' private information through PCI compliance

PCI Compliance Defined
Created by the Payment Card Industry Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all organizations that store, process, or transmit cardholder data do so in a secure environment.
Purpose of PCI
• Assess
  • Take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.
• Remediate
  • Fix the vulnerabilities found.
• Report
  • Compile the records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and the global payment brands you do business with.
Understanding PCI DSS Standards
PCI security for businesses and payment card processors is the result of applying the information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements grouped into 6 control objectives.
Understanding PCI DSS Standards
• Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
• Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
What's at Risk?
• Fines
  • Payment card issuer replacement costs
  • Acquiring bank fines
  • Payment card industry fines
• Insurance
  • Premium increases / loss of future coverage
• Card acceptance
  • Rate increase or shutdown by your merchant bank
• Litigation costs
• Potentially significant reputational damage
• Forensic audit
  • Required after a breach occurs
Costs of Implementing PCI DSS
• Depending on the "Type and Level" you fall under, you may have to address anywhere from around 15 to 200+ PCI controls
• Hardware
• Software
• Internal resources
• External resources
• Verizon Payment Card Industry Compliance Report
  • Shows 78% of organizations were not compliant at their initial assessment
Determine your risk level
• Compliance requirements depend on your "Level" and "Type"
• Level is based on the number of transactions performed in a 12-month period
• Type is defined by how your organization accepts credit cards
• Self-Assessment Questionnaire (SAQ): https://www.pcisecuritystandards.org/security_standards/documents.php?category=saq_standard
What Can You Do to Protect Your Organization?
Appropriately manage your risk:
• Implement the PCI DSS standards
• Eliminate sensitive data
• Outsource credit card data storage to an entity that has the infrastructure and expertise to protect your customers' data
Teachers Life's problem statement
• Insurance application and approval in real time
• Ongoing auto-debit of monthly premiums
• Semi-annual invoice and payment facilitation
• Member tools to configure funding sources
• Advanced tools for Teachers Life to view member sign-ups, send reminders and monitor payments
• Must be PCI compliant!
How ARC solves Teachers Life's problems
• Payment processing
  • PCI-compliant hosted checkout to collect payment of the initial premium
  • Auto-debit of monthly premiums through credit card payments
  • Semi-annual invoice delivery and payment facilitation
• Customer portal
  • A member can opt in to or out of auto-debit and view all (unpaid) invoices
  • Self-manage their account and funding sources
• Supplier portal
  • Advanced capability for Teachers Life to monitor and administer member payments
  • Reconcile payments to FIMMAS
Simple. Smart. Secure.
• Managed payment acceptance
• Hosted checkout or API
• No card data on your site
• Simple integration
• Reduced PCI scope
Customer Self Service
• Simple interface for customers to manage their payment methods, reducing your internal management of customer payment information

Customer Portal: View and Pay
• Online statement available to customers tracking all historical dealings with Teachers Life
• Ability to select and pay invoices

Supplier Portal: Monitor, Notify, Collect
• Teachers Life dashboard tracking the status of invoices, workflow and notifications
Thank you for attending
Download this presentation and the PCI whitepaper: www.versapay.com/FIMMAS/