PCI DSS Compliance - vectra-corp.com.au DSS... · PCI DSS compliance is about protecting Payment...


PCI DSS Compliance

2013 pack for Merchants

This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends you seek advice from a PCI-approved Qualified Security Assessor if you have questions or concerns about your business' PCI DSS compliance obligations. ANZ does not warrant the accuracy of this information and accepts no liability if you choose to rely on it. You must not circulate this pack to anyone outside of your organisation without ANZ’s written consent.


Contents

Section 1: Introduction to PCI DSS

Section 2: Being PCI DSS compliant?

Section 3: How can ANZ assist?

Section 4: Education Tools and References


Section 01: Introduction to PCI DSS


Overview of PCI DSS Roles and Responsibilities

Each of the following stakeholders plays an important role in ensuring PCI DSS compliance for all organisations that store, process or transmit payment card information.

PCI Security Standards Council (PCI SSC)

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

• Manage security standards for hardware (PCI PTS), software (PCI PA-DSS) and data (PCI DSS) used in the global payment industry
• Maintain lists of Approved Scanning Vendors, QSA Organisations, Internal Security Assessors, Payment Devices & Applications

Card Schemes

• Ensure adherence to PCI standards by mandating timeframes for compliance, incentives, penalties and regular progress reporting
• Provide merchant education, training and support materials
• Visa – e.g. all Level 1 Merchants must be PCI DSS compliant by 30 September 2010
• MasterCard – e.g. from 30 June 2012, Level 1 & 2 merchants must employ a PCI certified Internal Security Assessor to approve their SAQ

ANZ

• Manage implementation of PCI security standards and Card Scheme mandates within our Merchant Services Products, Merchant Agreements and Service Provider relationships
• Provide complimentary PCI approved network vulnerability scanning for our merchants through an online portal
• Report regularly to Visa and MasterCard on the PCI DSS compliance progress of our Level 1 – Level 3 merchants
• Provide education and support to ensure our merchants validate and maintain PCI DSS compliance

ANZ Merchants

• Complete an annual Self-Assessment Questionnaire or Onsite Audit
• Manage non-compliance with PCI DSS by using the ‘Prioritised Approach’ tools and a project plan for remediation
• Complete a compliant network vulnerability scan each quarter
• Submit a compliant scan and non-compliance project plan updates to ANZ each quarter

Notes: For details of American Express requirements, please speak to your American Express account manager.


PCI DSS compliance is about protecting Payment Card Data

PCI DSS stands for Payment Card Industry Data Security Standard.

The PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC), whose founding members are listed on the original slide.

As the name suggests, PCI DSS is about how Merchants are expected to protect Payment Card Data.

If you want to accept payments via cards issued by the Card Schemes then you need to understand and comply with these standards. They form part of your Merchant Agreement.

PCI DSS applies to all merchants that store, process and/or transmit Payment Card Data; however, the scope of its impact depends on which merchant solution you use and how you operate your business.

What is Payment Card Data?


PCI DSS protects data through data security controls

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data & sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS consists of 6 core principles which are accompanied by 12 requirements. Becoming PCI DSS compliant requires that you can show that you have addressed all of the requirements that apply to you.

How your business handles Payment Card Data governs how many of these principles you will need to comply with.

How you show that you have done this depends on your Merchant level (generally defined by the number of payment card transactions processed annually).


What Payment Card Data can be stored?

PCI DSS regulates the storing of Payment Card Data. One of the key controls is PCI DSS requirement no. 3, which relates to storing Payment Card Data.

Reference: PCI SSC PCI DSS Quick Reference Guide


Why is protecting Payment Card Data important?

If you don’t protect payment card data, and/or take steps to ensure that your service providers do the same, you could be subject to an Account Data Compromise (ADC).

An ADC involves unauthorised access to cardholder data that is held within your business environment in either electronic or physical form. It is usually carried out by fraudsters who don’t care how large or small the business is.

If you become the subject of an ADC you risk financial penalties and the suspension or termination of your merchant facility.

You also risk damage to your brand and reputation. While many cardholder data compromises in Australia go unpublicised, some have resulted in adverse publicity through national media outlets.

PCI DSS can help to minimise the occurrence and impact of the theft of Payment Card Data from you.

Non-compliant:
• Financial ($) penalties
• Suspension or termination
• Brand damage
• Audit / forensics

Compliant:
• Assuring your customers that their data is secure
• Enhanced brand and reputation
• Minimising fines and penalties


Some examples of how PCI DSS non-compliance can lead to an Account Data Compromise

“The initial investigation has identified a number of non PCI DSS compliant practices within the merchant that could have contributed to unauthorised access to payment card data. These include:

• Multiple website vulnerabilities, identified using an ASV scan
• Stored email based orders that contain cardholder data
• Paper records used to take telephone orders
• Paper records used to transfer transaction details between systems”

Extract from Forensic Investigation Report


Other reasons why PCI DSS compliance is important

Risk of fines and penalties from the Card Schemes for being PCI DSS non-compliant

PCI DSS compliance is mandatory if you store, process and/or transmit payment card information. It's essential to ensure your business complies with the PCI DSS.

If you have been requested to validate compliance and you are unable to do so, you risk financial penalties.

Risk of termination of Merchant Facilities

All banks make PCI DSS compliance a requirement in their Merchant Agreement. If you want to accept payments via cards issued by the Card Schemes then you need to understand and comply with the PCI DSS standards. Non-compliance can lead to termination of a Merchant Agreement and notification to Card Schemes.


The financial penalties associated with Account Data Compromises and non-compliance with PCI DSS are summarised in the following slide.


Financial consequences associated with non-compliance

Account Data Compromises – if you suffer an ADC event, the financial consequences of a data compromise include:

Fines if you have an Account Data Compromise (assessments, up to, in US$)

Reason | Visa assessments | MasterCard assessments
Account data compromise (ADC) | Up to $400,000 | $5,000 to $500,000
Additional PCI DSS non-compliance assessments post ADC | NA | $100,000 per non-compliant requirement
ADC – operational reimbursement | Dependent upon number of accounts at risk / type of data at risk / number of accounts reported with confirmed fraud | Dependent upon number of accounts at risk / type of data at risk / number of accounts reported with confirmed fraud
Failure to report an ADC | NA | Up to US$25,000 per day of non-compliance

PCI DSS non-compliance – the financial consequences of PCI DSS non-compliance include:

Fines for not validating compliance (up to, in US$)

Violations per calendar year | MasterCard (L1 & L2 Merchants) | MasterCard (L3 Merchants) | Visa (L1, L2 & L3 Merchants)
First violation | 25,000 | 10,000 | 500
Second violation | 50,000 | 20,000 | 5,000
Third violation | 100,000 | 40,000 | 10,000
Fourth violation | 200,000 | 80,000 | 25,000
Total of 4 violations per Merchant | 375,000 | 150,000 | 40,500

In addition, we may have no choice but to terminate your merchant facility if PCI DSS compliance isn't achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which will limit your ability to gain a merchant facility from another bank.


PCI DSS latest developments

PCI Payment Application Data Security Standard (PA-DSS)

MasterCard and Visa require merchants accepting cards to use payment applications which adhere to PCI PA-DSS, effective 1 July 2012. Banks must ensure that their merchants use PCI PA-DSS compliant applications, effective 1 July 2012.

Update of the PCI DSS requirements

Every three years, the PCI Council releases a new version of its core standards – the PCI Data Security Standard (DSS), PCI Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) requirements.

The timeline for releases this year is:

• May 2013 – PTS version 4.0
• November 2013 – PCI DSS version 3.0 and PA-DSS version 3.0

News Flash

In response to industry feedback, the release of PCI DSS v3.0 is likely to include enhanced testing procedures to help assessors assure a more consistent level of assessment. For example, where a current testing procedure may simply say "Verify that....", it will be clarified as to what testing activities should be performed in order to perform the verification. Such clarifications should help provide assessors with a clearer interpretation of each requirement's objective, as well as providing the assessor with additional support often needed to obtain sufficient evidence that a control is in place.


Section 02: Being PCI DSS compliant


Your Merchant level tells you what to do for PCI DSS compliance

There are different methods for demonstrating (proving) your level of PCI compliance – these are based on your Merchant Level.

Merchants are classified into PCI DSS Levels 1-4, based on the volume of credit card transactions processed each year.

Levels 1, 2 and 4 use transaction volumes of all credit card payments, regardless of how payment was initiated.

Level 3 specifically considers e-commerce transactions where a credit card payment is initiated via a website.

Merchant Level by Transaction Volume/Type* | Validation Action to show that you are compliant | Who can do this

Level 1: Any merchant processing over 6 million Visa transactions per year
• Annual On-Site Security Audit – Qualified Security Assessor or Internal Audit (ISA Certified) & signed by company Officer
• Quarterly Network Scan – Approved Scan Vendor

Level 2: Any merchant processing 1 million to 6 million Visa transactions per year, regardless of acceptance channel
• Annual Self-Assessment Questionnaire (or Annual On-Site Security Audit – discretionary) – Merchant (ISA Certified) or Qualified Security Assessor
• Quarterly Network Scan – Approved Scan Vendor

Level 3: Any merchant processing 20,000 to 1 million Visa ecommerce transactions per year
• Annual Self-Assessment Questionnaire – Merchant
• Quarterly Network Scan – Approved Scan Vendor

Level 4: Any merchant processing less than 20,000 Visa ecommerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year
• Annual Self-Assessment Questionnaire – Merchant
• Quarterly Network Scan – Approved Scan Vendor

* other criteria can also determine merchant levels


Determine the scope of your Payment Card Data Environment

The PCI DSS (Full Requirements) v2 offers guidance in preparing for your annual PCI DSS assessment (pp 5-19). Guidance is offered on scoping, sampling, network segmentation, outsourcing relationships, wireless environments, compensating controls and the conduct of the assessment.


Quarterly task – perform an external vulnerability scan

There are ongoing quarterly obligations associated with demonstrating (proving) your level of PCI compliance:

Quarterly Network Vulnerability Scan (PCI DSS Requirement 11.2)

To ensure PCI DSS compliance, your organisation is required to complete a Network Vulnerability Scan, fix any non-compliant vulnerabilities, and then conduct a final compliant scan each quarter.

An external vulnerability scan enables you to assess the level of security from potential external threats. PCI Approved scanning tools test network equipment, hosts, and applications for known vulnerabilities; the scan is intended to identify such vulnerabilities so they can be corrected.

A network security scan is conducted in a non-intrusive way to remotely review networks and Web applications based on your external-facing Internet Protocol (IP) addresses provided. The scan will identify vulnerabilities in operating systems, services, and devices that could be exploited by hackers to target your company’s private network.

A full technical description of the scan scope can be found on pages 15-20 of the PCI SSC Approved Scanning Vendors (ASV) Program Guide.

Note: a Vulnerability Scan may not be required if your payment processing page is bank hosted or hosted by a PCI certified payment gateway. This usually applies to merchants completing the SAQ A, B or C-VT versions. Quarterly scans are compulsory if you qualify for the SAQ C or SAQ D version.


Annual task – perform a PCI DSS ‘self check-up’

There are ongoing annual obligations associated with demonstrating (proving) your level of PCI compliance: an Annual Self-Assessment Questionnaire (SAQ) OR a QSA Onsite Audit.

For many Merchants (Level 2, 3 and 4), you are able to complete your own self check-up by completing a Self-Assessment Questionnaire (SAQ).

The SAQ can be downloaded from the PCI SSC website at https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.

There are 5 different SAQ types – each SAQ contains a different number of questions based on how risky or complex your Payment Card Data environment is:

• SAQ D - 288 PCI Requirements
• SAQ C - 80 PCI Requirements
• SAQ C-VT - 51 PCI Requirements
• SAQ B - 29 PCI Requirements
• SAQ A - 13 PCI Requirements

You must select the correct SAQ for the payment processing methods used by your business. You may need to engage your IT Security and Technology staff (or Web Developer), Operations and Sales staff, Compliance teams and Service Providers to assist with answering the questions.

Level 1 Merchants must complete their PCI DSS assessment via an onsite audit.


Completing a Self-Assessment Questionnaire

The PCI Council has provided 2 excellent references to help your business complete the Self-Assessment Questionnaire:

• PCI DSS – Requirements and Security Assessment Procedures v2.0, October 2010 (PCI DSS (Full Requirements) v2) – lists each requirement and recommended test procedures to ensure compliance.
• Navigating PCI DSS – Understanding the Intent of the Requirements, Version 2.0, October 2010 (Understanding the Intent of the PCI DSS Requirements) – lists all the PCI DSS requirements individually, with descriptive guidance explaining the intent of each.


Annual assessment requirements for Level 1 & 2 Merchants

If you are a Level 1 or Level 2 Merchant, your PCI DSS Assessments must be conducted under the supervision of a Qualified Security Assessor or one of your own staff members certified as Internal Security Assessor.

Qualified Security Assessors

Qualified Security Assessor (QSA) companies are organisations that have been qualified by the PCI Council to have their employees assess compliance to the PCI DSS standard – details of QSAs located in Australia can be found at: QSA Organisations.

ANZ has strong relationships with several local QSAs and would be happy to facilitate an introduction.

Internal Security Assessors

Internal Security Assessors are organisations that have had staff qualified by the PCI Council. The Internal Security Assessor (ISA) Program consists of training from the Council to improve the organisation’s understanding of PCI DSS.

There are a number of requirements around ISA certification at this link: ISA Training Information – including pre-registration of your organisation with the PCI Security Standards Council, expertise requirements for the staff participants, online training & assessment prior to attending the training, etc.

Note

For Level 1 and 2 Merchants, choosing whether you will appoint a QSA or train your own staff through the ISA program is an important decision and will require time and resources. We recommend that you address these questions early so that you can comply with your annual assessment requirements.


What if you are PCI DSS non-compliant?

Merchants often find that they are non-compliant with PCI DSS after they have completed their annual assessment.

In addition, a merchant’s payment environment can change and just because PCI DSS compliance has been achieved at one point in time, does not mean that the Merchant will always be compliant.

PCI DSS recognises that Merchants may not be compliant and requires that the merchant develop a remediation plan to fix any areas of non-compliance – your remediation plan should list and prioritise any remediation activities required for PCI validation. This ensures that you're remediating with a risk-based approach, dealing with the highest risks first.

The PCI Council has developed the PCI DSS Prioritised Approach and the PCI DSS Prioritised Tool and Instructions.

Input the results from your completed Self Assessment Questionnaire into the Prioritised Approach Tool to provide an assessment of priority to remediate non-compliant requirements, based on risk. The Prioritised Approach Tool groups the PCI DSS requirements into risk-based ‘Milestones’.

Tip

It is important that you are able to demonstrate your commitment to rectify any areas of PCI DSS non-compliance by developing and implementing a remediation plan that is acceptable to ANZ. This can assist in minimising any Card Scheme fines due to non-compliance.


2013 - ANZ PCI DSS Reporting Due Dates

 | Q1 2013 | Q2 2013 | Q3 2013 | Q4 2013
Start of Quarter | 1st January | 1st April | 1st July | 1st October
Your PCI DSS Quarterly Reporting is Due | Friday 15th March | Friday 14th June | Monday 16th September | Tuesday 10th December
Collation & Follow-up | Monday 25th – Thursday 28th March | Monday 24th – Thursday 27th June | Monday 23rd – Thursday 26th September | Wednesday 18th – Monday 23rd December
Schemes Reporting Submission | Friday 29th March | Friday 28th June | Monday 30th September | Tuesday 24th December

ANZ prepares Schemes Reports about the PCI DSS compliance of its Merchants on a quarterly basis.

The following process map outlines the actions you should complete in order to ensure that ANZ accurately reports your PCI DSS compliance status.

Submit your compliant Scan and PCI DSS assessment update to ANZ by the Quarterly Reporting Due Date


Summary – PCI DSS Compliance requires good governance

In order to meet the various PCI DSS validation requirements, most Merchants will need to do the following types of things:

• Understand your Merchant Level
• Determine the scope of your Card Data Environment – that is, understand where and how Payment Card Data forms part of your payment processing activities
• Complete a compliant Network Vulnerability Scan every 3 months (ongoing) for externally facing IP addresses if they form part of your Card Data Environment
• Complete an annual PCI DSS Assessment of your Card Data Environment – onsite or SAQ as required – and determine what SAQ applies to you
• If you are a Level 1 or Level 2 Merchant, you will need to decide whether you will engage a QSA or go down the ISA path
• Develop a plan to fix (remediate) any areas of non-compliance – use the ‘Prioritised Approach’ tool if required
• Quarterly, submit your compliant Scan and PCI DSS assessment update to ANZ by the report date

Hint: Keeping good records and an audit trail will help you stay on top of your PCI DSS requirements.


Section 03: How can ANZ assist?


ANZ is committed to assist Merchants with PCI DSS compliance

ANZ is proud of its achievements to date in helping its merchants address their PCI DSS compliance obligations and can provide the following support services to assist attaining and maintaining PCI DSS compliance:

• Dedicated ANZ PCI Compliance Manager to assist your business in reaching compliance with PCI DSS. The ANZ PCI Compliance Manager provides education, support, management and reporting frameworks and engagement with expert information security resources to assist your business with the journey to and maintenance of PCI compliance.
• ANZ offers our customers regular planning sessions for PCI DSS, to identify activities, support requirements and reporting timeframes for the coming year.
• Progress meetings as required to support your PCI program.
• Access to industry benchmarks and best practice for PCI program management.
• Participate in ANZ PCI DSS Merchant Forums – network, learn and share experience with other merchants.


Introducing the ANZ PCI Portal

ANZ can provide unlimited complimentary access to selected merchants to its ANZ PCI Portal (go to ANZ PCI Online Portal), with easy to follow User Guides.

PCI Compliance Validation Task: PCI Self Assessment
How the ANZ PCI Portal can help you: You can work out which SAQ is relevant to you by following the prompts in the ANZ PCI Portal or by calling the Vectra Service Desk. SAQs can be completed online, and electronically filed in the Portal.
Benefit: Easy to use. Save time, environmentally friendly - paperless.

PCI Compliance Validation Task: Vulnerability Scans
How the ANZ PCI Portal can help you: If you are required to perform a Vulnerability Scan you can do so through the ANZ PCI Portal by following the prompts. There are many options for your ASV Scans: you can choose to run immediately, run at a specific scheduled date/time, or schedule every 90 days to run automatically (perfect for your quarterly PCI Compliance validation). You can scan many IP Addresses concurrently.
Benefit: Save money! Convenient.

Fully supported by a Help Desk
Manned by friendly, approachable PCI Subject Matter Experts (help desk based in Australia). Phone and email support provided.
Benefit: Expertise.


Section 04: Education Tools & References


PCI DSS education and references

The following information may be helpful in further understanding your PCI DSS obligations:

Brochures and Guides
• ANZ Fraud Minimisation, Data Security and Chargeback Guide
• PCI SSC PCI DSS (Full Requirements) v2
• PCI SSC Understanding the Intent of the PCI DSS Requirements
• PCI SSC PCI DSS Quick Reference Guide
• PCI SSC PCI DSS Prioritised Approach
• PCI SSC Various other PCI DSS supporting documents
• PCI SSC PCI FAQs
• Visa Guide for Staying PCI Compliant

Webinars
• MasterCard PCI 360 Merchant Education Webinars
• APCA Get Smart About Fraud Online

Training
• PCI SSC PCI DSS Awareness Training Online
• PCI SSC Internal Security Assessor (ISA) Training and Certification