Document Comparison

Small_Merchant_Guide_to_Safe_Payments.pdf → Small_Merchant_Guide_to_Safe_Payments.pdf
0% similar
0 → 28 Pages
0 → 6660 Words
13 Content Changes

Content Changes

13 content changes. 13 administrative changes (dates, page numbers) hidden.

Added p. 2
This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate merchants and other entities involved in payment card processing. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org.

The intent of this document is to provide supplemental information, which does not replace or supersede PCI Standards or their supporting documents.

Understanding your risk. As a small business, you are a prime target for data thieves.

When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information, and they take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found that 60% of those breached close within six months (NCSA). … of breaches hit smaller businesses …
Added p. 5
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps small merchants protect their customers’ payment card data.

Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ).

For more information on PCI DSS, see the Resources at the end of this guide.

Types of data on a payment card (figure): cardholder name, expiration date, magnetic stripe (data on tracks 1 and 2), card security code (American Express), card security code (all other payment brands).

YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.

Examples of payment card data are the primary account number (PAN) and the three- or four-digit card security code. The red arrows in the figure point to the types of data that require protection. The card security code and the full magnetic-stripe data are sensitive authentication data, which PCI DSS does not permit to be stored after a transaction is authorized.
Added p. 6
A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 21 for more information.

Understanding your payment system: Common payment terms

A PAYMENT TERMINAL is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (or POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.

ENCRYPTION (or cryptography) makes card data unreadable to people without special information (called …
Added p. 8
How is your business at risk? How do you sell your goods or services? There are three main ways:

1. A person walks into your shop and makes a purchase with their card.

2. A person visits your website and pays online.

3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.

The more features your payment system has, the more complex it is to secure.

Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can give criminals easy access to your customers’ payment card data.

If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced third …
Added p. 9
Understanding your risk: Payment system types Use the Common Payment Systems to help you identify what type of payment system you use, your risk, and the recommended security tips as a starting point for conversations with your merchant bank and vendor partners.

Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.
Added p. 10
PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS How do you protect your business? These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.

The good news is, you can start protecting your business today with these security basics:
Added p. 12
Use strong passwords and change default ones CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords like a toothbrush. Don’t let anyone else use them and get new ones every three months.

TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service providers about default passwords and how to change them. Then do it! Also, if your service provider manages passwords for your systems, ask them if they’ve changed those vendor default passwords.

MAKE THEM HARD TO GUESS. The most common passwords are “password” and “123456.” Hackers try easily-guessed passwords because they’re used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”

DON’T SHARE. Insist on each employee having their own login ID and password, and never share them!

(Ponemon Institute survey of SMBs …)
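As an added example (not code from the PCI SSC guide), the following Python script applies the rules above to a list of logins: the seven-character, four-character-class rule, a small blocklist that stands in for vendor defaults and the most common passwords, and a check for the same password reused across systems or people. The system names, usernames and passwords in it are constructed for the illustration.

```python
# Added example (not from the PCI SSC guide): audit a list of logins against
# the guide's password rules and a small default/common-password blocklist.
import re

# Constructed blocklist standing in for vendor defaults and the most common
# passwords. Real audits should use the vendor's published defaults and a
# large breached-password list; these entries are illustrative only.
WEAK_OR_DEFAULT = {
    "password", "123456", "admin", "1234", "12345678", "posadmin", "qwerty",
}

MIN_LENGTH = 7  # the guide's minimum: seven or more characters


def is_strong(password: str) -> bool:
    """True if the password meets the guide's rule (7+ characters with upper,
    lower, digit and symbol) and is not a well-known or default value."""
    if password.lower() in WEAK_OR_DEFAULT:
        return False
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return all(classes)


def audit_logins(logins):
    """logins: list of (system, username, password) tuples.
    Returns one (system, username, problem) finding per issue, in input order,
    so the merchant can hand the list to the vendor or service provider."""
    findings = []
    seen_passwords = {}  # password -> (system, user) that first used it
    for system, user, pw in logins:
        if pw.lower() in WEAK_OR_DEFAULT:
            findings.append((system, user, "vendor default or common password"))
        elif not is_strong(pw):
            findings.append((system, user,
                             "shorter than 7 characters or missing a character class"))
        # The same password on two accounts means it has effectively been shared
        if pw in seen_passwords:
            first = seen_passwords[pw]
            findings.append((system, user, f"same password as {first[0]}/{first[1]}"))
        else:
            seen_passwords[pw] = (system, user)
    return findings


# Constructed sample: a small shop's POS PC, terminal admin menu and Wi-Fi router
SAMPLE_LOGINS = [
    ("pos-pc", "admin", "admin"),               # vendor default never changed
    ("terminal-1", "manager", "B1gMac&frieS"),  # the guide's example passphrase
    ("wifi-router", "admin", "Shop2016"),       # no symbol, so it fails the rule
    ("pos-pc", "cashier", "B1gMac&frieS"),      # same password reused by a second person
]

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOGINS):
        print(" | ".join(finding))
```

The reuse check matters as much as the strength check: a strong passphrase that two employees share still cannot tell you which of them used the terminal.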
Added p. 14
Inspect payment terminals for tampering Be vigilant and follow these steps:

KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like.

LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don’t recognize. The Council’s guide (referenced below) can help.

PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).

CONTROL REPAIRS. Only allow payment terminal repairs from authorized repair personnel, and only if you are expecting them. Tell your staff too. Monitor any third-parties with physical access to your payment terminals, even if they …
Added p. 15
Use trusted business partners and know how to contact them

COMMON VENDORS. Refer to the table in the Questions to ask your Vendors for more details about these common vendors:

• Payment application vendors

• Payment system installers (called Integrators/Resellers)

• Service providers that perform payment processing, or e-commerce hosting or processing

• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)

• Providers of Software as a Service (SaaS)

KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from, and who installed it for you? Who are your service providers?

KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.

CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is your service provider adhering to PCI DSS requirements? …
Added p. 17
Someone else’s information and details to gain access to systems or data that person is not authorized to have access to.

25% OF BREACHES INVOLVE INTERNAL ACTORS.

Don’t give hackers easy access to your systems If your vendor supports or troubleshoots your payment system from their office (and not from your location) they are using the Internet and remote access software to do this.

Examples of products your vendor may install on your terminal and use to support you remotely include VNC and LogMeIn.

FIND OUT. Ask your payment system vendor or service provider if they use remote access to support or access your business systems.

ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords …
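An added example, not part of the guide: a Python script that reads the listening-socket listing produced by `ss -tlnp` on a Linux POS host and flags remote-access services that are always on, and whether they are reachable from the network or only from the machine itself. The sample output is constructed; its process names, PIDs and ports are assumptions. Tools such as LogMeIn connect outbound to the vendor’s relay rather than listening for connections, so they do not appear here and must be checked in the vendor’s console instead.

```python
# Added example (not from the PCI SSC guide): find remote-access listeners
# in `ss -tlnp` output on a Linux POS host. Sample output is constructed.
import re

# Well-known listening ports of common remote-access software.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP (Remote Desktop)",
    5800: "VNC (browser client)",
    5900: "VNC",
    5938: "TeamViewer",
}
# Bound to every interface: reachable from the network, not just this PC.
ANY_ADDRESS = {"0.0.0.0", "*", "::", "[::]"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_line(line: str):
    """Return (local_addr, port, process) for one LISTEN row, or None for
    the header and anything that is not a listener."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, port = fields[3].rsplit(":", 1)
    m = PROCESS_RE.search(line)
    return addr, int(port), (m.group(1) if m else "?")


def find_remote_access(ss_output: str):
    """Listeners on a remote-access port. 'exposed' is True when other hosts
    can reach the service, i.e. it is always on for the vendor and for anyone
    else on the same network."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        service = REMOTE_ACCESS_PORTS.get(port)
        # VNC listens on 5900 + display number, so treat the whole range as VNC
        if service is None and 5900 <= port <= 5999:
            service = "VNC"
        if service is None:
            continue
        findings.append({"port": port, "service": service, "process": proc,
                         "exposed": addr in ANY_ADDRESS})
    return findings


# Constructed sample of `ss -tlnp` output on a POS PC.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5901       0.0.0.0:*         users:(("x11vnc",pid=812,fd=4))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=501,fd=5))
LISTEN 0      128    *:3389             *:*               users:(("xrdp",pid=640,fd=11))
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=300,fd=6))
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*         users:(("sshd",pid=210,fd=3))
"""

if __name__ == "__main__":
    for f in find_remote_access(SAMPLE_SS_OUTPUT):
        state = "EXPOSED to the network" if f["exposed"] else "local only"
        print(f"port {f['port']:<5} {f['service']:<22} {f['process']:<10} {state}")
```

Run it with `ss -tlnp | python3 check_remote.py` style input (assumed filename) or paste the listing in. Anything reported as exposed is a candidate for the “only on when needed” conversation with the vendor; the local-only SSH listener in the sample still deserves a strong password and a documented reason to exist.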
Added p. 23
For the best protection, make your data useless to criminals

WORK WITH YOUR PAYMENT SYSTEMS VENDOR OR SERVICE PROVIDER. You should encrypt all card data you store or send. Make sure your payment system is using encryption and/or tokenization technology. If you are not sure, ask them.

USE PCI DEVICES THAT ENCRYPT CARD DATA. The PCI Council approves payment terminals that protect PIN data, as well as payment terminals and “secure card readers” that additionally encrypt card data. See the List of PCI Approved PTS Devices.

USE SECURE PCI ENCRYPTION SOLUTIONS. Ask whether your payment terminal encryption is provided by a Point-to-Point Encryption (P2PE) solution that appears on the PCI Council’s List of PCI P2PE Validated Solutions.

ARE YOU A MERCHANT NOW MOVING TO EMV CHIP TERMINALS? This is a great opportunity to make an investment in a terminal that supports EMV and also provides the added security of encryption and tokenization.

UPGRADE YOUR SOLUTION. …
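To show why tokenization makes stored data useless to a thief, here is an added Python model (not the PCI SSC’s or any provider’s code) of the pieces involved: a Luhn check that rejects mistyped PANs, masking of the PAN to the first six and last four digits, a token vault that stands in for the service provider’s side, and a scan of the merchant’s own records of the kind a thief or an assessor would run to look for PANs. The vault is an in-memory dictionary for illustration only; a real one is operated by the provider outside the merchant’s systems, with the mapping encrypted at rest. The PAN used is a public test card number.

```python
# Added example (not from the PCI SSC guide): a minimal model of tokenization
# and PAN masking. TokenVault stands in for the service provider's vault; the
# merchant keeps only what merchant_record() returns. All data is constructed.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject obviously mistyped PANs before they go anywhere (Luhn mod-10)."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the provider's vault: maps random tokens to PANs."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._pan_to_token:         # same card -> same token, so the
            return self._pan_to_token[pan]    # merchant can recognise repeat customers
        token = secrets.token_urlsafe(24)     # random: no calculation recovers the PAN
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can do this; the merchant never holds the mapping."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own database stores: a token and a masked PAN.
    The card security code and track data are never stored at all."""
    return {"token": vault.tokenize(pan), "pan_masked": mask_pan(pan),
            "amount_cents": amount_cents}


PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(record: dict) -> bool:
    """What a thief (or an assessor looking for stored cardholder data) would
    do with a dumped record: look for any Luhn-valid 13-19 digit run."""
    for value in record.values():
        if isinstance(value, str):
            for run in PAN_RUN.findall(value):
                if luhn_valid(run):
                    return True
    return False


TEST_PAN = "4111111111111111"  # public test card number, not a real account

if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, TEST_PAN, 1999)
    print(rec, "PAN recoverable from merchant record:", contains_pan(rec))
```

The same scan is useful on its own: pointed at exports of an inventory database, call-recording transcripts or old spreadsheets, it finds the full PANs that a merchant did not know it was storing, which is exactly the data the guide says to make useless.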
Added p. 26
Infographics and Videos

Infographic: It’s Time to Change Your Password - https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf

Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves - https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf

Video: Learn Password Security in 2 Minutes - https://www.youtube.com/watch?v=FsrOXgZKa7U

Video: Passwords - https://www.youtube.com/watch?v=dNVQk65KL8g

Infographic: Passwords - https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf

Video: Patching - https://www.youtube.com/watch?v=0NGz1mGO3Jg

Infographic: Patching - https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf

Video: Remote Access - https://www.youtube.com/watch?v=MxgSNFgvAVc

Infographic: Remote Access - https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Added p. 28
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.

The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf

The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards, such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved …