Document Comparison
Small_Merchant_Guide_to_Safe_Payments_v3.0%20-%20April%202024.pdf
→
Small_Merchant_Guide_to_Safe_Payments.pdf
0% similar
Pages: 29 → 0
Words: 7135 → 0
Content changes: 14 (14 administrative changes, such as dates and page numbers, hidden)
Removed
p. 2
This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate merchants and other entities involved in payment card processing. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org.
The intent of this document is to provide supplemental information, which does not replace or supersede PCI Standards or their supporting documents.
Understanding your risk
As a small business, you are a prime target for data thieves.
When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA) OF BREACHES HIT …
Removed
p. 5
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards.
Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ).
For more information on PCI DSS, see the Resources at the end of this guide.
TYPES OF DATA ON A PAYMENT CARD
• Cardholder name
• Expiration date
• Magnetic stripe (Data on tracks 1 and 2)
• Card security code (American Express)
• Card security code (All other payment brands)
YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.
Examples of payment card data are the primary account number (PAN) and three or four-digit card security code. The red arrows below point to types of data that require protection.
A PAYMENT SYSTEM includes the entire process …
Removed
p. 7
Understanding your E-commerce Payment System
An E-COMMERCE WEBSITE houses and presents your business website and shopping pages to your customers. The website may be hosted and managed by you or by a third party hosting provider.
An E-COMMERCE PAYMENT SYSTEM encompasses the entire process for a customer to select products or services and for the e-commerce merchant to accept card payments, including a website with shopping pages and a payment page or form, other connected devices or systems (for example Wi-Fi or a PC used for inventory), and connections to the merchant bank (also called a payment service provider or payment gateway). Depending on the merchant’s e-commerce payment scenario, an e-commerce payment system is either wholly outsourced to a third party, partially managed by the merchant with support from a third party, or managed exclusively by the merchant.
When you sell products or services online, you are classified as an e-commerce merchant. …
Removed
p. 8
Understanding your Petroleum & Fuel System
An ELECTRONIC PAYMENT SERVER (EPS) (may also be part of the Site Controller) is a software payment application, usually present in a semi-integrated system, that gives point-of-sale (POS) systems a way to perform payment transactions in a standard way, independent of the payment networks providing authorization. The EPS separates payment from the POS system or outdoor sales processor (OSP). The EPS manages payment requests from the POS systems and OSP, card data acquisition from the EMV terminals, and payment authorizations for all POS systems and the OSP. Generally, all payment business logic is implemented within the EPS. The POS, OSP, and EMV terminals are considered “dumb” devices programmed to implement only the interface to/from the EPS.
A FUEL SITE CONTROLLER is a software application designed to interface with the various forecourt devices of a fuel station, but primarily the fuel dispensers. The fuel site controller …
Removed
p. 9
How is your business at risk?
How do you sell your goods or services? There are three main ways:
1. A person walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.
The more features your payment system has, the more complex it is to secure.
Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.
If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced …
Removed
p. 10
Understanding your risk: Payment system types
Use the Common Payment Systems to help you identify what type of payment system you use, your risk, and the recommended security tips as a starting point for conversations with your merchant bank and vendor partners.
Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.
Removed
p. 11
PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS
How do you protect your business? These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.
The good news is, you can start protecting your business today with these security basics:
Removed
p. 13
Use strong passwords and change default ones
CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords like a toothbrush. Don’t let anyone else use them and get new ones every three months.
TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service providers about default passwords and how to change them. Then do it! Also, if your service provider manages passwords for your systems, ask them if they’ve changed those vendor default passwords.
MAKE THEM HARD TO GUESS. The most common passwords are “password” and “123456.” Hackers try easily-guessed passwords because they’re used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”
DON’T SHARE. Insist on each employee having their own login IDs and passwords: never share!
Ponemon Institute of SMBs …
Removed
p. 15
Inspect payment terminals for tampering
Be vigilant and follow these steps:
KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like.
LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don’t recognize. The Council’s guide (referenced below) can help.
PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).
CONTROL REPAIRS. Only allow payment terminal repairs from authorized repair personnel, and only if you are expecting them. Tell your staff too. Monitor any third-parties with physical access to your payment terminals, even if …
Removed
p. 16
Use trusted business partners and know how to contact them
COMMON VENDORS. Refer to the table in the Questions to ask your Vendors for more details about these common vendors:
• Payment terminal vendors
• Payment application vendors
• Payment system installers (called Integrators/Resellers)
• Service providers that perform payment processing, or e-commerce hosting or processing
• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
• Providers of Software as a Service
KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?
KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is …
Removed
p. 18
Someone else’s information and details to gain access to systems or data that person is not authorized to have access to.
25% OF BREACHES INVOLVE INTERNAL ACTORS.
Don’t give hackers easy access to your systems
If your vendor supports or troubleshoots your payment system from their office (and not from your location) they are using the Internet and remote access software to do this.
Examples of products your vendor may install on your terminal and use to support you remotely include VNC & LogMeIn.
Risk Mitigation
FIND OUT. Ask your payment system vendor or service provider if they use remote access to support or access your business systems.
ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords …
Removed
p. 24
Risk Mitigation
For the best protection, make your data useless to criminals
WORK WITH YOUR PAYMENT SYSTEMS VENDOR OR SERVICE PROVIDER. You should encrypt all card data you store or send. Make sure your payment system is using encryption and/or tokenization technology. If you are not sure, ask them.
USE PCI DEVICES THAT ENCRYPT CARD DATA. The PCI Council approves payment terminals that protect PIN data and payment terminals and “secure card readers” that additionally encrypt card data. See the List of PCI Approved PTS Devices.
USE SECURE PCI ENCRYPTION SOLUTIONS. Ask whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI Council’s List of PCI P2PE Validated Solutions.
ARE YOU A MERCHANT NOW MOVING TO EMV CHIP TERMINALS? This is a great opportunity to make an investment in a terminal that supports EMV and also provides the added security of encryption and tokenization.
UPGRADE YOUR SOLUTION. …
Removed
p. 27
Infographics and Videos (Resource: URL)
• Infographic: It’s Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
• Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
• Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g
• Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
• Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg
• Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
• Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc
• Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Removed
p. 29
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf
The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors …