Document Comparison

Small_Merchant_Guide_to_Safe_Payments.pdf Small_Merchant_Guide_to_Safe_Payments_v3.0%20-%20April%202024.pdf
94% similar
28 → 29 Pages
6660 → 7135 Words
30 Content Changes

Content Changes

30 content changes. 16 administrative changes (dates, page numbers) hidden.

Added p. 8
Understanding your Petroleum & Fuel System

An ELECTRONIC PAYMENT SERVER (EPS) (may also be part of the Site Controller) is a software payment application, usually present in a semi-integrated system, that gives point-of-sale (POS) systems a way to perform payment transactions in a standard way, independent of the payment networks providing authorization. The EPS separates payment from the POS system or outdoor sales processor (OSP). The EPS manages payment requests from the POS systems and OSP, card data acquisition from the EMV terminals, and payment authorizations for all POS systems and the OSP. Generally, all payment business logic is implemented within the EPS. The POS, OSP, and EMV terminals are considered “dumb” devices programmed to implement only the interface to/from the EPS.

A FUEL SITE CONTROLLER is a software application designed to interface with the various forecourt devices of a fuel station, but primarily the fuel dispensers. The fuel site controller …
Added p. 16
• Payment terminal vendors
Modified p. 3
UNDERSTANDING Understanding your risk As a small business, you are a prime target for data thieves.
UNDERSTANDING YOUR RISK Understanding your risk As a small business, you are a prime target for data thieves.
Modified p. 5
TYPES OF DATA ON A PAYMENT CARD Cardholder Expiration date Magnetic stripe (Data on tracks 1 and 2) Card security code (American Express) Card security code (All other payment brands) YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.
TYPES OF DATA ON A PAYMENT CARD Cardholder name Expiration date Magnetic stripe (Data on tracks 1 and 2) Card security code (American Express) Card security code (All other payment brands) YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.
Modified p. 6
A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 21 for more information.
A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 22 for more information.
Modified p. 6
A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.
A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.
Modified p. 8 → 9
Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet- connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.
Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.
Modified p. 13 → 14
Protect card data and only store what you need ASK AN EXPERT. Ask your payment terminal vendor, service provider, or merchant bank where (or if) your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.
Protect card data and only store what you need ASK AN EXPERT. Ask your payment terminal vendor, service provider, or merchant bank where (or if) your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.
Modified p. 13 → 14
OUTSOURCE. The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider. See Resources on page 25 for lists of compliant service providers.
OUTSOURCE. The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider. See Resources on page 26 for lists of compliant service providers.
Modified p. 13 → 14
SEE PAGE 23 Risk Mitigation ENCRYPTION PRIMER Cryptography uses a mathematical formula to render plaintext unreadable to people without special knowledge (called a key). Cryptography is applied to stored data as well as data transmitted over a network.
SEE PAGE 24 Risk Mitigation ENCRYPTION PRIMER Cryptography uses a mathematical formula to render plaintext unreadable to people without special knowledge (called a key). Cryptography is applied to stored data as well as data transmitted over a network.
Modified p. 14 → 15
PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).
PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).
Modified p. 15 → 16
• Payment application
• Payment application vendors
Modified p. 15 → 16
• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
Modified p. 15 → 16
• Providers of Software as KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers? KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
• Providers of Software as a Service KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers? KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
Modified p. 15 → 16
CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too! See Resources on page 25 for lists of compliant service providers.
CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too! See Resources on page 26 for lists of compliant service providers.
Modified p. 16 → 17
Install patches from your vendors Risk Mitigation ASK your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.
Install patches from your vendors Risk Mitigation ASK your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.
Modified p. 18 → 19
ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords for remote access). Reduce your risk

• ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.
ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords for remote access). Reduce your risk

• ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.
Modified p. 19 → 20
Use anti-virus software INSTALL ANTI-VIRUS SOFTWARE TO PROTECT YOUR PAYMENT SYSTEM. It is easy to install and can be obtained from your local office supply shop or IT retailer.
Use anti-virus software INSTALL ANTI-VIRUS SOFTWARE TO PROTECT YOUR PAYMENT SYSTEM. It is easy to install and can be obtained from your local office supply shop or IT retailer.
Modified p. 20 → 21
TALK TO A PCI ASV. These vendors can help you with tools that automatically identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and/or networks and provide you with a report if, for example, you need to apply a patch. The PCI Council’s list (referenced to the left) can help you find a scanning vendor.
TALK TO A PCI ASV. These vendors can help you with tools that automatically identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and/or networks and provide you with a report if, for example, you need to apply a patch. The PCI Council’s list (referenced to the left) can help you find a scanning vendor.
Modified p. 21 → 22
LOOK FOR PCI DSS COMPLIANT SERVICE PROVIDERS. Make sure your payment service provider is compliant with PCI DSS. Check Mastercard’s and Visa’s lists to confirm that they are listed: MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Agents REFER TO THIS LIST OF VENDOR QUESTIONS. Use Questions to ask your Vendors to help you know what to ask your vendors and service providers.
LOOK FOR PCI DSS COMPLIANT SERVICE PROVIDERS. Make sure your payment service provider is compliant with PCI DSS. Check Mastercard’s and Visa’s lists to confirm that they are listed: MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Agents REFER TO THIS LIST OF VENDOR QUESTIONS. Use Questions to ask your Vendors to help you know what to ask your vendors and service providers.
Modified p. 21 → 22
Risk Mitigation Your customers enter their personal identification numbers (PINs) for their payment cards into your payment terminal or PIN entry device. It is important to use secure devices to protect your customers’ PIN data.
Risk Mitigation Your customers enter their personal identification numbers (PINs) for their payment cards into your payment terminal or PIN entry device. It is important to use secure devices to protect your customers’ PIN data.
Modified p. 21 → 22
For PCI payment terminals and secure card readers that encrypt card data, see page 23.
For PCI payment terminals and secure card readers that encrypt card data, see page 24.
Modified p. 22 → 23
USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.
USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.
Modified p. 22 → 23
USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).
USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).
Modified p. 23 → 24
SEE PAGE 21 PCI-approved secure card readers and payment terminals that encrypt card data do it using technology called “Secure Reading and Exchange of Data (SRED)” - ask your vendor if your payment terminal encrypts card data with SRED.
SEE PAGE 22 PCI-approved secure card readers and payment terminals that encrypt card data do it using technology called “Secure Reading and Exchange of Data (SRED)” - ask your vendor if your payment terminal encrypts card data with SRED.
Modified p. 23 → 24
What is tokenization? See page 13 for an explanation.
What is tokenization? See page 14 for an explanation.
Modified p. 26 → 27
Infographics and Videos (Resource: URL)
Infographic: It’s Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
Video: Learn Password Security in 2 Minutes: https://www.youtube.com/watch?v=FsrOXgZKa7U
Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g
Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg
Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc
Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Infographics and Videos (Resource: URL)
Infographic: It’s Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g
Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg
Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc
Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Modified p. 28 → 29
The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product …
The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and …
Modified p. 28 → 29
The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.
The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.
Modified p. 28 → 29
All five payment brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.
All five payment brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.