Document Comparison
Small_Merchant_Questions_to_Ask_Your_Vendors_July2016.pdf → Small_Merchant_Questions_to_Ask_Your_Vendors.pdf
38% similar
Pages: 10 → 11
Words: 2594 → 3138
Content Changes: 22
22 content changes. 7 administrative changes (dates, page numbers) hidden.
Added
p. 3
Introduction Questions to Ask your Vendors is a supplement to the Guide to Safe Payments, part of the Data Security Essentials for Small Merchants. By providing questions to ask your vendors and service providers, this is intended to assist with your understanding of how those entities support the protection of your customers’ card data.
Please refer to the Guide to Safe Payments and the other Data Security Essentials for Small Merchants at the following:
Vendors and Service Providers The table below describes the most common types of payment vendors and service providers, their functions, and PCI standards or programs that apply to those functions. See the Appendix for a list of questions applicable to each type of vendor or service provider.
PCI Point-to-Point Encryption Payment terminal is on the List of PCI Approved PTS Devices Encryption solution is on the List of PCI P2PE Solutions Payment processors, e-commerce payment service providers, payment gateways, …
Added
p. 11
Which questions apply to which vendors/solution providers? Type of Vendor/Service Provider Applicable Questions Payment application vendor 1-15 Payment terminal vendors, payment solution vendors Payment processors, e-commerce payment service providers, payment gateways, contact centers E-commerce hosting providers 1-15 Providers of software as a service, cloud-based hosting provider Providers of services that may help you meet PCI DSS requirements Integrators/resellers 5-9
Removed
p. 3
Introduction This document has been prepared as an aid to small-merchant owners and operators. By providing questions to ask your vendors and service providers, this is intended to assist with your understanding of how those entities support the protection of your customers’ card data.
Questions to Ask your Vendors was developed as a supplement to the Guide to Safe Payments, part of the Payment Protection Resources for Small Merchants. Please refer to the Guide to Safe Payments and the other Payment Protection Resources for Small Merchants at the following:
Modified
p. 3
RESOURCE URL Guide to Safe Payments https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments.pdf Common Payment Systems https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf Glossary of Payment and Information Security Terms https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf Vendors and Service Providers, and How They Function Small businesses/merchants may come into contact with a number of payment vendors or services providers, and it is important for merchants to understand the type of vendor they are working with and ensure the vendor has taken appropriate steps to protect card data.
RESOURCE URL Guide to Safe Payments https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments.pdf Common Payment Systems https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf Glossary of Payment and Information Security Terms https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf Evaluation Tool https://www.pcisecuritystandards.org/merchants/ This tool is provided for merchant information only. An option for merchants is to use it as a first step to gain insight about security practices relevant to the way they accept payments, to provide their initial responses, and to see their results.
Removed
p. 4
Vendors and Service Providers TYPE OF VENDOR/ SERVICE PROVIDER FUNCTION
PCI STANDARD OR PROGRAM LOOK FOR:
Payment terminal vendor Sell and support devices used to accept card payments (e.g., payment terminal).
Payment processors, e-commerce hosting providers/processors Store, process, or transmit cardholder data on your behalf.
May also host and manage your e-commerce server/website and/or develop and support your website.
PCI DSS Ask for their PCI DSS Attestation of Compliance and whether their assessment included the service you are using. Service provider is on one of these lists: MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Member Agents Integrators/resellers Install PA-DSS validated payment applications on your behalf.
Providers of services that satisfy PCI DSS requirement(s) Manage/operate systems or services on your behalf (e.g., firewall management, patching/AV services).
PCI DSS Ask for their PCI DSS Attestation of Compliance and whether their assessment included the service you are using. Service provider is on …
Modified
p. 4
Payment application vendor Sell and support applications that store, process, and/or transmit cardholder data.
Type of Vendor/Service Provider Function PCI Standard or Program Payment application vendor Sell and support applications that store, process, and/or transmit cardholder data.
Modified
p. 4
Payment Application Data Security Standard (PA-DSS) Application is on the List of PCI PA-DSS of Validated Payment Applications.
Payment Application Data Security Standard (PA-DSS) Application is on the List of PCI PA-DSS of Validated Payment Applications Payment terminal vendors, payment solution vendors Sell and support devices or solutions (e.g., payment terminals or encryption solutions) used to accept card payments.
Modified
p. 4
PCI Data Security Standard (PCI DSS) Ask for their PCI DSS Attestation of Compliance and whether their assessment included the service you are using. Service provider is on one of these lists: MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Member Agents Providers of software as a service Develop, host and/or manage your cloud-based web application or payment application (e.g., online ticketing or booking application).
PCI Data Security Standard (PCI DSS) Ask for their PCI DSS Attestation of Compliance and whether their assessment included the service you are using.
Modified
p. 4
Qualified Integrators and Resellers (QIR) Ask whether vendor is a PCI Qualified Integrator or Reseller (QIR). Vendor is on the List of PCI QIRs.
Integrators/resellers Install merchant payment systems. Qualified Integrators and Resellers (QIR) Ask whether the vendor is a PCI Qualified Integrator or Reseller (QIR). Vendor is on the List of PCI QIRs.
Modified
p. 4 → 5
• Check here to see whether the payment terminal is PCI PTS approved: List of PCI Approved PTS Devices
Removed
p. 5
QUESTION Asked by the merchant to the vendor DESIRED ANSWER FROM VENDOR RECOMMENDED ACTION Based on the vendor’s response HOW SECURE IS YOUR SOLUTION OR PRODUCT?
1. Does your solution/product ensure the secure capture and transmission of cardholder data? For face-to-face card-present payment transactions: YES
• Check here to see whether the payment terminal is PCI PTS approved:
For card-not-present payment transactions (including e-commerce, mail order/telephone order): YES
• Check here to see whether the payment application is PCI PA-DSS validated: List of PCI PA-DSS of Validated Payment Applications OR
• Check here to see whether the service provider is a PCI DSS Compliant Service Provider: MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Member Agents The table below contains a series of questions for merchants to ask their vendors/service providers to determine whether the proper controls are in place to protect card data.
Modified
p. 5
• Check here to see whether the payment application is PCI PA-DSS validated: List of PCI PA-DSS of Validated Payment Applications
• Check here to see whether the encryption solution is PCI P2PE validated:
• Check here to see whether the payment application is PCI PA-DSS validated: List of PCI PA-DSS of Validated Payment Applications
Modified
p. 5
List of PCI P2PE Validated Solutions If NO, ask Question 2.
List of PCI P2PE Validated Solutions For card-not-present payment transactions (including e-commerce, mail order/telephone order):
Removed
p. 6
QUESTION Asked by the merchant to the vendor DESIRED ANSWER FROM VENDOR RECOMMENDED ACTION Based on the vendor’s response HOW SECURE IS YOUR SOLUTION OR PRODUCT? continued
2. Does our agreement with you (the vendor) include clauses that state that you will maintain PCI DSS compliance for your product/service (or become PCI DSS validated)? Vendors with products/solutions that are or will become PCI DSS compliant should be willing to have that status included in a written agreement.
For additional information on evidence to look for regarding PCI DSS compliant products/solutions, refer to Question 1 above.
Removed
p. 6
3. Does your product/solution store payment card information locally (in my store/shop location)? If it does, merchants can consider a tokenization or encryption solution to better secure card data. See the Guide to Safe Payments for more information about encryption and tokenization.
If YES, merchant should confirm with vendor that the data is stored per PCI DSS requirements. If not, consider another vendor.
4. Does your product/solution protect payment card information with strong encryption? Encryption is a way of securing information so it is less likely to be stolen. If you can, select from the List of PCI P2PE Validated Solutions, where card data is secured as soon as you receive it and is protected as it travels through your network.
QUESTION Asked by the merchant to the vendor DESIRED ANSWER FROM VENDOR RECOMMENDED ACTION Based on the vendor’s response HOW SECURE IS THE INSTALLATION OF MY PRODUCT? 5. If vendor is installing …
Removed
p. 8
If NO, consider another vendor.
QUESTION Asked by the merchant to the vendor DESIRED ANSWER FROM VENDOR RECOMMENDED ACTION Based on the vendor’s response DO YOU PROVIDE ME WITH ONGOING SUPPORT AND MAINTENANCE FOR YOUR PRODUCT/SOLUTION? IF SO, HOW?
6. Is your product/solution installed on my network or systems? YES The vendor should provide on-going maintenance and support for software updates and security patches. In addition, they should provide and offer support for future version releases. It is in your best interest to have vendors/suppliers that fully support their products and assist you with installations/patches to ensure any changes to the system align to PCI requirements.
If the response is YES, see follow-up questions at left.
If NO, go to Question 7.
Follow-up questions if response to above is YES:
• Do you install patches and updates to the system/solution?
• Do you do this in a manner that aligns to PCI DSS requirements?
• How do you …
Modified
p. 8 → 9
MasterCard’s List of Compliant Service Providers Visa’s Global Registry of Service Providers Visa Europe’s Registered Merchant Agents
Removed
p. 9
If NO, go to Question 9.
QUESTION Asked by the merchant to the vendor DESIRED ANSWER FROM VENDOR RECOMMENDED ACTION Based on the vendor’s response DO YOU PROVIDE ME WITH ONGOING SUPPORT AND MAINTENANCE FOR YOUR PRODUCT/SOLUTION? continued
8. Do you require remote access to my payment system/solution to support it? Remote access is frequently exploited in payment-data breaches. Remote access functionality should be limited to brief periodic use, and disabled at all other times.
If YES, ask follow-up questions at left.
Follow-up questions if response to above is YES:
• Do you require remote access to be always active? Remote access functionality should be limited to brief periodic use, and disabled at all other times.
• If remote access is required to be always active, consider another vendor or solution.
• What steps do you take to secure remote access connections? Your vendor should use multi-factor authentication AND a different username and password for each customer they …
Modified
p. 10
The vendor/service provider should agree to cooperate with a forensics investigator, if there are questions about the managed service or solution they provide.
The vendor/service provider should agree to cooperate with a forensics investigator if there are questions about the managed service or product/solution they provide.
Modified
p. 10
The vendor/service provider should indemnify the merchant for fines incurred in the event there is a breach and it is determined that the vendor solution is the root cause.
The vendor/service provider should agree to help you for fines incurred in the event there is a breach and it is determined that the vendor product/solution is the cause.
Modified
p. 10
13. Does the vendor/service provider carry insurance to cover data breaches related to their product/solution? Having insurance illustrates the vendor/service provider has thought through their responsibility and liability related to cardholder data breaches. If they do carry insurance, ask about the scope of coverage and whether your implementation will be covered.
Modified
p. 10
• Do you send the notifications?
• Send the notifications?