Document Comparison

Small_Merchant_Common_Payment_Systems.pdf Small_Merchant_Common_Payment_Systems_v3.0 – April 2024.pdf
91% similar
67 → 72 Pages
12079 → 13644 Words
61 Content Changes

Content Changes

61 content changes. 52 administrative changes (dates, page numbers) hidden.

Added p. 6
Understanding your Petroleum & Fuel System A FUEL ISLAND is the area of a convenience and retail fuel site where fuel dispensers are physically located. Generally, the fuel island is part of the site’s forecourt. The fuel island can be either manned or unmanned. Unmanned fuel islands are often described as self-service.

A MANAGED NETWORK SERVICE PROVIDER (MNSP) is a service provider who administers site level network connectivity, failover, on premise network device configurations, remote connectivity such as VPN, and/ or network security features. The MNSP is responsible for maintaining the controls that protect network devices from misconfiguration, including insecure configuration. These providers generally have remote access to a site’s network, and thus a compromise of a MNSP system could lead to a compromise of the cardholder data environment.

A BACK OFFICE PC is a dedicated personal computer used to manage nonconsumer business operations for a convenience and retail fuel site. The …
Added p. 35
WIRELESS PAYMENT TERMINAL INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL How do you start to protect card data today?* TYPE 7 OVERVIEW TYPE 7 THREATS TYPE 7 RISKS TYPE 7 PROTECTIONS *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Added p. 39
How do you start to protect card data today?* ELECTRONIC CASH REGISTER ROUTER/ FIREWALL GENERAL USE COMPUTERS PAYMENT TERMINAL TYPE 8 OVERVIEW TYPE 8 THREATS TYPE 8 RISKS TYPE 8 PROTECTIONS *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Added p. 49
Where is your card data at risk? TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant responsibility Electronic card data at a third party (e-commerce hosting, payment gateway, shopping cart provider, etc.) Electronic card data because of weaknesses in your website server or infrastructure.

How do criminals get your card data? TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant responsibility They steal card data by compromising your website due to vulnerabilities or poor security practices. For example, SQL injection is a common technique used to steal data from websites.
Added p. 56
WIFI OR CELLULAR NETWORK For this scenario, risks to card data are present at above. Risks explained on next page.
Added p. 67
How do you start to protect card data today?* Protect card data and only keep what you need Inspect your payment terminals for damage or changes Ask your vendor partners for help if you need it Protect in-house access to your card data Make your card data useless to criminals TYPE 15 OVERVIEW TYPE 15 THREATS TYPE 15 RISKS TYPE 15 PROTECTIONS MERCHANT RESPONSIBILITY MOBILE PHONE OR TABLET P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE Encrypted Account Data Encrypted Account Data PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER P2PE INSTRUCTION MANUAL (PIM) FROM P2PE SOLUTION PROVIDER *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.

BACK OFFICE PC PIN PAD / PAYMENT TERMINAL NETWORK SWITCH ELECTRONIC PAYMENT …
Added p. 70
BACK OFFICE PC NETWORK SWITCH ELECTRONIC PAYMENT SERVER (EPS) FIREWALL / MNSP INTERNET INTERNET MNSP PROCESSOR / ACQUIRER FUEL SITE CONTROLLER CONVENIENCE STORE FUEL ISLAND located on the Forecourt Common Petroleum & Fuels Environment 16 How do criminals get your card data? TYPE 16 OVERVIEW TYPE 16 THREATS TYPE 16 RISKS TYPE 16 PROTECTIONS Mobile Payments / Above Site

• eCommerce Threats POS System

• “Skimming” equipment attached to (or embedded into) your payment terminal.

• PIN pad overlay devices can harvest payment card data and steal consumer PINs.

• Access via misconfigured or out-of-date software

• Access via insecure Wi-Fi devices

• Intentional bypassing of firewall rules and or physical connections

• Unauthorized devices attached to the network Unattended Terminal

• Pump doors that are easy to open because of weak / default locks

• Outdated un-secure card readers

• Untrusted assets connected for upgrades (Pump Techs laptop)

• Fraudsters posing as a pump tech

• Insecure forecourt controller communications …
Added p. 71
Common Petroleum & Fuels Environment 16 How do you start to protect card data today?* TYPE 16 OVERVIEW TYPE 16 THREATS TYPE 16 RISKS TYPE 16 PROTECTIONS BACK OFFICE PC PIN PAD / PAYMENT TERMINAL NETWORK SWITCH ELECTRONIC PAYMENT SERVER (EPS) FIREWALL / MNSP INTERNET INTERNET MNSP PROCESSOR / ACQUIRER FUEL SITE CONTROLLER CONVENIENCE STORE FUEL ISLAND located on the Forecourt *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary. For additional questions for your vendor, see Small Merchant Questions for Vendors.
Modified p. 3
1) Overview 2) Risks - where card data is exposed 3) Threats - how criminals can get card data 4) Protections - recommended ways to protect card data.
• Each payment system diagram includes four views: 1) Overview 2) Risks - where card data is exposed 3) Threats - how criminals can get card data 4) Protections - recommended ways to protect card data.
Modified p. 4
An ELECTRONIC CASH REGISTER (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.
An ELECTRONIC CASH REGISTER (or till; may also be known as POS System) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.
Modified p. 7 → 8
Dial-up payment terminal. Payments sent via phone line. 1 Dial-up payment terminal shows it is dialing for each transaction The payment terminal is connected to bank by a dial-up telephone line PHONE LINE Paper documents with card data For this scenario, risks to card data are present at above. Risks explained on next page.
Dial-up payment terminal shows it is dialing for each transaction The payment terminal is connected to bank by a dial-up telephone line PHONE LINE Paper documents with card data For this scenario, risks to card data are present at above. Risks explained on next page.
Modified p. 10 → 11
How do you start to protect card data today?* Dial-up payment terminal. Payments sent via phone line. 1 PHONE LINE DIAL-UP PAYMENT TYPE 1 OVERVIEW TYPE 1 THREATS TYPE 1 RISKS TYPE 1 PROTECTIONS Protect card data and only keep what you need Inspect your payment terminals for damage or changes Ask your vendor partners for help if you need it Limit in-house access to your card data *Click on the icons above for the Guide to Safe Payments and …
PHONE LINE DIAL-UP PAYMENT TERMINAL TYPE 1 OVERVIEW TYPE 1 THREATS TYPE 1 RISKS TYPE 1 PROTECTIONS Protect card data and only keep what you need Inspect your payment terminals for damage or changes Ask your vendor partners for help if you need it Limit in-house access to your card data *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Modified p. 23 → 24
Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register. 5 Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
Modified p. 24 → 25
Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register. 5 PAYMENT TERMINAL ELECTRONIC CASH REGISTER ROUTER/ FIREWALL Where is your card data at risk?
Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register.
Modified p. 25 → 26
Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register. 5 ELECTRONIC CASH REGISTER ROUTER/ FIREWALL How do criminals get your card data? They may also steal your terminal, replacing it with a modified one used to get your card data.
ELECTRONIC CASH REGISTER ROUTER/ FIREWALL How do criminals get your card data? They may also steal your terminal, replacing it with a modified one used to get your card data.
Modified p. 26 → 27
Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register. 5 How do you start to protect card data today?* Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers …
How do you start to protect card data today?* Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers easy access Get regular vulnerability scanning Use secure payment systems Protect your business from the Internet …
Modified p. 27 → 28
Integrated payment terminal and payment middleware share card data. Payments sent via Internet. 6 INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE Payment terminal and electronic cash register combined Card is swiped by a staff member; diagram is not applicable for chip cards No separate PIN entry device No other equipment connected to merchant payment system Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange …
INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE Payment terminal and electronic cash register combined Card is swiped by a staff member; diagram is not applicable for chip cards No separate PIN entry device No other equipment connected to merchant payment system Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
Modified p. 28 → 29
Integrated payment terminal and payment middleware share card data. Payments sent via Internet. 6 Where is your card data at risk?
Integrated payment terminal and payment middleware share card data. Payments sent via Internet.
Modified p. 29 → 30
INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL Integrated payment terminal and payment middleware share card data. Payments sent via Internet. 6 They steal your terminal, replacing it with a modified one used to get your card data.
INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL Integrated payment terminal and payment middleware share card data. Payments sent via Internet.
Modified p. 30 → 31
Integrated payment terminal and payment middleware share card data. Payments sent via Internet. 6 INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL How do you start to protect card data today?* TYPE 6 OVERVIEW TYPE 6 THREATS TYPE 6 RISKS TYPE 6 PROTECTIONS Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect …
INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL How do you start to protect card data today?* TYPE 6 OVERVIEW TYPE 6 THREATS TYPE 6 RISKS TYPE 6 PROTECTIONS Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - …
Modified p. 31 → 32
Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet. 7 WIRELESS PAYMENT Integrated payment terminal with disabled card reader or with no card reader present Card data shared with terminal and middleware No other equipment connected to merchant payment systems Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
WIRELESS PAYMENT TERMINAL Integrated payment terminal with disabled card reader or with no card reader present Card data shared with terminal and middleware No other equipment connected to merchant payment systems Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
Modified p. 32 → 33
Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet. 7 WIRELESS PAYMENT INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL Where is your card data at risk?
Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet.
Modified p. 33 → 34
WIRELESS PAYMENT INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet. 7 They steal card data via “skimming” equipment they attach to (or embed into) your payment terminal.
WIRELESS PAYMENT TERMINAL INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet.
Removed p. 34
Wireless payment terminal (“pay-at-table”) with integrated payment terminal and payment middleware. Payments sent via Internet. 7 WIRELESS PAYMENT INTEGRATED PAYMENT TERMINAL PAYMENT MIDDLEWARE ROUTER/ FIREWALL How do you start to protect card data today?* TYPE 7 OVERVIEW TYPE 7 THREATS TYPE 7 RISKS TYPE 7 PROTECTIONS Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers easy access Get regular vulnerability scanning Use secure payment systems Protect your business from the Internet Use anti-virus software Make your card data useless to criminals *Click on the icons above for the Guide to Safe Payments and information about these security basics.
Modified p. 35 → 36
Payment terminal connects to electronic cash register with additional connected equipment. Payments sent via Internet. 8 ELECTRONIC CASH REGISTER ROUTER/ FIREWALL GENERAL USE PAYMENT TERMINAL Card data can be entered on electronic cash register or payment terminal Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
ELECTRONIC CASH REGISTER ROUTER/ FIREWALL GENERAL USE COMPUTERS PAYMENT TERMINAL Card data can be entered on electronic cash register or payment terminal Encrypting card data reduces your risk. If your payment terminal encrypts card data, ask your terminal vendor how (e.g. does it use PCI’s Secure Reading and Exchange of Data (SRED) to encrypt).
Modified p. 36 → 37
Payment terminal connects to electronic cash register with additional connected equipment. Payments sent via Internet. 8 ELECTRONIC CASH REGISTER ROUTER/ FIREWALL GENERAL USE PAYMENT TERMINAL Electronic card data inside payment terminal or electronic cash register Electronic card data in transit from payment terminal to processor Where is your card data at risk?
Payment terminal connects to electronic cash register with additional connected equipment. Payments sent via Internet.
Modified p. 37 → 38
Payment terminal connects to electronic cash register with additional connected equipment. Payments sent via Internet. 8 ELECTRONIC CASH REGISTER ROUTER/ FIREWALL PAYMENT TERMINAL How do criminals get your card data? They insert “malware”(software) onto a payment system that enables them to steal card data.
ELECTRONIC CASH REGISTER ROUTER/ FIREWALL PAYMENT TERMINAL How do criminals get your card data? They insert “malware”(software) onto a payment system that enables them to steal card data.
Modified p. 38 → 39
Payment terminal connects to electronic cash register with additional connected equipment. Payments sent via Internet. 8 How do you start to protect card data today?* ELECTRONIC CASH REGISTER ROUTER/ FIREWALL GENERAL USE PAYMENT TERMINAL TYPE 8 OVERVIEW TYPE 8 THREATS TYPE 8 RISKS TYPE 8 PROTECTIONS Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if …
Use strong passwords Protect card data and only keep what you need Inspect your payment terminals for damage or changes Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers easy access Get regular vulnerability scanning Use secure payment systems Protect your business from the Internet Use anti-virus software Make your card data useless to …
Modified p. 39 → 40
E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider. 9 LOWER MERCHANT E-COMMERCE WEB SITE
E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider.
Modified p. 39 → 40
PCI DSS COMPLIANT THIRD-PARTY SERVICE MERCHANT ROUTER / FIREWALL THIRD-PARTY PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant website may be hosted and managed by the merchant or by a third party hosting provider on the merchant’s behalf. Either way, the merchant has no access to the payment page.
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL THIRD-PARTY PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant website may be hosted and managed by the merchant or by a third party hosting provider on the merchant’s behalf. Either way, the merchant has no access to the payment page.
Modified p. 39 → 40
Customer enters own card data into third-party payment page Merchant responsibility Third-party service provider responsibility Customer card data captured by payment services provider’s payment page/form Merchant’s entire payment page/form is outsourced to and hosted by a PCI DSS compliant third-party For this scenario, risks to card data are present at above. Risks explained on next page.
Customer enters own card data into third-party payment page Merchant responsibility Third-party service provider responsibility Customer card data captured by payment services provider’s payment page/form Merchant’s entire payment page/ form is outsourced to and hosted by a PCI DSS compliant third-party For this scenario, risks to card data are present at above. Risks explained on next page.
Modified p. 40 → 41
E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider. 9 LOWER Where is your card data at risk? Electronic card data (even though merchant doesn’t capture or store it) because of weaknesses on merchant website Electronic card data at a third party (e-commerce hosting, service provider, shopping cart provider, etc.) TYPE 9 OVERVIEW TYPE 9 THREATS TYPE 9 RISKS TYPE 9 PROTECTIONS MERCHANT E-COMMERCE WEB SITE
Where is your card data at risk? Electronic card data (even though merchant doesn’t capture or store it) because of weaknesses on merchant website Electronic card data at a third party (e-commerce hosting, service provider, shopping cart provider, etc.) TYPE 9 OVERVIEW TYPE 9 THREATS TYPE 9 RISKS TYPE 9 PROTECTIONS MERCHANT E-COMMERCE WEB SITE
Modified p. 41
E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider. 9 LOWER How do criminals get your card data? They steal card data from service providers using a variety of methods (install malware, via misconfigured software, etc.).
E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider.
Modified p. 42 → 43
Use strong passwords Protect card data and only keep what you need Ask your vendor partners for help if you need it Protect in-house access to your card data E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider. 9 LOWER How do you start to protect card data today?* TYPE 9 OVERVIEW TYPE 9 THREATS TYPE 9 RISKS TYPE 9 PROTECTIONS MERCHANT E-COMMERCE WEB SITE
Use strong passwords Protect card data and only keep what you need Ask your vendor partners for help if you need it Protect in-house access to your card data E-commerce merchant with fully-outsourced payment page/form. Payments sent by PCI DSS compliant third-party service provider.
Modified p. 42 → 43
PCI DSS COMPLIANT THIRD-PARTY SERVICE MERCHANT ROUTER / FIREWALL THIRD-PARTY PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant responsibility Third-party service provider responsibility *Click on the icons above for the Guide to Safe Payments and information about these security basics.
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL THIRD-PARTY PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant responsibility Third-party service provider responsibility *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Modified p. 43 → 44
E-commerce merchant fully or partially presents the payment page to customers. Payments sent from customer browser direct to PCI DSS compliant third-party service provider. 10 HIGHER For this scenario, risks to card data are present at above. Risks explained on next page.
E-commerce merchant fully or partially presents the payment page to customers. Payments sent from customer browser direct to PCI DSS compliant third-party service provider.
Modified p. 43 → 44
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant website may be hosted and managed by the merchant or by a third party hosting provider on the merchant’s behalf.
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant website may be hosted and managed by the merchant or by a third party hosting provider on the merchant’s behalf.
Modified p. 44 → 45
E-commerce merchant fully or partially presents the payment page to customers. Payments sent from customer browser direct to PCI DSS compliant third-party service provider. 10 HIGHER Where is your card data at risk? TYPE 10 OVERVIEW TYPE 10 THREATS TYPE 10 RISKS TYPE 10 PROTECTIONS Electronic card data because of weaknesses on merchant website (even though merchant doesn’t capture or store it) Electronic card data on the payment page MERCHANT E-COMMERCE WEB SITE
Where is your card data at risk? TYPE 10 OVERVIEW TYPE 10 THREATS TYPE 10 RISKS TYPE 10 PROTECTIONS Electronic card data because of weaknesses on merchant website (even though merchant doesn’t capture or store it) Electronic card data on the payment page MERCHANT E-COMMERCE WEB SITE
Modified p. 45 → 46
E-commerce merchant fully or partially presents the payment page to customers. Payments sent from customer browser direct to PCI DSS compliant third-party service provider. 10 HIGHER How do criminals get your card data? TYPE 10 OVERVIEW TYPE 10 THREATS TYPE 10 RISKS TYPE 10 PROTECTIONS They steal card data by compromising your website due to vulnerabilities or poor security practices, and changing your payment page to transparently take copies of your customers’ card data as sales go through They steal …
How do criminals get your card data? TYPE 10 OVERVIEW TYPE 10 THREATS TYPE 10 RISKS TYPE 10 PROTECTIONS They steal card data by compromising your website due to vulnerabilities or poor security practices, and changing your payment page to transparently take copies of your customers’ card data as sales go through They steal data by compromising your web application to change your checkout process or payment pages They steal card data from outsourced providers using a variety of methods …
Modified p. 46 → 47
E-commerce merchant fully or partially presents the payment page to customers. Payments sent from customer browser direct to PCI DSS compliant third-party service provider. 10 HIGHER How do you start to protect card data today?* Use strong passwords Protect card data and only keep what you need Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t …
How do you start to protect card data today?* Use strong passwords Protect card data and only keep what you need Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers easy access Use anti-virus software Get regular vulnerability scanning Use secure payment systems Protect your business from the Internet Make your card data useless …
Modified p. 46 → 47
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant responsibility Third-party service provider responsibility *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
PCI DSS COMPLIANT THIRD-PARTY SERVICE PROVIDER MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant responsibility Third-party service provider responsibility *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Modified p. 47 → 48
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website. 11 HIGHER For this scenario, risks to card data are present at above. Risks explained on next page.
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website.
Modified p. 47 → 48
TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant website may be hosted and managed by you or by a third-party hosting provider on merchant’s behalf. Merchant manages the payment page.
TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant website may be hosted and managed by you or by a third-party hosting provider on merchant’s behalf. Merchant manages the payment page.
Modified p. 48 → 49
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website. 11 HIGHER Where is your card data at risk? TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant responsibility Electronic card data at a third party (e-commerce hosting, payment gateway, shopping cart provider, etc.) Electronic card data because of weaknesses in your website server or infrastructure.
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website.
Modified p. 49 → 50
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website. 11 HIGHER How do criminals get your card data? TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS MERCHANT E-COMMERCE WEB SITE MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES Merchant responsibility They steal card data by compromising your website due to vulnerabilities or poor security practices. For example, SQL injection is a common technique used to steal data …
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website.
Modified p. 50 → 51
E-commerce merchant accepts card data using payment page presented to customers from own website. Payments sent via the merchant website. 11 HIGHER How do you start to protect card data today?* Use strong passwords Protect card data and only keep what you need Install patches from your payment terminal vendor Ask your vendor partners for help if you need it Protect in-house access to your card data Limit remote access for your vendor partners - don’t give hackers easy access …
How do you start to protect card data today?* TYPE 11 OVERVIEW TYPE 11 THREATS TYPE 11 RISKS TYPE 11 PROTECTIONS CHECKOUT PAY NOW MERCHANT E-COMMERCE WEB SITE MERCHANT ROUTER / FIREWALL MERCHANT PAYMENT PAGE MERCHANT SHOPPING PAGES INTERNET Merchant responsibility *Click on the icons above for the Guide to Safe Payments and information about these security basics. For simple definitions of payment and security terms, see our Glossary.
Modified p. 51 → 52
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network only. 12 PIN ENTRY DEVICE PIN ENTRY DEVICE CELLULAR NETWORK SECURE CARD READER (PAYMENT TERMINAL) SECURE CARD READER (PAYMENT TERMINAL) Secure card reader attached to merchant-owned off-the-shelf mobile phone/tablet Different devices are used to read magnetic stripe card data, enter personal identification number (PIN), and read chip card data Mobile payment terminal only connects to the Internet over the cellular network and does not use Wi-Fi …
PIN ENTRY DEVICE PIN ENTRY DEVICE CELLULAR NETWORK SECURE CARD READER (PAYMENT TERMINAL) SECURE CARD READER (PAYMENT TERMINAL) Secure card reader attached to merchant-owned off-the-shelf mobile phone/tablet Different devices are used to read magnetic stripe card data, enter personal identification number (PIN), and read chip card data Mobile payment terminal only connects to the Internet over the cellular network and does not use Wi-Fi For merchants when at non-fixed locations (flea market, trade show, etc.) Secure card reader is listed …
Modified p. 53 → 54
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network only. Type 12
How do criminals get your card data?
They use applications in “app store” that enable them to bypass the secure card reader and steal card data or PIN data when you download that app onto your phone/tablet.
How do criminals get your card data?
They use applications in “app store” that enable them to bypass the secure card reader and steal card data or PIN data when you download that app onto your phone/tablet.
Modified p. 54 → 55
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network only. Type 12
How do you start to protect card data today?*
Inspect your secure card readers and PIN entry devices for damage or changes
Install patches from your vendors
Ask your vendor partners for help if you need it
Protect your business from the Internet
Use a secure card reader and PIN entry device
Make your card data useless to criminals
Protect card data and only …
How do you start to protect card data today?*
Inspect your secure card readers and PIN entry devices for damage or changes
Install patches from your vendors
Ask your vendor partners for help if you need it
Protect your business from the Internet
Use a secure card reader and PIN entry device
Make your card data useless to criminals
Protect card data and only keep what you need
Protect in-house access to your card data
Limit remote access for your …
Modified p. 55 → 56
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi. Type 13
Diagram label: WIFI OR CELLULAR
For this scenario, risks to card data are present at the points marked above. Risks explained on next page.
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi.
Modified p. 57 → 58
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi. Type 13
Diagram label: WIFI OR CELLULAR
How do criminals get your card data?
They access merchant’s phone/tablet through insecure public Wi-Fi (no firewall and/or unknown security) to bypass the secure card reader and steal card or PIN data
They use applications in “app store” that enable them to bypass the secure card reader and steal card or PIN data when you download that app onto your …
Diagram label: WIFI OR CELLULAR NETWORK
How do criminals get your card data?
They access merchant’s phone/tablet through insecure public Wi-Fi (no firewall and/or unknown security) to bypass the secure card reader and steal card or PIN data
They use applications in “app store” that enable them to bypass the secure card reader and steal card or PIN data when you download that app onto your phone/tablet.
Modified p. 58 → 59
PCI-listed encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi. Type 13
Diagram label: WIFI OR CELLULAR
How do you start to protect card data today?*
Protect in-house access to your card data
Inspect your secure card readers and PIN entry devices for damage or changes
Install patches from your payment terminal vendor
Ask your vendor partners for help if you need it
Protect your business from the Internet
Limit remote access for your vendor partners - …
Diagram label: WIFI OR CELLULAR NETWORK
How do you start to protect card data today?*
Protect in-house access to your card data
Inspect your secure card readers and PIN entry devices for damage or changes
Install patches from your payment terminal vendor
Ask your vendor partners for help if you need it
Protect your business from the Internet
Limit remote access for your vendor partners - don’t give hackers easy access
Make your card data useless to criminals
Use a secure card …
Modified p. 59 → 60
Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet. Type 14
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET
A “virtual terminal” is a web page accessed by the merchant, for example, with a computer or a tablet
Merchant manually enters card data via their web browser into the virtual terminal
For merchants without a traditional payment terminal. They manually enter transactions one at a time and usually have low payment transaction volume (for example, those doing sales from home)
There are …
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET
A “virtual terminal” is a web page accessed by the merchant, for example, with a computer or a tablet
Merchant manually enters card data via their web browser into the virtual terminal
For merchants without a traditional payment terminal. They manually enter transactions one at a time and usually have low payment transaction volume (for example, those doing sales from home)
There are no card readers or terminals connected to the merchant’s device or network
Acquirer …
Modified p. 61 → 62
Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet. Type 14 - LOWER
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET; VIRTUAL TERMINAL FROM PCI DSS COMPLIANT PAYMENT PROCESSOR; ROUTER/ FIREWALL
How do criminals get your card data?
They access your phone/tablet through insecure public Wi-Fi (no firewall and/or unknown security) to steal card or PIN data.
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET; VIRTUAL TERMINAL FROM PCI DSS COMPLIANT PAYMENT PROCESSOR; ROUTER/ FIREWALL
How do criminals get your card data?
They access your phone/tablet through insecure public Wi-Fi (no firewall and/or unknown security) to steal card or PIN data.
Removed p. 62
Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet. Type 14 - LOWER
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET; ROUTER/ FIREWALL; TYPE 14 OVERVIEW, TYPE 14 THREATS, TYPE 14 RISKS, TYPE 14 PROTECTIONS; VIRTUAL TERMINAL FROM PCI DSS COMPLIANT PAYMENT PROCESSOR
How do you start to protect card data today?*
Use strong passwords
Install patches from your payment terminal vendor
Ask your vendor partners for help if you need it
Limit remote access for your vendor partners - don’t give hackers easy access
Use anti-virus software
Get regular vulnerability scanning
Use a firewall (or personal firewall software if using public Wi-Fi)
*Click on the icons above for the Guide to Safe Payments and information about these security basics.
Modified p. 63
Payment terminal encrypts card data via a PCI-listed Point-to-Point Encryption Solution. Payments sent to PCI-listed P2PE Solution Provider. Type 15 - LOWEST
Diagram labels: MERCHANT RESPONSIBILITY; PIN ENTRY DEVICE AND/OR SECURE CARD READERS (PROVIDED BY P2PE SOLUTION PROVIDER); PAYMENT TERMINAL (PROVIDED BY P2PE SOLUTION PROVIDER); P2PE INSTRUCTION MANUAL (PIM) (PROVIDED BY P2PE SOLUTION PROVIDER); MOBILE PHONE; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data
The solution is included on PCI’s List of P2PE Validated Solutions (hint: look …
Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet.
Diagram labels: MERCHANT PC; MERCHANT PHONE/TABLET; ROUTER/ FIREWALL
How do you start to protect card data today?*
Use strong passwords
Install patches from your payment terminal vendor
Ask your vendor partners for help if you need it
Limit remote access for your vendor partners - don’t give hackers easy access
Use anti-virus software
Get regular vulnerability scanning
Use a firewall (or personal firewall software if using public Wi-Fi)
TYPE 14 …
Modified p. 64 → 65
Payment terminal encrypts card data via a PCI-listed Point-to-Point Encryption Solution. Payments sent to PCI-listed P2PE Solution Provider. Type 15
Where is your card data at risk?
Diagram labels: TYPE 15 OVERVIEW, TYPE 15 THREATS, TYPE 15 RISKS, TYPE 15 PROTECTIONS; MERCHANT RESPONSIBILITY; MOBILE PHONE; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data; PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION; PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION; P2PE INSTRUCTION MANUAL (PIM) …
Payment terminal encrypts card data via a PCI-listed Point-to-Point Encryption Solution. Payments sent to PCI-listed P2PE Solution Provider.
Where is your card data at risk?
Diagram labels: TYPE 15 OVERVIEW, TYPE 15 THREATS, TYPE 15 RISKS, TYPE 15 PROTECTIONS; MERCHANT RESPONSIBILITY; MOBILE PHONE OR TABLET; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data; PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER; PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER; P2PE …
Modified p. 65 → 66
Payment terminal encrypts card data via a PCI-listed Point-to-Point Encryption Solution. Payments sent to PCI-listed P2PE Solution Provider. Type 15
How do criminals get your card data?
Diagram labels: TYPE 15 OVERVIEW, TYPE 15 THREATS, TYPE 15 RISKS, TYPE 15 PROTECTIONS; MERCHANT RESPONSIBILITY; MOBILE PHONE; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data; PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION; PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION; P2PE INSTRUCTION MANUAL (PIM) …
How do criminals get your card data?
Diagram labels: TYPE 15 OVERVIEW, TYPE 15 THREATS, TYPE 15 RISKS, TYPE 15 PROTECTIONS; MERCHANT RESPONSIBILITY; MOBILE PHONE OR TABLET; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data; PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER; PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION PROVIDER; P2PE INSTRUCTION MANUAL (PIM) FROM P2PE SOLUTION PROVIDER
They steal card data recorded on paper (written down/received from mail order/telephone …
Removed p. 66
Payment terminal encrypts card data via a PCI-listed Point-to-Point Encryption Solution. Payments sent to PCI-listed P2PE Solution Provider. Type 15
How do you start to protect card data today?*
Protect card data and only keep what you need
Inspect your payment terminals for damage or changes
Ask your vendor partners for help if you need it
Protect in-house access to your card data
Make your card data useless to criminals
Diagram labels: TYPE 15 OVERVIEW, TYPE 15 THREATS, TYPE 15 RISKS, TYPE 15 PROTECTIONS; MERCHANT RESPONSIBILITY; MOBILE PHONE; P2PE SOLUTION PROVIDER LISTED ON PCI SSC’S WEBSITE; Encrypted Account Data; Encrypted Account Data; PIN ENTRY DEVICE AND/OR SECURE CARD READERS PROVIDED BY PCI-LISTED P2PE SOLUTION; PAYMENT TERMINAL PROVIDED BY PCI-LISTED P2PE SOLUTION; P2PE INSTRUCTION MANUAL (PIM) FROM P2PE SOLUTION
*Click on the icons above for the Guide to Safe Payments and information about these security basics.
Modified p. 67 → 72
Infographics and Videos
Resource / Link URL
Infographic: It’s Time to Change Your Password
https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves
https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
Video: Learn Password Security in 2 Minutes
https://www.youtube.com/watch?v=FsrOXgZKa7U
Infographic: PCI Firewall Basics
https://www.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics.pdf
Video: Passwords
https://www.youtube.com/watch?v=dNVQk65KL8g
Infographic: Passwords
https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
Video: Patching
https://www.youtube.com/watch?v=0NGz1mGO3Jg
Infographic: Patching
https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
Video: Remote Access
https://www.youtube.com/watch?v=MxgSNFgvAVc
Infographic: Remote Access
https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Infographics and Videos
Resource / Link
Infographic: It’s Time to Change Your Password
https://listings.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves
https://listings.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
Infographic: PCI Firewall Basics
https://listings.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics.pdf
Video: Passwords
https://www.youtube.com/watch?v=dNVQk65KL8g
Infographic: Passwords
https://listings.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
Video: Patching
https://www.youtube.com/watch?v=0NGz1mGO3Jg
Infographic: Patching
https://listings.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
Video: Remote Access
https://www.youtube.com/watch?v=MxgSNFgvAVc
Infographic: Remote Access
https://listings.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf
Modified p. 67 → 72
PCI Data Security Essentials for Small Merchants and Related Guidance
Resource / Link URL
Common Payment Systems
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf
Small Merchant Questions for Vendors
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors.pdf
Small Merchant Glossary
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf
Evaluation Tool: Acquirer Overview
https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Acquirers.pdf
Evaluation Tool: Small Merchant Overview
https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants.pdf
PCI Data Security Essentials for Small Merchants and Related Guidance
Resource / Link
Common Payment Systems
https://listings.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf
Small Merchant Questions for Vendors
https://listings.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors.pdf
Small Merchant Glossary
https://listings.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf
Evaluation Tool: Acquirer Overview
https://listings.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Acquirers.pdf
Evaluation Tool: Small Merchant Overview
https://listings.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants.pdf