Merchante Solutions - Security

Merchant e-Solutions (MeS) Overview
• Started in 1999
• Headquartered in Redwood City, CA, with an operations center in Spokane, WA – 200 US employees
• Cielo – largest processor in Latin America – 1,800 employees
• Won Stevie Award in 2012 for excellence in customer service
• Innovative Technology and Proprietary Platform, Payment Gateway
• Processes 14 billion annually for 70,000 merchants
• In 2012, 57% of our business came from ecommerce customers
• PCI Compliant
Securing Card Acceptance
• Securing the system
• Securing the transaction
Security Timeline
• 2001 – Visa mandates CISP (Cardholder Information Security Program)
• 2004 – In a joint effort, Visa and MasterCard create the industry standard PCI DSS (Payment Card Industry Data Security Standard)
• 2006 – PCI Security Standards Council takes over all documentation efforts for PCI
• 2008 – Acquirers must not board any non-PCI-compliant merchants
• 2010 – Acquirers must ensure existing merchants are using PCI-compliant products and deactivate any non-compliant products
• 2013 – Chip cards
Card associations are still responsible for mandating all rules
CISP Mandates
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
Recent Statement Message
Point-of-Sale Security Tips! When it comes to hackers stealing your information, it may be easy to think "that will never happen to me." But you might be surprised to know that most attacks are directed against small companies and most can be prevented with a few small and relatively easy steps.
1) Change administrative passwords on all point-of-sale systems. Hackers scan the internet for easily guessable passwords.
2) Implement a firewall.
3) Avoid using computers with point-of-sale systems to browse the web.
4) Make sure the point-of-sale solution your business uses to process transactions meets Payment Card Industry (PCI) Data Security Standards (DSS). To confirm that third-party solutions are compliant, go to this link: www.usa.visa.com/download/merchants/cisp-list-of-pcidss-compliantservice-providers.pdf
Following these simple practices will help protect your business and your customers from credit card information security-related problems.
Everyone Responsible for Compliance
• Third Party Entities
• Merchants
• Acquirers and Processors
• Cardholders
PCI Validation Measures
Merchant Level* | Description
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region**
1 | Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Compliance Basics
Level | Validation Action | Validated By
1 | Annual On-site PCI Data Security Assessment and Quarterly Network Scan | Qualified Security Assessor, or Internal Audit if signed by an officer of the company; Approved Scanning Vendor
2 | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Approved Scanning Vendor
3 | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Approved Scanning Vendor
4* | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable) | Merchant; Approved Scanning Vendor
Importance of PCI Compliance
• Fines by acquirer for non-compliance
• Card association fines
• Breach risks
Importance of PCI Compliance (continued)
• TJ Maxx – 45.7 million cards exposed – $40 million fine
• Aloha – unknown – retailers out of business
• Citigroup – unknown
• Heartland – 100 million cards exposed
• Global Payments – unknown
• Individual Cardholder Fraud
Accepting the Card
• Goal is to get paid and not pay a lot for it
• Decrease chargebacks
• Add enhanced value for recurring customers
Fraud Tools
• Swiping transaction and capturing signature
• Clearing transaction in timely manner
• Address Verification (AVS) – address and zip
• Card Verification Value (CVV)
• Verified by Visa
• MasterCard Secure Code
• Chip Cards (2013)
• Validate Only
• Judgment Call
Non-use of fraud measures
• Results in higher interchange fees
• Integrity Fees
• Misuse Fees
• Chargeback Potential Increases
Example of Downgrade
• Swiped/CNP Purchasing B2B
• 2.40% plus $0.10 per item
• Downgrades – Purchasing Standard
• 2.95% plus $0.10 per item
Example of Adding Enhanced Value
• Swiped/CNP Purchasing B2B
• 2.40% plus $0.10 per item
• Downgrades – Purchasing Standard
• 2.95% plus $0.10 per item
• Purchasing Level 2 (adding customer code & sales tax)
• 2.05% plus $0.10 per item
• Purchasing Level 3 (adding line item detail)
• 1.95% plus $0.10 per item
Contacts
Cheryl Hansen
Davisware
847-426-6000 Ext 119
Angela Floyd
Merchant e-Solutions
803-968-1635