P A Y M E N T S I N T E G R A T I O N S E C U R I T Y
paymetric.com
PCI Compliance
Understanding the Regulations for Securing Customer Data
Tokenization
Encryption
P2PE
Cardholder Data
PCI DSS
ePayment and Data Security
What is PCI compliance? Who does it apply to?

Any merchant, bank, service provider or processor that accepts, transmits or stores cardholder data.

With the increasing threat of security breaches, companies must take every precaution to ensure sensitive payment cardholder data is not compromised. The Payment Card Industry Data Security Standard (PCI DSS) outlines the steps merchants and service providers must take to ensure the safe handling of sensitive information.

This eBook provides a quick overview with some tips for safeguarding your customers' account and payment information.

Who does it protect?

YOU, as a merchant and as a consumer: over 21 million Americans were affected by a data breach last year, which is nearly 7% of the US population.

What is 'cardholder data'?

• Primary Account Number (PAN)
• Cardholder name
• Expiration date
• Service code

PCI DSS defines cardholder data as the full PAN at minimum, together with the cardholder name, expiration date and service code when they are stored or transmitted alongside it. Wherever the PAN is stored, processed or transmitted, that system is in scope.

The Penalties: How does non-compliance affect merchants?

• Up to $500,000 per incident
• Possible increase in transaction fees, or termination of the relationship with your bank
• Reputation costs (damage to the brand) due to lost customer trust

PCI DSS at a glance:

• Requires merchants and service providers to meet a minimum level of security standards to protect confidential customer information
• Mandates the use of firewalls, message encryption, computer access controls and antivirus software
• Requires frequent security audits and network monitoring
• Forbids the use of vendor-default passwords
12 standard requirements of PCI DSS

Goal: Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Goal: Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an information security policy
12. Maintain a policy that addresses information security for employees and contractors

This eBook focuses on how to protect cardholder data, which is addressed by requirements 3 and 4:

#3 Tokenization is effective in protecting stored cardholder data and other sensitive information or Personally Identifiable Information (PII).

#4 Encryption (P2PE) is a secure solution for transmitting cardholder data and sensitive information across open, public networks.
#3 What is Tokenization?

Tokenization is an effective approach for protecting stored cardholder data. It is a technology solution that keeps raw cardholder data from entering enterprise systems, and protects it during communication between, and storage within, enterprise systems. Paymetric's patented tokenization solution stores card numbers in an off-site, secure data vault. The payment card numbers are replaced with tokens in all other databases and applications, so the sensitive information cannot be accessed in the event of a security breach. Not storing cardholder data anywhere greatly reduces the scope of PCI DSS Requirement 3.

[Diagram, "how it works": Customer → Merchant → Payment Service Providers / Processor. The raw card number (1234) is captured outside the merchant's system and a token is returned in its place.]

This diagram shows how an ePayment solution prevents raw card numbers (1234) from ever entering a merchant's system. When a field comes up for raw card number entry, the ePayment solution captures the number outside of the merchant's ERP application, stores it securely in the vault, and returns a token in its place.

This enables the application to contain no usable credit card numbers, only tokens. This reduces the number of audit items by 60 percent, saving significant cost and time. An environment without raw credit card numbers may qualify for Self-Assessment Questionnaire (SAQ) C with 139 questions instead of SAQ D with 326 questions. And unlike an encrypted card number, a randomly generated token has no mathematical relationship to the card number, so it cannot be reverse-engineered to reveal it; only the vault can map a token back to the card.

Tokenization replaces a credit card number with a randomly generated code (token) of no value to hackers.
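The flow the diagram describes, as an added example in Python (this is illustrative code written for this page, not Paymetric's solution). The vault design, the token format (random digits with the card's real last four kept, deliberately failing the Luhn check), the HMAC-keyed lookup index and the test card number are all assumptions made for the example; the point it shows is that the merchant record ends up with nothing a PAN scanner would recognise, while the vault alone can map the token back.

```python
# Added example (not Paymetric's code): a minimal token vault showing how
# tokenization keeps the raw card number (PAN) out of the merchant's systems.
# The vault design, token format and sample card number are assumptions made
# for this example, not details taken from the eBook.
import hashlib
import hmac
import json
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum: every real PAN passes it, so it is used both to validate
    input before tokenizing and to recognise probable PANs in a data scan."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The off-site vault: the only component that ever stores a PAN.

    The lookup index is keyed on an HMAC of the PAN (assumed design) so the
    same card always maps to the same token without the index revealing the PAN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_fingerprint = {}     # HMAC(PAN) -> token
        self._pan_by_token = {}             # token -> PAN

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh random one if needed."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Random digits, keeping the real last four so reports and customer
            # service can still identify the card. A candidate that happens to
            # pass Luhn is rejected so the token can never be mistaken for a PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; there is nothing to 'decrypt'."""
        return self._pan_by_token[token]


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list:
    """DLP-style scan: 13-19 digit runs that pass Luhn are probable PANs."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def merchant_order_flow(vault: TokenVault, pan: str, amount: str) -> dict:
    """Simulates the ePayment flow: the PAN is captured outside the ERP,
    tokenized, and only the token is written to the merchant's order record."""
    token = vault.tokenize(pan)
    return {"order_id": "SO-1001", "card": token, "last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    test_pan = "4111111111111111"           # constructed test card number
    order = merchant_order_flow(vault, test_pan, "49.99")
    dump = json.dumps(order)                # what an attacker sees in the ERP
    print(order)
    print("PANs found in merchant data:", find_pans(dump))
    print("vault detokenize matches:", vault.detokenize(order["card"]) == test_pan)
```

Run stand-alone it prints the tokenized order record, an empty scan result for the merchant data, and True for the vault round trip. The same scan run over a record holding the raw PAN would flag it, which is the practical difference tokenization makes to an audit.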
#4 What is P2PE?

Point-to-point encryption (P2PE) is also included in the new PCI 3.0 guidelines, and it is important to understand how to reach compliance and the role of P2PE in a retail or call center environment.

P2PE ensures card numbers are encrypted at the PIN pad in the P2PE device and while in transit, all the way to the payment processor. The merchant's workstations and network only ever see ciphertext; decryption happens at the processor's end.

P2PE hardware is tamper-resistant and tamper-evident, which prevents somebody from gaining access to the data by modifying the hardware.

P2PE at a glance:
• Included in the new PCI 3.0 guidelines
• Technology solution that removes credit card numbers from the entire network and PCs
• Keeps sensitive cardholder data from entering call center systems

[Diagram, "how it works": Call center PIN pad → Point-to-Point Encryption → P2PE Service / Service Provider; the Merchant Data Center receives only a TOKEN.]

• Takes your network out of the cardholder data flow, removing it from PCI DSS scope
• Dramatically reduces PCI scope and costs
• Protects your organization from a data breach
5 ways to reduce PCI DSS scope:

1. Consolidate: Identify and eliminate redundant data sets, and consolidate applications and information storage.
2. Centralize: Store encrypted data in a highly secure on-site central data vault.
3. Encrypt: End-to-End Encryption (E2EE) or Point-to-Point Encryption (P2PE) ensures card numbers are encrypted at the point of sale and while in transit, all the way to the payment processor.
4. Outsource: Outsourcing all or some of payment card processing to a PCI DSS compliant service provider is especially relevant to companies conducting eCommerce transactions.
5. Tokenize: With card numbers stored in an off-site, highly secure data vault, tokenization replaces the card numbers with tokens in all other databases and applications.

The technique that works best for most Card Not Present (CNP) merchants is a combination of outsourcing and tokenization, as described above. Tokenization enables businesses to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications. Implementing tokenization makes compliance easier than replacing an existing application with a PCI DSS compliant one.
Make the Right Moves for PCI Compliance
Maintaining PCI compliance ensures that your organization reduces scope, reduces costs and minimizes the risk of falling victim to a data breach. Make sure that you are making the right moves to protect your cardholder data.

Contact Paymetric and let our experts show you how.
855-476-0134
www.paymetric.com
Want to learn more?

Podcast: Call Center Solutions. Keep sensitive cardholder data from entering your call center and dramatically reduce PCI scope and costs.

Datasheets: Paymetric P2PE. Remove call center workstations, virtual terminals, and keyboards from your PCI DSS Cardholder Data Environment.
Paymetric Data Security: proprietary tokenization solution.

Case Studies: Learn how we have helped over 700 leading worldwide brands streamline payment processing, improve security and minimize PCI DSS impact.

Thank you!
About Paymetric
Paymetric, Inc. is the global leader in integrated and secure electronic payment solutions for the enterprise, enabling companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance, and improve return on electronic payment acceptance. Paymetric is a recognized industry leader with award-winning solutions and world-class client service.
paymetric.comContact Paymetric at [email protected] or 1-855-476-0134 to learn more.
©2016 Paymetric, Inc. All rights reserved. The names of third parties and their products referred to herein may be trademarks or registered trademarks of such third parties. All information provided herein is provided “AS-IS” without any warranty.