PCI Security Best Practices and Payment Trends
By Lisa Fennell & Randy Schroder, NISC
Objectives
• Discover the methods hackers are using to steal your credit card data
• Review the Payment Card Industry Data Security Standard (PCI DSS)
• Discuss security best practices for payment processing to reduce risk
• Take a look at some of the latest trends in payment solutions
What we think we look like to an attacker…
• Services (web/mail/DNS)
• Web applications (Java, PHP, .NET)
• Employees
What we REALLY look like to an attacker…
Data Compromise - Internal
Statistics
• $50 Billion stolen annually from U.S. businesses by employees
• 7% of annual revenues lost to theft or fraud
• 75% of employees have stolen at least once from their employer
• 37.5% of employees have stolen at least twice from their employer
• 33% of all business bankruptcies caused by employee theft
Data Compromise - Internal
Employee Access
• In 2007 an employee (Database Administrator) of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.
• Another means a dishonest employee can steal a customer's card is through use of a small, battery-operated "card skimmer." This hand-held device reads a card's magnetic stripe and records the cardholder data for later download to a computer. From there, the numbers can be used to make unauthorized purchases or create counterfeit cards.
Data Compromise - External
External Vulnerabilities
• Firewall and Wireless network security
• Point of Sale system compromises
• Data decryption point and data storage
• Network communications sniffers
• Malware (Trojan Viruses)
• Social Engineering (Phishing)
Data Compromise - External
Firewall
• Capital One announced a massive data breach on July 29, 2019, reporting that a hacker accessed the information of over 100 million Americans and 6 million Canadians who have applied for credit cards since 2005.
• The breach took advantage of a misconfigured firewall to access the bank’s credit card customer data.
Data Compromise - External
Wireless
• In 2007, thieves used retailer TJX’s wireless networks to access systems that were used to store payment transactions at stores across the country for more than 45 million customer credit and debit cards.
Data Compromise - External
Card Terminals
• Older magnetic-stripe POS systems that haven’t been upgraded to chip-and-PIN are still vulnerable to malware.
• Deep insert skimmers are different from typical insert skimmers because they are hidden within the card reader transport.
Skimmers found at Walmart
An overlay skimmer made to be fitted to an Ingenico credit card terminal has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.
*Image provided by Brian Krebs of krebsonsecurity.com
Skimmers found at Walmart
• Here’s how this overlay skimmer looks when it’s attached.
• Think you’d be able to spot it?
*Image provided by Brian Krebs of krebsonsecurity.com
Data Compromise - External
Point of Sale
• Home Depot had 56 million credit and debit cards stolen in 2014, costing the company $63 million.
• Hackers used a vendor's stolen log-on credentials to penetrate Home Depot's computer network and install custom-built malware on self-checkout registers that stole customer payment-card data and e-mail addresses.
Data Compromise - External
Data Decryption
• Target had 40 million credit and debit cards stolen in 2013 when hackers compromised Target’s environment where card data was decrypted. Hackers used a vendor's sign-in credentials to install malicious software.
• Millions of the card accounts stolen were for sale on the black market, going from $20 to more than $100 per card.
Data Compromise - External
Network Sniffers
• In 2008, Heartland Payment Systems suffered what was then the largest-ever data breach, with 130 million credit cards stolen.
• The breach occurred when criminal hackers managed to sneak malware onto Heartland's network that sniffed card data that was processed and stored.
Data Compromise - External
Malware/Viruses
• In 2013, visitors to NBC.com affiliated websites were infected by a Citadel malware trojan virus through an Ad Banner from a third-party company
• Once injected, it seeks to capture personal information, including banking credentials
• The Citadel virus was only picked up by 3 out of 46 scanners (Fortinet, Panda and Rising), so it was very effective at eluding detection
• This virus invades computers through vulnerabilities in PDF and Java software
• To avoid being a victim, you should use the latest versions of Java or Adobe PDF
Data Compromise: Social Engineering
• Verizon Data Breach Report
• Cybercriminals increasingly using social engineering and phishing attacks to steal account credentials
• Stolen credentials used in 4 out of 5 breaches
• Attackers not creating new accounts
• Using accounts already there
• They’ve broken passwords and can hide out in regular traffic
The scope of PCI
• Major payment card companies formed the PCI Council
• Requirements are not a law - industry self-regulated
• Acquirer (i.e., Fiserv) is authority for SAQ selection
  • Merchants are contractually obligated to Acquirer to maintain compliance
• Mission is to protect card data and limit scope and risk
PCISecurityStandards.org
The scope of PCI
The primary account number (PAN) is the defining factor for cardholder data.
Cardholder Data also includes Cardholder Name, Expiration Date, and Service Code when combined with PAN.
The scope of PCI
Sensitive Authentication Data (SAD) covers additional data elements that may be transmitted or processed (but not stored):
• Mag-stripe or chip data
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks
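An added example (not from the original slides): a data-discovery check that applies the two scope slides above, flagging stored PANs as cardholder data and track data or card verification values as sensitive authentication data that should never be at rest. The log lines, key names and the `4111111111111111` test number are constructed; the Track 2 layout follows ISO/IEC 7813.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<3-digit service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Candidate PAN: 13-19 digits, optionally grouped with single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification values by key name. The key names are assumptions about how
# an application labels the field; "cid" can collide with unrelated identifiers.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2020-03-02 10:14:07 INFO payment ok token=tok_8f3a21 last4=1111",
    "2020-03-02 10:15:44 DEBUG card=4111 1111 1111 1111 exp=12/25",
    "2020-03-02 10:16:02 DEBUG raw_swipe=;4111111111111111=25121010000000000? cvv=123",
    "2020-03-02 10:17:30 INFO order_id=1234567890123456 shipped",
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits so the report does not re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (category, element, detail) findings for one line of text."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        pan, expiry, service_code = m.groups()
        detail = f"pan={mask_pan(pan)} exp_yymm={expiry} service_code={service_code}"
        findings.append(("SAD", "track2", detail))
    # Blank out track data so its digits are not reported again as PANs.
    remainder = TRACK2_RE.sub(" ", line)
    for m in CVV_RE.finditer(remainder):
        findings.append(("SAD", "CVV", m.group(1).lower()))
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other long digit runs
            findings.append(("CHD", "PAN", mask_pan(digits)))
    return findings


def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            report[number] = found
    return report


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        for category, element, detail in found:
            print(f"line {number}: {category} {element} {detail}")
```

The tokenized line and the 16-digit order number produce no findings; the second line is reported as cardholder data and the third as sensitive authentication data.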
PCI-DSS Requirements
Who does it apply to?
"PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)." (Emphasis PCI Council)
Payment Card Industry (PCI) Data Security Standard
Merchant Penalties for Non-compliance
• Merchant categories:
  • Level 3 Merchants are over 20,000 e-transactions
  • Level 4 Merchants are under 20,000 e-transactions
• Credit card penalties for PCI non-compliance:
  • Visa Monthly Fines (only level 3):
    • $5,000 for months 1-3
    • $25,000 for months 4-6
    • $50,000 for months 7 & beyond
  • MasterCard Monthly Fines (only level 3):
    • 1st year: $10,000
    • 2nd year: $20,000
    • 3rd year: $40,000
    • 4th year: $80,000
  • Fiserv Monthly Fines (both level 3 and level 4):
    • $19.95 per MID
Path to PCI Compliance
NISC has developed a Centralized Payment Gateway to transmit credit card data to First Data and is a Level 1 service provider audited annually by Trustwave.
Encryption and Tokenization
• Fiserv’s TransArmor solution replaces the primary account number (PAN) with a “token”
• Combines encryption and tokenization to protect data
• Fiserv warrants the token against compromise and fraudulent use
What are my options?
Determine which Self-Assessment Questionnaire (SAQ) applies:
• SAQ A: e-Commerce Only as Customer Self-Service
  • (SmartHub web/mobile, Pay Now and/or IVR SecurePay)
• SAQ B or B-IP: Card Terminals (Verifone) – only if no e-Commerce
• SAQ C-VT: PC-based Virtual Terminals – only if no e-Commerce
• SAQ D: e-Commerce + Card Terminals (Verifone) and/or PC-based Virtual Terminals
Note: PCI Compliance rules only apply to your employees and equipment handling cards, not to customers’ equipment.
Fiserv® Clover® Security Solution
• Easy-to-use online tool helps merchants quickly and easily achieve and maintain PCI DSS compliance
• Includes network scanning for merchants for quarterly scans
How does NISC help members with this?
• NISC has a CyberSecurity team for PCI assistance
• Subscribe to the NISC Community Cybersecurity and Payment spaces
• NISC’s PCI Toolkit provides clear direction and relevant downloads
NISC’s five-tier Cybersecurity Services arsenal
NISC’s CyberSecurity Educational Kit
NISC has developed a free tool kit available to Members which includes educational animations, social media options and other marketing materials such as bill inserts to help share the message of cyber security awareness.
NISC Payment Options for Customers
SmartHub Web or Mobile App
CallCapture Secure Payments IVR*
Pay Now Website (no registration required)
Auto-Pay Recurring Payments
NISC Payment Options for Employees
iVUE Cash Register with Verifone device*
One-time payments can be keyed, swiped or contactless on Verifone
New iVUE Connect Cashier Persona with Verifone Device*
Signing up for auto-pay is available
*No Network Isolation of PC required since card data is encrypted on Verifone card terminal and does not pass through PC
iVUE Connect or Cash Register with Verifone
Verifone MX925 and P200Plus
• EMV and Contactless Compliant
Front Counter with Glass using two Verifones
PCI & EMV - What’s the difference?
"PCI DSS provides a baseline of technical and operational requirements designed to protect account data."
Payment Card Industry (PCI) Data Security Standard, v3.2.1: https://www.pcisecuritystandards.org/document_library
"EMV® Chip Specifications describe the requirements...to enable secure contact and contactless transactions…"
EMV Payment Acceptance: https://www.emvco.com/about/overview/
Verifone’s VHQ web tool
VHQ is Verifone’s solution for monitoring/managing the devices
• Any software updates will be pushed from VHQ
Auto-Pay File Upload
Auto-pay file card numbers are tokenized in iVUE and not in PCI scope
Mobile Devices
Future integration of AppSuite with Verifone card terminal
• Keeps phone or tablet out of PCI scope
• Secure encrypted transmission of card data
Prepaid Billing Solution
Easy and Convenient
Increased control over energy costs
Smaller, incremental payments
Avoid security deposit
Appealing to all income brackets and age levels
NISC’s Prepaid Customers in 37 states
• 245 Live
• 36 in Progress or Scheduled
NISC’s Prepaid Customers
Payment Considerations for Prepaid
Typical customer pays 4 – 5 times per month
Payments must be convenient, 24/7 access
Higher percentage of unbanked customers
Consider credit card fees (4 times normal)
Consider # NSF checks for check payments
Payment arrangements are % based
US Payments Kiosks
• Indoor, Outdoor, and Through-the-wall models.
• Cash, check or charge payments.
• For more information please contact:
Tyler Bush, USP
Ph: 918-728-3822
MoneyGram real-time Payment interface
• Real-time cash payment interface for utilities at Walmart, CVS Pharmacy, and many other retail outlets.
• No setup or monthly costs to the utility
• Customer charged a $1.50 fee
Fidelity Express real-time Payment interface
• Fidelity Express real-time cash payment solution available at many “mom and pop” stores in 18 states.
• $2,500 setup fee from NISC.
• Customer fee is negotiated with FE (typically $1.50)
Western Union real-time Payment interface
• Western Union real-time cash payment solution at Walgreens and many other stores.
• No setup or monthly costs to the utility
• Customer pays $1.50 fee
• Online Locator: select “Quick Collect”
Online Bill Payment Services
A customer can enroll in their bill payment service to view their bill, or can simply pay it without enrolling.
Online Bill Payment Services
• Enrolled customers can see the PDF image of their bill and make payments
• Funds are deposited to utility’s account within 24 hours.
• Exception Handling for Rejects and Returns
Incomm/Cashtie future option in 2020
• “Vanilla Direct” will provide a real-time cash payment solution at Dollar General, Family Dollar, CVS Pharmacy and others.
• Barcode Integration with SmartHub Web & Mobile and AMS bill print.
Barcode Delivery Methods
Bill Statements, Prepaid Card, SmartHub Mobile, SmartHub Web