Ruby VASC Instructor Guide


Module 8: PCI/PA-DSS Overview

Client Services, Training


Published: March 11, 2011

VeriFone, Inc.
Integrated Systems
300 South Park Place Blvd., Suite 100
Clearwater, FL 33759
Office: (727) 953-4000
Fax: (727) 953-4001

Printed in the United States of America

© 2010 VeriFone, Inc.

All rights reserved.

No part of this publication may be copied, distributed, stored in a retrieval system, translated into any human or computer language, or transmitted in any form or by any means, without the prior written consent of VeriFone, Inc.

The content of this document is subject to change without notice. The information contained herein does not represent a commitment on the part of VeriFone, Inc.

VeriFone, Inc. is a registered trademark of VeriFone, Inc.


Document Revision History

Revision  Date      Author    Description
1.0       02/12/10  John_B1   Original Documentation
1.1       03/11/11  John_B11  Changed Module number to 8

Published: 02/12/10 Page: 3


Subject: PCI/PA-DSS Overview
Skill Level: 2 - Intermediate
Time Involved: 1 Hour 30 Minutes

Objective(s)

Students will be able to:

• Demonstrate a knowledge of PCI-DSS and PA-DSS
• Explain how PCI-DSS impacts Merchants and VASCs
• Demonstrate the steps for a compliant installation
• Understand the Software Download Agreement

Documentation Needed

• Ruby VASC Instructor Guide: Module 8: PCI/PA-DSS Overview Module
• VASC Service Manual: Card Security
• PCI Handouts

Equipment Needed

• Pencils, pens, highlighters, and post-its for students

• 1 Ruby SuperSystem for each student (this includes power brick, Y-Cable, AC Power and a Printer), installed with the software application you are choosing to teach.

Class Preparation

Tables and chairs should be set up either classroom or U-shaped style. You will need 3’ of table space for each student.

Determine the application you will be using. This application will need to be installed on each student’s Ruby terminal.


Instructor Notes

Instruct and show students how to navigate to the Card Security section in the VASC Service Manual.

Points to Stress:

• To counter the growing identity theft and credit card fraud problem, the major credit card providers have joined together to introduce a compliance standard called PCI-DSS, the Payment Card Industry – Data Security Standard.

• PCI-DSS applies to any company that accepts card-based payments.

• PCI-DSS was developed to protect cardholder data. The PCI-DSS requirements cover security management, policies, procedures, network architecture and other critical protective measures.

• The PCI-DSS standard mandates that all merchants, service providers, and software developers follow 12 critical points to ensure that cardholder information, such as account numbers and PINs, is protected.

• Ignorance of how to be PCI compliant is not a defense. Some merchants believe that once compliance is set up, it’s DONE! That is not the case: merchants are responsible for remaining PCI compliant, and maintaining security should be a common goal.

Pass out the following handout to students:

VASC Handout – 12 Points for PCI-DSS

PA-DSS

PA-DSS stands for Payment Application Data Security Standard. PA-DSS applies to payment applications such as Ruby, Sapphire, and Topaz. The goal of PA-DSS is to protect account numbers and support a merchant's ability to comply with PCI-DSS.

Points to Stress:

• Where PCI-DSS is directed at merchant implementation, PA-DSS is directed at software vendors and provides standards for building, testing, distributing and supporting software that is meant for card payment processing. PA-DSS is also meant to give software vendors a guideline so they can facilitate a merchant’s ability to be PCI-DSS compliant.

• For each software application, VeriFone has a PA-DSS Implementation Guide that provides a breakdown, by topic, of what is necessary when installing a site to ensure PCI-DSS compliance. The PA-DSS Implementation Guide is available at all times on VeriFone’s Premier Portal. A new copy should be downloaded each time you visit a location for installation, and a copy should be left at the site for the merchant as part of the training.

The PA-DSS Implementation Guide is a living document that may be updated at any time; because of this, you should not retain old copies. You should ALWAYS download a fresh copy from the Premier Portal before providing it to a site or referencing it.

How Does PA-DSS Affect VASCs?

As a VASC, when performing software installations you must ensure the following:

1. Become familiar with the PA-DSS Implementation Guide and adhere to the procedures within this document when installing and upgrading card payment processing equipment.

2. The merchant's POS system is installed with the most current software application.

3. When configuring the site's card network, ensure the communication devices (routers, hubs, datawire, etc.) are protected and configured properly. If the site will be using TCP/IP configurations, work with the site's IT personnel to ensure the appropriate firewalls, port forwarding, and IP addressing are configured properly.

4. Work with the Site Manager to ensure the default UserIDs and Passwords for the POS system and computer systems have been changed prior to leaving the site.

5. For sites with a Sapphire Mini-Server, ensure the Site Manager is familiar with the LogIn switch. This switch should ALWAYS be in the UP POSITION. This will prevent users from receiving and transmitting data into the Sapphire.

   Should the site need help with a card transaction situation, it may be necessary for the VeriFone HelpDesk Agent to obtain card transaction information. The VeriFone HelpDesk Agent will instruct the site personnel to put the LogIn switch in the DOWN POSITION. After gathering the necessary information, the VeriFone HelpDesk Agent will instruct the site personnel to put the LogIn switch back in the UP POSITION.

6. Ensure the Merchant is given the following documents:

   1. Do’s and Don’ts Handout
   2. What Should I Do About PCI Compliance?


PA-DSS 14 Requirements for Vendors

Review the following 14 requirements for Vendors with the students.

1. Do not retain full magnetic stripe data or CVV2/PIN data
2. Protect stored data (including account numbers)
3. Provide secure password features
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementations
9. Never store cardholder data on a server connected to the Internet
10. Facilitate secure remote software update
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console admin access
14. Maintain instructional documents for customers, resellers, and integrators

Download Disclaimer on VeriFone’s Premier Portal

When downloading any application from VeriFone’s Premier Portal you will have to agree to the following disclaimer:

Download Acknowledgment of BUYPAK 5.04.16 Ruby Production Software

It is required that you print or download a copy of the PA-DSS Implementation Guide. Also, you MUST review the guide with the merchant and leave a copy with the merchant.

Make sure students are aware of this disclaimer when downloading software from VeriFone’s Premier Portal.
