Module 8: PCI /PA-DSS Overview
Client Services, Training
Published: March 11, 2011
VeriFone, Inc.
Integrated Systems
300 South Park Place Blvd., Suite 100
Clearwater, FL 33759
Office: (727) 953-4000
Fax: (727) 953-4001
Printed in the United States of America
© 2010 VeriFone, Inc.
All rights reserved.
No part of this publication may be copied, distributed, stored in a retrieval
system, translated into any human or computer language, or transmitted in
any form or by any means, without the prior written consent of VeriFone, Inc.
The content of this document is subject to change without notice. The
information contained herein does not represent a commitment on the part of
VeriFone, Inc.
VeriFone, Inc. is a registered trademark of VeriFone, Inc.
Document Revision History
Revision Date Author Description
1.0 02/12/10 John_B1 Original Documentation
1.1 03/11/11 John_B11 Changed Module number to 8
Published: 02/12/10 Page: 3
Subject: PCI /PA-DSS Overview
Skill Level: 2 - Intermediate
Time Involved: 1 Hour 30 Minutes
Objective(s)
Students will be able to:
Demonstrate a knowledge of PCI-DSS and PA-DSS
Explain how PCI-DSS impacts merchants and VASCs
Demonstrate the steps for a compliant installation
Understand the Software Download Agreement
Documentation Needed
Ruby VASC Instructor Guide: Module 8: PCI /PA-DSS Overview Module
VASC Service Manual: Card Security, PCI
Handouts
Equipment Needed
Pencils, pens, highlighters, and post-its for students
1 Ruby SuperSystem for each student (this includes power brick, Y-Cable, AC Power and a Printer) installed with the software application you are choosing to teach.
Class Preparation
Tables and chairs should be set up either classroom or U-shaped style. You will need 3’ of table space for each student.
Determine the application you will be using. This application will need to be installed on each student’s Ruby terminal.
Instructor Notes
Instruct and show students how to navigate to the Card Security section in the VASC Service Manual.
Points to Stress:
To counter the growing problem of identity theft and payment card fraud, the major card brands joined together to introduce a compliance standard called PCI-DSS, the Payment Card Industry Data Security Standard.
PCI-DSS applies to any company that accepts card-based payments, and to any service provider that stores, processes or transmits cardholder data on a merchant's behalf.
PCI-DSS was developed to protect cardholder data. Its requirements cover security management, policies, procedures, network architecture and other critical protective measures.
The PCI-DSS standard mandates that all merchants, service providers, and software developers follow 12 requirements to ensure that cardholder information, such as account numbers and PINs, is protected.
Ignorance of how to be PCI compliant is not a defense. Some merchants believe that once compliance is set up it is DONE; that is not the case. Compliance must be maintained, and the merchant remains responsible for it. Maintaining security should be a shared goal of the merchant and the VASC.
Pass-out the following handout to students:
VASC Handout – 12 Points for PCI-DSS
PA-DSS
PA-DSS stands for Payment Application Data Security Standard. PA-DSS applies to payment applications such as Ruby, Sapphire, and Topaz. The goal of PA-DSS is to protect account numbers and support a merchant's ability to comply with PCI-DSS.
Points to Stress:
Where PCI-DSS is directed at merchant implementation, PA-DSS is directed at software vendors and provides standards for building, testing, distributing and supporting software that is meant for card payment processing. PA-DSS also gives software vendors a guideline so that their applications facilitate a merchant's ability to be PCI-DSS compliant.
For each software application, VeriFone has a PA-DSS Implementation Guide that provides a breakdown by topic of what is necessary when installing a site so that the installation supports PCI-DSS compliance. The PA-DSS Implementation Guide is available at all times on VeriFone's Premier Portal. A new copy should be downloaded each time you visit a location for an installation, and a copy should be left at the site for the merchant as part of the training.
The PA-DSS Implementation Guide is a living document that may be updated at any time; because of this you should not retain old copies. You should ALWAYS download a fresh copy from the Premier Portal before providing it to a site or referencing it.
How Does PA-DSS Affect VASCs?
As a VASC, when performing software installations you must ensure the following:
1. Become familiar with the PA-DSS Implementation Guide and adhere to the procedures within this document when installing and upgrading card payment processing equipment.
2. The merchant's POS system is installed with the most current software application.
3. When configuring the site's card network, ensure the communication devices (routers, hubs, Datawire, etc.) are protected and configured properly. If the site will be using TCP/IP configurations, work with the site's IT personnel to ensure the appropriate firewalls, port forwarding, and IP addressing are configured properly.
4. Work with the Site Manager to ensure the default UserIDs and Passwords for the POS system and computer systems have been changed prior to leaving the site.
5. For sites with a Sapphire Mini-Server, ensure the Site Manager is familiar with the LogIn switch. This switch should ALWAYS be in the UP POSITION. This prevents users from receiving and transmitting data into the Sapphire.
Should the site need help with a card transaction situation, it may be necessary for the VeriFone HelpDesk Agent to obtain card transaction information. The VeriFone HelpDesk Agent will instruct the site personnel to put the LogIn switch in the DOWN POSITION. After gathering the necessary information, the VeriFone HelpDesk Agent will instruct the site personnel to put the LogIn switch back in the UP POSITION.
6. Ensure the Merchant is given the following documents:
1. Do’s and Don’ts Handout
2. What Should I do About PCI Compliance?
PA-DSS 14 Requirements for Vendors
Review the following 14 requirements for Vendors with the students.
1. Do not retain full magnetic stripe data or CVV2/PIN data
2. Protect stored data (including account numbers)
3. Provide secure password features
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementations
9. Never store cardholder data on a server connected to the Internet
10. Facilitate secure remote software update
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console admin access
14. Maintain instructional documents for customers, resellers, and integrators
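Requirements 1 and 2 above say what a payment application must never keep, but a VASC checking a site also needs to recognise what retained track data and cleartext account numbers look like in a log or storage export. The following Python is an added example written for this module by the editor; it is not VeriFone code and not part of the original page. It scans constructed sample log lines for track 1/track 2 data, CVV2 values and Luhn-valid PANs, and shows the truncated form (first six and last four digits) that may be stored or displayed. The regular expressions, function names and sample lines are the editor's assumptions, not VeriFone formats.

```python
"""Added example (not VeriFone code): detect retained sensitive authentication
data (track 1/2, CVV2) and cleartext PANs in exported log lines.
Sample lines below are constructed for this example."""
import re

# Track 2: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code, discretionary data
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Track 1: %B PAN ^ NAME ^ YYMM expiry, service code, discretionary data ?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\??")
# Candidate PANs in free text: 13-19 digits, optional single spaces/dashes between them
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled card verification values (assumed log field names)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn mod-10 check; filters out most random digit runs (timestamps, batch ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Compliant display/storage form: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return a list of findings for one line; PANs are reported only in masked form."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        findings.append({"type": "track1", "pan": mask_pan(m.group(1))})
    for m in TRACK2_RE.finditer(line):
        findings.append({"type": "track2", "pan": mask_pan(m.group(1))})
    for m in CVV_RE.finditer(line):
        findings.append({"type": "cvv2", "pan": None})
    # Remove track data already reported so its PAN is not counted twice
    stripped = TRACK1_RE.sub("", TRACK2_RE.sub("", line))
    for m in PAN_RE.finditer(stripped):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "pan", "pan": mask_pan(digits)})
    return findings


def scan(lines):
    """(line number, finding) pairs for every violation found in the export."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample export: line 1 is compliant (masked PAN), lines 2-4 are violations,
# line 5 contains long digit runs that are not card numbers.
SAMPLE_LOG = [
    "2010-02-12 15:30:00 sale ok pan=411111******1111 amt=20.00",
    "2010-02-12 15:30:01 debug track2=;4111111111111111=25121011234567890?",
    "2010-02-12 15:30:02 debug track1=%B5555555555554444^DOE/JOHN^25121011234567?",
    "2010-02-12 15:30:03 refund pan=4012 8888 8888 1881 cvv2=123",
    "2010-02-12 15:30:04 txn id 20100212153000 batch 000123",
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: retained {finding['type']} pan={finding['pan']}")
```

Only the masked PAN is ever written back out by the scanner, so the report itself does not become another place where account numbers are retained. The Luhn check is what keeps timestamps and batch identifiers out of the findings; on a real export you would run the same scan over the terminal's journal, debug logs and any database dumps before leaving the site.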
Download Disclaimer on VeriFone’s Premier Portal
When downloading any application on VeriFone’s Premier Portal you will have to agree to the following disclaimer:
Download Acknowledgment of BUYPAK 5.04.16 Ruby Production Software
It is required that you print or download a copy of the PA-DSS Implementation Guide. Also, you MUST review the guide with the merchant and leave a copy with the merchant.
Make sure students are aware of this disclaimer when downloading software from VeriFone’s Premier Portal.
PCI-DSS Training Module