What a Processor Needs from a University
to Validate Compliance
Lisa T. Conroy
Merchant Compliance Manager
Vantiv
Disclosures
The information included in this presentation is for information purposes only, and is not intended as legal or financial advice. The information does not amend or alter your obligations under your agreement with Vantiv, or under the operating regulations of any credit card or debit card association.
This presentation is based upon information available to Vantiv as of the date of this
Agenda
• Define Industry Participants & Their Roles
• Reiterate Key Points on PCI DSS Applicability
• Define Merchant Levels & Validation Tools
• Discuss Validation and Reporting Process
• Explain Visa Small Merchant Data Security Mandates
• Describe Validation Enforcement, Fines, & Extensions
• Review Service Provider Levels & Validation
PCI Security Standards Council (PCI SSC)
• Global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security
• Standards Under Management
– PCI DSS – Merchants and Service Providers
– PA DSS – Software Application Developers
– PTS – Hardware Manufacturers
– P2PE – Merchants & Solution Providers
• Training & Certification Programs – QSA, PA QSA, P2PE QSA, ASV, PFI, ISA, QIR, PCI-P, PCI Awareness, Acquirer
The Card Brands
• Founding Members of the PCI SSC
• Executive Committee of PCI SSC
• Maintain Enforcement Programs
– Amex DSOP, Discover DISC, MasterCard SDP, & Visa CISP
Acquirers & Processors
• May or may not be the same entity
• Acquirers are responsible for ensuring merchants comply with the PCI DSS
Key Points to Remember
• It’s an Industry Standard
• PCI DSS applies to everyone – service providers and
merchants of all sizes!
• Even if you outsource some or all of your card processing, PCI
compliance and validation still apply
• Applies to all systems that store, process, or transmit
cardholder data – not just the ones for which you have been
explicitly told to validate compliance
Compliance vs. Validation
Validation: A snapshot of your compliance status
• Entails completion of the Self-Assessment Questionnaire (SAQ) or an On-Site Audit (depending on your merchant level) in order to “validate” that your organization is compliant according to PCI DSS requirements
• Also requires the quarterly submission of External Network Vulnerability Scans
Compliance: Ongoing security controls and procedures that help to protect your business on a 24/7 basis
• Entails continual adherence to the PCI DSS requirements
Validation does not necessarily mean Compliance
Visa & MasterCard Merchant Levels:
• Level 2: Any merchant, regardless of acceptance channel, processing 1-6 million Visa® or MasterCard® transactions per year
• Level 3: Any merchant processing 20,000 to 1 million e-commerce Visa® or MasterCard® transactions per year
• Level 4: All other merchants, regardless of acceptance channel
Level 1 merchants have more rigorous compliance validation requirements. Level 4 merchants also have compliance requirements.
Amex & Discover Merchant Levels
American Express:
• Level 1: 2.5 million or more American Express Card transactions per year (or if you've been selected as a Level 1 by American Express)
• Level 2: 50,000 to 2.5 million American Express Card transactions per year (Service providers: less than 2.5 million transactions)
• Level 3 Designated: Less than 50,000 American Express Card transactions per year and has been designated by American Express as being required to submit validation documents (merchants only; does not apply to service providers). American Express will contact these designated merchants and provide them details for reporting their security status by submitting PCI validation documents.
• Level 3: Less than 50,000 American Express Card transactions per year (merchants only; does not apply to service providers)
Discover:
• Level 1: All merchants processing more than 6 million card transactions annually on the Discover network; any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant
• Level 2: All merchants processing between 1 million and 6 million card transactions annually on the Discover network
• Level 3: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network
Merchant Validation
Who Determines Merchant Level?
• Acquirers/Processors are responsible for classifying merchants appropriately
• Periodic volume queries covering the prior 12 months
• The acquirer/processor sends formal notification to the merchant with validation requirements and timeline
Validation Considerations for Higher Education Merchants
• TALK TO YOUR ACQUIRER OR PROCESSOR!
• Consider working with a QSA
• Single assessment or separate SAQ per location
• Connectivity arrangements
Self-Assessment Questionnaires (SAQ)
Validation Enforcement & Extension Requests
• Potential fines are most likely in connection with level 1s, 2s, and 3s
• Fines levied at the corporate/university level
• Typically recur monthly or quarterly until resolved
New Visa Small Merchant Mandates
Level 4 Merchant Validation Programs
• Scalability challenges
• Partner with a QSA/ASV firm for an online validation portal and help desk support
• Implement non-validation fee programs
Third-Party Compliance
• Requirement 12.8 – Addresses Third-Party compliance within PCI DSS requirements
• Merchant is responsible for monitoring compliance status of Third Parties and ensuring the use of appropriate contractual language
• Use of Gateway/Service Provider does not exempt merchant from compliance requirements
• Potential to use SAQ A
Service Provider Levels
Validation Actions by Level:
• Level 1 – Any processor directly connected to Visa or MasterCard, or any service provider that stores, processes and/or transmits over 300,000 transactions per year
– On-Site Security Audit conducted by a QSA: Required Annually (Report on Compliance (ROC))
– Self-Assessment Questionnaire: Not Applicable
– Network Vulnerability Scans: Required Quarterly
• Level 2** – Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
– On-Site Security Audit conducted by a QSA: Not Applicable
– Self-Assessment Questionnaire: Required Annually
– Network Vulnerability Scans: Required Quarterly
**Effective February 1, 2009, Level 2 service providers were no longer listed on Visa’s List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.
Service Provider Validation
Service Provider Considerations
• Where possible, use only providers that have engaged a QSA for validation
• If you have a level 2 service provider that self-validated, only accept SAQ D
• Their areas of non-compliance are your risk
• If a provider states they cannot afford some aspect of compliance or validation, you may want to consider one that can
• Carefully review your contracts with service providers
Next Steps
• Talk to your processor
• Consider PCI SSC training programs
• If you are not validating compliance today, get started now!
Helpful PCI Resources
• PCI Security Standards Council – www.pcisecuritystandards.org
– PCI DSS, PA DSS, PTS, & P2PE Standards
– Downloadable Self Assessment Questionnaires
– List of ASVs, QSAs, PFIs, PA QSAs, QIRs, etc.
– List of PA DSS Validated Payment Applications, validated P2PE solutions, validated PTS devices
– Searchable FAQ Tool
– PCI Supporting Documents
• Visa® CISP website – www.visa.com/cisp
– Merchant & Service Provider Levels Defined
– List of CISP Compliant Service Providers
– Important Alerts, Bulletins and Webinars
• MasterCard® SDP website – www.mastercard.com/sdp
– Merchant & Service Provider Levels Defined
– List of CISP Compliant Service Providers
– PCI 360 Merchant Education Program – on demand educational webinars