
Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)


Academic year: 2021



Program implementation details for merchants


In view of the rising number of credit card fraud cases, the card organizations MasterCard International and Visa International have initiated programs named MasterCard Site Data Protection (SDP) and Visa Account Information, respectively, to increase security during the storage, processing and/or transmission of card data. The card organizations have asked acquirers (merchant banks) to prove that you and your service provider have taken appropriate technical and organizational security measures to prevent card data from being compromised.

These programs are intended for service providers and merchants who store, process and/or transmit card data using their own systems.

If card data (governed by an E-commerce, MOTO or POS acceptance contract) are compromised, this could give rise to significant damage claims by the operators of the payment systems and acquirers. Consequently, you and your service provider must provide proof of having taken appropriate technical and organizational measures to protect card, transaction and account data against misuse and unauthorized access. In December 2004 (MasterCard) and February 2005 (Visa), the payment systems’ hitherto discrete technical requirements were merged to form the Payment Card Industry (PCI) Data Security Standard. In April 2008, the PCI DSS was supplemented by software evaluation according to the PCI Payment Application – Data Security Standard (PA DSS), Version 1.2.

Introduction

In September 2006, the companies American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International announced the founding of an independent body named PCI Security Standards Council (PCI SSC). This council is responsible for advancing the Payment Card Industry Data Security Standard (PCI DSS).

In October 2008, the PCI SSC updated PCI DSS Version 1.1 to PCI DSS Version 1.2. As of 31.12.2008, certification according to the old Version 1.1 of the standard is no longer accepted. The standard’s new version comprises

• PCI DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008)

• PCI DSS Self-Assessment Questionnaire, 1.2 (release: October 2008)

• PCI DSS Security Scanning Procedures, 1.1 (release: September 2006)

• PA DSS Requirements and Security Assessment Procedures, 1.2 (release: October 2008)

This version can be found at:


To prove compliance with the programs, you are subject to the following actions depending on your category (described further below):

• You perform an initial evaluation of your security measures using a PCI DSS Self-Assessment Questionnaire. This questionnaire must be newly filled out on an annual basis.

• Every year, the Internet interface operated by the merchant (if relevant) undergoes four PCI DSS Security Scans intended to detect weak points susceptible to attacks.

• Conformance to security requirements is examined on location through a PCI DSS Security Audit.

The table below provides an overview of the security checks required in accordance with the number of performed transactions.

Categorization according to MasterCard¹ and Visa² is based on the following criteria:

• Level 1:

- Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle more than 6 million transactions with MasterCard or Visa

- All merchants who have been targets of data compromise and misuse

- All merchants assigned to Level 1 on the basis of another credit card brand

- All merchants assigned to this category following assessment by MasterCard or Visa with the intention of minimizing risk to payment systems

¹ According to MasterCard Global Security Bulletin No. 1, 14th January 2005

² According to Visa Member Letter EU 06/05, 2nd February 2005

Merchant category   Self Assessment   Security Scan   Security Audit
Level 1             –                 4 x annually    1 x annually
Level 2             1 x annually      4 x annually    1 x annually*


• Level 2:

- Regardless of the distribution channel (POS, MOTO or E-commerce), all merchants who annually handle 1 million to 6 million transactions with MasterCard or Visa

- All merchants assigned to Level 2 on the basis of another credit card brand

• Level 3:

- All merchants handling 20,000 to 1 million transactions with MasterCard or Visa

- All merchants assigned to Level 3 on the basis of another credit card brand

• Level 4:

- All merchants handling less than 20,000 transactions with MasterCard or Visa, and not assigned to Level 1, 2 or 3

Compliance Validation by means of the PCI questionnaire, PCI Security Scans and PCI Security Audits is performed by accredited partners (PCI Qualified Security Assessor and PCI Approved Scanning Vendor) of the credit card organizations.

Advantages of PCI DSS for merchants:

The binding rules of PCI DSS enhance IT security and help prevent fraud. The added security during processing of payment cards in compliance with PCI provides the following benefits in particular:

• Increased data protection for your customers

• Higher level of customer confidence, potentially resulting in greater credit card usage and turnover

• High protection against security breaches which would lead to financial damage and claims for compensation

• Safeguarding of corporate image

• Evaluations of the security of systems for saving, processing and relaying data on credit card owners

• Lower entrepreneurial risk through minimization and avoidance of data disclosure

• Lower costs of PCI Compliance through structured networks

The individual steps involved in providing proof of PCI Compliance are described next.

As a Postbank P.O.S. Transact GmbH contracted merchant, you will have received a notification with information for accessing Postbank P.O.S. Transact's PCI DSS platform. Please register yourself on the platform and check the master data stored there for your company. After that, please follow the instructions and the platform's integrated help utility to demonstrate your PCI compliance.

Procedure

1. Registering on the PCI DSS platform

2. Merchant classification

3. SAQ Selection Wizard

4. Completing the SAQ


Merchants (Levels 2-4) must annually assess their technical and organizational measures by responding to the online PCI Self-Assessment Questionnaires prepared for this purpose.

Covering all six areas of the PCI Data Security Standard, the questions examine compliance with twelve requirements:

I. Build and Maintain a Secure Network

1st requirement: Establishment and maintenance of a firewall for data protection

2nd requirement: Modification of the default system passwords and other security parameters issued by the merchant

II. Protect Cardholder Data

3rd requirement: Protection of saved data

4th requirement: Encrypted transmission of card owner data and other sensitive information via public networks

III. Maintain a Vulnerability Management Program

5th requirement: Use and regular updating of anti-virus programs

6th requirement: Development and maintenance of secure systems and applications

IV. Implement Strong Access Control Measures

7th requirement: Restriction of access to data according to the need-to-know principle

8th requirement: Assignment of unique IDs to all persons with computer access

9th requirement: Restriction of physical access to card owner data

V. Regularly Monitor and Test Networks

10th requirement: Tracking and monitoring of all access to network resources and card owner data

11th requirement: Regular testing of security systems and processes

VI. Maintain an Information Security Policy

12th requirement: Maintenance of an information security policy


Security Scans are meant to reveal shortcomings in the investigated system’s architecture and configuration. Intruders could exploit such shortcomings in order to steal credit card data.

An accredited PCI certifier performs PCI Security Scans in compliance with the requirements laid down in PCI Security Scanning Procedures. Non-intrusive and non-destructive, these scans do not affect the availability or integrity of the target systems. Instead, the scans involve sending ordinary requests to the target systems essentially without disrupting their proper operations.

Via the Internet, the systems are examined for possible shortcomings by means of Security Scanners and manual analyses. The employed tools check for deficiencies in network components, operating systems and applications.

PCI DSS Security Scan

An appointment for a PCI Security Scan is agreed with you in advance. The PCI Security Scan is subsequently performed using standardized and defined PCI DSS Security Scanning Procedures. You receive the results of the PCI Security Scan in a report written in English. Formulated according to PCI DSS specifications, the report rates each detected shortcoming by assigning it to one of five categories (ranging from “low” to “urgent”). The scan is meant to systematically reveal all weak points and deficiencies which could permit the system to be infiltrated.

If the PCI Security Scan performed according to the PCI Security Scanning Procedures yields less than satisfactory results, you as the merchant must take appropriate measures to remedy the shortcomings. A new PCI Security Scan is then performed to ascertain whether your measures were effective.

1 https://www.pcisecuritystandards.org/pdfs/pci_scanning_


The PCI Security Audit comprises a check on-location for adherence to the PCI Data Security Standard. As part of the Security Audit, merchants categorized as Level 1 are subjected to additional tests described later on.

Preparation for a PCI Security Audit involves the following steps:

1. Formal application for obtaining the service from a certifier and provisional agreement of an appointment for a PCI Security Audit.

2. Delivery of documents for performing the Security Audit: The PCI certifier delivers documents titled “PCI Data Security Audit Procedures and Reporting” and “Guideline for the preparation of the PCI security audit” in electronic form to the customer. At the same time, the certifier issues a password and a public PGP key for safeguarding future communications.

3. An electronic online PCI Self-Assessment Questionnaire is released so that the customer can carry out an initial, optional assessment of their PCI compliance.

Step 1: Evaluating the information

The required information is submitted to the certifier no later than two weeks before the agreed Security Audit.

PCI DSS Security Audit

Step 2: Security Audit on-location

As part of the PCI Security Audit, the certifier carries out random, in-situ checks of the details confirmed in writing by the merchant in a document titled “PCI Data Security Standard – Requirements and Security Assessment Procedures”. Covering all six areas of the PCI Data Security Standard, the check includes:

• Scrutinizing the business model

• Examining how card transactions are performed with the employed IT systems (data flow)

• Conducting interviews with staff, especially those who

- perform security functions at the company

- have access to card data

- are responsible for maintaining and operating systems used to save, process or relay card data

• Viewing log files of relevant applications

• Inspecting relevant rooms such as the server room, the computer centre, etc.


Step 3: Report draft

The certifier prepares an informal report of the audit results on the basis of the document titled “PCI Data Security Standard – Requirements and Security Assessment Procedures”, and discusses the results with you.

Step 4: Provisional version of the report

Following mutual consultation, the certifier incorporates your feedback into the report draft and submits it to the payment systems. The payment systems review the draft and return it, accompanied by their own comments, to the certifier.

Step 5: Final version of the report

Taking into consideration the comments issued by the payment systems, the certifier amends the audit report and sends the final version to you as well as the payment systems.

If you have any questions relating to the Postbank Service Agreement for Card Acceptance, please do not hesitate to contact:
