PCI Testing

Penetration Testing for the Business

The first question to ask is whether penetration testing is mandatory. PCI testing is a crucial process if your business is to remain safe. A lot of unfounded speculation circulates in the media because of misinformation, and traders who rely on untested claims expose themselves to possible fines for non-compliance. Any business owner should start by evaluating his or her PCI compliance, and working with experts in the PCI field will improve the validation process.

Frequently Asked Questions

Through our work of sharing knowledge on PCI, we encounter many questions, and we strive to give well-informed answers for the benefit of our clients.

Question: In version 3.0, the regulations state that I should perform penetration testing. While doing the test under version 2.0, I did not find any restrictions based on future improvements. Besides, is it a MUST to have version 3.0 testing?

Answer: Penetration testing under version 3.0 is a requirement of the PCI DSS. Although the testing itself is not new compared to version 2.0, there have been some improvements. The decision to restructure the guideline was made after the council recognized the importance of heightening cardholder security. It is, therefore, a must for any trader to conduct the PCI test under version 3.0.

Key Changes in PCI Penetration Testing

The following list shows the critical changes in PCI penetration testing:

  • The methodology adopted for PCI penetration testing must be an industry-accepted one.
  • Testing must cover both applications and networks to identify vulnerabilities.
  • The trader must perform penetration testing of both internal and external networks on an annual basis. Furthermore, the business should conduct testing after any change to the network infrastructure, or on request.
  • Any problem identified during testing must be fixed and retested to ensure it has been cleared.

Additionally, the following posts will help you understand the penetration testing process:

https://www.pcicomplianceguide.org/the-top-5-questions-to-ask-a-prospective-penetration-tester/

https://www.pcicomplianceguide.org/dont-be-fooled-theres-no-such-thing-as-an-automated-penetration-test/

The PCI Security Standards Council has published a penetration testing guidance document, available at the link below:

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

Accessing Credit Card Data by Phone

Is Taking Credit Cards by Phone PCI Compliant?

E-commerce has gained wide acceptance, and organizations are embracing phone payments to increase efficiency and, most importantly, to maximize their market performance. Whether to take credit cards by phone is a question that has troubled many traders, because they fear fraudsters. A PCI-compliant phone process has to be used to conduct these transactions.

How to Accept Credit Card Information by Phone

Many business owners have raised concerns over the accessibility of credit card data. Taking credit card information by phone while remaining PCI compliant can be a challenge, and questions about the authenticity and security of the data top the list of worries. It is also worth asking whether phones should be used to collect credit card information at all: since there is human involvement, the validity of the process could be questioned. The good news is that you can take credit cards by phone and remain PCI compliant!

How Taking Credit Cards via the Phone Works

Learn how you can take credit cards by phone by visiting our official site: www.pcicompliance.com.

Improving the Knowledge of PCI

It is essential to go through the document available from the PCI Security Standards Council. The information in that report explains the methods for protecting telephone-based card data.

How do you heighten the security of the Card Data?

The PCI compliance guidelines help you answer these compelling questions. You can access the services through the links provided below.

http://www.pcicompliance.com

https://www.pcisecuritystandards.org/

https://www.pcicomplianceguide.org

To enhance the security of your business and clients, make an appointment with the experts using the contacts provided on the site.

Don’t forget to subscribe to this blog for more tips and educative announcements.


PAN Storage and the PCI DSS

The Tricks of Storing PAN Data

PAN is an acronym whose meaning most people do not know. It stands for Primary Account Number, and it is necessary to protect and safeguard this information. The PCI DSS obliges you to conceal the data to avoid exposing customers’ personal information. Storing PAN data increases the risk to your business; if you have no business reason to store it, don’t.

If you have to store PAN data, you must comply with PCI DSS requirement 3.4. These are policies laid down to safeguard both the users and the clients. The stored card data has to be rendered unreadable through one of the following methods:

  • One-way hashes based on strong cryptography
  • Truncation
  • Index tokens and pads
  • Strong cryptography with associated key-management processes and procedures

The following paragraphs illustrate hashing in action.

Card-not-present transaction with card-present verification at time of pick-up: If you book a rail ticket online, you are required to produce the real card when collecting the ticket. This is used for verification purposes, to ensure you are the person who made the booking. The kiosk attendant might ask you to insert the card. To avoid storing PAN data, the rail operator can choose to store only hashed data.

Recurring payment transactions: Another illustration is a fraud management system that stores only hash values of PAN data. By storing only hash values within the fraud management system, you are not exposing real PAN data, even to fraud analysts.
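The following is an added example, not code from the original post, showing two of the requirement 3.4 methods listed above (truncation and a one-way hash based on strong cryptography) applied to the rail-ticket scenario: the booking system keeps only a keyed hash of the PAN and verifies the physical card at pick-up. The key, the Luhn check and the test card number are assumptions constructed for the example; in production the key would be held under the key-management processes the requirement calls for.

```python
import hmac
import hashlib

# Constructed for this example: a server-side secret used to key the hash.
# In a real deployment it lives in a key-management system, never beside the data.
HASH_KEY = b"example-key-do-not-use-in-production"

# Constructed test PAN (a well-known Visa test number; not a real account).
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (input sanity only)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep first six and last four digits (the most PCI DSS 3.x
    permits to be displayed) and mask the rest. Note that PCI DSS also warns
    against storing the truncated and hashed forms of the same PAN together
    without extra controls, because truncation shrinks the brute-force space."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way hash with strong cryptography. A plain SHA-256 of a PAN is
    brute-forceable because the PAN space is small, so the hash is keyed
    (HMAC): a copy of the database alone is useless without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_booking(pan: str) -> dict:
    """What the rail booking system retains: the hash, never the PAN itself."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return {"pan_hash": hash_pan(pan)}


def verify_at_pickup(record: dict, presented_pan: str) -> bool:
    """At the kiosk, rehash the presented card and compare in constant time."""
    return hmac.compare_digest(record["pan_hash"], hash_pan(presented_pan))
```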

How storage of PAN influences the scope of compliance

The only way to save yourself from PCI DSS compliance complications is to avoid storing PAN data. Storing it requires a great deal of validation to demonstrate that you have really adhered to the prescribed procedures.

Aligning your business requirements with a reduced PCI Scope

Securing stored PAN data is a sophisticated endeavor to engage in. However, if your business has a genuine need to do so, then it is worth getting right.

PCI Compliance

Merchants and Providers PCI Compliance

There has been tremendous growth in the number of organizations that accept credit cards. As technology changes rapidly, payment methods are also evolving. The desire to increase sales, and hence revenue, has attracted many businesses to the era of cashless payments. Although the convenience of credit cards is far more valuable than cash transactions, the risks have increased. Cases of fraud involving credit cards and other modes of online payment have hit the media headlines, signaling the seriousness of the matter.

Merchants have no clear understanding of their role in preventing the risks associated with payments. They know they are sellers but have little knowledge of their responsibilities in the transaction. This lack of awareness further exposes them to the repercussions that come with fraud. They should understand their responsibilities well in order to prevent such cases.

Do You Classify Yourself as a Merchant?

The PCI Security Standards Council (SSC) has defined the merchant in order to eradicate the confusion that might prevent the respective parties from understanding their roles. A merchant is defined as an entity that accepts transactions using cards bearing the logos of any of the PCI SSC members, such as American Express, Discover, JCB, MasterCard or Visa. More information about the members can be found at www.pcisecuritystandards.org.

Merchants should, therefore, adhere to the standards set out by the council. One of the major issues that every trader must be aware of is their service providers. Additionally, the parties involved in service delivery should understand their roles, to avoid breaching the stipulated policies.

Are you a provider of services?

PCI service providers are companies and individuals entrusted with processing, storing, and transmitting customers’ card data. Most of them are not aware of their obligations, which places them at greater risk of litigation for neglecting the security of their clients. This information is derived from www.pcisecuritystandards.org. Examples of service providers are hosting, billing, account management and back-office services, among others. These providers are not aware that they are service providers.

The Scope of Responsibilities of Being Both a Merchant and a Service Provider

Is it possible to be both a provider and a merchant? The question is answered by the PCI Security Standards Council definition. The council states that a merchant can accept cards for payment of goods and services and also act as a service provider by transmitting card data. The definition is backed by information from the following site: www.pcisecuritystandards.org

Building Trust with Customers as a Service Provider

Providing services to clients requires a clear demonstration of quality, through adherence to the PCI standards. This not only helps the image of the business but also protects the owner from fines imposed by the court. It all begins with validating PCI service provider compliance.

  1. Choose to complete a PCI level 1 assessment, which is carried out together with a Qualified Security Assessor (QSA). It is meant to ensure that providers protect customers’ data and mitigate cases of leakage.
  2. If you are not able to complete a level 1 assessment but qualify for level 2, you can perform a self-assessment, which requires completing the service provider SAQ.
  3. Work with merchants and assist them in meeting the PCI compliance requirements. The council has provided a document that can be used as a reference to cross-check the responsibilities of each party.
  4. Ensure that you appear in the Visa Global Registry of Service Providers. This is where merchants look to verify the authenticity of providers.

Compliance with PCI legitimizes your business and improves how it is perceived by the outside world. Every organization should understand its role and strive to uphold the laid-down policies.

PCI Compliance FAQ

What does PCI stand for?

The term PCI refers to the Payment Card Industry Data Security Standard, also known as PCI DSS. This is a set of standards to make sure any company that accepts, processes, stores, or transmits credit card information does so securely.

The PCI DSS is set and managed by the Payment Card Industry Security Standards Council (the PCI SSC) founded on September 7th 2006. This is an independent body set up by many of the large credit card brands including Visa, MasterCard, JCB, Discover, and American Express.

Security standards in the Payment Card Industry (PCI) are always improving to keep payment account security at its highest throughout the transaction process. The PCI council is not responsible for making sure the parties to a transaction follow the security standards; this is always down to the acquirer or payment brand.

Who does the PCI Data Security Standard (PCI DSS) apply to?

All organizations who accept, process, store, or transmit any credit card information should follow the PCI DSS. The number of transactions or size of the organization is irrelevant.

Can anyone see the PCI DSS?

Yes, the PCI Data Security Standard is published on the PCI Security Standards Council website.

What levels of PCI compliance are there? And which merchant falls into which?

Based on the number of Visa transactions a merchant has carried out in the past 12 months, they will fall into one of four levels. The number of transactions for a merchant Doing Business As (DBA) includes all prepaid, debit, and credit card transactions. Visa acquirers have to include the volume of transactions from all DBAs if an organization has more than one name that it does business as. If the corporate entity doesn’t aggregate transaction data for more than one DBA, Visa acquirers will carry on considering only the DBA’s individual transaction volume to work out what their merchant level is.

Visa defines the four merchant levels as follows:

1) Merchants processing over 6 million Visa transactions every year across all channels, or merchants classed as global level one merchants.

2) Merchants which process between one and six million Visa transactions per year across all channels.

3) Merchants processing over 20,000 and under one million Visa e-commerce transactions a year.

4) Only e-commerce merchants which process fewer than 20,000 Visa transactions per year.

Any merchant that has been compromised may be escalated to a higher merchant level by Visa.

What does a level 4 merchant need to do in order to comply with the PCI DSS requirements?

First, you will need to look at the following chart to work out which Self-Assessment Questionnaire (SAQ) your business must use to comply:


You then need to fill in the Self-Assessment Questionnaire that applies to your business.

If your business comes under the categories of A-EP, B-IP, C, D-Merchant, or D-Service Provider, you will need to pass a vulnerability scan with an Approved Scanning Vendor (ASV).

The Attestation of Compliance must be completed by a Qualified Security Assessor (QSA) or by the merchant to comply with the PCI DSS. It can be found in the SAQ tool.

Finally, the business must submit the Self-Assessment Questionnaire along with evidence of passing a vulnerability scan (if applicable), the Attestation of Compliance, and any other documents requested by your acquirer.

Does the PCI DSS still apply to me even if I only accept card payments over the phone?

Absolutely. Any business that stores, processes, or transmits transaction data has to comply.

Does an organization need to be PCI compliant if it uses a third-party processor?

Still yes. The company will still need to comply with the PCI DSS even if it uses a third-party processor. The only benefit is that it may decrease risk exposure and the effort required to prove compliance.

If a business operates from multiple locations, do they all need to show PCI DSS compliance?

Usually validation is only required once per year for all locations if your business locations all come under the same tax ID. You must also pass and submit a scan carried out by an Approved Scanning Vendor (ASV) if required under the Self-Assessment Questionnaire.

My business only does e-commerce, which Self-Assessment Questionnaire should I use?

This depends on which setup you use for the shopping cart section of your site. Take a look at this chart by ControlScan to work out which SAQ applies to you:

Does my business still need to comply with the PCI DSS if it doesn’t store any payment data?

Yes, PCI compliance applies to any organization that accepts credit or debit cards as a form of payment. It may be easier to comply with the PCI DSS if you do not store card data, as storing it always carries some level of risk.

Which cards are classed as in scope for PCI?

This includes any card branded with one of the five PCI SSC participating payment brands – Visa, MasterCard, JCB, Discover, and American Express. This applies regardless of whether the card is a debit, credit, or prepaid card.

I have an SSL certificate on my site, does this make me PCI compliant?

SSL certificates can’t prevent intrusions or malicious attacks, so they do not make a business PCI compliant. An SSL certificate secures the connection between the web server and the customer’s browser, and it shows that the website’s owners are a legitimate organization, but it does not