PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE

Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard
WAKEFIELD, Mass., 9 December 2016 — Incorrectly identifying where and how payment data is at risk in an organization’s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

“For years, we have preached the need to simplify and minimize the footprint of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “One way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.”

While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it’s critical that organizations understand and implement segmentation properly.

The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. “Knowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.”

Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. It also provides a method for facilitating effective scoping discussions between entities and is useful for:

  • Merchants, acquirers, issuers, and service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;
  • Assessors responsible for performing PCI DSS assessments;
  • Acquirers evaluating merchants’ or service providers’ PCI DSS compliance documentation;
  • PCI Forensic Investigators (PFIs) responsible for determining PCI DSS scope as part of an investigation.

It is important to note each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.

About the PCI Security Standards Council
The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.

Bluebird Auto Rental Systems Enters Business Partnership with CenPOS

Bluebird Auto Rental Systems announced that they have entered into a business partnership agreement with CenPOS, a Miami-based firm specializing in credit card platform solutions.

Founded by Jorge Fernandez in 2008, CenPOS is a “super gateway”, allowing Bluebird’s customers around the world to use any one of the various processors available in their region. It is EMV certified and uses Bluebird’s latest credit card platform: tokenization.

“We are excited about our partnership with Bluebird. With our deep connection to the automotive market, working with a partner like Bluebird is a natural fit,” commented Joey Orozco, Director of Sales. “We look forward to bringing our mutual customers an EMV-ready solution that is easy to use and ready to meet the demands of the rapidly evolving payment space.”

Current and prospective customers of Bluebird will have the services of CenPOS made available to them. “Through this partnership with CenPOS, we can jointly offer our customers an alternative to how they process credit cards now. Some use a separate standalone machine, and some use other gateways and processors,” stated Angela Margolit, President of Bluebird. “Our goal is to give our customers a choice.”

About Bluebird Auto Rental Systems

Bluebird Auto Rental Systems has been a leading provider of software for the vehicle rental and dealership service loaner industry since 1982. Bluebird’s auto rental application, RentWorks, is used around the world to manage the efficiency and profitability of vehicle rental operations of any size.

About CenPOS

CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Chip-and-PIN, or Chip-and-Choice? EMV Liability Shift For PIN Transactions

With EMV adoption well under way in the US, merchants whose terminals and solutions support it are in the next phase of decision making for their EMV environment: should I force chip and PIN when the issuer supports it, or should I allow chip and choice? It’s a tough decision, and the answer is not the same for everyone.

Point-of-Sale (POS) systems vary in both implementation and capability. For example, a salesperson for a popular POS solution I spoke to told me they don’t support chip and PIN. He actually said, “Since debit card processing costs are the same either way now with regulated debit, PIN doesn’t really matter any more anyway.” Not true.

Consider the implications for a specialty retail environment with higher average value transactions, such as building supply, automotive parts, and electronics.

RETAIL: HIGH VALUE

FORCED CHIP & PIN
  PROS: Maximize profit potential three ways. First, the highest security the card supports is used, which shifts counterfeit fraud liability to the issuer. Second, even with regulated debit there is still some financial differential for routing transactions via the debit network, though vastly decreased. Third, not all debit is regulated, and costs do vary.
  CONS: While consumers know their debit PINs, studies estimate consumers’ knowledge of credit card PINs at 5-10%. What is the financial impact if the customer cannot recall the PIN, fallback to signature is not allowed, and the customer has no other payment method?

CHIP & CHOICE
  PROS: Less friction at the point of sale, faster checkout.
  CONS: Potential losses under the US EMV liability shift rules, which require the highest level of security supported in order to shift liability back to the issuer; the rules may vary by brand for counterfeit, lost, and stolen cards.

As with everything EMV, there are many moving parts to certification for chip card acceptance. In order to have a choice, the merchant’s whole ecosystem, from terminal to payment gateway (if applicable) to acquirer, must support it, which may be a tall order.

IMPORTANT: This article highlights a few items and does not cover all brand, business type, transaction type, card type, nor reasons for determining liability. Refer to various card brand core manuals or your acquirer for more specific details about EMV and card acceptance rules.

RESOURCES & ARTICLES AROUND THE WEB

To avoid issues with broken outside links over time, please copy the URLs below into your browser.

https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html

Chip & PIN vs. Chip & Signature

Best article for thoroughness. October 2014 http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Chip-and-PIN, or Chip-and-Choice?

Worth a look. February 10, 2014, By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed. http://takeonpayments.frbatlanta.org/2014/02/chip-and-pin-or-chip-and-choice.html

Chip & Choice Keeping Security Flexible

From Visa web site today, great illustration on impact of choices in different market segments. https://www.visa.com/chip/clients-partners/issuers/credit-card-chip-technology/chip-and-pin-choices.jsp

Chip-and-PIN vs. ‘chip-and-sig’

Good global overview and stats. By Janna Herron, Bankrate.com, August 28, 2013
http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnE5Ps9
“What’s the difference? What separates the two is how each is authenticated at the register. Chip-and-PIN cards require a personal identification number to be entered to complete a purchase, much like how many debit card transactions are carried out now with magnetic stripe cards.”

Visa Core Rules AND OTHER CARD BRAND RULES

Merchant Alerts & Rules Links

Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card once or for recurring purchases. Is your form PCI compliant with the 2016 standards? This article, edited from my original contribution to Credit Today, covers the pitfalls of traditional paper authorization forms and their solutions.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key-enter each transaction for cards on file?

Credit Card Authorization Forms and PCI Compliance Rules

  • Not if the card verification code is on it. Per PCI DSS Requirement 3.2, sensitive authentication data, including the Card Verification Code (CVV/CVC), must never be stored after authorization, on paper or anywhere else. A Primary Account Number (PAN) on paper must be physically secured and destroyed when no longer needed (Requirement 9).
  • Only if the PAN itself is unreadable. Per PCI DSS Requirement 3.4, the PAN must be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) using one of the four cited approaches: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes. Encrypting the storage location is not the same as protecting the PAN with one of these methods.
  • No. Per PCI DSS Requirement 4.2, never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

      Rate name    Rate            Qualified rate reason
      Standard     2.95% + $0.10   Not all criteria met for another rate.
      Merit I      2.05% + $0.10   Key-entered or ecommerce, valid authorization, and other criteria met.
      Full UCAF    1.87% + $0.10   Ecommerce; cardholder authentication (UCAF) and other criteria met.

    To qualify for UCAF (Universal Cardholder Authentication Field, the field that carries MasterCard SecureCode cardholder authentication data), the customer must initiate the payment.

    Ecommerce includes an online pay page and other electronic payment channels the customer initiates.

  • No. If a customer authorizes you to store a card, then after the initial transaction all subsequent transactions must be sent with the correct transaction type, recurring or repeat sale, rather than key-entered as new sales.
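The three storage and transmission rules above (no CVV after authorization, PAN unreadable when stored, no cleartext PAN in e-mail) can be turned into mechanical checks. The following Python is an added example, not code from the original article, from CenPOS or from any gateway: it scans free text such as an outbound e-mail body for Luhn-valid PANs, truncates a PAN to the first six and last four digits as Requirement 3.4 allows, derives a keyed index token with HMAC-SHA256 so a card-on-file record can be looked up without keeping the PAN, and strips the CVV from a stored record. The sample record, the industry test card numbers and the HMAC key are constructed for the example; in a real deployment the key would live in an HSM or key-management service, and tokenization would normally be handed to the gateway.

```python
"""Added example: PCI DSS 3.2 / 3.4 / 4.2 helpers for card-on-file records.

Standard library only. Card numbers below are public test numbers, not
real accounts; the key and record are constructed for the example.
"""
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (avoids matching inside longer runs).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; it filters out
    most random digit runs such as order or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in free text, e.g. an
    outbound e-mail body (Requirement 4.2) or a scanned authorization form."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation: keep at most the first six and last four
    digits, masking the rest. Enough for receipts and support lookups."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash usable as an index token. An unkeyed SHA-256 of a
    PAN is brute-forceable (known BIN + Luhn leaves ~10^9 candidates), so the
    key must be kept outside the database that holds the tokens."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_record(record: dict, key: bytes) -> dict:
    """Turn a raw authorization-form record into one that may be stored:
    CVV dropped (3.2), full PAN replaced by a truncated form and an index
    token (3.4). Raises on a PAN that fails the Luhn check."""
    pan = re.sub(r"[ -]", "", record["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    out = {k: v for k, v in record.items() if k not in ("pan", "cvv")}
    out["pan_masked"] = truncate_pan(pan)
    out["pan_token"] = index_token(pan, key)
    return out


if __name__ == "__main__":
    # Constructed sample: an e-mail body mixing an order number, a test PAN
    # and a phone number. Only the Luhn-valid 16-digit run is reported.
    body = ("Order 1234567890123456 for A. Customer, card 4111 1111 1111 1111 "
            "exp 12/20, call 954-942-0483 with questions.")
    print("PANs in message:", find_pans(body))
    raw = {"name": "A. Customer", "pan": "5555 5555 5555 4444",
           "cvv": "123", "exp": "12/20"}
    print("stored record:", sanitize_record(raw, b"example-key-not-for-production"))
```

The Luhn filter removes most false positives such as order numbers, but this is a coarse check: a PAN split across lines or separated by other characters slips past it, so it belongs alongside, not instead of, the gateway's tokenization and a proper e-mail DLP policy.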

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to a web page to pay any invoice online. Acceptable implementation methods for PCI compliance changed in the last year or two. For the smallest PCI burden, send customers directly to the third-party payment gateway’s own web URL; the gateway may or may not be the same company as your processor. NOTE: if your own web site serves the payment form, rather than redirecting to the gateway or embedding a payment object (iframe) served entirely by the gateway, PCI DSS 3.0 brought your site into scope; any old forms should be reviewed and updated.

Electronic Bill Presentment & Payment (EBPP or EIPP). This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal and sends a payment request via text or email, which the customer clicks to pay. Integrated with billing software, it sends the actual invoice and may require the customer to log in to make the payment.

All the major payment gateways include a virtual terminal, a hosted pay page, shopping cart checkout capability, and tokenization to store card data for future orders. Some, including CenPOS, also offer EBPP.

If you accept cards over the phone, gateways that support an encrypting keyboard or keypad can reduce PCI scope, because the card number is encrypted in the device and cleartext card data never touches the merchant’s computers or network; only the gateway can decrypt it.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.