Post on 11-May-2018
About this Presentation…
This presentation was given initially at RSPA’s 2008 RetailNow Convention and later at Fall/Winter 2008 SPS-2000 Dealer Meetings. CRS thanks Datacap Systems, Inc. and Mercury Payment Systems for providing content and assistance in preparing this material.
SAM4s SPS-2000 PABP Update & Datacap Update
• The Issue
• The Problem(s)
• PABP Update & Training
• Regulatory Review
• Compliance Responsibility
• SPS-2000 Best Practices & Checklist
PCI: The Issue (What’s Going On Here?)
• Bad guys are stealing card info and using it to make fraudulent purchases, big time (and identity theft)
  – Characterized as big-time international electronic organized crime
  – Caught a ring responsible for TJ Maxx, Barnes & Noble etc. recently, but more out there
• Card Associations (Visa, MC, etc.) can’t charge anyone for fraudulent purchases, so they are losing $$$ and everyone’s rates rise to cover the losses and costs to pursue
• Involved merchants spend a lot of time and expense supporting pursuit
PCI: The Issue (What’s Going On Here?)
• Card fraud (and identity theft) is very expensive, disruptive and far reaching for card holders involved. They don’t pay for fraudulent charges, but it takes time and effort to document fraudulent charges, correct credit history and rating etc.
• Gov’t threatens to deal with it if the card industry can’t self manage, and has taken some steps at state and federal levels
• Everyone is/was storing card info in ways that make it easy to steal
Compromise Statistics: An Internet Problem?
[Chart: compromise cases by channel. Card Present 85%, Card Not Present 15%]
• About 5 out of every 6 cases is a traditional Brick and Mortar environment.
• Retail ‘Card Present’ Merchants are not aware of these risks! (“Not My Problem”)
• It’s not just an internet or e‐commerce problem.
Compromise Statistics: Which Systems are Problems?
[Chart: Cases By System Type. PC POS 84%, Shopping Cart 12%, Backend 2%, Mainframe 1%, Physical 1%]
• None of the systems were PA-DSS compliant (until recently)
• Majority of the cases involved a compromise of a PC based POS system
• But embedded ECRs? So… No Need to Worry?
  (Hint: using a compliant solution is not equal to being compliant)
Compromise Statistics: What Info is Stolen?
[Chart: Brick and Mortar Cases w/ Track Data Storage. Yes 99%, No 1%]
• Criminals target track data, security codes and PINs (storage is never permitted post authorization)
• 80% of breaches are level 4 merchants! Mostly in the restaurant space (though most card number loss is from level 1)
• Non‐compliant software packages stored track data and the merchants did not know until it was too late!
So What’s the Big Deal? Bottom Line
• Everyone needs to be compliant NOW
• Or be LIABLE for the consequences if/when they get caught (compromised)
• And the loopholes you are all thinking about ARE being closed
So What’s the Big Deal? New PCI (Visa) Small Merchant Mandates
• 01/01/08 Newly boarded merchants must not use known vulnerable payment applications – so acquirers now ask.
• 10/01/08 Newly boarded level 3 & 4 merchants must use PA-DSS validated applications or be PABP compliant (except hardware terminals)
• 10/01/09 Acquirers must decertify known vulnerable payment applications.
• 7/01/10 Acquirers must ensure all merchants are using PABP compliant applications.
• Visa excepts “hardware terminals” but:
  – Don’t/Won’t clearly define (Ambiguity is King)
  – “Tell” Merchants they MUST use compliant solutions
  – We’re all between a rock and a very hard place
So What’s the Big Deal? The Threat - How fines are assessed
• In proportion to total card numbers lost
• Based on type of lost data (Track data vs Account number and expiration date)
• Fines increase if additional factors are involved (Example: Storage of full track data; Attitude)
• Cover cost of reissuing cards ($20-$30/card)
• Can exceed $100,000 for loss of a modest number of cards
• Card association to ‘processor’ to merchant… no POS resellers sued yet… but ‘share-sies’?
Greatest Sales Opportunity for Dealers Since Y2K
• 10/1/08 – “Compliance” demonstration required when changing processors (seems that compliant middleware does it for embedded hardware users)
• 7/1/10 – Acquirers must ensure all customers are compliant - 2 Years to Upgrade or Replace ALL Non-Compliant Systems
Summary and Datacap Update
• Can fight it, but resistance is futile. Prepare to be assimilated. We all need to comply.
• And protect yourselves – ‘hold harmless’ letters recommended (need to get Visa/someone to be the heavy)
• More mandates coming 10/08. Probably based on further compromises and transition from data bases to data-in-transit.
• Datacap
  – PCI validation 2006 for NETePay and DIALePay/DataTran
  – PABP validation 7/08 on new Trans (TwinTran, IPTran, DialTran)
  – PABP validation on DataTran is fast tracking
Review: Regulatory Environment
• PCI DSS (Visa CISP + MC SDP + AmEx + Disc): Payment Card Industry Data Security Standard
• FACTA (receipt masking): Fair & Accurate Credit Transactions Act
• PABP (Visa Program): Payment Applications Best Practices
• PA-DSS (PCI version of PABP) New!: Payment Applications Data Security Standards
PCI DSS
• 2006 Release
• Industry Self-Regulation Standard
• 5 Largest Card Companies
• Covers Secure Networks, Cardholder Protection & Security Standards
• Enforceable by Card Company Fines & Sanctions
FACTA
• Started in States, evolved to National
• Allows consumers to see free credit reports, protects against identity theft, etc.
• Key Provision Covers Printing of Card Numbers:
  “No person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”
• Updated in 2008 to eliminate “pure expiration date” actions.
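The FACTA receipt rule quoted above, worked through in code. This is an added example, not part of the original presentation or of the SPS-2000 firmware; the 12–19 digit PAN length range, the "six or more digits" review threshold and the sample card numbers are constructed assumptions for the demonstration.

```python
import re

# Added example (not from the original slides): FACTA receipt truncation,
# i.e. print at most the last five digits of the card number and never the
# expiration date. PANs and amounts below are constructed test values.

PAN_RUN = re.compile(r"\d(?:[ -]?\d){5,}")  # six or more digits, separators allowed (assumed threshold)
EXPIRY = re.compile(r"(?<!/)\b(0[1-9]|1[0-2])/\d{2}(?![/\d])")  # MM/YY, but not part of an MM/DD/YY date


def facta_receipt_pan(pan: str, keep_last: int = 5) -> str:
    """Mask a PAN for the customer copy so at most the last five digits are visible."""
    digits = re.sub(r"\D", "", pan)          # drop spaces/dashes so the visible-digit count is exact
    if not 12 <= len(digits) <= 19:          # assumed sanity range for card numbers
        raise ValueError("PAN length out of range")
    if keep_last > 5:
        raise ValueError("FACTA allows at most the last five digits")
    masked = "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))  # regroup in fours


def facta_card_lines(pan: str, amount: str) -> list:
    """Card block for a receipt. The expiration date is deliberately not a parameter,
    so there is no code path that could print it."""
    return ["CARD: " + facta_receipt_pan(pan), "AMOUNT: " + amount]


def receipt_line_is_compliant(line: str) -> bool:
    """True if an already-formatted line exposes neither a long digit run nor an MM/YY expiry.
    A long transaction or reference number also trips PAN_RUN, so treat a failure as a
    line to review rather than proof that a PAN was printed."""
    return not (PAN_RUN.search(line) or EXPIRY.search(line))


if __name__ == "__main__":
    for ln in facta_card_lines("4111 1111 1111 1111", "$42.10"):
        print(ln, "OK" if receipt_line_is_compliant(ln) else "NON-COMPLIANT")
    # an unmasked line with an expiry, as a non-compliant receipt would print it
    print(receipt_line_is_compliant("CARD: 4111 1111 1111 1111 EXP 12/09"))
```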
PABP
• Adopted November 2007
• Used by PCI to help Acquirers Enforce Payment Application Vendors’ Compliance
• Validated & Vulnerable Applications are Listed
• Key Dates:
  – 1/1/08 Newly boarded Merchants may not use vulnerable applications
  – 10/1/08 Newly boarded Merchants must be PA-DSS validated or use PABP compliant solutions (except hardware terminals)
  – 10/01/09 Acquirers must decertify known vulnerable payment applications
  – 7/1/10 Acquirers must ensure that all of their merchants use only PABP compliant, validated Applications
• More Info at: www.pcisecuritystandards.org
PA-DSS
• Announced November 2007 by PCI Security Standards Council
• Based on Visa’s PABP
• PABP will transition into PA-DSS in 2008
• Validations migrate (carry forward)
• More Info at: www.pcisecuritystandards.org
Q: Compliance: Who is Responsible?
A. POS Manufacturer
B. Reseller
C. Payment Processor
D. Merchant
Answer: All of the Above
“Using PABP validated payment applications does not alone guarantee or ensure compliance with the PCI DSS…”
Resources For Dealers
• Retail Systems Provider Association (RSPA) www.GoRSPA.org
  – PCI News
  – DVD “Are you at Risk”
  – Handbook (Standard Documents & Letters)
  – Research & Reports
• Your Payment Processing Partners
• CRS Website
• Datacap Website and People
SPS-2000 Specific PABP
Topics: Encryption; Save Passwords (Employee/S-Mode); IRC of Card Numbers
For the System Programmer Installer:
• Each Employee should be set up as a separate employee with a unique EMPLOYEE ID in the employee file.
• There should be no “generic” employee log-in that all employees use.
SPS-2000 Specific PABP
For the System Programmer Installer:
• All Managers should be set up as separate employees with a unique EMPLOYEE ID in the employee file.
• All Manager IDs\Passwords should be changed from the default settings.
• When there is management turnover, all Manager IDs\Passwords should be changed.
SPS-2000 Specific PABP
Employee Programming Screen
[Screenshot of the employee programming screen with two callouts: “Must be Unique--NOT DEFAULT” and “Use Different Operating & Clock In Codes”]
SPS-2000 Specific PABP
For the System Programmer Installer:
• Managers must use the SIGN ON by MCR method.
• Refer to the SPS-2000 Program Manual Chapter: “Employee Time Keeping with MCR – Program Guide” for detailed setup instructions.
SPS-2000 Specific PABP
For the System Programmer Installer:
• It is recommended that Managers use the Strong Password method.
• Requires: Sign In Code & MCR Card Reader Enabled & Employee Sign On = EMPLOYEE # (New Option)
SPS-2000 Specific PABP
For the System Programmer Installer:
• Only Managers should have access to REP mode in the SPS-2000.
• If necessary, employee authorized reports can be done in REG mode through report macros, and employee authorized EFT functions such as tip entry can be done in REG mode through the EFT function key.
SPS-2000 Specific PABP
S-Mode Password Programming
• Set a unique Report Mode password & distribute only to managers
SPS-2000 Specific PABP
General Printing Options: Page 5
• Set Masking Option to YES
SPS-2000 Specific PABP
Memory Stick
• Insert into Bottom USB
• Records PABP.log (Audit Info)
• Merchants should secure these USB Memory Sticks (place in the safe each night)
SPS-2000 Specific PABP / When Using a Wireless Network…
6.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.
If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24-bit initialization value.
• Use ONLY in conjunction with WiFi Protected Access (WPA or WPA2) technology, VPN, or SSL/TLS.
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys.
• Restrict access based on media access code (MAC) address.
SPS-2000 Specific PABP / When Using a Wireless Network…
6.2 For wireless payment applications, and other wireless applications connected to cardholder data environments, verify that the wireless technology has been protected with a firewall configuration and that wireless vendor defaults have been changed per PCI Data Security Standard 1.3.8 and 2.1.1.
SPS-2000 Specific PABP
Merchant Training
• Merchants should be instructed that they must use due diligence in securing all printed credit card transactions and reports with card holder data printed.
SPS-2000 PABP Checklist
• Upgrade to Version 3.00g or above
• Unique Employee IDs
• Separate Manager IDs / Not Default Passwords
• Different Operating & Clock-In Codes
• Manager Strong Password (ID + MCR)
• REP Mode Restricted to Managers
• Set Masking to YES
• Install Memory Stick to Record PABP.log
• Comply with Security Req. when using wireless network
• Merchant Training
• Hold Harmless Letter to Merchants