Customer purchasing goods either as a "Card Present" or Card Not Present" transaction
-Receives the payment card and bills from the
... [Show More] issuer
Cardholder
-Primary Account Number (PAN)
-Cardholder Name
-Expiration Date
-Service Code
Cardholder Data Include:
-Full track data (Magnetic-stripe data or equivalent on a chip)
-CAV2/CVC2/CVV2/CID
-PINs/PIN blocks
Sensitive Authentication Data includes:
American Express
Discover
JCB International
MasterCard
Visa
Payment Brand
-Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa)
-Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Issuer
Organization accepting the payment card for payment during a purchase
Merchant
*Bank or entity the merchant uses to process their payment card transactions
*Receive authorization request from merchant and forward to Issuer for approval
*Provide authorization, clearing, and settlement services to merchants
*Acquirer is also called
--Merchant Bank
--ISO
--Payment Brand -Amex, Discover, JCB
--Never Visa or MasterCard
Acquirer
*Acquirer is responsible for merchant compliance
--Know payment brand compliance programs and how they apply to merchants
--Ensure that their merchants understand PCI DSS compliance requirements and track compliance efforts
--Manage Merchant communications
*work with merchants until compliance has been validated
--Merchants are not compliant until all applicable requirements have been met and validated
--Acquirer is responsible for providing merchant compliance status to payment brands
*Incur any liability that may result from non-compliance with payment brand compliance programs
Common Acquirer Responsibilities
*A service provider is a business that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
-Sometimes a service provider is a merchant
*Service Provider also includes companies that provide services (to merchants, service providers, or other entities), which control or could impact the security of cardholder data
Service Providers
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Standard 1: Build and Maintain a Secure Network and Systems
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Standard 2: Protect Cardholder Data
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Standard 3: Maintain a Vulnerability Management Program
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Standard 4: Implement Strong Access Control Measures
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Standard 5: Regularly Monitor and Test Networks
12. Maintain a policy that addresses information security for all personnel
Standard 6: Maintain an Information Security Policy
Install and maintain a firewall configuration to protect cardholder data
Requirement 1
Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 2
Protect stored cardholder data
Requirement 3
Encrypt transmission of cardholder data across open, public networks
Requirement 4
Protect all systems against malware and regularly update anti-virus software or programs
Requirement 5
Develop and maintain secure systems and applications
Requirement 6
Restrict access to cardholder data by business need to know
Requirement 7
Identify and authenticate access to system components
Requirement 8
Restrict physical access to cardholder data
Requirement 9
Track and monitor all access to network resources and cardholder data
Requirement 10
Regularly test security systems and processes
Requirement 11 [Show Less]