Tuesday, March 13, 2012

Self-Assessment Questionnaire C-VT Explained

With the newest version of the PCI DSS came a new SAQ type - SAQ C-VT. This particular SAQ form is geared toward a special branch of merchant. Even though SAQ C-VT qualifying merchants use the Internet to process credit card data, they do it in such a way that most of the responsibility of security is off-loaded to a third party. In order to qualify for SAQ C-VT, merchants must use a third party virtual terminal to process all credit card transactions.

A virtual terminal is just like it sounds a terminal for processing credit card transactions, without the use of a physical device. The virtual terminal would be a secure website provided by either your gateway or merchant account provider. To use the virtual terminal you would login using a username and password and then manually type in the customer card data for processing. The most common virtual terminals I can think of are the Authorize.net terminal and the First Data terminal.

Who it applies to:

Just about every merchant has access to a virtual terminal these days. Whether you use it exclusively or not will determine your eligibility for completing SAQ C-VT. Being able to complete SAQ C-VT really reduces the amount of work a merchant has to do to become PCI compliant. Because a merchant uses the Internet to access the virtual terminal, if they don't qualify completely for SAQ C-VT, they would have to complete SAQ C, which involves many more PCI DSS requirements.

The first qualifier for SAQ C-VT is that all credit card transactions must be processed through a virtual terminal. You can do half with a IP terminal and the other half through the virtual terminal. In addition to only using the virtual terminal, the provider must also be PCI compliant.

Once you have established that you only process through a PCI compliant virtual terminal, you must then look at your computer setup you use to access the terminal. First, the computer you use to access the virtual terminal must be a stand alone system. It can't be connected to any other computers through a network. The only connection it can have is to the Internet. Second, that computer must not have any software installed that will store card data. Third, the computer must not have any hardware attached that can read credit cards.

On top of the computer requirements a merchant must also meet the following policy and procedure requirements to be eligible for SAQ C-VT:
  • Merchant doesn't receive or send card data electronically other than through the virtual terminal (for example, through email, instant messaging, digital fax)
  • Only paper reports and receipts are kept
  • No cardholder data is ever stored electronically by the merchant
Given the nature of SAQ C-VT, merchants can either be a brick and mortar store, or a mail/phone operation. However, SAQ C-VT will never apply to a e-commerce merchants.

How to become Compliant:

With SAQ C-VT the steps to PCI compliance are much the same as the previous SAQ forms - conduct an anual audit, then fill out the SAQ C-VT form. Because all digital transactions go through a PCI compliant virtual terminal, no vulnerability scanning is needed for SAQ C-VT. However, because you do have an Internet connection there are extra requirements to ensure access controls to the virtual terminal are maintained.

SAQ C-VT contains requirement from 9 of the 12 PCI DSS sections. Those that apply specifically to the virtual terminal deal with restricting access to the virtual terminal and also maintaining the computer you use in a secure manner. Access to the virtual terminal and computer need to be restricted to those that have the need. The software on the computer needs to be kept updated and also protect the system with an anti-virus application.

Being able to complete SAQ C-VT can be a big time-saver for merchants. If you can adjust your method of processing to only utilize a virtual terminal, you will greatly reduce your requirements for PCI compliance. The smaller your security exposer is, the less time you need to dedicate to compliance, and can focus that much more on your core business functions.

Thursday, February 9, 2012

Self-Assessment Questionnaire B Explained

Self-Assessment Questionnaire B is probably the most popular of all the SAQ types provided by the PCI SSC. SAQ B applies to the majority of small business retail stores. SAQ B applies to the most basic and traditional methods of processing credit card payments. It basically addresses the simplest processing methods, from old style card imprint machines to the basic telephone dial-up card terminals. With only a few more requirements over what is needed for SAQ A, SAQ B is a simple and straight forward questionnaire for reporting your PCI compliance.

Who it applies to:

The first rule for SAQ B qualification is that you must not digitally store any credit card data. Just for reference, this rule applies to all SAQ forms except SAQ D. If you store any card data, you automatically fill out SAQ D, which is the entire PCI DSS.

For SAQ B there are 2 groups that merchants will fall into. First are the merchants that use the credit card imprint machines. This style of credit card processing is old, but there are still merchants out there who still use the knuckle-buster devices. For merchants using the imprint machines, special care will be needed to protect the physical access to the receipts. Because the these receipts contain the entire card number along with the expiration date for the card, this information is very sensitive. You will need to restrict access to only those employees who have a need for it. These receipts are your biggest security risk.

The second group that qualify for SAQ B are those merchants who use the simple dial-up card terminals. These terminals must be the standalone, dial-out type which connect directly to the phone line. Each time you process a card the terminal makes a call to your processor and transmits the information. There isn't a constant connection with these types of terminals. The easiest way to tell if you use a dial-up POS is to check if it plugs into the phone line, instead of a computer network cable.

Because of the qualifications for SAQ B, it usually applies to merchants with a physical store front and processes all transactions in person. These store owners are usually smaller merchants, due to the slower processing times for the dial-up terminals. Many of these shops will also only have one or two registers as well.

Even though the majority of SAQ B merchants are brick and mortar establishments, SAQ B can also apply to mail/telephone order operations. For mail/telephone order businesses the requirements for processing technology are the same as outlined above. The only thing to keep in mind for mail/telephone orders is that the card information can not be received electronically. For phone orders this isn't a problem. But for mail, the information must actually come in paper form, through the mail. It can't be emailed or digital fax, as that would violate the requirement of not receiving any card data electronically. As long as credit card numbers never touch a computer and you use the POS devices explained above, you are good to use SAQ B for PCI compliance reporting.

In summary, here are the bullet points to using SAQ B:
  • Only us imprint machines and/or standalone, dial-out terminals with phone line connection to processor
  • Dial-out terminals are not connected to any other computer, network, or the Internet
  • No card data is ever stored or transmitted in electronic format (no email, digital fax, instant messaging, etc). Only paper copies or receipts
  • You don't store any cardholder data in electronic format

How to become Compliant:

Becoming PCI compliant for SAQ B merchants is much the same as that for SAQ A. Because you don't store any electronic credit card data, and your card processing systems aren't connected to the Internet, you don't have to conduct any vulnerability scans. The real task is in complying with the requirements listed in SAQ B.

SAQ B covers 5 of the 12 PCI DSS sections. Only a portion of each section applies so the total number of requirements is small. The main requirement for SAQ B ensure that the card data is protected and also that policies are in place to prohibit the insecure transmitting of card data through services like instant messaging. SAQ B merchants must also develop policy and procedures for controlling access to physical copies of card data that might exist. Only employees that need to, should have access to the data.

Because of the limited exposure SAQ B merchants have to potential threats, their PCI requirements are small. With a little effort most of the requirement could be put into place in a very short time. With training and education employees can be taught what they need to know and do, in order to keep you secure and compliant with the PCI security standards.

As with all SAQ types, reporting compliance for SAQ B needs to be done each year. Before your compliance deadline each year review the SAQ B and audit your implementation for each DSS point. The current SAQ for can be found here. As the SAQ form moves from the most basic processing methods to the more complex the security requires become more in-depth and require frequent attention.

Thursday, January 26, 2012

Self-Assessment Questionnaire A Explained

Self-Assessment Questionnaire A is the most basic of all the PCI validation types. It was developed to address the needs of merchants who don't personally process any card data electronically. The requirements that apply to SAQ A merchants are very few. There are only two sections from the full PCI DSS that merchants must complete, for a total of 13 questions.

SAQ A only requires merchants to provide physical access security to cardholder data and also maintain policies that address information security for personnel. Even though there are only 2 sections presented in SAQ A, all merchants are required to comply with the PCI DSS in its entirety. If you have properly identified yourself as an SAQ A, then all other points not listed on the form won't apply to your specific situation.

Who it applies to:

Self-Assessment Questionnaire A focuses on merchants who don't have any face-to-face transactions (100% card-not-present) and also don't digitally store, process, or transmit any cardholder data. These types of merchants deal only in e-commerce and mail/phone orders. For payment processing SAQ A merchants rely solely on outsourced third party payment processors like PayPal or Google Checkout. This means that no card data ever touches your systems.

To clarify a little bit, if you are using PayPal, as an SAQ A merchant, you need to be using the setup where customers are physically directed away from your site to PayPal's before any card data is entered. The applicable PayPal implementations would be "Website Payments Standard" or "Express Checkout". If you use PayPal "Website Payments Pro" then an SAQ A is not the right form for you.

One more thing to note about the third party payment provider, in order for you to be eligible to use SAQ A they must be PCI compliant. You need to be able to confirm that they have gone through a PCI assessment and passed. Usually you can find this type of information on the service providers website, or by asking a sales agent. The company will need to produce a signed certificate of compliance.

The last point to determine eligibility for SAQ A has to do with storing card data. If you choose to store any data that your processor or customer might provide you, then it can only be received and stored in paper form. You can't have any data in an electronic format. For example if you do mail orders you can't have a customer email you his card information. Or if you get reports from your processor that have card data it can't be emailed to you.

In summary, here are the bullet points to qualifying for SAQ A
  • Only card-not-present transactions (e-commerce, mail/telephone orders)
  • Rely entirely on PCI compliant third party providers to process payments
  • Only receive and store card data in paper form (no electronic card data)    

How to become compliant:

Because of the way SAQ A merchants process data, their PCI requirements for reporting are very simple. Since they don't actually process, transmit or store card data, they don't need to scan any computer systems, review system configuration, or audit coding practices. The only real requirement is to make sure they meet all the requirement listed in SAQ A, then fill it out and submitted to their acquiring bank.

Merchants need to report their PCI compliance status every year. Each year before your compliance deadline you should review the current SAQ A form, which can be found here and conduct an audit of your policies and procedures. Check to make sure that everything is current and in line with what is required by the PCI SSC. By conducting an annual assessment of PCI requirements you can be sure you are maintaining a solid baseline of security to protect against potential threats.

Thursday, January 19, 2012

PCI Self-Assessment Questionnaire Explained

For the majority of merchants (levels 2 - 4) PCI compliance can be reported through the PCI SSC Self-Assessment Questionnaires (SAQ). Essentially the SAQ is a paired down list of requirements from the full PCI Data Security Standard (DSS). One key thing to remember however, is that just because the requirement doesn't show up on the SAQ questions, doesn't mean you don't have to follow it. With that said, the way the PCI SSC has configured the SAQ forms you probably don't have to worry about it too much. As long as you are using the correct form for the way you run your business you are good to go.

There are currently 5 different SAQ types, A, B, C-VT, C, and D. Each one focuses on a different type of merchant and how they process credit card data. For instance, SAQ B is for merchants that only have face-to-face customers and use dial-up card terminals, where as SAQ D addresses merchants that have Internet type terminals and store card data.

The key to selecting the right SAQ is being familiar with your payment process and your computer network. When it comes to credit card payments there are in-person and card-not-present payments. In-person would be those where the person can physically hand you the credit card to swipe, while card-not-present is your typical online transaction. Knowing which types of payments you have in your business will help in selecting the right SAQ.

There are also 3 basic types of payment terminals to be aware of. The first is the old imprint type, where you make a carbon copy of the card. Not many businesses use these anymore. Then there is the dial-up terminal. These types plug into a phone line (not the Internet) and must dial out every time a credit card is processed. These types of terminals are still widely used in many businesses. The last type are IP terminals, or ones with a connection to the Internet. These devices are very convenient because they are always connected to your processor and can conduct transactions very quickly. Most of the newest terminals are IP based.

The last area to cover, in determining your SAQ type, is your computer network configuration. This can get complicated quickly, but for SAQ purposes there is really only one thing you need to know: Does your business have multiple computers connected together or just a lone system. A few telling signs that you are running a network are the existence of things like an Internet router/modem, network switches/hubs,  numerous computer systems, and shared printers and other devices. Also the question of which type of network you have only comes into play when you use the IP terminals. Dial-up terminals by nature are not part of a computer network and simplifies your PCI requirements.

There are many SAQ Selector Tools out there that will guide you through the process of determining your SAQ validation type. These tools ask you simple questions about how you process card data and network configuration. With the basic knowledge outlined above you will be able to adequately answer the questions asked by such tools. The Aeris Compliance Engine (ACE) provides one to all merchants with an account. Once you know your SAQ type the next step is to report your compliance.

Now that we have a little bit more of a foundation to what a SAQ is, the next several posts will highlight each of the five SAQ forms and detail the types of merchants that should use them.

Thursday, January 12, 2012

Survey Says...PCI Works

I had a chance to listen to a webinar yesterday and thought I would share my thoughts on it. It was based on a new study that just came out. The study was conducted by the Merchant Acquirer's Committee (MAC) and ControlScan. Basically they sent out a survey to a bunch of acquirers, banks, ISO, processors and agents. The goal was to look at PCI compliance for level 4 merchants from the perspective of the acquirer.

For those that might not be familiar with all the PCI terminology, a level 4 merchant is basically a merchant that does less than 20,000 transactions a year. Merchant levels are based completely on transaction volume, and have nothing to do with the value of those transactions. This makes sense when you think of it from the angle that PCI is designed to protect card holder data. Merchants processing more unique credit cards carry more risk, and therefore more requirements for validation when it comes to PCI compliance.

OK, enough about that. On to the study. There were a few interesting findings that I wanted to mention, that might help out those acquirers and ISOs looking to implement a PCI compliance program for their merchants.

Work With Those That Know

First, the study touched on what acquirers and ISOs see as the main challenges to PCI compliance and establishing a successful program. There was a list of a few different ones but the biggest ones I thought were:
  • Lack of Resource to properly manage a program
  • Lack of PCI knowledge
The key to overcoming both of these is to partner with a good PCI compliance specialist. The study also mentioned that there are some out there trying to do this on their own. The study didn't mention this, but I would venture a guess that those trying to implement their own program are also those achieving the lowest levels of merchant compliance. PCI is a very complex beast. I have been involved for many years and still learn new things everyday. There are many different tools and programs out there to help you meet each of the 12 points in Data Security Standard. When it isn't your business, its not worth it to stay informed about all the changes and updates as they come out. Partnering with a third party provider for PCI compliance allows you to concentrate fully on your core business - resulting in more success in both arenas.

Stay in Touch with your Merchants

Second, the study confirmed that the more ways you communicate with your merchants the more success you will have. This sounds like common sense. I think we all experience this with any business we might work with. We get phone calls, emails, snail mail, and other advertising methods teaching us about what they do and how they can help. PCI compliance is no different. Education is a huge part to a successful program. Many Level 4 merchants might not know what is required of them, let alone how to implement a PCI compliance program of their own. The more contact points an acquirer has with a merchant the better the more likely it is that that merchant will follow through and become compliant. 

Along this same vain, the more tools a program offers the better the compliance rate will be. Beyond just the basic digital Self-Assessment Questionnaire and ASV Vulnerability Scanning there are many tools that add value to a compliance program. Some examples include:
  • Security Policy Builder
  • Security Awareness/PCI Training
  • Data Breach Protection Insurance
  • Credit Card Data Scanning
  • PCI Consulting and Education
Good programs will offer tools above and beyond the basics and work to keep them current and inline with the most recent PCI standards.

PCI Compliance Reduces Risk

For me, i think the biggest take away is the conclusion that PCI compliance does result in reduced risk and exposure for acquires, banks, and ISOs. The study found that those acquirers and banks with the highest levels of PCI compliant merchants experienced the lowest instances of data breaches. And really that's what it all comes down to. We all take on risk when we work in the payment card space, and we want to make it as small as possible. 

If you want to read the full study you can download it out here. Thanks again to MAC and ControlScan for conducting this study and making the finding available to the industry.

Wednesday, January 4, 2012

Welcome to Our PCI/Security Blog

Hello everyone. This is my first blog post. I just wanted to introduce the Aeris Secure Blog to the world and let everyone know what our goals and direction will be for our blog.

Our main focus will be on PCI compliance and education. Our posts will be geared towards teaching Acquirers, ISOs, and merchants the ins and outs of PCI compliance. Since Aeris Secure focuses on small- to mid-size merchants the majority of the content here will be focused on them and how PCI compliance applies to the smaller merchants.

We hope that all the information we provide will be beneficial for everyone that visits. To kick off our blog posts we will be starting with the basics of PCI compliance. We are going to cover the 5 different types of Self-Assessment Questionnaires (SAQ) provided by the PCI council for reporting compliance. We will cover each one in detail, going over things like who can use each SAQ type and what each of the specific requirements means.

Along the way we will also post up things we find interesting in the world of IT security and PCI compliance. We encourage everyone to comment and contribute to the discussion. We always love to hear what others are doing to become PCI compliant and how you are affected by it.

I hope you find the information we provide beneficial. For more information on who we are and what we do, visit our home page at aerissecure.com. You can find bios and company information on the About Us Page. For details on our products and services, check out the corresponding pages linked to on our home page.