PCI DSS Compliance

2015 Information Pack for Merchants

This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends you seek advice from a PCI-approved Qualified Security Assessor if you have questions or concerns about your business' PCI DSS compliance obligations. ANZ does not warrant the accuracy of this information and accepts no liability if you choose to rely on it. You must not circulate this pack to anyone outside of your organisation without ANZ’s written consent.

2

Contents

Section 1: Introduction to PCI DSS

Section 2: Being PCI DSS compliant?

Section 3: How can ANZ assist?

Section 4: Education Tools and References

3

Section 01 Introduction to PCI DSS

3

Acquirer Card Schemes PCI Security Standards Council (PCI SSC)

4

Overview of PCI DSS Roles and Responsibilities

Each of the following stakeholders play an important role in ensuring PCI DSS compliance for all organisations that store, process or transmit payment card information. PCI DSS is an industry requirement for all acquiring banks and their merchants.

Note: For details of American Express requirements, please speak to your American Express account manager.

The PCI Security Standards Council publishes and manages the standard.

Standards include: • PCI DSS • PCI PTS (Hardware) • PA DSS (Software)

Maintain lists of Approved Vendors for: • External network scanning • QSA Organisations, • Internal Security

Assessors • Payment Devices • Payment Applications

Ensure adherence to PCI standards by mandating timeframes for compliance, incentives, penalties and regular progress reporting.

Card Scheme Websites Provide: • Merchant Levels • Merchant Obligations • Compliance Dates • Education and training • List of registered PCI DSS

compliant Service Providers

Manage implementation of PCI Data Security Standards and the card schemes mandates with our merchants.

Report regularly to Visa and MasterCard on PCI DSS compliance progress of our merchants.

Provide education and support to ensure our merchants validate and maintain PCI DSS compliance

Merchant

• Complete an annual Self-Assessment Questionnaire or Onsite Audit

• Manage non-compliance remediation activities using the ‘Prioritised Approach’ tool

• Complete a compliant network vulnerability scan each calendar quarter

• Report your compliance status to ANZ each quarter.

• Use of PCI-DSS compliant service providers

• Use of PA-DSS certified best practice applications.

5

PCI DSS Compliance Is About Protecting Payment Card Data

If you want to accept payments via cards issued by the Card Schemes then you need to understand and comply with these standards. They form part of your Merchant Agreement.

PCIDSS applies to all merchants that store, process and/or transmit Payment Card Data - however the scope of its impact depends on what merchants solution you use and how you operate your business.

What is Payment

Card Data?

Security Code

Magnetic Stripe Contains Track Data

Chip

PAN

Expiry Date

Security Code

PCI DSS stands for Payment Card Industry Data Security Standard. The PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC) whose founding members are international card schemes. PCI DSS is about how Merchants are expected to protect Payment Card Data.

6

Reference: PCI SSC PCI DSS Quick Reference Guide

PCI DSS Regulates The Storing Of Payment Card Data

To reduce your PCI DSS obligations outsource the capture and processing of card data using a PCI DSS compliant service provider.

Where you must store card data the following table advises which elements can be stored and how the PCI DSS requirement section 3 relates to the security controls and key management required to store Payment Card Data.

What Payment

Card Data can

be stored?

7

PCI DSS Protects Data Through Data Security Controls

PCIDSS consists of 6 core principles which are accompanied by 12 requirements. Becoming PCI DSS compliant requires that you can show that you have addressed all of the requirements that apply to you. Depending on how your business handles Payment Card Data will govern how many of these principles will need to be complied with.

How you demonstrate compliance depends on your Merchant level and/or the type and number of payment channels.

Reference: PCI DSS Version 3.0

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other

security parameters.

Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement String Access Control Measures

7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to systems components 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes

Maintain an Information Security Policy

12.Maintain a policy that addresses information security for all personnel

Examples Of How PCI DSS Non-compliance Can Lead To An Account Data Compromise

The initial investigation has identified a number of non PCI DSS compliant practices within the merchant that could have contributed to unauthorised access to payment card data.

These include:

Multiple website vulnerabilities, identified using an ASV scan

Lack of updating new software releases and security patches

Stored email based orders that contain cardholder data

Use of non-compliant service providers such as a payment gateway, web host, shopping cart or POS application.

Insecurely stored paper records used to take telephone orders

Paper records used to transfer transaction details between systems

Default passwords were never changed.

Extract from Forensic Investigation Report

9

Consequences Of An Account Data Compromise (ADC)

● If you don’t protect payment card data and/or take steps to ensure that your service providers do the same, you could be subject to an ADC event.

● If you become the subject of an ADC event you risk financial penalties, the suspension or termination of your merchant facility and remediation costs.

● You also risk damage to your brand and reputation. While many cardholder data compromises in Australia go unpublicised some have resulted in adverse publicity through national media outlets.

PCI DSS

Compliance

PCI DSS can help to minimise the occurrence and impact of the theft of Payment Card Data from you.

Non-compliant Compliant

ADCs involve unauthorised access to cardholder data that is held within your business environment in either electronic or physical form. It is usually done by fraudsters who don’t care how large or small the business is.

Suspension or

termination

Brand Damage

Audit / Forensics

Financial Costs:

Remediation/Penalties

Enhanced Brand and Reputation

Increased Customer Confidence

Costs Controlled

Financial consequences associated with PCI DSS non-compliance

Account Data Compromises If you suffer an ADC event, the financial consequences of a data compromise include:

Fines if you have an Account Data compromise

Reason Visa assessments (up to in US$)

MasterCard assessments (up to in US$)

Account data compromise (ADC) Up to $400,000 $5,000 to $500,000

Additional PCI DSS non-compliance assessments post ADC

NA $100,000 per non-compliant requirement

ADC – operational reimbursement Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud

Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud

Failure to report an ADC NA Up to US$25,000 per day of non-compliance

PCI DSS non-compliance The financial consequences of PCI DSS non-compliance include:

Fines for not validating compliance

Violations per calendar year MasterCard (up to in US $) for L1 & L2

Merchants

MasterCard (up to in US$) for L3 Merchants

Visa ( up to in US $) for L1, L2 &

L3 Merchants

First violation 25,000 10,000 500

Second violation 50,000 20,000 5,000

Third violation 100,000 40,000 10,000

Fourth violation 200,000 80,000 25,000

Total of 4 violations per Merchant

375,000 150,000 40,500

In addition, we may have no choice but to terminate your merchant facility if PCI DSS compliance isn't achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which could limit your ability to gain a merchant facility from another bank.

10

11

PCI DSS Latest Developments News Flash

Historical Mandates

Visa Enforcement Plan for Level 1 and 2 merchants as well as Service Providers. Effective 1 January 2015 all service providers must be registered with the schemes and have validated their PCI compliance, Level 1 and 2 merchants must have validated PCI compliance or have a firm plan and budget in place to reach compliance within an acceptable timeframe and the bank and Visa.

PCI DSS version 3.0. Effective 1 January 2014, organisations must comply from 1 January 2015.

Visa Safe Harbour for L3-L4 merchants are protected by Visa fines when fully outsourcing payments processing to PCI DSS compliant Service Providers: Effective 1 January 2014.

PCI PTS (PIN Transaction Security) version 4: Released date, June 2013.

PA DSS approved applications should only be used for payment processing: Effective 1 July 2012.

PCI SSC ISA Certified for Level 1 & 2 internal assessments: Effective 30 June 2012.

PCI DSS Supplement Publications

The PCI Security Standards Council develops supplement guides for emerging technologies and areas for improvement such as managing service providers or dealing with terminal tampering. Refer to below examples of recent publications:

New guide for managing 3rd party service providers. https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf

Best Practice for maintaining compliance. https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Best_Practices_for_Maintaining_PCI_DSS_Compliance.pdf

Security Awareness Program https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

Skimming Prevention https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf

Prioritised Approach version 3.0 https://www.pcisecuritystandards.org/documents/Prioritized_Approach_v3.xlsx

12

Section 02 Being PCI DSS compliant

12

Determine Your Level And Reporting Obligations

Merchant Level Number of transactions per annum of either Visa or

MasterCard transactions

Level 1 > 6m

Level 2 > 1m and <6m

Level 3 < 1m and >20,000 ecommerce

Level 4 <1m and <20,000 ecommerce

Step 1. Determine your merchant level

● Your level is determined using the number of either Visa or MasterCard transaction per annum.

● Begin by identifying your merchant level, and keep track as your business grows.

● The ANZ PCI team also tracks your level and reports this through to the card schemes.

● Your merchant level determines how you validate PCI compliance.

● The PCI compliance requirements are the same for everyone, regardless of the transactions volume.

● Merchants are suspected of a data compromise they automatically become a level 1 merchants.

14

Determine Your Level and Reporting Obligations, Continued

Merchant

Level Reports Validation Method and Obligation

Level 1

• Annual AOC /SAQ

• ASV Scans every 90days

• Prioritised Approach Tool

• Must use an external Qualified Security Assessor (QSA) or

a PCI qualified Internal Security Assessor (ISA)

• Mandatory status reporting to ANZ

Level 2

• Must use an external Qualified Security Assessor (QSA) or

a PCI qualified Internal Security Assessor (ISA)

• Mandatory status reporting to ANZ

Level 3 • Self-Assessment

• Mandatory status reporting to ANZ

Level 4 • Self-Assessment

• Status reporting to ANZ upon request

Step 2. Understand the reporting obligations to validate compliance

● Assessments for level 1 require a Report of Compliance (ROC) and submission of the AOC.

● Assessment for level 2, 3 and 4 require a Self-Assessment Questionnaire (SAQ)to be submitted.

● Only PCI Security Council qualified assessors can validate compliance for level 1 and 2 merchants.

● Merchant must report their compliance status to ANZ each and every calendar quarter. Refer to reporting dates.

Reports to be provided to ANZ include:

An Attestation of Compliance (AOC) or Self Assessment Questionnaire (SAQ) to be provided each year on the anniversary date of the initial AOC.

Quarterly external vulnerability scan results.

Where non-compliant, quarterly updates using the Prioritise Approach tool.

15

How To Get Started With PCI DSS

Step 3. Start assessing your business to determine the scope

● When developing your project plan to remediate any gaps, consider changing business processes not just technology.

● Your website could be integrated with alternative integration methods to significantly reduce your efforts required to reach compliance, investigate hosted payment page and iFrame options with your service provider.

● Utilise your PCI DSS compliant service providers to help reduce your scope.

Recommended Actions

1 You will require good governance. Determine who in your business must be involved, you will

require both technology, business/operations areas and SMEs.

2 Run the external vulnerability scan using the ANZ PCI portal.

3

Document your current transaction flows and understand your assessment scope. This should include cardholder data flows, processes, people and systems. Consider how to de-scope by utilising compliant service providers.

4 Remove all sensitive data and delete any stored PANs immediately to eliminate risk.

5 Use the ANZ PCI Portal Wizard to determine your SAQ type.

6 Complete the SAQ and Prioritised Approach tool, if you are not PCI compliant.

7 Develop a project plan for remediation activities, along with a target compliance date.

8 Submit your reports to ANZ on the due dates.

PCI DSS SAQ Version 3.0 SAQ Guide

16

SAQ Description Requirements

Product Types

A Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

14

Payment Gateway Hosted Payment Page and iFrame OR Hosted shopping cart PCI Complaint Software As a Service (SAS)

A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

140

Direct post from the client side directly to the payment gateway, bypassing the merchant’s web server.

B Merchants using only: Imprint machines with no electronic cardholder data storage; and/or Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

41 Standalone terminal

B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

83 Standalone terminal with an IP connection

C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

73 Virtual terminal using a payment gateway

C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

140 Integrated terminal

D SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. Including: Merchant hosted ecommerce and cardholder data storage.

326 All other products, integration methods and combination of products.

Mandatory PCI DSS Reporting Due Dates for 2015

The 2015 reporting dates are set out below:

ANZ prepares Schemes Reports about the PCI DSS compliance of its Merchants on a quarterly basis. Merchants are required to submit their reports to ANZ by the due dates in the below table.

Q1 Q2 Q3 Q4

Start of Quarter 1 January

2015

1 April 2015

1 July 2015

1 October 2015

Due date to submit Quarterly PCI DSS reports to ANZ

13 March 2015

12 June 2015

11 September 2015

4 December 2015

Reports to be submitted:

External Vulnerability Scan PASS Results

Signed SAQ or AOC Must be provided on the anniversary date (once every 12 months)

Prioritised Approach report when not PCI compliant

18

In order to meet the various PCI DSS validation requirements, most Merchants will need to do the following types of things:

Understand your Merchant Level

Determine the scope of your Card Data Environment – that is, understand where and how Payment Card Data forms part of your payment processing activities

Complete a compliant Network Vulnerability Scan (every 3 months (ongoing)) for externally facing IP addresses if they form part of your Card Data Environment

Complete an annual PCI DSS Assessment of your Card Data Environment – onsite or SAQ as required – determine what SAQ applies to you

If you are a Level 1 or Level 2 Merchant, you will need to decide whether you will engage a QSA or go down the ISA path

Develop a plan to fix (remediate) any areas of non-compliance – use the ‘Prioritised Approach’ tool if required

Quarterly submit your compliant Scan and PCI DSS assessment update to ANZ by report date

Summary – PCI DSS Compliance Requires Good Governance

Keeping good records and an audit trail will help you stay on top of your PCI DSS requirements

19

Section 03 How can ANZ assist?

19

20

Dedicated ANZ PCI Compliance Manager to assist your business in reaching compliance with PCI DSS. ANZ PCI Compliance Manager provides education, support, management and reporting frameworks and engagement with expert information security resources to assist your business with journey to and maintenance of PCI compliance.

ANZ offers our customers regular planning session for PCI DSS, to identify activities, support requirements and reporting timeframes for the coming year.

Progress meetings as required to support your PCI program.

Access to industry benchmarks and best practice for PCI program management.

Participate in ANZ PCI DSS Merchant Forums - network, learn and share experience with other merchants.

ANZ Is Committed To Assist Merchants With PCI DSS Compliance

ANZ is proud of its achievements to date in helping its merchants address their PCI DSS compliance obligations and can provide the following support services to assist attaining and maintaining PCI DSS compliance.

21

Introducing the ANZ PCI Portal

ANZ can provide unlimited complimentary access to selected merchants to its ANZ PCI Portal (go to ANZ PCI Online Portal) with easy to follow User Guides.

PCI Compliance Validation Task

How the ANZ PCI Portal can help you

PCI Self Assessment

You can work out which SAQ is relevant to you by following the prompts in the ANZ PCI Portal or by calling the Vectra Service Desk. SAQs can be completed online, and then electronically filed in the Portal. Save time, environmentally friendly - paperless.

Vulnerability Scans

If you are required to perform a Vulnerability Scan you can do so through the ANZ PCI Portal by following the prompts in the ANZ PCI Portal.

Many options for your ASV Scans, you can choose to run immediately; run at a specific scheduled date/time, or schedule every 90 days to run automatically.

You can scan many IP Addresses concurrently.

Save money! Convenient.

Fully supported by a Help Desk

Manned by friendly approachable PCI Subject Matter Experts (help-desk based in Australia). Phone and email support provided on 1800 558 552 or anzsupport@vectrapci.com.au.

Expertise.

22

Section 04 Education Tools & References

22

23

The PCI DSS (Full Requirements) v3 offers guidance in preparing for your annual PCI DSS assessment (pp 10-18).

Guidance is offered on scoping, sampling, network segmentation, outsourcing relationships, wireless environments, use of third-party service providers/outsourcing, compensating controls and the conduct of the assessment.

Extract from the document shown below:

Determine the scope of your Payment Card Data Environment

24

Quarterly task – perform an external vulnerability scan

There are ongoing quarterly obligations associated with demonstrating (proving) your level of PCI compliance:

Quarterly Network

Vulnerability Scan

PCI DSS

Requirement 11.2

To ensure PCI DSS compliance, your organisation is required to complete a Network Vulnerability Scan, fix any non-compliant vulnerabilities, and then conduct a final compliant scan each quarter.

An external vulnerability scan enables you to assess the level of security from potential external threats. PCI Approved scanning tools test network equipment, hosts, and applications for known vulnerabilities; the scan is intended to identify such vulnerabilities so they can be corrected.

A network security scan is conducted in a non-intrusive way to remotely review networks and Web applications based on your external-facing Internet Protocol (IP) addresses provided. The scan will identify vulnerabilities in operating systems, services, and devices that could be exploited by hackers to target your company’s private network.

A full technical description of the scan scope can be found in this document on pages 15-20 of the ASV Approved Scanning Vendors Program Guide.

Note: a Vulnerability Scan may not be required if your payment processing page is bank hosted or hosted by a PCI certified payment gateway. This is usually merchants completing either the SAQ A, B, or C-VT versions. Quarterly Scans are compulsory if you qualify for either the SAQ C or SAQ D version

Recommendations For Planning Your Quarterly Scans

Quarter activity required to achieve a PASS scan results by the reporting due dates.

Definitions: ASV means approved scanning vendor

Week 1-4 Activities

If your annual Attestation of Compliance (AOC) expires in this quarter, you will be requested for an update AOC by the due date.

ASVs are required to make ongoing improvements to detect new vulnerabilities, so perform your scan early in the process to allow for any unexpected remediation.

For SAQ D merchants, where compliance is not achieved complete a “Prioritised Approach” report using the approved template.

Week 5-8 Activities

• Perform required vulnerability remediation.

• Report false positives to your ASV vendor.

• Complete annual audit activities for the AOC.

Week 9-12 Activities

• Ensure you have a compliant ASV scan and AOC or ROC.

• Where non-compliant, advise the remediation timeframe and where applicable update the “Prioritised Approach” report showing ongoing improvements and percentages.

• Submit all reports by the Due Date.

Week 9 - 12

Initial Scan

Submit Reports

Remediation

26

Completing a Self-Assessment Questionnaire

The PCI Council has combined the 2 reference documents which includes test procedures and the guidance into the single document to help your business complete the Self-Assessment Questionnaire.

Extract from PCI DSS Version 3 with the extended guidance below:

27

Annual assessment requirements for Level 1 & 2 Merchants

If you are a Level 1 or Level 2 Merchant, your PCI DSS Assessments must be conducted under the supervision of a Qualified Security Assessor or one of your own staff members certified as Internal Security Assessor.

Qualified Security Assessors Qualified Security Assessor (QSA) companies are organisations that have been qualified by the PCI Security Council to have their employees assess compliance to the PCI DSS standard – details of QSA’s located in Australia can be found at: QSA Organisations.

ANZ has strong relationships with several local QSAs and would be happy to facilitate an introduction.

Internal Security Assessors are organisations that have had staff qualified by the PCI Council. The Internal Security Assessor (ISA) Program consists of training from the Council to improve the organisation’s understanding of PCI DSS.

There are a number of requirements around ISA certification at this link ISA Training Information - including pre-registration of your organisation with the PCI Security Standards Council, expertise requirements for the staff participants, online training & assessment prior to attending the training, etc.

For Level 1 and 2 Merchants, choosing whether you will appoint a QSA or train your own staff through the ISA program is an important decision and will require time and resources. We recommend that you address these questions early so that you can comply with your annual assessment requirements.

28

What if you are PCI DSS non-compliant?

Merchants often find that they are non-compliant with PCI DSS after they have completed their annual assessment.

In addition, a merchant’s payment environment can change and just because PCI DSS compliance has been achieved at one point in time, does not mean that the Merchant will always be compliant.

PCI DSS recognises that Merchants may not be compliant and requires that the merchant develop a remediation plan to fix any areas of non-compliance – your remediation plan should List and prioritise any remediation activities required for PCI validation. This ensures that you're remediating with a risk based approach, dealing with the highest risks first.

The PCI Council has developed the PCI DSS Prioritised Approach and the PCI DSS Prioritised Tool and Instructions

Input results from your completed Self Assessment Questionnaire into the Prioritised Approach Tool to provide an assessment of priority to remediate non-compliant requirements, based on risk. The Prioritised Approach Tool groups the PCI DSS requirements into risk-based ‘Milestones’.

It is important that you are able to demonstrate your commitment to rectify any areas of PCI DSS non-compliance by developing and implementing a remediation plan that is acceptable to ANZ. This can assist in minimising any Card Scheme fines due to non-compliance.

Target compliance dates must be included.

PCI DSS education and references

Brochures and Guides

Webinars

Training

ANZ Fraud Minimisation, Data Security and Chargeback Guide

PCI SSC PCI DSS (Full Requirements) v3

PCI SSC Understanding the Intent of the PCI DSS Requirements

PCI SSC PCI DSS Quick Reference Guide

PCI SSC PCI DSS Prioritised Approach

PCI SSC Various other PCI DSS supporting documents

PCI SSC PCI FAQS

Visa Guide for Staying PCI Compliant

MasterCard PCI 360 Merchant Education Webinars

APCA Get Smart About Fraud Online

PCI SSC PCI DSS Awareness Training Online

PCI SSC Internal Security Assessor (ISA) Training and Certification

The following information may be helpful in further understanding your PCI DSS obligations:

29