
Page 1

July 2009

PCI (Payment Card Industry)

Irving Oil Marketing, Inc

Last Updated 9/2/09

Page 2

There are hundreds of requirements in the PCI DSS document, so it is best to compartmentalize them into manageable buckets. For a fuel retailer, Payment Card Industry (PCI) compliance breaks down into four buckets:

• Back Office
• Pumps & Pinpads Hardware
• Point Of Sale
• Fuel Brand

Page 3

PCI DSS Requirements “The Digital Dozen”

Page 4

Point of Sale

With the new rules around the Payment Card Industry, Visa and MasterCard have set new standards to protect cardholder data and reduce fraud for both debit and credit cards.

VISA PABP – Payment Application Best Practices

What is it?: Data protection for credit and debit transactions
How is it done?: Encryption of data on the POS system, in log files and databases
When is it due?: Date required: NOW
What if I do not do it?: Customer card data is at risk and the processor will turn off your ability to accept credit and debit transactions

PCI PA-DSS – Payment Application Data Security Standard (the PCI Security Standards Council's successor to Visa's PABP)

What is it?: Data protection for credit and debit transactions
How is it done?: Encryption of data on the POS system, in log files and databases
When is it due?: Date required: 07/01/2010
What if I do not do it?: Customer card data is at risk and the processor will turn off your ability to accept credit and debit transactions

https://www.pcisecuritystandards.org/

* Credit packages to process credit and debit are not offered if minimum requirements are not met

Page 5

Point of Sale and PCI DSS

Point Of Sale  | Product            | Website                | Version                          | PCI Compliant           | Irving Card Deck with Override
---------------|--------------------|------------------------|----------------------------------|-------------------------|-------------------------------
Retalix        | Store Point        | www.retalix.com        | 225, 227, 7001, 7002, 7904, R4.0 | Yes                     | Yes
Retalix        | Fuel               | www.retalix.com        | 1012, 1014, 1016, 1017           | Yes                     | Yes
Verifone       | Ruby Super System  | www.verifone.com       | 4.00                             | Yes                     | Yes
Verifone       | Topaz XL           | www.verifone.com       | 4.02                             | Yes                     | Yes
Verifone       | Sapphire           | www.verifone.com       | 4.02                             | Yes                     | Yes
Dresser Wayne  | Nucleus            | www.wayne.com          | 4.00                             | Yes                     | WIP
Gilbarco       | G-Site             | www.gilbarco.com       | N/A                              | No                      | No
Gilbarco       | Passport           | www.gilbarco.com       | 6.00.23.02M                      | PABP until version 8.20 | WIP
Pinnacle       | Palms              | www.pinncorp.com       | 2                                | Yes                     | No
Radiant        | RPOS               | www.radiantsystems.com | 6.7                              | Yes                     | WIP

For general recap and awareness only; consult the Visa web site and https://www.pcisecuritystandards.org/

Page 6

PCI and Forecourt Controllers (Pumps)

Devices             | Product              | Website                   | Version     | PCI Compliant | Irving Card Deck with Override
--------------------|----------------------|---------------------------|-------------|---------------|-------------------------------
Allied Electronics  | ANDI                 | www.alliedelectronics.com | A50         | Yes           | Yes
Allied Electronics  | Nex Gen              | www.alliedelectronics.com | N50         | Yes           | Yes
Verifone            | 1000SE Pinpad        | www.verifone.com          | 180.000.000 | Yes           | Yes
Verifone            | MX830 Pinpad         | www.verifone.com          |             | Yes           | Yes
Verifone            | x570 Credit Terminal | www.verifone.com          |             | Yes           | Yes
Verifone            | 3750 Credit Terminal | www.verifone.com          |             | Yes           | Yes
Ingenico            | 6550 Pinpad          | www.ingenico.com          |             | Yes           | Yes
Ingenico            | 3070 Pinpad          | www.ingenico.com          |             | Yes           | Yes

Page 7

Debit at the Point of Sale and Pumps

These new standards affect the Point of Sale and the pumps, and could affect the ability of stores to take debit. Through new hardware and stronger encryption, PIN-based debit will be more secure.

PCI PED – PIN Entry Device (inside PIN pad)

What is it?: PIN protection for inside debit transactions
How is it done?: Encryption of the debit PIN for pay-inside transactions
When is it due?: Date required: 07/01/2010
What if I do not do it?: You will not be able to process debit inside at the Point of Sale

PCI EPP – Encrypting PIN Pad (pump PIN pad)

What is it?: PIN protection for outside debit transactions
How is it done?: Encryption of the debit PIN at the dispenser
When is it due?: After 01/01/2009 all newly deployed dispensers must be EPP capable; all dispensers must be EPP capable by 07/01/2010
What if I do not do it?: If a breach is tracked back to your non-EPP-capable dispensers there would be fines, restitution and liability

Page 8

PCI and Forecourt (Pumps)

Devices   | Product     | Version        | Website             | PCI Compliant                      | Retro Kit
----------|-------------|----------------|---------------------|------------------------------------|----------
Gilbarco  | MPD         | NA             | www.gilbarco.com    | No                                 | No
Gilbarco  | Advantage   | B65, B78, B79  | www.gilbarco.com    | No*                                | Yes
Gilbarco  | Encore 300  | NA             | www.gilbarco.com    | No*                                | Yes
Gilbarco  | Encore 500  | NA             | www.gilbarco.com    | No*                                | Yes
Gilbarco  | Encore 500S | NA             | www.gilbarco.com    | No*, unless ordered after 01/01/09 | Yes
Wayne     | Vista       | V1, V2, V3     | www.wayne.com       | No                                 | No
Wayne     | Vista       | V4, V5         | www.wayne.com       | No*                                | Yes
Wayne     | Ovation     |                | www.wayne.com       | Yes, if ordered after 01/01/09     | Yes
Tokheim   | ???         | ???            | www.tokheim.com     | ???                                | ???
Bennett   | ???         | ???            | www.bennettpump.com | ???                                |
Verifone  | Kit only*   |                |                     |                                    |

* Can be retrofitted to be PCI compliant.
All newly deployed dispensers installed after January 1, 2009 MUST be TDES-capable.

Page 9

WAN Network Providers (Credit Card Processing)

Third party network | High Speed       | Provider Website   | PCI Compliant | Override Certified
--------------------|------------------|--------------------|---------------|-------------------
Aliant              | Yes, Canada only | www.bellaliant.net | Yes           | Yes
Megapath            | Yes              | www.megapath.com   | Yes           | Yes
Echosat             | Sat              | www.echosat.com    | Yes           | Yes

Page 10

Back Office

• “Protect Card Holder Data”
• Establish policies and procedures that are auditable
• User access restricted to “need to know”
• Physical security and hard copy document storage
• Credit card retrievals for reconciliation
• Shredding??
• Emailing card holder data
• Electronic storage: HDD, tape
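The PABP/PA-DSS slide on page 4 says card data on the POS must be protected in log files and databases, and the back office list above asks about electronic storage and emailing of cardholder data. The first practical check for either is finding where full PANs or track data are sitting in the clear. The Python below is an added example for this page, not Irving Oil's or any POS vendor's code: it scans POS log lines for Luhn-valid PANs and ISO 7813 track 2 data, reports each hit by its masked PAN (first six and last four digits, the masking PCI DSS permits for display), and produces a redacted copy of each line. The log lines and the field names in them are constructed for the example; the PANs are the industry's published test numbers, which pass the Luhn check but belong to no account.

```python
"""Find cardholder data stored in the clear (POS logs, database exports,
mail archives) and produce a redacted copy.

Added example for this page; not Irving Oil's or any POS vendor's code.
Self-contained, runs offline on the constructed sample log below.
"""
from __future__ import annotations

import re

# Runs of 13-19 digits, optionally grouped with spaces or dashes. The
# lookarounds stop us matching the middle of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO 7813 track 2: ';' PAN '=' expiry (YYMM) service code, optional
# discretionary data, '?' end sentinel. Storing this after authorization
# is never permitted, encrypted or not.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and timestamps that
    happen to be PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS 3.3 masking), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates in text, separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_line(line: str) -> tuple[str, list[str]]:
    """Return (redacted line, findings).

    Findings are 'track2:' or 'pan:' plus the masked PAN, so a report can be
    written without re-logging the data being removed. Track 2 is handled
    first so its PAN is not counted a second time as a bare PAN."""
    findings: list[str] = []
    redacted = line
    for m in TRACK2_RE.finditer(line):
        masked = mask_pan(m.group(1))
        findings.append("track2:" + masked)
        redacted = redacted.replace(m.group(0), ";" + masked + "=[TRACK DATA REMOVED]?")
    for pan in find_pans(redacted):
        findings.append("pan:" + mask_pan(pan))
        # Match the PAN however it was written: plain, spaced or dashed.
        spelled = re.compile(r"(?<!\d)" + r"[ -]?".join(pan) + r"(?!\d)")
        redacted = spelled.sub(mask_pan(pan), redacted)
    return redacted, findings


def scan_log(lines: list[str]) -> tuple[int, list[str]]:
    """Scan a whole log; return (number of offending lines, redacted lines)."""
    hits = 0
    out = []
    for line in lines:
        redacted, findings = scan_line(line)
        if findings:
            hits += 1
        out.append(redacted)
    return hits, out


# Constructed POS log lines (not from any real system). The PANs are the
# industry test numbers: they pass Luhn but belong to no account.
SAMPLE_LOG = [
    "2009-09-02 15:30:00 SALE pump=03 amt=41.17 pan=4111111111111111 auth=OK",
    "2009-09-02 15:31:10 SALE reg=1 amt=12.50 card='5555 5555 5555 4444' exp=1012",
    "2009-09-02 15:32:44 DEBUG raw=;378282246310005=1012101? resp=00",
    "2009-09-02 15:33:01 SALE reg=2 amt=9.99 order=1234567890123456 auth=OK",
    "2009-09-02 15:34:27 SALE reg=2 amt=30.00 token=8f3a21 auth=OK",
]

if __name__ == "__main__":
    hits, redacted = scan_log(SAMPLE_LOG)
    print(f"{hits} of {len(SAMPLE_LOG)} lines hold cardholder data in the clear")
    for line in redacted:
        print(line)
```

Run against a real log directory, the count of offending lines is the evidence for the "electronic storage" and "protect card holder data" bullets, and the DEBUG line shows why: a developer trace that dumps the raw track from the reader is a stored-track-data finding no matter how the database is encrypted. The order number on the fourth line is the same length as a PAN but fails Luhn, which is what keeps the scan from flooding the report with transaction identifiers.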

Page 11

Theoretical Cost of a Breach

Page 12

Theoretical Cost of a Breach, Continued

High Volume 1200 X $320 = $384,000

Mid Volume 600 X $320 = $192,000

Light Volume 150 X $320 = $48,000

* This does not take into account the effect on a company's brand

Page 13

Key takeaways….

• As of today, the current versions of Ruby, Retalix, Wayne and Gilbarco running in the Irving network are PABP compliant
• Failure to bring a Point of Sale or fuel controller up to the minimum system requirements could lead to a site's Merchant IDs being deactivated; in some cases a credit package is not available for a non-compliant Point of Sale
• All Irving installs after 01/01/08 have compliant point of sale PIN pad devices
• All Irving installs after 06/01/09 could have compliant EPP pump keypads; if not, the site has a year to retrofit
• Likely platforms at risk: G-Site (known to be not compliant); Ruby without Sapphire (could become not compliant)
• PCI is about liability shift, and compliance is mandated by the card brands (Visa in particular)

Page 14

What could you do next?

• Just because the Fuel Brand and Point of Sale are compliant does not mean a retailer is PCI compliant
• Review the digital dozen; the key considerations for dealers and distributors are 1) Fuel Brand compliance status, 2) Point-of-Sale compliance status, 3) Pump compliance status and 4) Back Office compliance status (most single-site operations use their POS as their BOS)
• Use pcisecuritystandards.org, established by the PCI Security Standards Council, LLC, the governing body (take PCI sites sponsored by SW/HW providers with a grain of salt)
• Download the full PCI DSS and PCI PED specifications
• Perform a self-audit using the appropriate Self-Assessment Questionnaire (SAQ)
• Perform a financial analysis on PCI EPP