Page 1: Merchant Services Audit 03 2011

Compliance Topics:Merchant Services Audit for

Financial Institutions

Carol T. Adams, CTP

Managing Principal

Page 2

What is Payment Card Industry (PCI) compliance?

Albert Gonzalez, 28, masterminded the largest credit card breach in U.S. history by hacking Heartland Payment Systems. Gonzalez is currently serving 20 years in federal prison for his part in a string of data breaches that resulted in the compromise of over 170 million credit and debit cards in 2008.

Payment Card Industry (PCI) compliance is a complex and ever-evolving subject affecting millions of businesses: acquiring banks, Independent Sales Organizations (ISOs), processors, hosts, shopping carts, e-commerce and retail merchants, and other merchant services providers.

Page 3

What is Payment Card Industry (PCI) Compliance?

The PCI standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information.

The PCI Data Security Standard was created to unify the programs run by the different credit card companies and to help merchants and service providers better secure their environments, thereby helping them reduce fraud and other crimes associated with cardholder data.

Page 4

What is Payment Card Industry (PCI) Compliance?

All merchants fall into one of four merchant levels, based on Visa transaction volume over a 12-month period, which determines what they must do in terms of compliance:

1 - Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

2 - Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

3 - Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

4 - Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

Page 5

Merchants Must:

• Identify their Validation Type as defined by PCI DSS to determine which Self-Assessment Questionnaire (SAQ) is appropriate for their business.

• Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.

• Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note: scanning does not apply to all merchants. It is required for Validation Types 4 and 5, i.e. those merchants with external-facing IP addresses.

• Complete the relevant Attestation of Compliance in its entirety.

• Submit the SAQ, evidence of a passing scan and the Attestation of Compliance, along with any other requested documentation, to their acquirer.

Page 6

Compliance is a Continuing Process

Industry experts agree: there is nothing wrong with PCI as a standard, but it has a fundamental flaw. It is a "point-in-time" certification of a company's readiness to handle security threats.

There is no continuous process for monitoring compliance built into the PCI standard. As a result, there is no way of knowing whether a company that was certified as compliant one day is still maintaining that compliance the next.

Page 7

Your Bank & PCI

Many banks have referral arrangements with acquirers, third-party vendors, and/or independent sales organizations (ISOs) to provide merchant card services to their business customers.

What is your bank's obligation for PCI?

If you store, process or transmit credit card data, you must become PCI compliant.

If you have a referral arrangement, then you must confirm that your referral partners are PCI compliant.

Page 8

Your Bank & PCI

The FFIEC asserts:

"...financial institutions are responsible for the actions of all contracted third-party service providers; therefore, they are expected to monitor carefully the providers' compliance with the operating rules."

The PCI Standards state:

"...using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI."

We must rely on the FFIEC and the Payment Card Industry for understanding compliance roles.

Page 9

Merchant Services Audit Goals

• Validate the progress of and recommend remediation for third-party providers and customers (merchants) as it relates to PCI compliance

• Enhance compliance efforts within the broader framework of risk management, including contractual agreements, underwriting, and indemnification

Page 10

Merchant Services Audit: 3-Step Process

• Planning

• Assessment

• Reporting & Remediation

Involves:

Internal stakeholders

Your referral partner

Your customers (merchants)

Page 11

Merchant Services Audit: 3-Step Process

• Planning

– Determine your scope

– Establish expectations with key players in the assessment

– Set target dates for communicating with partners & customers

– Collect relevant policies, procedures, and technical documentation needed for the audit

Page 12

Merchant Services Audit: 3-Step Process

• Assessment

– Interviews with key stakeholders in the process

– Release of vendor questionnaire & merchant survey to ascertain PCI compliance progress

– Assessment of your application approval process, with a specific focus on underwriting parameters

– Review of the monthly account reconcilement

– Review of your third-party contract to understand breach liability and indemnification exposure

Page 13

Merchant Services Audit: 3-Step Process

• Assessment

– Verification of your third-party’s compliance status against PCI standards criteria

– Verification of your third-party’s required vulnerability scan results

– Determine if you are aligned with peers relative to your support and educational efforts on PCI compliance for your customers (merchants)

Page 14

Merchant Services Audit: 3-Step Process

• Reporting & Remediation

– Receive a statement of findings that identifies deficiencies and provides recommendations, so that remediation efforts can begin as promptly as possible

– Receive talking points and/or limited advocacy to promote a proactive dialogue with your acquirer regarding needed controls and clarifications

– Outline action steps to enhance policies, procedures and controls

– Address emerging risks

Page 15

An Ounce of Prevention…

• Eliminates misdirected customer dissatisfaction when breaches occur

• Alerts you to gaps in your providers' compliance and potential risks

• Augments your "know your customer" activities

• Reduces liability, should litigation occur

• Establishes you as a best practice organization among peers

• Demonstrates a strong vendor management policy to financial governing bodies

Page 16

For more information:

www.redknotresources.com

Carol T. Adams, CTP

Managing Principal

[email protected]