Merchant Card Services - PCI DSS

PCI DSS and UK

We have an obligation to protect sensitive financial information, such as credit card data, belonging to the University's customers. That is what PCI DSS is all about.

The payment card industry, which includes VISA, MasterCard, American Express, Discover, and JCB, has issued security standards with which all organizations that accept credit card data must comply. These standards are called the Payment Card Industry Data Security Standards, or PCI DSS. They add responsibilities to your department whenever it accepts payment cards. Without compliance, the card industry may refuse to allow you to process credit cards, or may impose fees and fines for noncompliance. Therefore, every UK office that accepts credit cards must become PCI DSS compliant.

Because of decentralized processing systems and open networks, credit card breaches occur at a higher rate in higher education than elsewhere. Departments may think of PCI DSS compliance as an Information Technology or Treasury issue, when in reality it is the responsibility of every department that accepts credit cards.

When a university implements a PCI compliance plan, it protects not only itself but also its students and employees. University Financial Services (formerly the Treasurer's Office) has implemented a PCI compliance program to ensure that UK meets the PCI standards, to educate University administrators, faculty, and staff on PCI, and to assist departments with their compliance efforts.

This website is intended to introduce you to PCI DSS and to provide guidance for your department's compliance efforts. Thank you for educating yourself on this topic and for treating it with the respect it deserves.

Kevin Sisler, Director of Treasury and Merchant Card Services

Payment Card Industry Data Security Standard (PCI DSS) and Compliance Requirements for UK Merchant Departments

What is PCI DSS?

The Payment Card Industry Data Security Standards (PCI DSS) are data storage, record-keeping, transmission, and system testing requirements designed to help ensure the secure handling of credit card information.

The PCI Data Security Standards consist of 12 general requirements.

[Image: PCI Pic 2.jpg]

Who sets the standards, and why must UK comply?

The standards are set by the PCI Security Standards Council. The PCI Council was founded in 2006 to align the independent security programs and standards of the major card programs: American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The PCI Council is led by a policy-setting Executive Committee composed of representatives of the founding card companies. A Board of Advisors represents the 766 participating organizations and provides feedback to the PCI Council.

What is a merchant level, and why does it matter?

There are four merchant categories, or "Levels", based on the number of transactions processed. The merchant level designation (1, 2, 3, or 4) determines the required compliance dates as well as the complexity and frequency of the required compliance validation. Compliance requirements include, at a minimum, annual PCI Self-Assessment Questionnaires (SAQ) and quarterly network vulnerability scans. The PCI DSS SAQ is designed to evaluate data storage and security processes, identify existing weaknesses, and validate a merchant's compliance with the standards. A network vulnerability scan is a tool that remotely tests the operating systems, networks and devices that hackers could use to target the private, secure credit card processing network. Level 1 carries the most demanding compliance requirements; Level 4 carries the least.

[Image: PCI Chart_1.png]

Any University unit that accepts credit cards for payment is considered a merchant department by UK Treasury Services, also known as Merchant Card Services (MCS). Currently, the University has more than 150 units on campus that accept credit card payments. Although these University merchant departments are separate entities that process through individual merchant accounts, our processor treats the processing activity of all of our merchants as a whole when determining the University's overall merchant level for compliance validation. Based on the total combined activity of all of our merchants, UK is currently classified as a Level 3 merchant. Treasury Services holds each merchant department responsible for its own PCI DSS compliance; each department must submit an SAQ to Treasury Services, based on the merchant's method of accepting credit card payments, to validate its compliance annually. Treasury Services will coordinate the SAQ completion and submission process for all University merchant departments each year. Additionally, Treasury Services will assist in determining which SAQ a merchant department should complete and will provide guidance as merchants complete their SAQs.

What are the PCI DSS compliance requirements for UK departments accepting credit cards (aka merchant departments)?

  • Develop and maintain departmental policies and procedures for accepting credit card payments, including the security of any credit card data handled and an incident response plan to follow when a data breach is suspected.
  • Obtain and maintain documentation of the PCI DSS compliance status of any third-party service provider directly or indirectly involved in processing credit card transactions (e.g. website hosting services, internet payment gateways, shopping cart providers, etc.).
  • Attend the annual training session provided by the MCS staff of Treasury Services.
  • Maintain PCI DSS compliance and complete a Self-Assessment Questionnaire (SAQ) each year to validate compliance, submitting it to MCS in Treasury Services.
  • Notify MCS of any change in credit card processing methods.

Which Self-Assessment Questionnaire should the merchant department complete?

http://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf

A

Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can affect the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

Applicable only to e-commerce channels.

B

Merchants using only:

Imprint machines with no electronic cardholder data storage; and/or

Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

Not applicable to e-commerce channels.

C

Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

P2PE-HW

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

D

For Merchants: All merchants not included in the descriptions for the above SAQ types.

For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

What is the cost of non-compliance with PCI DSS?

If cardholder information is compromised, the costs of noncompliance will stem mainly from the security breach itself. These costs may include:

  • Notifying affected cardholders
  • Paying for credit monitoring for affected parties
  • Paying for unauthorized charges
  • Engaging an external Qualified Security Assessor to investigate the breach, identify vulnerabilities and produce a Report on Compliance once the vulnerabilities are mitigated
  • Implementing the hardware or software upgrades needed to meet the higher level of security required after a breach
  • Fines from the credit card companies
  • Litigation from cardholders, vendors or credit card companies
  • Adverse publicity
  • Damage to UK's reputation

The Treasury Institute for Higher Education estimates the expected cost per compromised credit card account at $182, and that even a small data breach (approximately 5,000 accounts) could cost more than $1 million.

How do credit card security breaches occur?

Types of Breaches

  • Intrusions into networked computers
  • Lost or stolen computers or media (e.g. thumb drives, external hard drives, etc.)
  • Improper disposal of records (paper records not shredded or properly disposed of)
  • Theft of credit card data by employees
  • Mistakenly posting information online
  • Transmitting credit card data via insecure networks and systems (e.g. unencrypted Wi-Fi, email systems, etc.)
  • Skimming devices on credit card processing equipment

Sources of Breaches

  • Improper data storage
    • Outdated, unpatched Integrated Point of Service (POS) systems
    • System logs, backups
  • Insecure applications
  • No network segmentation and/or firewalls
  • Unpatched systems and/or default configurations
  • Insecure wireless access points
  • Use of default passwords
  • No intrusion monitoring
  • Unsecured Point of Sale (POS) technology
  • Use of non-compliant third-party service providers

Security breaches can result in serious consequences for the University, including the disclosure of confidential information, damage to reputation, increased compliance costs, substantial fines, possible legal liability and the potential loss of the ability to accept credit card payments.

Merchant departments that accept credit cards are responsible for ensuring that all credit card information is received and maintained in a secure manner that complies with PCI DSS. Individual departments will be held accountable if monetary sanctions and/or card acceptance restrictions are imposed because of a PCI compliance violation.

Under no circumstance shall credit card information be obtained or transmitted via email. Credit card transactions or data shall not be stored on personal computers or servers that are not PCI compliant, as determined by Treasury Services MCS. All hard-copy credit card information must be stored in a manner that protects individual cardholder information from misuse, and must be destroyed when it is no longer needed. Remember: if you don't need it, don't keep it.

[Image: PCI pic.jpg]

What should a merchant department do if it suspects a breach of credit card information has occurred?

In the event that a merchant knows or suspects that credit card data, including card numbers and cardholder names, has been disclosed to unauthorized persons or stolen, the merchant department shall immediately take the following steps.

1. The MDRP, or any individual who suspects a security breach, should immediately call the Director of Treasury and Merchant Card Services.

2. The Director of Treasury and Merchant Card Services will work with the UK AT Chief Information Security Officer to determine whether a breach has occurred. If credit card data has in fact been compromised, MCS will notify the merchant bank, the UK Police Department, the Legal Office, University Financial Services, the Director of Internal Audit, and any relevant regulatory agencies of the breach.

For more information about PCI DSS, visit www.pcisecuritystandards.org.

Links

To see whether your point-of-sale system, processing equipment, or payment service provider is PCI DSS compliant, check these links:

Following are some useful links to learn more about the PCI DSS standards:

Warning: some of the websites linked to here for the user's convenience are not managed by UK. The University does not review, control, or take responsibility for the contents of those sites.