Merchant Services Audit 03 2011


Understand how important a merchant services audit is for your financial organization's FFIEC compliance

Published in: Economy & Finance, Business

1. Compliance Topics: Merchant Services Audit for Financial Institutions
   Carol T. Adams, CTP, Managing Principal
2. What is Payment Card Industry (PCI) compliance?
   Albert Gonzalez, 28, masterminded the largest credit card breach in U.S. history by hacking Heartland Payment Systems. Gonzalez is currently serving 20 years in federal prison for his part in a string of data breaches that resulted in the compromise of over 170 million credit and debit cards through 2008.
   Payment Card Industry (PCI) compliance is a complex and constantly evolving subject affecting millions of businesses: acquiring banks, Independent Sales Organizations (ISOs), processors, hosts, shopping carts, e-commerce and retail merchants, and other merchant services providers.
3. What is Payment Card Industry (PCI) compliance?
   • The PCI Data Security Standard (PCI DSS) requires all merchants and service providers worldwide that store, process, or transmit cardholder data to adopt security controls that protect that data.
   • The standard was created to unify the separate security programs previously run by the individual card brands, helping merchants and service providers to better secure their environments and thereby reduce fraud and other crimes associated with cardholder data.
4. What is Payment Card Industry (PCI) compliance?
   • Every merchant falls into one of four merchant levels, based on Visa transaction volume over a 12-month period, which determines what it must do to validate compliance. (Each card brand publishes its own level definitions; the Visa levels below are the ones most acquirers use as the baseline.)
   • Level 1: any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize risk to the Visa system.
   • Level 2: any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
   • Level 3: any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
   • Level 4: any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.
5. Merchants must:
   • Identify their Validation Type as defined by PCI DSS to determine which Self-Assessment Questionnaire (SAQ) is appropriate for their business.
   • Complete the SAQ according to the PCI SSC's Self-Assessment Questionnaire Instructions and Guidelines.
   • Complete and obtain evidence of a passing external vulnerability scan from a PCI SSC Approved Scanning Vendor (ASV). Note: scanning does not apply to all merchants. It is required for Validation Types 4 and 5, that is, merchants with external-facing IP addresses, and ASV scans must be repeated at least quarterly.
   • Complete the relevant Attestation of Compliance (AOC) in its entirety.
   • Submit the SAQ, evidence of a passing scan, and the AOC, along with any other requested documentation, to their acquirer.
6. Compliance is a continuing process
   Industry experts agree: there is nothing wrong with PCI as a standard, but it has a fundamental limitation. Validation is a "point-in-time" certification of a company's readiness to handle security threats. Although individual requirements (quarterly ASV scans, daily log review) are ongoing obligations, nothing in the standard continuously verifies that they are being performed between validations. As a result, there is no way of knowing whether a company that validated as compliant one day is still maintaining that compliance the next.
7. Your bank & PCI
   • Many banks have referral arrangements with acquirers, third-party vendors, and/or independent sales organizations (ISOs) to provide merchant card services to their business customers.
   • What is your bank's obligation under PCI?
   If your bank stores, processes, or transmits cardholder data, it must itself become PCI compliant. If it has only a referral arrangement, it must still confirm that the referral partner is PCI compliant.
8. Your bank & PCI
   The FFIEC asserts:
   "... financial institutions are responsible for the actions of all contracted third-party service providers; therefore, they are expected to monitor carefully the providers' compliance with the operating rules."
   The PCI standards state:
   "... using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI."
   We must rely on the FFIEC and the Payment Card Industry for understanding compliance roles.
9. Merchant Services Audit goals
   • Validate the progress of, and recommend remediation for, third-party providers and customers (merchants) as it relates to PCI compliance.
   • Enhance compliance efforts within the broader framework of risk management, including contractual agreements, underwriting, and indemnification.
10. Merchant Services Audit: 3-step process
   • Planning
   • Assessment
   • Reporting & Remediation
   Involves: internal stakeholders, your referral partner, and your customers (merchants).
11. Merchant Services Audit: 3-step process
   • Planning
     - Determine your scope.
     - Establish expectations with the key players in the assessment.
     - Set target dates for communicating with partners and customers.
     - Collect the relevant policies, procedures, and technical documentation needed for the audit.
12. Merchant Services Audit: 3-step process
   • Assessment
     - Interviews with key stakeholders in the process.
     - Release of a vendor questionnaire and merchant survey to ascertain PCI compliance progress.
     - Assessment of your application approval process, with a specific focus on underwriting parameters.
     - Review of the monthly account reconcilement.
     - Review of your third-party contract to understand breach liability and indemnification exposure.
13. Merchant Services Audit: 3-step process
   • Assessment (continued)
     - Verification of your third party's compliance status against the PCI standards criteria.
     - Verification of your third party's required vulnerability scan results.
     - Determination of whether you are aligned with peers in your support and educational efforts on PCI compliance for your customers (merchants).
14. Merchant Services Audit: 3-step process
   • Reporting & Remediation
     - Receive a statement of findings that identifies deficiencies and provides recommendations, so that remediation efforts can begin as promptly as possible.
     - Receive talking points and/or limited advocacy to promote a proactive dialogue with your acquirer regarding needed controls and clarifications.
     - Outline action steps to enhance policies, procedures, and controls.
     - Address emerging risks.
15. An ounce of prevention...
   • Eliminates misdirected customer dissatisfaction when breaches occur.
   • Alerts you to gaps in your providers' compliance and to potential risks.
   • Augments your "know your customer" activities.
   • Reduces liability, should litigation occur.
   • Establishes you as a best-practice organization among peers.
   • Demonstrates a strong vendor management policy to financial governing bodies.
16. For more information: Carol T. Adams, CTP, Managing Principal, [email_address]