Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module is about the different categories that merchants fall into and the requirements associated with them.
00:14
What are the different merchant types? How do you know which one you are?
00:19
The objective of this video is to discuss what is required of you by the PCI SSC relative to your merchant category.
00:28
Now, there are four merchant levels,
00:31
levels one through four.
00:33
What each payment brand considers to be a level one versus a level two and so on can vary very slightly.
00:39
These levels dictate what you must do in order to be considered PCI compliant.
00:45
Visa, MasterCard and Discover consider a level one merchant to be an entity that processes over six million transactions a year.
00:53
American Express says that 2.5 million Amex transactions warrant level one,
00:59
while JCB says it takes one million of their cards to be processed in order to be a level one.
01:06
For level two, American Express states that a merchant must process 50,000 to 2.5 million cards annually.
01:15
MasterCard, Visa and Discover say anything between one million and six million transactions makes you a level two.
01:22
As JCB only has two levels, anything under one million transactions makes the merchant a level two.
01:30
Merchants at level three for MasterCard, Visa and Discover are organizations that process anywhere between 20,000 and 1 million transactions.
01:38
American Express says that a level three is anything less than 50,000 transactions.
01:45
American Express only has three levels.
01:49
Level four applies to all other merchants for Visa, MasterCard and Discover.
01:53
It should be noted that all payment card brands may require a merchant to report as a level one if circumstances require it.
02:00
A payment card brand may say that you are a level one if there have been instances of security breaches in the past.
02:07
Being a level one requires that your security practices be more heavily scrutinized.
02:13
So how do you know which level you fall into?
02:15
This information should be provided to you by your acquiring bank.
02:21
Now,
02:22
why are these level designations important?
02:24
These levels drive what you must do in order to be able to continue to process transactions for the payment brands.
02:30
Your level determines if you're allowed to conduct assessments internally or if you're required to have another certified company come in and evaluate your environment
02:38
to attest to the fact that you are doing the things that you need to do in order to be compliant.
02:46
Level one merchants are required to have a ROC, which stands for a Report on Compliance, completed by a QSA, a Qualified Security Assessor,
02:57
quarterly network scans by an Approved Scanning Vendor, or ASV,
03:02
and an Attestation of Compliance form,
03:06
also completed by the QSA.
03:09
Level two merchants can choose to complete an annual Self-Assessment Questionnaire,
03:15
but they must ensure that the staff engaged in the self-assessment attend a PCI SSC Internal Security Assessor, or ISA, training
03:24
to pass the associated accreditation program
03:28
in order to continue the option of self-assessment for compliance validation.
03:34
Alternatively, level two merchants may complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor
03:45
rather than complete an annual Self-Assessment Questionnaire.
03:49
Level three and level four merchants must do an annual assessment that can be done by an outside vendor or by internal staff without any special training.
03:58
All merchants are required to have quarterly ASV scans.
04:05
So if your acquirer says that you're a level two, three or four,
04:10
then what?
04:12
The PCI SSC has provided a list of scenarios that guide you to which Self-Assessment Questionnaire you must fill out.
04:19
The Self-Assessment Questionnaire includes a series of yes/no questions for each applicable PCI Data Security Standard requirement.
04:29
If an answer is no, your organization is required to state the future remediation date and the associated actions.
04:35
If you go to the link listed here, PCI outlines which SAQ documents apply to which merchants.
04:46
So SAQ A
04:49
is for card-not-present transactions.
04:54
Card-not-present means that the merchant doesn't ever physically come into contact with a credit card.
05:00
Card-not-present merchants use e-commerce or mail or telephone order,
05:04
and they have fully outsourced all cardholder data functions to a PCI DSS compliant third-party service provider.
05:13
No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises falls into SAQ A.
05:24
So your company fully relies on a third party to handle all of these functions.
05:31
For SAQ A-EP,
05:33
your company accepts only e-commerce transactions.
05:38
All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor.
05:48
So your e-commerce website does not receive any cardholder data but controls how the consumers or their cardholder data is redirected to a PCI DSS validated third-party payment processor.
06:02
So a SAQ A-EP company does not electronically store, process or transmit any cardholder data on your systems or premises, but relies entirely on third parties to handle these functions.
06:15
Any cardholder data your company retains is on paper, for example, printed reports or receipts, and these documents are not transmitted electronically.
06:28
A SAQ B company uses only imprint machines and/or uses standalone dial-out terminals, and these are connected via a phone line to your payment processor.
06:39
The standalone dial-out terminals are not connected to any other systems within your environment.
06:45
They're not connected to the Internet, and they don't transmit any cardholder data over a network, which includes an internal network or the Internet.
06:54
Any cardholder data your company retains is on paper, so again printed reports or receipts, and these documents are not stored or transmitted electronically.
07:04
A SAQ C-VT company
07:09
only processes payments using a virtual payment terminal
07:13
accessed by an Internet-connected web browser. So these virtual payment terminal solutions are provided by a PCI DSS validated third-party service provider.
07:24
Your company accesses the PCI DSS compliant virtual payment terminal solution via a computer that is isolated in a single location,
07:32
so it cannot be connected to other locations or systems within your environment.
07:38
That computer does not have software installed that causes cardholder data to be stored in any way.
07:44
SAQ C-VT companies do not otherwise receive or transmit cardholder data electronically through any channels.
07:53
SAQ D is for SAQ-eligible merchants that don't meet any of the other criteria for SAQ types.
08:03
Examples of merchant environments that would use SAQ D may include, but are not limited to, e-commerce merchants who accept cardholder data on their website,
08:11
merchants with electronic storage of cardholder data,
08:16
merchants that don't store cardholder data electronically, but do not meet the criteria of other SAQ types,
08:24
merchants with environments that might meet the criteria of other SAQ types, but have additional PCI DSS requirements applicable to their environment.
08:31
SAQ D for service providers applies to all service providers defined by a payment brand as being SAQ eligible.
08:41
SAQ P2PE-HW,
08:45
that's for merchants where all payment processing is conducted via a validated PCI P2PE solution that has been approved and listed by the PCI SSC.
08:56
The only systems in the merchant environment that store, process or transmit
09:01
account data are the point-of-interaction devices which are approved for use
09:05
for P2PE-HW. Your company does not otherwise receive or transmit cardholder data electronically.
09:16
So those were the reports needed for self-assessments.
09:20
For level one assessments, the reports that the PCI SSC requires are the Report on Compliance, or the ROC, and the Attestation of Compliance, or the AOC.
09:31
The Attestation of Compliance is a four-page document that must be completed by the Qualified Security Assessor
09:37
or merchant, if the merchant performs an internal audit.
09:41
It serves as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard.
09:48
It is a quick document that asserts that the company is or isn't in compliance and provides the steps that are going to be taken if the company is moving towards compliance.
09:58
The Report on Compliance is a much more detailed document that outlines all the steps taken to test each control mandated by PCI for level one merchants.
10:09
The ROC could be hundreds of pages long and explains all of the assessor's findings.
10:13
The findings of the ROC drive what's documented in the AOC.
10:18
These documents work together,
10:20
and an acquirer may or may not require the ROC be delivered with the AOC.
10:26
So in this video we talked about how the merchant levels are defined,
10:31
the SAQs,
10:33
and the reports needed for level one assessment.
10:41
Now, a quick quiz. Let's review.
10:43
All merchant levels are required to have what?
10:52
ASV scans are required quarterly for each merchant level.
10:58
Next.
11:00
What is the Attestation of Compliance?
11:09
It's a document from a Qualified Security Assessor that certifies compliance.
11:16
Next,
11:18
an Internal Security Assessor is used to do what?
11:28
They conduct internal audits of level two merchants.

Up Next

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It’s designed for professionals working for companies that must comply with the PCI DSS and its impact on company operations.

Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor