
2.1 Merchants


Time: 3 hours 37 minutes
Difficulty: Beginner
CEU/CPE: 4
Video Transcription
00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module is about the different categories that merchants fall into and the requirements associated with them.
00:14
What are the different merchant types? How do you know which one you are?
00:19
The objective of this video is to discuss what is required of you by the PCI SSC relative to your merchant category.
00:28
Now, there are four merchant levels,
00:31
levels one through four.
00:33
What each payment brand considers to be a level one versus a level two and so on can vary very slightly.
00:39
These levels dictate what you must do in order to be considered PCI compliant.
00:45
Visa, MasterCard and Discover consider a level one merchant to be an entity that processes over six million transactions a year.
00:53
American Express says that 2.5 million Amex transactions warrant level one,
00:59
while JCB says it takes one million of their cards to be processed in order to be a level one.
01:06
For level two, American Express states that a merchant must process 50,000 to 2.5 million cards annually.
01:15
MasterCard, Visa and Discover say anything between one million and six million transactions makes you a level two.
01:22
As JCB only has two levels, anything under one million transactions makes the merchant a level two.
01:30
Merchants at level three for MasterCard, Visa and Discover are organizations that process anywhere between 20,000 and 1 million transactions.
01:38
American Express says that a level three is anything less than 50,000 transactions.
01:45
American Express only has three levels.
01:49
Level four applies to all other merchants for Visa, MasterCard and Discover.
01:53
It should be noted that all payment card brands may require a merchant to report as a level one if circumstances require.
02:00
A payment card brand may say that you are a level one if there have been instances of security breaches in the past,
02:07
because being a level one requires that your security practices be more heavily scrutinized.
02:13
So how do you know which level you fall into?
02:15
This information should be provided to you by your acquiring bank.
02:21
Now,
02:22
why are these level designations important?
02:24
These levels drive what you must do in order to be able to continue to process transactions for the payment brands.
02:30
Your level determines if you're allowed to conduct assessments internally or if you're required to have another certified company come in and evaluate your environment
02:38
to attest to the fact that you are doing the things that you need to do in order to be compliant.
02:46
Level one merchants are required to have a ROC, which stands for Report on Compliance, completed by a QSA, a Qualified Security Assessor;
02:57
quarterly network scans by an Approved Scanning Vendor, or ASV;
03:02
and an Attestation of Compliance form,
03:06
also completed by the QSA.
03:09
Level two merchants can choose to complete an annual Self-Assessment Questionnaire,
03:15
but they must ensure that the staff engaged in the self-assessment attend PCI SSC Internal Security Assessor, or ISA, training
03:24
and pass the associated accreditation program
03:28
in order to continue the option of self-assessment for compliance validation.
03:34
Alternatively, level two merchants may complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor
03:45
rather than complete an annual Self-Assessment Questionnaire.
03:49
Level three and level four merchants must do an annual assessment that can be done by an outside vendor or by internal staff without any special training.
03:58
All merchants are required to have quarterly ASV scans.
04:05
So if your acquirer says that you're a level 2, 3 or 4,
04:10
then what?
04:12
The PCI SSC has provided a list of scenarios that guide you to which Self-Assessment Questionnaire you must fill out.
04:19
The Self-Assessment Questionnaire includes a series of yes/no questions for each applicable PCI Data Security Standard requirement.
04:29
If an answer is no, your organization is required to state the future remediation date and the associated actions.
04:35
If you go to the link listed here, PCI outlines which SAQ document applies to which merchants.
04:46
So SAQ A
04:49
is for card-not-present transactions.
04:54
Card-not-present means that the merchant doesn't ever physically come into contact with a credit card.
05:00
Card-not-present merchants use e-commerce or mail or telephone order,
05:04
and they have fully outsourced all cardholder data functions to a PCI DSS compliant third-party service provider.
05:13
No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises: all of that falls into SAQ A.
05:24
So your company fully relies on a third party to handle all of these functions.
05:31
For SAQ A-EP,
05:33
your company accepts only e-commerce transactions.
05:38
All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor.
05:48
So your e-commerce website does not receive any cardholder data, but controls how the consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor.
06:02
So an SAQ A-EP company does not electronically store, process or transmit any cardholder data on your systems or premises, but relies entirely on third parties to handle these functions.
06:15
Any cardholder data your company retains is on paper, for example printed reports or receipts, and these documents are not transmitted electronically.
06:28
An SAQ B company uses only imprint machines and/or uses standalone dial-out terminals, and these are connected via a phone line to your payment processor.
06:39
The standalone dial-out terminals are not connected to any other systems within your environment.
06:45
They're not connected to the Internet, and they don't transmit any cardholder data over a network, which includes an internal network or the Internet.
06:54
Any cardholder data your company retains is on paper, so again printed reports or receipts, and these documents are not stored or transmitted electronically.
07:04
An SAQ C-VT company
07:09
only processes payments using a virtual payment terminal
07:13
accessed by an Internet-connected web browser. So these virtual payment terminal solutions are provided by a PCI DSS validated third-party service provider.
07:24
Your company accesses the PCI DSS compliant virtual payment terminal solution via a computer that is isolated in a single location,
07:32
so it cannot be connected to other locations or systems within your environment.
07:38
That computer does not have software installed that causes cardholder data to be stored in any way.
07:44
SAQ C-VT companies do not otherwise receive or transmit cardholder data electronically through any channels.
07:53
SAQ D is for SAQ-eligible merchants that don't meet any of the other criteria for the SAQ types.
08:03
Examples of merchant environments that would use SAQ D may include, but are not limited to, e-commerce merchants who accept cardholder data on their website,
08:11
merchants with electronic storage of cardholder data,
08:16
merchants that don't store cardholder data electronically but do not meet the criteria of other SAQ types,
08:24
and merchants with environments that might meet the criteria of other SAQ types but have additional PCI DSS requirements applicable to their environment.
08:31
SAQ D for service providers applies to all service providers defined by a payment brand as being SAQ-eligible.
08:41
SAQ P2PE-HW.
08:45
That's for merchants where all payment processing is conducted via a validated PCI P2PE solution that has been approved and listed by the PCI SSC.
08:56
The only systems in the merchant environment that store, process or transmit
09:01
account data are the point of interaction devices which are approved for use.
09:05
For P2PE-HW, your company does not otherwise receive or transmit cardholder data electronically.
09:16
So those were the reports needed for self-assessments.
09:20
For level one assessments, the reports that the PCI SSC requires are the Report on Compliance, or the ROC, and the Attestation of Compliance, or the AOC.
09:31
The Attestation of Compliance is a four-page document that must be completed by the Qualified Security Assessor,
09:37
or by the merchant if the merchant performs an internal audit.
09:41
It serves as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard.
09:48
It is a quick document that asserts that the company is or isn't in compliance and provides the steps that are going to be taken if the company is moving towards compliance.
09:58
The Report on Compliance is a much more detailed document that outlines all the steps taken to test each control mandated by PCI for level one merchants.
10:09
The ROC could be hundreds of pages long and explains all of the assessor's findings.
10:13
The findings of the ROC drive what's documented in the AOC.
10:18
These documents work together,
10:20
and an acquirer may or may not require the ROC be delivered with the AOC.
10:26
So in this video we talked about how the merchant levels are defined,
10:31
the SAQs,
10:33
and the reports needed for a level one assessment.
10:41
Now, a quick quiz. Let's review.
10:43
All merchant levels are required to have what?
10:52
ASV scans are required quarterly for each merchant level.
10:58
Next.
11:00
What is the attestation of compliance?
11:09
It's a document from a qualified security assessor that certifies compliance.
11:16
Next,
11:18
An internal security assessor is used to do what?
11:28
They conduct internal audits of level two merchants.