Welcome Note

Realex Payments is a PCI DSS 3.2 compliant online payments service provider. We simplify Payment Card Industry Data Security Standard (PCI DSS) compliance for thousands of businesses, processing billions of pounds worth of payments each year.
Maintaining the security of our customers' data is always our number one priority, which means PCI DSS compliance is the foundation of our business.
We've learned a lot over the years about achieving and maintaining PCI DSS compliance, and with this whitepaper we want to share that expertise to help you on your journey to compliance.
No matter how many payments you process, this whitepaper will help you to reduce the costs and complexity associated with PCI DSS compliance:
• If you complete an on-site audit for PCI DSS compliance, we will show you how you can reduce your PCI audit overheads by up to 70%
• If you complete a Self-Assessment Questionnaire, we will show you how to reduce the number of PCI DSS requirements in scope by up to 96%, with cost savings that can average between £10,000 and £100,000
Need proof? You'll hear from one of our customers, allpay, who have reduced their PCI overheads by 70% by moving to a Hosted Payment Solution.
Nick Peplow, Bill Payments Director at allpay, said: "Since partnering with Realex, we have increased our speed-to-market by 6 months and simplified our PCI auditing process, whilst we operate an online payments page that fully reflects our brand, with Realex's extensive security features."
Simplifying compliance doesn't mean you have to lose control of the payments journey either. You can maximise conversion, your customers can make online payments seamlessly, and you can still minimise your PCI DSS obligations.
Let's get started!

Colin Aherne
Table of Contents
Introduction
The Fundamentals of PCI DSS Compliance
Levels of PCI DSS Compliance
PCI DSS Compliance and Your Payment Service Provider
Reducing the PCI DSS Compliance Burden
Case Study: allpay Ltd
Q&A: PCI DSS Compliance with Matej Saksida, Information Team Lead at Realex Payments
Conclusion
Introduction

Cybersecurity is a major issue for eCommerce businesses around the globe. Mishandling customer card data can have serious consequences for both businesses and consumers, including:
• Substantial fees and fines from the card schemes
• Damage to your brand, and the loss of customer confidence and trust
• A forensic examination that can cost tens of thousands of pounds
• Loss of revenue, and resources spent recovering from the breach
• Additional costs replacing or upgrading your existing security systems
• Increased and ongoing scrutiny from the relevant authorities where breaches have occurred
• Ultimately, risk to the long-term viability of your business
There are untold numbers of instances where attackers have breached company networks and accessed customer details. Several high-profile companies have been breached, and attackers are employing increasingly sophisticated approaches to gain access to valuable card data.
Consumers trust companies with their information but, when a breach occurs, that trust is damaged, often resulting in sharp drops in revenue which can be difficult to recover from. This represents a serious risk to the viability of your business: the National Cyber Security Alliance has observed that 60% of small businesses which suffered a data breach closed within six months of the breach occurring.
Achieving and maintaining PCI DSS compliance can be a costly and complex process, but there are strategies which companies can employ to reduce their overheads.
The Fundamentals of PCI DSS Compliance

Why PCI DSS Compliance?
The objective of PCI DSS is to secure cardholder data in order to minimise the risk of data breaches and, in turn, the risk of fraud. To achieve this, the PCI Security Standards Council (the body which creates and maintains the PCI DSS) has set six goals for organisations which handle card data; these goals are broken down in turn into 12 requirements. Achieving compliance in practice means being able to demonstrate adherence to those goals and requirements, summarised in the table below.

Goals and requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Source: www.pcisecuritystandards.org/
REDUCE PCI SCOPE WHILE MAXIMISING CONVERSION 6
The Current State of PCI DSS Compliance
The PCI DSS is revised on an ongoing basis to address evolving threats and vulnerabilities.
PCI DSS 3.0, the last major revision of the standard, was published in November 2013. When introduced, the scope of achieving or maintaining PCI DSS compliance increased by about 27% from the previous version (2.0). Since then, two minor revisions have been released: PCI DSS 3.1 in April 2015, which mainly addressed the retirement of SSL and early TLS, and PCI DSS 3.2 in April 2016, which among other changes extended multi-factor authentication to all administrative access to the cardholder data environment. Both introduced further changes to scope, focused primarily on encryption and authentication controls.
While these changes are necessary, the constant revisions to the standard have made it difficult for merchants to keep up. Verizon's 2015 PCI Compliance Report found that only 20% of companies were fully compliant at their interim assessment, and that fewer than a third (28%) of companies validated as compliant were still fully compliant less than a year after validation.
Increasingly, merchants are looking for alternatives to shouldering the full burden of compliance. All merchants, no matter how they accept payment card data, need to demonstrate their compliance, but there are strategies which minimise compliance overheads.
Assessing & Enforcing PCI DSS Compliance
While the PCI Security Standards Council is responsible for setting out how merchants should achieve and demonstrate compliance, the level at which an individual merchant must validate compliance is determined by the number of transactions they accept on cards carrying the brands of the card associations: Visa, Mastercard, American Express and others. Each of the card associations runs its own compliance programme with its own merchant levels.
PCI DSS compliance is usually enforced by scheme members, that is, card acquirers or merchant service providers and card issuers, on behalf of the card schemes. If you're unsure about any aspect of PCI DSS compliance as it applies to your business, we recommend that you speak with your merchant services provider or engage a Qualified Security Assessor (QSA) for advice.
For more information on the programmes run by each of the individual card associations, please refer to the links below.
American Express: www.americanexpress.com/datasecurity
Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
JCB International: http://www.jcbeurope.eu/business_partners/security/jcbprogram.html
MasterCard Worldwide: www.mastercard.com/sdp
Visa Inc.: www.visa.com/cisp
Visa Europe: www.visaeurope.com/ais
Levels of PCI DSS Compliance

Overview
When assessing compliance, two factors determine the perceived risk of data being compromised:
• The number of payment card transactions processed by the organisation per annum
• The degree to which the organisation is exposed to sensitive payment card data when processing those payments

PCI Compliance Levels
The first factor determining the degree of compliance that a business must demonstrate is the volume of transactions processed per annum. In the table below, we've outlined the levels set by Visa.
Note: Different thresholds may apply if you accept higher volumes of Mastercard, American Express or other cards issued by the major card associations.
Level 1
Merchant criteria: merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) following an on-site assessment by a Qualified Security Assessor or a qualified internal security resource
• Quarterly network scan by an Approved Scanning Vendor (ASV)
• Attestation of Compliance (AOC) form

Level 2
Merchant criteria: merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by an ASV
• Attestation of Compliance form

Level 3
Merchant criteria: merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified its PCI DSS compliance, OR
• Certify their own PCI DSS compliance to the acquirer via an SAQ (the acquirer must, on request, be able to validate that compliance to Visa Europe)

Level 4
Merchant criteria: merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified its PCI DSS compliance, OR
• Certify their own PCI DSS compliance to the acquirer via an SAQ (the acquirer must, on request, be able to validate that compliance to Visa Europe)
Source: Visa Inc.
Figure: compliance difficulty by merchant level. Level 1 requires an annual on-site assessment; Levels 2, 3 and 4 complete a Self-Assessment Questionnaire, with the effort decreasing from Level 1 to Level 4.
Level 1 eCommerce Businesses: Report on Compliance
Payment systems deployed by organisations that process more than six million transactions are usually complex. These Level 1 organisations handle the transfer and storage of sensitive card details, which increases the opportunity for vulnerabilities. To address those risks, Level 1 businesses need to adhere to a stringent set of requirements. This includes the production of a Report on Compliance (ROC), which must be completed by an independent Qualified Security Assessor (QSA) or, where the acquirer permits it, by a qualified Internal Security Assessor (ISA). The ROC must provide extensive evidence of the organisation's compliance under each of the 12 requirements (see "The Fundamentals of PCI DSS Compliance", above).
However, the level of detail required depends on how the business accepts payment card data; different approaches bring different numbers of requirements into scope, with fully outsourced solutions requiring the least evidence.
Level 2+ eCommerce Businesses: Self-Assessment
Organisations that process fewer than six million transactions per year are deemed to represent a lower risk of exposure, so the assessment of PCI DSS compliance is a less rigorous process. In many cases, organisations that qualify as Level 2, 3 or 4 for PCI DSS purposes can self-assess their compliance by completing a Self-Assessment Questionnaire (SAQ).

Which SAQ should I complete?
The self-assessment process is not meant to be a box-ticking exercise; it is important to remember that the ultimate goal of PCI DSS compliance is to ensure the security of cardholder data and to protect you against data breaches. It is strongly recommended that you consider each requirement set out in the appropriate SAQ carefully when attesting to your compliance. If you're not sure which SAQ you should complete, engage a Qualified Security Assessor to help you decide.
The card schemes hold your acquiring bank or merchant services provider responsible for the compliance of the merchants it sponsors, although the responsibility for actually being compliant remains with you. As such, organisations who self-assess PCI DSS compliance are usually required to submit their completed SAQ and Attestation of Compliance to their provider to demonstrate their compliance.
Understanding the Self-Assessment Questionnaires
When self-assessing compliance, eCommerce businesses will typically complete one of three Self-Assessment Questionnaires: SAQ A, SAQ A-EP or SAQ D. The SAQs are designed to demonstrate adherence to the goals and requirements of PCI DSS. The SAQ which applies is determined by the degree to which your organisation is exposed to sensitive payment card data when processing payments; in other words, by the type of payment integration you use on your website. The more that your organisation or systems are exposed to sensitive card details, the more requirements you'll need to address.
The table below summarises the three SAQs.

SAQ A
• Fully outsourced payment form to a PCI DSS compliant provider (example: Hosted Payment Solution)
• 14 requirements; 22 self-assessment questions
• 4% of total PCI DSS requirements in scope

SAQ A-EP
• Partially outsourced payment form to a PCI DSS compliant provider (example: Direct Post)
• 140 requirements; 193 self-assessment questions
• 43% of total PCI DSS requirements in scope

SAQ D
• Payments accepted directly on your website (example: API)
• 326 requirements; 329 self-assessment questions
• 100% of total PCI DSS requirements in scope
Completing a self-assessment is only an option for merchants who qualify for Level 2, 3 or 4 of PCI DSS compliance. For Level 1 merchants, a Report on Compliance must be prepared by a Qualified Security Assessor. However, similar considerations apply: what you must evidence depends on how you accept, transmit and store sensitive customer card data.
In the following sections, we discuss how the method of card acceptance influences the standards to which a business must adhere.
Note: While we've focused on eCommerce businesses in this eBook, it is important to note that merchants who accept payments through a mix of different channels, such as via a point-of-sale device or over the phone, may have compliance requirements over and above those outlined here. Generally speaking, merchants need to demonstrate a level of compliance appropriate for the least secure channel of payment; if you're unsure, we recommend that you engage a Qualified Security Assessor to help you out.

The table below shows the evidence you must be able to produce when completing each SAQ.
Evidence required for SAQ A, SAQ A-EP and SAQ D alike:
• Review process documentation
• Interview employees
• Observe current configurations
• Examine all data sources for cardholder data
• Examine keys and certificates
• Examine anti-virus configuration
• Review audit trails and logs on system components
• Change control documentation
Additional evidence as scope widens to SAQ A-EP and SAQ D (with 100% of requirements in scope, SAQ D requires all of the following):
• Secure software development training and policies
• Examination of audit logs and log settings
• Examination of time-synchronisation technology and settings
• Quarterly external scans and penetration tests
• Examine firewall and router configurations
• Review password procedures
• Detailed incident response plan
• Quarterly destruction of cardholder data no longer in use
• Examine mobile and employee-owned devices
• Review documented risk mitigation and migration plan
• Review data retention and disposal policies
• Review physical access process, including CCTV, visitor logs and ID badges
• Examine intrusion detection and intrusion prevention techniques
• Company-wide rollout of a security awareness programme
PCI DSS Compliance & Your Payment Service Provider

How you accept payments and your type of compliance
If you're a business accepting payments online, chances are that you use a third-party payment service provider to process transactions on your behalf. Payment service providers tend to process transactions at volumes that require them to validate as Level 1 service providers. While it is not unheard of for a payment service provider to be breached, it is generally safe to assume that, where you use a mainstream, reputable provider who can give you evidence of their compliance (a current Attestation of Compliance), any cardholder data you share with them will be handled securely. PCI DSS Requirement 12.8 still expects you to keep a list of the service providers you share cardholder data with, to agree in writing which requirements each one is responsible for, and to check their compliance status at least annually.
However, using a PCI DSS compliant service provider doesn't in itself reduce the burden of compliance for your business; rather, it is how you use those services to accept, transmit and store card details that determines the level of PCI DSS compliance that must be attained.
In this section, we look at three common use cases, discuss the risks and benefits of each, and identify the likely implications from a compliance perspective.
Use Case 1: Accepting Payments and Handling Card Details on Your Servers (SAQ D)

Characteristics:
• You fully manage the transaction: card details are accepted on your own website
• Card details transit your servers
• Card details may be stored for later use
How it works:
1. Your website creates the payment page
2. The customer enters card data
3. You receive the card data and send the payment details to your payment service provider
4. The payment service provider receives the card data and sends it to the payment system to be authorised
PCI DSS requirements in scope: 100%

Most payment service providers offer an API which allows you to accept card details directly through your website. Under this model, your servers collect card details and submit them to your payment service provider. The card details transit your systems, and may be stored for future use. An API integration affords you the highest degree of control over the end-customer experience, as you retain full control of the look and feel of the payment page.
Benefits: Using an API allows you to create a payment flow customised exactly to your requirements, and allows you to retain the card data for future use.
Risks: Choosing an API integration means that in the event of a perimeter or firewall breach, the impact is much greater because of the nature of the data that you handle and store. The scope of PCI DSS compliance increases significantly, which in turn increases the cost and complexity of maintaining compliance, for example by requiring quarterly external vulnerability scans and annual penetration tests.
Furthermore, it may be difficult to detect that a breach has occurred. There have been instances where attackers have retained access to compromised systems for months or years, allowing them to steal a huge amount of customer data without detection.
Flow: the merchant collects the payment data, the merchant receives it on its own servers, and the payment service provider processes and authorises the payment.
Use Case 2: Accepting Payments on Your Website Through Direct Post (SAQ A-EP)

Characteristics:
• You partially manage the transaction: card details are collected by a form you serve, but are sent directly to the payment service provider for processing
• Card details never transit your servers
• Card details are not stored anywhere on your servers
How it works:
1. Your website creates the payment form in the customer's browser
2. The payment data is delivered directly from the customer's browser to the payment service provider
3. The payment service provider receives the card data, processes the payment, and returns the response to you
PCI DSS requirements in scope: 43% (140 of 326 requirements; 193 of 329 self-assessment questions)

One way to reduce your exposure to sensitive card details is to use a so-called "direct post" payment acceptance model. Under this model, your website renders the payment form in the customer's browser and submits the collected card details directly from the browser to your payment service provider. The card details never transit your servers, reducing the number of systems which handle card details. This also affords you a greater degree of control over the end-customer experience, since you still retain control of the look and feel of the payment page.
SAQ A-EP was introduced with PCI DSS 3.0 in response to direct post models. In essence, SAQ A-EP acknowledges that, while direct post implementations reduce exposure to such an extent that the more stringent requirements of SAQ D need not be applied, there are still significant risks in this approach. In particular, these implementations are more open to compromise by attackers than fully outsourced models, and where compromised, the compromise may be harder to detect. As a result, quarterly external vulnerability scans and penetration tests are still required.
Flow: the merchant collects the payment data, the payment service provider receives it directly from the browser, and the payment service provider processes and authorises the payment.
Benefits: Direct post payment acceptance methods can integrate seamlessly with your existing website and they work with most web-based programming languages. Sensitive card details are never transmitted through your servers.
Risks: Whilst sensitive card data does bypass your web server, your systems still create and serve the payment form to the customer. So while the data goes directly to the payment gateway, there remains a risk, where your systems or the scripts on your payment page have been compromised, that attackers can capture card data as it is entered by customers. Again, this kind of breach may be difficult to detect. As a result, quarterly external vulnerability scans and penetration tests are still required.
Note: It is not acceptable to store card details on your servers if you want to achieve SAQ A-EP compliance; any storage of card details automatically implies the need to complete SAQ D.
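The browser side of the direct-post flow described above, as an added example that is not Realex's or any provider's integration code: the card fields are posted from the browser to the payment service provider, and only the provider's non-sensitive response is posted to the merchant's own server. The field names, the response shape and the two transport functions are assumptions; in a real page they would wrap fetch() calls to the provider's endpoint and to your own. The guard at the end is the check a practitioner wants when claiming SAQ A-EP: nothing that looks like a card number or security code may ever be sent to your own servers, even if the provider echoes a full PAN back in its response.

```javascript
// Added example (not Realex or any provider's integration code). Browser side
// of a direct-post integration: card fields go from the browser to the PSP,
// and only the PSP's non-sensitive response goes to the merchant server.
// Field names, the response shape and the two transport functions are
// assumptions; in a page they would wrap fetch() calls.

// Luhn check: used to recognise a card number that must never reach the merchant.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk any value bound for the merchant and return the paths of anything that
// looks like a PAN (13-19 Luhn-valid digits, spaces and dashes ignored) or a
// security-code field. Masked numbers such as "411111xxxxxx1111" do not match.
function findCardData(value, path = "$") {
  const hits = [];
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (/^(cvv|cvc|cvn|csc|security_?code)$/i.test(key)) hits.push(childPath);
      hits.push(...findCardData(child, childPath));
    }
  } else if (typeof value === "string") {
    if (luhnValid(value.replace(/[\s-]/g, ""))) hits.push(path);
  }
  return hits;
}

// The direct-post flow. postToPsp(payload) and postToMerchant(payload) are
// injected so the flow can be exercised without a network.
function submitDirectPost(form, postToPsp, postToMerchant) {
  // 1. Card data leaves the browser for the PSP only (never for the merchant).
  const pspResponse = postToPsp({
    merchantId: form.merchantId,
    orderId: form.orderId,
    amount: form.amount,
    currency: form.currency,
    cardNumber: form.cardNumber,
    expiry: form.expiry,
    cvv: form.cvv,
    cardholderName: form.cardholderName,
  });

  // 2. Only the PSP's result is relayed to the merchant server.
  const merchantPayload = {
    orderId: form.orderId,
    result: pspResponse.result,
    authCode: pspResponse.authCode,
    pspReference: pspResponse.pspReference,
    maskedCard: pspResponse.maskedCard, // e.g. "411111xxxxxx1111"
  };

  // 3. Guard: refuse to send anything that looks like card data to the merchant,
  //    even if the PSP echoed a full PAN back in its response.
  const leaks = findCardData(merchantPayload);
  if (leaks.length > 0) {
    throw new Error(`card data would reach the merchant at ${leaks.join(", ")}`);
  }
  return postToMerchant(merchantPayload);
}
```

The same findCardData walk is worth running over whatever your merchant endpoint logs or persists: a single PAN written to an application log is enough to pull you out of SAQ A-EP and into SAQ D.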
Use Case 3: Accepting Payments on Your Website Through a Fully Outsourced Solution (SAQ A)

Characteristics:
• Your payment service provider completely manages the transaction: the simplest way to collect payment information securely, without handling customers' card details
• Depending on the provider, the payment page can be rendered in an iframe within your website, as a lightbox over your website, or as a full-page redirect to a third-party page
• You have no direct control over any element of the payment page
• Sensitive card details are never stored on your infrastructure
How it works:
1. You direct your customer to the payment service provider; this may or may not involve a change of domain, depending on the provider
2. The customer enters card details on a page hosted by the payment service provider
3. The payment service provider processes the payment
4. The result is returned to your website
PCI DSS requirements in scope: 4%

The most effective way to reduce your compliance overheads is to eliminate sensitive customer card details from your environment entirely. This can be done by using a payment page hosted by your payment service provider. Under a hosted payment model, your provider supplies a payment page which is securely connected to your website, and collects, submits and authorises payments on your behalf without your systems ever handling card details.
Benefits: Because the payment service provider controls all elements of the payment form, the risk of compromise is deemed to be particularly low. PCI DSS requirements are reduced to a minimum, saving valuable time and resources.
Flow: the payment service provider collects the payment data, receives it, and processes and authorises the payment.
Risks: Using outsourced solutions traditionally meant sacrificing control of the customer experience, a compromise that many eCommerce businesses were unwilling to make, since it might lead to lower conversion rates and ultimately less revenue.
Note: It is not acceptable to store card details on your servers if you want to achieve SAQ A compliance; any storage of card details automatically implies the need to complete SAQ D.
3 SAQs: Requirements At-a-Glance
Comparing the SAQ options (326 requirements in PCI DSS in total):
• SAQ A: 14 requirements in scope (4% of the total), a 96% reduction
• SAQ A-EP: 140 requirements in scope (43% of the total), a 57% reduction
• SAQ D: 326 requirements in scope (100% of the total), no reduction
Reducing the number of requirements you need to complete is only part of the story. The chart below illustrates the estimated cost and time to complete each of the three SAQ options (source: Drupal Commerce):
3 SAQs: cost and time-saving at-a-glance
Chart: estimated cost and time per SAQ (source: Drupal Commerce). Cost is plotted on a logarithmic scale from £100 to £1,500,000 and time from hours through weeks to months; SAQ A is the quickest and cheapest, SAQ A-EP sits in between, and SAQ D takes the longest and costs the most.
Reducing Your PCI DSS Compliance Burden

PCI DSS compliance alone isn't enough
"Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach." (Gregg Steinhafel, Target Chairman, President and Chief Executive Officer)
Unfortunately, demonstrating compliance doesn't guarantee security. Passing an audit means that your business was following industry best practice at the time of the assessment. However, as the example of Target shows, being compliant doesn't necessarily protect against data breaches.
The simple truth is this: if you handle, transmit or store sensitive card details on your own systems, you open yourself to the possibility of compromise. Maintaining the security required to protect sensitive card details requires a significant, ongoing investment of time and resources.
While there is no silver bullet to protect against breaches, there are numerous ways to dramatically reduce your risk and, in doing so, protect your company and your customers.
We're going to examine some of the best (and most cost-effective) ways to limit your risk of a breach and reduce your PCI DSS compliance overheads.
3 Options to Reduce Your PCI Overhead by up to 96%
As a business accepting payment by card, achieving and maintaining PCI DSS compliance is mandatory. But there are ways you can reduce your PCI DSS compliance obligations and costs, including:
• Network segmentation: isolate the systems that process, store and transmit cardholder data from the rest of your network
• Tokenising stored data: protect sensitive card data by replacing it with representative data which can't be used by anyone other than your business
• Moving to a Hosted Payment Solution: outsource card acceptance to a hosted payment page, and choose a provider that can deliver the flexibility you need to maximise conversion
5 CHALLENGES FACING MERCHANTS
Network Segmentation to Reduce the Cost and Complexity of PCI DSS Compliance

What is network segmentation?
If you accept card details directly, or store those card details for future use, network segmentation is one of the simplest ways to reduce the scope of your PCI DSS compliance and limit the risk of a data breach to you and your customers.
The concept is relatively straightforward. Take, for example, a business which operates a complex network with multiple servers carrying out different functions. By isolating the systems and servers which handle sensitive customer card details from the rest of the network, the scope of your PCI DSS audit can be significantly reduced.
Proper segmentation minimises access to sensitive information and makes it difficult for an attacker who has compromised one part of your network to reach your most sensitive data.

What are the benefits?
No network is 100% secure; there is always a risk of compromise. This is particularly true of large, complex systems, where vulnerabilities can be harder to detect and manage.
Network segmentation provides effective controls to hinder network intrusion and to limit an attacker's movement through your network should they breach the initial barriers.
Network segmentation can significantly reduce the scope of a PCI DSS audit by demonstrating that cardholder data is isolated in a segmented location (the Cardholder Data Environment, or CDE), so that only that segment, and the systems that connect to it, need to be assessed.
The value of segmentation is substantial, with significant reductions in the cost and complexity of demonstrating compliance achievable in the following areas:
• Cost of audit: if the number of systems in scope for your PCI DSS audit is reduced, the complexity and therefore cost of the audit is similarly reduced
• Resources spent securing the segment: less effort is required to develop and maintain security policies to protect the segment
• Forensic effort: should a security breach occur, it is easier to pinpoint where it happened
NOTE: While network segmentation can reduce the scope and cost of your PCI DSS audit, businesses who accept or store card details on their own systems must still demonstrate compliance to the highest degree, e.g. SAQ D. If you want to minimise your compliance overheads, it is generally recommended that you outsource card acceptance and storage entirely.
What's needed for network segmentation?
Many different technologies can be used to segment networks, but when isolating cardholder data for PCI DSS purposes, there are some considerations to factor in:
• Create policies for security-based segments: segmentation alone isn't enough if specific security policies aren't applied to the segment. To be compliant with PCI DSS, a firewall should be used to protect the segment, and policies should then be created around user access.
• Provide proof that policies are in place: you need to be able to show that you have policies in place to protect cardholder data. Assessors will also need access to tools that show who has access to the segment and demonstrate that the policies are being followed closely. PCI DSS also requires segmentation controls to be penetration tested at least annually and after any change to them (Requirement 11.3.4); since version 3.2, service providers must do so every six months.
Correct segmentation saves cost and resources as well as adding a layer of security protecting you and your customers.
The massive data breach at Target is an example of what can go wrong if policies and procedures pertaining to segmentation aren't followed. The 2013 breach was carried out by attackers who entered the network using login credentials stolen from a heating, ventilation and air conditioning contractor that worked for Target at a number of locations, and moved from there to the systems handling card data.
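One way to produce the proof the "Provide proof that policies are in place" point asks for, as an added example that is not Realex's code or any vendor's tool: a small script that compares a firewall ruleset against the documented segmentation policy and reports any rule that lets traffic into the CDE outside that policy, or the absence of a final default deny. The host groups, the simplified "src dst port action" rule format and the sample rules are constructed for illustration; a real check would parse the export of your actual firewall and be re-run after every change.

```javascript
// Added example (not Realex's code or a vendor tool): compare a firewall
// ruleset against the documented segmentation policy and report anything that
// lets traffic into the CDE outside that policy. Host groups, the simplified
// rule format and the sample rules are constructed for illustration.

function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => ((n << 8) + Number(octet)) >>> 0, 0);
}

function parseCidr(cidr) {
  const [ip, bitsText = "32"] = cidr.split("/");
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipToInt(ip) & mask) >>> 0, bits, mask };
}

// True if every address of `inner` lies inside `outer` (a bare IP is a /32).
function cidrWithin(inner, outer) {
  const a = parseCidr(inner);
  const b = parseCidr(outer);
  return b.bits <= a.bits && ((a.base & b.mask) >>> 0) === b.base;
}

// Segmentation policy an assessor will ask you to evidence: which hosts form
// the CDE and which inbound flows are permitted (everything else is denied).
const policy = {
  cde: ["10.10.1.10", "10.10.1.11"], // payment application and its database
  allowedInbound: [
    { from: "10.20.0.0/24", to: "10.10.1.10", port: 443 }, // web tier -> payment app
    { from: "10.30.0.5", to: "10.10.1.0/24", port: 22 },   // admin jump host -> CDE
  ],
};

// Constructed ruleset in the order the firewall evaluates it.
const rules = [
  { src: "10.20.0.0/24", dst: "10.10.1.10", port: 443, action: "allow" },
  { src: "10.30.0.5", dst: "10.10.1.0/24", port: 22, action: "allow" },
  { src: "0.0.0.0/0", dst: "10.10.1.11", port: 3306, action: "allow" }, // stray: anyone -> database
  { src: "0.0.0.0/0", dst: "0.0.0.0/0", port: "*", action: "deny" },
];

// Returns a list of findings; an empty list means the ruleset matches the policy.
function auditSegmentation(policy, rules) {
  const findings = [];
  rules.forEach((rule, index) => {
    if (rule.action !== "allow") return;
    const reachesCde = policy.cde.some((host) => cidrWithin(host, rule.dst));
    if (!reachesCde) return;
    const permitted = policy.allowedInbound.some(
      (flow) => cidrWithin(rule.src, flow.from) && cidrWithin(rule.dst, flow.to) && rule.port === flow.port
    );
    if (!permitted) {
      findings.push(`rule ${index}: ${rule.src} -> ${rule.dst}:${rule.port} reaches the CDE but is not in the policy`);
    }
  });
  const last = rules[rules.length - 1];
  const defaultDeny = last !== undefined && last.action === "deny" && last.port === "*" &&
    cidrWithin("0.0.0.0/0", last.src) && policy.cde.every((host) => cidrWithin(host, last.dst));
  if (!defaultDeny) findings.push("no final default-deny rule covering the CDE");
  return findings;
}
```

Run against the sample ruleset, the audit flags the stray "anyone to the database on 3306" rule and nothing else; remove that rule and the list is empty. Keeping the policy in version control next to the ruleset gives an assessor both the documented intent and the evidence that the configuration matches it.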
Storing Card Data with Tokenisation of Sensitive Data to Reduce PCI Requirements

What is tokenisation?
The PCI DSS recommends that cardholder data is not stored unless absolutely required, and even then only if the benefits outweigh the risk of compromise. If you store card details for future use, you will always need to attest compliance at the highest level (SAQ D), increasing the cost and complexity of achieving and maintaining compliance.
How does tokenisation work?
Card tokenisation represents a viable way of keeping customer card data on file
without increasing the risks of compromise and without adding unnecessary
compliance overheads. Tokenisation replaces sensitive customer card details
with non-sensitive representative data (a token) which can be used to process
transactions as if you had the card details on file.
You can use tokenisation to retain the flexibility to take future payments while
achieving the lower levels of PCI DSS compliance overheads associated with SAQ
A and SAQ A-EP.
[Diagram: tokenised payment request. Request fields: Customer Reference, Card Reference, Amount, Currency, Sub-Account. The stored card is shown only as the masked number 517011xxxxxx0968 with expiry MM/YY, Cardholder Name and Card Type; the transaction Result is returned.]
NOTE:
While tokenisation reduces the burden of PCI DSS Compliance associated with storing card details,
the method of card acceptance is still a strong determining factor of the level of compliance required.
Merchants who use tokenisation, but who handle the card details directly at the point of acceptance,
will still need to attest to the higher level of compliance associated with SAQ D.
What are the benefits?
You will use the token to process payments and so do not need to store the
customer’s information, reducing the liability to your business. Additionally,
tokenisation outsources the burden of storing cardholder data to a third party,
reducing the costs involved with maintaining PCI DSS Compliance.
Compromised tokens are effectively useless to hackers, reducing the risk of fraud
arising from data breaches, and making businesses that employ tokenisation less
attractive as a target.
With tokenisation, you can implement one-click checkout solutions and subscription
business models easily, increasing customer conversion for returning customers
and reducing the churn associated with recurring payments.
What’s needed for tokenisation?
There are a number of different approaches to tokenisation which you can employ.
By far the most common method is to exchange sensitive customer card details
for a token provided by your PSP. You can then use the token, rather than the card
details, to take a payment.
Approaches to tokenisation are evolving and the card associations (Visa and
MasterCard) are providing token provision services which allow you to exchange
card details for a token issued by the association itself.
These tokens are effectively indistinguishable from standard card details, and so
can be used across payment service providers and merchant service providers.
However, they can also be limited to specific use cases to create an added layer of
security. Emerging mobile payment methods Apple Pay and Android Pay use this
approach to secure customer card details.
However, at the time of writing, this approach has not been well-established for
merchants seeking to store card details; for most purposes, standard payment
service provider tokenisation will meet the needs of most businesses.
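To make the PSP tokenisation model above concrete, here is an added example (not Realex code, and not any PSP’s real API) that simulates both sides of the exchange: a hypothetical PSP vault that holds the full PAN and hands back a random card reference, and a merchant card store that keeps only the token, the masked number and the expiry, then pays by submitting the reference with the same request fields the whitepaper’s diagram shows (customer reference, card reference, amount, currency, sub-account). The PAN, customer reference and sub-account values are constructed sample data, and the final function is a simple scope check a merchant can run to confirm nothing PAN-shaped has crept into their own records.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample data: a test-style number, not a real card.
# It masks to 517011xxxxxx0968, the form used in the whitepaper's diagram.
SAMPLE_PAN = "5170111111110968"


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets a merchant display."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


@dataclass
class PspTokenVault:
    """Hypothetical PSP-side vault: the only place the full PAN ever lives."""
    _vault: dict = field(default_factory=dict)

    def tokenise(self, pan: str, expiry: str) -> dict:
        # The reference is random, so it carries no information about the PAN
        # and is useless to an attacker who obtains it from the merchant.
        card_ref = "tok_" + secrets.token_hex(16)
        self._vault[card_ref] = (pan, expiry)
        return {"card_ref": card_ref, "masked_pan": mask_pan(pan), "expiry": expiry}

    def authorise(self, request: dict) -> dict:
        # Only the PSP resolves the reference back to a PAN; a real PSP would
        # forward it to the acquirer, here we just return a stand-in result.
        pan, _expiry = self._vault[request["card_ref"]]
        card_type = "MasterCard" if pan.startswith("5") else "Other"
        return {"result": "00", "card_type": card_type, "amount": request["amount"]}


@dataclass
class MerchantCardStore:
    """Merchant-side card-on-file records: token plus display data, never the PAN."""
    records: dict = field(default_factory=dict)

    def save(self, customer_ref: str, token_record: dict) -> None:
        self.records[customer_ref] = token_record

    def pay(self, vault: PspTokenVault, customer_ref: str, amount: str,
            currency: str, sub_account: str = "internet") -> dict:
        # Same fields as the diagram: customer ref, card ref, amount, currency, sub-account.
        request = {"customer_ref": customer_ref,
                   "card_ref": self.records[customer_ref]["card_ref"],
                   "amount": amount, "currency": currency, "sub_account": sub_account}
        return vault.authorise(request)


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def contains_pan(store: MerchantCardStore) -> bool:
    """Scope check: does any stored value look like a full card number?"""
    return any(PAN_PATTERN.search(str(value))
               for record in store.records.values() for value in record.values())
```

Running the scope check over a store that was populated only through tokenise() should always return False; if it ever returns True, card data has entered the merchant environment and SAQ A / A-EP no longer applies.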
Hosted Payment Solutions
What is a Hosted Payment Solution?
Hosted solutions combine hosted payment forms provided by the PSP with tokenisation
solutions to ensure that your business retains full control of the payment lifecycle
without ever having to handle sensitive customer card details.
Rather than accepting card details on your website, the customer uses a payment form
hosted by your Payment Service Provider to enter their card details, with the result of
the transaction returned to your system. Additionally, card details can be tokenised at
the point of acceptance to allow you to accept future payments.
What are the benefits?
The best way for a business to reduce the cost and complexity of PCI DSS compliance
is to fully outsource all acceptance, transmission and storage of customer card details
to a Level 1 compliant Payment Service Provider.
Businesses who fully outsource their payment acceptance and storage solutions can
achieve SAQ A PCI DSS compliance, which puts most of the requirements of PCI DSS
compliance out of scope. The risk of compromise is largely eliminated, since no
card data ever transits your systems. This, in turn, reduces the risk to your business.
As the complexity of PCI DSS compliance increases with every new iteration of the
standard, more and more eCommerce businesses of all sizes are choosing to outsource
their payment processing systems, choosing a Hosted Payments Solution over an
in-house API-based or direct post integration.
What’s needed for a Hosted Payment Solution?
Implementing a Hosted Payment Solution is often seen as a balancing act. On one
hand, hosted solutions can minimise the risks (and costs) associated with handling
sensitive card data. On the other, they are typically associated with a reduced level of
control of the online payments journey, along with the risk of lower conversion.
eCommerce businesses have to weigh up the cost of PCI DSS compliance with the
potential loss of control of the payments journey before making a decision on which
payments solution to choose.
Most payment providers now offer some kind of hosted solution. It is worth seeking
out a payment provider that can demonstrate a focus on UX, customer conversion, and
customisation of the payment page, as well as delivering flexible integration options
which can be adapted to your preferred customer journey.
Realex Payments’ Hosted Payment Solution delivers complete control of the
end-to-end payment experience on your website, without the associated PCI
DSS compliance costs.
Accepting online payments has never been easier, with a choice of PCI DSS
compliant integration methods that each deliver a seamless, customisable
payment experience to maximise conversion, across any device. Our payments
technology is secure and reliable with 99.99% uptime and dedicated support
around the clock.
3 Benefits of our Hosted Payment Solution
1. LOWER COMPLIANCE COSTS, MORE CONTROL
Realex Payments’ Hosted Payment Solution enables you to retain total control
of the payment experience on your website, without the associated PCI DSS
compliance costs.
- Customise your payment page
You can easily customise your payment page by modifying the HTML or
CSS to reflect the look and feel of your website, delivering a consistent
customer experience while maximising conversion.
- Store cards in a secure environment
We take care of your online payments completely within our PCI DSS v3.2
compliant environment, so you don’t need to handle, transmit or store
sensitive card details, minimising your PCI DSS obligations and expenditure.
Choosing a Hosted Payment Solution With Realex Payments
- Control your online payments
We provide the tools you need for transparent reporting in real-time to help
you to reconcile transactions, with the ability to search, void and refund
your transactions easily.
2. SIMPLE INTEGRATION
Integrating with Realex Payments’ Hosted Payment Solution is simple and
your dedicated account manager will help you every step of the way.
- Integrate easily with 3 hosted checkout options
You can embed the Hosted Payments Page in an iFrame within your website,
overlay a lightbox, or redirect your customers to a dedicated payment page.
- Reduce development costs
Regardless of which option you choose, we maintain a suite of SDKs, quick
guides and shopping cart integrations, which vastly reduces development
times and costs.
- Easily integrate additional beneficial services
Choosing Realex Payments’ Hosted Payment Solution opens up the
opportunity to add a broader range of services with little or no integration
work. These include Card Storage, Fraud Management, Dynamic Currency
Conversion and Alternative Payment Methods.
3. MAXIMISE CONVERSION
Our Hosted Payment Solution delivers a payment page that is designed to
maximise conversion through best practice techniques.
- Accept payments across every device
We deliver a payments page that adapts to any device so your customers
flow easily through the buying process, on desktop, mobile or tablet.
- Create a smooth user experience
The Hosted Payment Page is fitted with helpful prompts on your payment
page, such as automatic card type identification and real-time form validation
to maximise conversion.
- Enable customers to store cards
We help to strengthen customer retention by offering your customers
the option to securely store their card details on your Hosted Payment
Page, delivering a one click checkout experience for returning customers.
Customers can add, edit or delete their own cards, with details stored
within our PCI DSS v3.2 Level 1 compliant environment.
- Reach international customers with ease
As you scale locally and globally, we help you sell beyond borders with a
checkout that adapts to 15+ languages, along with Multi-currency and Dynamic
Currency Conversion (DCC) to reach new markets.
- Access our payment innovations instantly
Our in-house user experience team continually enhances the Hosted Payment
Solution with new innovations that optimise your conversion rates for both
one-off and repeat customers.
SERVICE. DRIVEN. COMMERCE
PROCESSING £1 BILLION ONLINE EVERY YEAR
ALLPAY
When you’re a Level 1 PCI Merchant like allpay, compliance and audit costs can easily surpass 100,000 a year. allpay chose to outsource their payment page to Realex Payments to simplify their PCI DSS compliance and secure customer data, while retaining complete ownership of the online payment experience.
OVERVIEW: OFFERING THE WIDEST RANGE OF BILL PAYMENT SOLUTIONS, ACROSS EVERY DEVICE
allpay is one of the world’s largest payments specialists, providing bill payment services to 750 public and private sector organisations.
allpay collects over £6 billion a year and processes in excess of 55 million transactions through a diverse range of payment collection solutions designed to meet their customers’ needs.
CASE STUDY: ALLPAY LTD
THE CHALLENGE: INCREASING PCI COSTS AND CHANGING ONLINE PAYMENT TRENDS
In recent years, allpay has experienced strong growth in the number of customers paying through mobile and digital channels, with online payments now representing almost £1 billion of payments annually.
During a period of significant growth for the business, it became clear that it was no longer feasible to retain their in-house payment system. Keeping up with fast-changing payment trends was costly to maintain. Meeting Level 1 PCI DSS requirements was also costly for allpay, with onsite audits taking 5 days, along with high associated technology and licensing costs. As a result, allpay decided to look externally for a solution.
THE SOLUTION: A HIGHLY SECURE, PCI DSS COMPLIANT PAYMENTS SOLUTION WITH REALEX PAYMENTS
allpay chose a Hosted Payment Solution from Realex Payments. This payments solution removes allpay’s need to handle, transmit or store sensitive cardholder data. This maintains the security of sensitive data and also simplifies PCI DSS requirements. The migration from their in-house payments to the Hosted Payment Solution was seamless with virtually no impact on allpay’s clients or staff.
James Bolton, Product Manager for Card Acceptance at allpay, says, “Realex provided a high level of support throughout our migration as well as accurate documentation allowing our developers to work efficiently.”
Realex Payments provides allpay with a completely customised hosted payment page, delivering a seamless checkout experience for their end customers, across desktop and mobile devices. In addition, the solution offers a comprehensive suite of transaction reporting, full access to the best fraud user experience in the market and
subscription payments functionality to help allpay to schedule payments so as to maximise repeat revenue.
THE OUTCOME: 70% LESS PCI AUDIT TIME AND IMPROVED SPEED-TO-MARKET BY UNDER 6 MONTHS
For allpay, one of the main benefits of moving to a Hosted Payment Solution with Realex Payments has been to simplify PCI compliance.
James Bolton notes, “We are still classed as a PSP Level 1 provider, however our onsite audit was greatly reduced with our QSA completing the work needed within 1.5 days – a 70% reduction from what it took before, because we don’t see or store any Personal Account Numbers (PANs) through our system, which has saved us time and money.”
“These weren’t the only costs we saved; we have been able to reduce licence fees in the high end of 5 figures, whilst also reducing the amount of development and maintenance work that we would have to do with every iteration of PCI DSS. This also means our IT Operations team can focus on deployment of new products as opposed to updating PCI DSS compliant servers / systems," comments Bolton.
Realex Payments now processes almost half a million transactions on behalf of allpay and expects this to increase considerably. Since coming on board, allpay has released a payments scheduler to support subscription payments. Launching the payments scheduler as part of Realex Payments’ solution has increased allpay’s speed to market by five to six months, and reduced launch costs significantly.
Nick Peplow, Bill Payments Director at allpay, concludes, “Since partnering with Realex Payments, we have simplified our auditing process dramatically, saving us valuable time. We now operate an online payments page that fully reflects our brand, reassuring our customers, whilst still benefiting from the extensive security features of Realex Payments’ solution.”
Conclusion
PCI DSS compliance is costly, but there are ways to reduce your scope. By implementing key changes to your technology (such as tokenisation and network segmentation), you can save time and money, as well as reducing your liability as a business in the event of a breach.
If you currently process payments in-house, through API or Direct Post, you can save a significant amount of money every year by outsourcing your payments page to a PCI DSS compliant payment service provider.
Perhaps your decision to keep control of your payments page was made some years ago, when the only option was to redirect your customers to a third party webpage.
Technology has changed.
Today, you can have a fully customisable payment page, embedded within your site through an iframe and you can reduce your PCI in-scope requirements by 96%. Even if you are a Level 1 eCommerce provider and need to do an onsite audit, you can still reduce audit time and costs by up to 70%.
Let us talk you through how you can simplify your PCI DSS requirements. Every Account Manager at Realex Payments receives the latest PCI DSS compliance training. Get in touch and let us talk you through your options.
Contact us or visit www.realexpayments.com for more information on how you can outsource your PCI overheads.