A technology setup that involves relying on a PCI-Compliant third-party provider that you redirect to will still require consideration for what may be in scope for PCI. As detailed in PCI Scoping Guidance there are two types of systems:

• CDE Systems - System components that store, process or transmit Cardholder Data or Sensitive Authentication Data or system components that are on the same network segment. (e.g. subnet, VLAN, et al.)

• Connected-to and/or Security-Impacting Systems - Among other things consists of system components that can impact the configuration or security of the CDE, or how CHD/SAD is handled. The example used is a web redirection server or name resolution server.

To use an example, in a setup where a web server uses a redirect it could be considered a Connected-to and/or Security-Impacting System that must satisfy applicable PCI requirements. Even though that server is not processing, transmitting, and/or storing any Cardholder Data the compromise of that server, for example, can directly impact how Cardholder and/or Sensitive Authentication Data is handled as well as the definition of what is in the Cardholder Data Environment.

It is important to consider Connected-to and/or Security-Impacting Systems as well as PCI Scoping Guidance to ensure that you do not unintentionally overlook scenarios that may require PCI requirements to be in place.

Yes. All merchants, small or large, are required to be PCI compliant. The payment brands have collectively mandated PCI DSS compliance for any and all organizations that process, store, or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data.

Yes. All merchants that store, process, or transmit cardholder data are required to comply with the PCI DSS, regardless of the medium in which they operate (hard copy or electronic) or method in which they communicate the data (IP, analog, cellular, or satellite).

Yes. Any division of a business that stores, processes, or transmits cardholder data must comply with the PCI DSS. However, if an entity has multiple merchant accounts that have the same network configuration, operate according to the same information security policies and procedures, and utilize the same equipment, they may be able to assess all locations under one SAQ.

As detailed in the PCI DSS FAQs merchants and service providers should always consult with their acquirer (merchant bank) or payment brand directly, as applicable, to confirm their PCI DSS validation and reporting method (e.g. whether to complete an onsite assessment and Report on Compliance (ROC), or a self-assessment and SAQ).

Sensitive data received from customers must be cleared to limit the exposure of PCI Data. These are the best practices for all parties who are dealing with sensitive information:

• If a credit card number or bank account number is sent to you, you should delete the record of the attachment or email

• When referring to a sensitive number, replace the center numbers with Xs. For example, a card number could be 4050-XXXX-XXXX-1234 or an SSN/TIN XX-XXX-1234

• Will request a new record/ticket without the full PAN data

These are the best practices for all parties who are dealing with sensitive information:

• If a merchant requests full PAN data, politely decline to provide the information

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended to meet the needs of particular types of environments. The PCI Security Standards Council makes resources available here with guidance on how to successfully complete.

All merchants accepting payment by credit or debit cards are required to comply with PCI DSS. This website provides the tools needed to achieve compliance with the least amount of time, effort, and expense.

Merchants are contractually required to comply with the PCI DSS as part of their processing agreement to accept card payments with the Card Networks. Failure to meet the contractual obligations may result in the payment provider assessing fees, suspending the ability to process transactions, and/or termination of the agreement.

The questionnaire can be renewed either by clicking on the Re-Assess button, if available or by completing a new SAQ. SAQs are valid for one year from the date they are submitted.

EMV (Europay, MasterCard, and Visa) cards or “chip” cards have chips embedded in the card that is utilized much like the magnetic stripe in traditional cards. If a terminal is certified to read the chip and uses this functionality, the merchant is considered to be EMV compliant.

Am I allowed to select the PCI Compliance Team who does my compliance?

Unless your payment provider has other regulations in place, you can select any vendor to become PCI compliant. 

All merchants are required to be PCI DSS compliant. Refusal to comply may result in fines or the loss of the ability to accept debit and credit cards.

An ASV scan is a non-intrusive external scan against the public address of a merchant's card processing network. The scan checks for open TCP & UDP ports at the network gateway and tests for vulnerabilities and common misconfigurations which could put card data at risk. Additional information about the ASV scan can be found in the ASV Program Guide which is available from the PCI SSC website: https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v3.0.pdf.

For the purposes of this section, an endpoint is any device that can be used to process, transmit and/or store data or connect to or facilitate connections to other devices that may contain data and interconnectivity elsewhere. Common examples include laptops, mobile phones, printers, and tablets.

Today’s interconnected world of what is often referred to as the Internet of Things (“IoT”) consists of devices containing devices running technologies to foster beneficial things like connectivity, productivity, and other aspects that are desirable by consumers. As a result, it has created an increasingly complex environment relative to information security due to the nature of how devices work, the state of the key technologies supporting those devices, and how humans interact with them. 

To provide a more relatable example, in the fall of 2016 there was a distributed denial of service (“DDoS”) attack that rendered a sizable portion of the internet's backbone unusable. This attack was carried out by spreading malware to IoT devices such as cameras, baby monitors, printers, and routers to, in turn, flood internet infrastructure with a denial of service attack. The result was that business operations contingent on reliable internet came to a halt. 

All of that said, endpoints are relevant in that they are internet-connected devices that, if compromised or used maliciously, can result in the unauthorized access to, disclosure of, modification of, or destruction of data as well as impairment of other devices or systems. When this type of undesirable occurrence takes place within an organization it can be quite disruptive and may result in regulatory proceedings, fines, etc.

There are many options and approaches that can be pursued when trying to mitigate risks associated with endpoints. Below are several common approaches:

• Inventory - establish a reliable inventory of devices to have as complete of a view on how many devices exist, how they are being used, and by whom.

• Antivirus and Antimalware - deploy anti-virus and anti-malware solutions to detect and mitigate malware that presents itself on devices. There are solutions available today that also take more of an Artificial Intelligence and behavioral approach to detecting and mitigating threats applicable to devices.

• Mobile Device Management - leverage a management solution to centrally deploy security configurations and technologies to all devices. This type of solution is often paired with antivirus and antimalware technologies and used as the bridge between the device and the technology.

Support and Implementation teams will only ever communicate with Payrix Clients over email using ‘payrix.com' email addresses. Should you receive any communications from other domains that are attempting to engage in business activities with you please reach out to us immediately for review and any required action(s) deemed necessary. Further, in the course of providing support to Client's Payrix will never ask for sensitive information such as credentials (e.g. passwords).

In the event that you receive an unscheduled phone call from Payrix Staff requesting access to Confidential Information or that you take action on any of your systems or Payrix’s Products and Services please leverage the Support Portal to confirm that it is a valid Support activity. This portal can also be used for any other potentially suspicious behaviors that you observe.

Social engineering is a set of techniques used by malicious individuals to attempt to manipulate human psychology in order to achieve specific goals. Phishing is common when someone sends an urgent email to an individual with limited technological proficiency instructing them to provide payment to free their loved one from jail abroad or to click a link that routes them to a malicious site asking them to enter their login credentials. Other forms include attempting to gain physical entry to areas of a facility containing confidential information through manipulation of individuals or phone calls to individuals trying to trick them into providing sensitive information over the phone.

Identifying some training resources appropriate to your organization to have Staff review on an annual basis is a good place to start. There are a number of free resources available online that provide basic training on how to detect and thwart Social Engineering attacks.

Additionally, given how common phishing attempts have become, it is best practice to review email provider capabilities to determine the types of protections that can be put in place to mitigate against phishing attacks and deploy any mitigations determined to be appropriate and feasible.

Malicious individuals use various spoofing techniques to trick users into believing an email is legitimate. Common themes include, but are not limited to, the following:

• Use of ‘cousin’ domains - e.g. payrlx.com vs. http://payrix.com  

• Enticing, urgent, or threatening language is commonly used to encourage the recipient to take immediate action.

• Grammatical errors are an obvious red flag, but sophisticated hackers do not make glaring errors.

• Emails including attachments.
  

Other things to consider:

• Before clicking, hover over the link to see the URL of where the link actually leads, and beware of link shorteners, such as Bitly or TinyURL. Keep in mind that phishing emails can include clean URLs in addition to the phishing URL to trick users and email filters.

• Pay special attention if a message states “I can’t talk right now” or “call me at this number instead”

• Cybercriminals can easily replicate brand logos, images, and badges in emails and web pages that are indistinguishable from the real thing.

For further tips or examples, check out the Federal Trade Commission’s Phishing Guide.

Multi-Factor Authentication is authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). 

The unfortunate reality is that passwords alone are often not sufficient enough to prevent your or your users’ accounts from being compromised. With advancements in computing and technology, it has become much easier to carry out brute force or other password-specific attacks to gain unauthorized access to someone’s account. A strong password policy is important, however, by itself is not always sufficient to prevent an account compromise

MFA is a simple step that can be leveraged to mitigate account compromises. Microsoft recently published a blog related to their cloud services indicative of the effectiveness of this type of mitigation relative to the percentage of account compromise attacks that would have been blocked, which is over 99.9%.

To provide a more user-friendly experience with MFA an Identity Provider (“IdP”) or centralized authentication platform can be leveraged to save time for your users. This type of technology can also provide valuable insights into security events such as where your users are logging in from and detail on failed logins. Many IDPs also provide the functionality to configure security alerting, restrict from where and how users can authenticate, and which factors can be used. (e.g. SMS, Google Authenticator, FIDO)