Interchange Fees and PCI Prioritization 2009

Post on 13-Jun-2015

description

What retailers should know about Interchange Fees and where we stand with legislation and PCI Prioritization.

transcript

Where We Stand.

PCI Prioritization and Interchange Fees

Regulations and Legislation

Presentation by: Ross Federgreen*

*Founder, CSRSI® THE PAYMENT ADVISORS

PCI Critical Dates

Prioritization

Interchange Legislation

PCI Critical Dates

ALIGNMENT July 1, 2010

US Payment Application Security Mandate

Phase I through Phase V

TDES Mandate

POS PIN Acceptance Device Mandate

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase I Jan 1, 2008

Phase II July 1 , 2008

Phase III Oct 1, 2008

Phase IV Oct 1, 2009

Phase V July 1, 2010

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase I Jan 1, 2008

Newly boarded merchants must not use known vulnerability payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications.

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase II July 1, 2008

VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant applications

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase III October 1, 2008

Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase IV October 1, 2009

VNPs and agents must decertify all vulnerable payment applications.

US Payment Application Security Mandate (CISP 102307)

Phase I through Phase V

Phase V July 1, 2009

Acquirers must ensure their members, VNPs and agents use only PA-DSS compliant applications.

Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)

Phase I through Phase II

Phase I January 1, 2009

Newly deployed US Automated Fuel Dispensers must contain a TDES capable and PCI approved Encrypting PIN pad.

Triple Data Encryption Standard (TDES) Mandate (PIN Security Bulletin 093008)

Phase I through Phase III

Phase II July 1, 2010

All US POS PEDs must encrypt PINs using TDES end-to-end.

POS PIN mandate (PIN Security Bulletin 093008)

July 1, 2010

All attended POS PIN acceptance device models must have passed testing by a PCI recognized or Pre PCI recognized laboratory and have been approved by Visa.

PRIORITIZATION

PRIORITIZATION

“The prioritized approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey.”

PCI Security Standards Council, 2009

PRIORITIZATION

The Prioritized Approach

Benefits:

1. Roadmap
2. Pragmatic approach
3. Supports financial and operational planning
4. Objective and measured progress indicators
5. Consistency among QSAs

PRIORITIZATION

The Prioritized Approach

Six security milestones

1. Remove sensitive authentication data and limit data retention
2. Protect the perimeter, internal and wireless networks
3. Secure payment card applications
4. Monitor and control access to your system
5. Protect stored cardholder data
6. Finalize remaining compliance efforts and ensure all controls are in place

INTERCHANGE

INTERCHANGE

Significant bipartisan effort to remove the current Interchange system, driven by the merchant community and the consumer community.

7-11 petition drive during summer 2009 obtained 1.6 million signatures in one week.

Current Pending Legislation

Credit Card Fair Fee Act of 2009 (HR2695)

Credit Card Fair Fee Act of 2009 (S1212)

Credit Card Interchange Fees Act of 2009 (HR 2382)

INTERCHANGE

HR 2695 (Conyers Bill)

• Create an exemption in the antitrust laws to allow merchants to form collective bargaining units to negotiate rates and terms of accepting payment cards with any electronic payment system with over 20% market share (credit/debit combined).

• Therefore MasterCard and Visa only.

• To facilitate negotiations there are disclosure requirements for each side

• Supervision by the Attorney General

• No consequences for unsuccessful negotiation

INTERCHANGE

S 1212 (Durbin Bill)

• Disclosure of facilitated negotiations

• Consequence of failure to reach a voluntary relationship

• Resolved by special three judge panel

• Judicial panel is required to choose between submitted proposals using the criteria of that which would prevail in a “perfectly competitive market.”

INTERCHANGE

HR 2382 (Welch Bill)

• Focuses on credit card network rules that restrict merchants' ability to choose card types and terms of utilization.

• Prohibits card networks from restricting merchants in:
  • Steering consumers toward payment methods
  • How merchants can price

• Prohibits card networks from charging more for reward cards.

INTERCHANGE

CREDIT CARD ACCOUNTABILITY RESPONSIBILITY AND DISCLOSURE ACT OF 2009

Public Law 111-24

May 22, 2009

TITLE V SECTION 501

INTERCHANGE

TITLE V SECTION 501

“STUDY AND REPORT ON INTERCHANGE FEES”

(a) The Comptroller General of the United States shall conduct a study on use of credit by consumers, interchange fees and their effects on consumers and merchants.

(c) Not later than 180 days after the date of enactment of this Act, the Comptroller shall submit a report to the Committee on Banking, Housing and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives…

INTERCHANGE

TITLE V SECTION 501

“STUDY AND REPORT ON INTERCHANGE FEES”

(b) Nine major areas of focus, including:

• How much Interchange Fees are overseen by the Federal banking agencies or other regulators
• How the Interchange or merchant discount fees affect the ability of merchants of varying size to negotiate price with card associations and banks
• The costs and factors incorporated into Interchange fees
• The effect of Interchange fees on the cost of goods and services

Confused by the continual complexity of PCI Compliance?

Contact us. We have answers. Learn more at www.CSRSI.com

Ross Federgreen
rfedergreen@csrsi.com
866-462-7774 x1
Jensen Beach, FL

Jan Carroza
jcarroza@csrsi.com
866-462-7774 x4
Seattle, WA