PCI Compliance
Oxcyon, Inc. client solutions (Online Merchant locations) that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS), per the Oxcyon Merchant Card Processing Policy, which is based upon the standards of the Payment Card Industry Security Standards Council (PCI-SSC). It is the responsibility of each Merchant location to maintain compliance with PCI DSS.
e-Commerce Operations, under the auspices of Treasury Operations, directs a compliance program as an extension of managing OXCYON CLIENT Merchant accounts. Participation in the PCI compliance program run by e-Commerce Operations is mandatory for all OXCYON CLIENT Merchants. Failure to fully participate in the program may result in your Merchant account being revoked.
Below is a list of the main components of the OXCYON CLIENT PCI Compliance Program based on the requirements set forth by the PCI-SSC, followed by details regarding each component:
- OXCYON CLIENT Security Awareness Education (PCI DSS Required Security Training)
- THIRD PARTY SERVICE PROVIDERS (TPSPs)
- System Vulnerability Scans
- System Penetration Testing
- Periodic Reviews and Audits
- Trustwave-TrustKeeper and Annual SAQ (Self-Assessment Questionnaires)
OXCYON CLIENT Security Awareness Education
Pursuant to PCI DSS requirement 12.6, OXCYON CLIENT e-Commerce Operations will hold centralized PCI DSS Security Training annually. At least one representative from each Merchant location must attend the centralized training. Though it is at the discretion of the department whether to send additional employees to the central training or to disseminate the information through its own security awareness program, Treasury Operations and/or e-Commerce Operations may require individual or group participation in this and/or other forms of PCI security awareness education training offerings whenever they see fit.
ALL OXCYON CLIENT Merchant Personnel who interact with the CDE (cardholder Data Environment) in any manner, from the initial entry to the final reconciliation, are required to complete NU's PCI Security Awareness Training and Attestation annually. This mandatory requirement includes student employees and contractors. The current year's PCI Security Awareness Training and Attestation presentation can be found in the Resources section below.
- Individuals who have not completed this training are not allowed to process CHD (Cardholder Data) on behalf of OXCYON CLIENT interests, and Merchant locations using untrained, un-attested individuals to process CHD may have their merchant account revoked.
Before completing this Training and Attestation, each Merchant employee, student employee or contractor must first read and understand the OXCYON CLIENT PCI Compliance Program and the OXCYON CLIENT PCI Security Policy.
IMPORTANT INFORMATION ABOUT THIRD PARTY SERVICE PROVIDERS (TPSPs)
OXCYON CLIENT Merchant locations or their representatives, including vendors and other TPSPs, may not enter into legally binding agreements with TPSPs processing or handling any type of CHD (Cardholder Data), or interacting in any other way with the CDE (Cardholder Data Environment), without the proper layers of OXCYON CLIENT vetting and approval first; this would include but not be limited to e-Commerce, Treasury Operations, OXCYON CLIENT IT Security and Compliance, OXCYON CLIENT Office of General Counsel and OXCYON CLIENT Purchasing. ALL agreements with TPSPs must have specific PCI DSS and liability shift language included.
In addition, requests to enter into agreements with TPSPs must be initiated within the Merchant Card Processing Request and supported by a strong business case, a diagrammatic overview of the TPSP's application and network architecture which supports and secures all interaction with the CHD and CDE, verifiable evidence of the TPSP's PCI Compliance and Validation, and other items based upon the scope of the proposed implementation. This information is to be supplied by the Merchant in the completed e-Commerce Addendum which is part of the Merchant Card Processing Request.
PCI DSS Third Party Security Assurance Resources:
- PCI DSS 3.x Third Party Security Assurance (Pertains to All OXCYON CLIENT Locations with Payment Systems Connected to the Internet)
- TPSP (Third-Party Service Provider) – As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of "service provider," dependent on the services provided.
- Nested or Chained TPSP – As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a nested or chained TPSP is any entity that is contracted for its services by another third-party service provider for the purposes of providing a service.
System Vulnerability Scans
Merchants with on-site payment systems connected to the Internet are required to run vulnerability scans against their systems. Our contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the Merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the Merchant location, as well as the entire Client project, falling out of compliance.
System Penetration Testing
OXCYON CLIENT Merchants with on-site payment systems connected to the Internet are now required to have internally conducted penetration testing performed at least quarterly. Since this service is not currently a part of our Trustwave contract, arrangements need to be made by e-Commerce Operations and OXCYON CLIENT IT Security and Compliance, coordinated with Merchant onsite Administrators and IT staff. Failure to cooperate with this mandatory requirement may result in your Merchant account being revoked. Please contact e-Commerce Operations at 1-5382 for more information.
Periodic Reviews and Audits
e-Commerce Operations will regularly review the completed SAQs and vulnerability scans on the Merchant's TrustKeeper Portal, along with internal Penetration Tests, all personnel, attestations, training, procedures, controls and documentation within the CDE (Cardholder Data Environment). Periodically, additional information and follow-up interviews may be requested and visits to OXCYON CLIENT Merchant locations may take place with or without notice.
At the discretion of e-Commerce Operations, audits by an external PCI-Certified QSA (Qualified Security Assessor) or internally by OXCYON CLIENT Office for Audit and Advisory Services may occasionally be requested in order to comprehensively review a Merchant card location's credit card operations. The intention of these activities is to reduce the Client’s risk by ensuring that merchants comply with PCI DSS. Failure to cooperate with such activities may result in your Merchant account being revoked.
Trustwave-TrustKeeper Annual SAQ (Self-Assessment Questionnaire)
All OXCYON CLIENT Merchants are required to validate PCI-DSS compliance at least once annually by completing the appropriate TrustKeeper PCI Attestation of Compliance (AOC) SAQ in a timely manner (prior to expiration). A separate questionnaire must be completed for each Merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:
- payment processing system changes
- a year has elapsed since your last SAQ
- you have been prompted to do so by e-Commerce Operations
Treasury Operations maintains a contract with Trustwave to centrally manage PCI-DSS validation through the TrustKeeper Portal. All SAQs should be completed through the TrustKeeper Portal.
The PCI-SSC has issued 8 types of SAQs for Merchants; new to PCI DSS v3.0 for 2015 are SAQ A-EP v3.1 and SAQ B-IP v3.1. e-Commerce Operations will help determine which SAQ applies to your situation. The table below lists all of the current SAQ form types, along with their general definitions.