PCI security standards: A high-level overview
Prepared by: Joel Dubin, Manager, RSM US LLP, joel.dubin@rsmus.com

Many merchants have difficulty understanding how they must comply with the Payment Card Industry Data Security Standard (PCI DSS). Some may assume that PCI applies only to certain businesses or service providers, for example. Banks that outsource credit and debit card processing also may be uncertain as to compliance requirements. Questions may further arise if the bank does not issue credit or debit cards at all.

Many merchants who accept credit cards for transactions often struggle to determine exactly what they must do to be compliant with PCI DSS. And now, with the standard being updated more frequently than the three-year cycle it followed up until this year, many merchants are at a loss to keep up with the changes. The most recent version of the standard, version 3.2, came out this year and is already in force.

Even if a community bank, for example, knows it must comply, understanding which guidelines are applicable to its institution can be challenging. Yet noncompliance could result in significant financial penalties and reputational damage to the community bank. Customer accounts could also be compromised.

To clarify this issue, this white paper will examine how PCI DSS affects different types of merchants and financial institutions, such as retailers, restaurants and hotels, and banks, under what circumstances, and which standards should be followed in certain situations.

A short history lesson

To understand the purpose and scope of PCI standards, consider how the standard came to be. First of all, protection for cardholder data has long been a hot topic in the financial services industry. The issue was highlighted by the 1999 passage of the Gramm-Leach-Bliley Act, which (among other things) stipulated that financial institutions must have a policy in place to protect information from security threats.

In the end, however, the PCI standard was developed not as a law or regulation, but as a private initiative by the payment card industry. The PCI Security Standards Council (SSC) was launched in 2006 by the five global payment brands, Visa, Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB International; it was responsible for the development, management and education of the PCI standards.

Shortly thereafter, the council introduced Payment Card Industry Data Security Standards (PCI DSS), a set of standards designed to ensure that merchants met minimum levels of security when they handled cardholder data. Later, the scope was broadened to include other entities.

PCI standards defined

The PCI standards are comprised of the following:

- Data Security Standard (PCI DSS): The security standard for any organization that processes, stores or transmits cardholder data, such as merchants and service providers
- Payment Application Data Security Standard (PA-DSS): Security standard for the development of application software that processes, stores or transmits cardholder data
- PIN transaction security (PCI PTS): Security standard for PIN entry devices such as credit card terminals
- Point-to-point encryption (PCI P2PE): Security standard for the encryption of communications between two endpoints

PCI standards apply to any merchant or service provider handling credit cards

Any merchant accepting credit cards for payment of transactions is required to meet PCI compliance.
The question of how to comply, whether with a full Report on Compliance (ROC) or just a Self-Assessment Questionnaire (SAQ), is based on what the credit card brands and the SSC define as merchant levels. Four merchant levels were established; the highest level, Level 1, conducts one million or more transactions a year. Level 1 merchants are required to undergo a full PCI assessment every year, including an onsite review by a Qualified Security Assessor (QSA) and the submission of a completed ROC to the merchant's acquiring bank or card brand.

The other merchant levels only require the filing of an SAQ, which can be done by the merchant themselves, or by a QSA. It's often better to have a QSA complete the SAQ, since the QSA can navigate the technical fine points in the SAQ.

Whether a merchant is a large retail or hotel chain, or a middle market business using credit cards for payments, PCI applies and needs to be considered.

Service providers are companies that handle credit cards but don't conduct transactions. A data storage company, for example, or a third party that handles credit cards for a merchant, would be in scope for PCI.

QSA companies, like RSM, can help navigate the maze of the 12 PCI requirements. Whether providing advice on network segmentation to isolate card data and reduce PCI scope, or providing advice on PCI-compliant logging and scanning, or identifying best PCI practices for user authentication and vulnerability management, QSA companies can assist.

A gray area might be banks, which issue and process cards but don't neatly fit into the merchant or service provider box. As we'll see in the following section, banks are in scope for PCI.

PCI standards do apply to banks

Unbeknownst to some community banks, the above PCI standards do apply to them, as well as to merchants and service providers. The specific requirement is spelled out on page 5 of the PCI DSS, and it states that the standard applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data.

According to the standards, a financial institution is considered a merchant if it accepts credit or debit cards for payment of goods and services such as for safety deposit boxes, public utility payments, payments for insurance policies or any other payments.

An institution is considered a service provider if it is connected to card processing networks such as VisaNet, NYCE (New York Currency Exchange) or First Data, and processes card transactions on behalf of merchants or other entities.

If a financial institution issues credit or debit cards (i.e., the card carries the financial institution's name or logo), it is considered an issuer, regardless of whether it physically issues the cards or has outsourced card issuance to a third party. However, a financial institution is only required to conform to the relevant PCI standards for issuers if the financial institution physically issues cards with the payment card brand logos.

A financial institution is considered an acquiring bank or acquirer if it contracts with merchants for the acceptance of credit or debit cards for payment. Even though the financial institution may have outsourced the processing of transactions to a third party, the financial institution is still considered the acquirer. Acquiring banks need to establish and maintain a merchant PCI compliance tracking and reporting system and must periodically report their compliance statistics to the appropriate payment card brand.

Community banks frequently ask questions about special circumstances affecting their bank. Here are three of the most common questions asked about PCI DSS.

If a bank outsources credit and debit card issuance and processing, is it required to comply with PCI standards?

Many financial institutions outsource credit and debit card issuance and processing to a third party and may assume that they are not required to comply with PCI standards. Even with a Service Organization Control report from the contracted third party, this is not the case. With outsourcing, a financial institution's applications and networks can still come into contact with cardholder data in a number of ways. The most common ways are:

- The switching and transmission of automated teller machine transactions over the institution's data network
- Storing of debit card full primary account numbers (PAN) in the institution's core application
- Accounting department personal computers or servers storing spreadsheets from Visa or MasterCard that contain full PANs
- Processing of credit or debit cards through dedicated card terminals or teller terminals for payments
- Storing credit or debit card full PANs in statement consolidation and rendering systems or as PDF files from a third party who creates the statements

These forms of contact are very common within financial institutions and dictate that the bank must demonstrate compliance with PCI standards.

Does PAN encryption and PA-DSS certification negate the need to demonstrate PCI compliance?

As a part of developing a secure network architecture, a financial institution's application providers can encrypt the full PANs stored by their applications. These vendors also ensure that financial institution applications are PA-DSS certified. With these measures in place, many financial institutions may think that compliance with the PCI standards is not necessary.

However, even when applications utilize encryption for storing cardholder data, that data still has to have been processed or transmitted to or from those applications. Also, while an application may be PA-DSS certified, a financial institution must ensure that the application was implemented according to the vendor's explicit requirements to maintain this certification. As a result, the financial institution is still responsible under PCI DSS for ensuring, at a minimum, that:

- Cardholder data is securely transmitted over the financial institution's network.
- Cardholder data is securely processed by the financial institution's applications.
- Any encryption used is based on an industry-tested and accepted algorithm such as the advanced encryption standard.
- Any encryption algorithm used employs strong key lengths and proper key management practices.

If a community bank does not issue credit or debit cards, does it have to comply with the PCI standards?

If the bank signs up merchants for accepting credit or debit cards for payment of goods and services, and the bank processes card transactions for those merchants, then the bank is required to comply with PCI DSS. Even if the bank does not process merchant transactions, it is still required to establish a merchant PCI compliance program, as well as periodically assess that program for the applicable payment card brand, and report its merchant PCI compliance statistics to the card brand.

In addition, while banks may not physically issue credit or debit cards, they may issue PANs to their commercial customers to use like a debit or credit card for purchasing airline reservations, office supplies and other business needs. If those PANs are processed or stored by any of the bank's application systems or are transmitted over their networks, then it needs to comply with the PCI standards.

What is new in PCI version 3.2?

The changes in PCI 3.2 are incremental revisions and clarifications to PCI 3.1.
Some of the highlights include the following:

- All administrative access to cardholder data now requires two-factor authentication
- Updated dates for the required migration from SSL to TLS for transmission of cardholder data over public networks, like the internet
- Support for display of PAN beyond the first six and last four, if there is a business justification

PCI compliance starts with an assessment

At a minimum, all banks should conduct an assessment of their applications and networks to determine if they process, store or transmit cardholder data. If they do, the findings should be analyzed to determine if each area is in compliance with the PCI security standards. Part of the assessment will involve an evaluation of which standards are relevant to the organization.

Based on the outcome of that assessment, the bank will know if it has any compliance gaps and what steps should be taken to close those gaps. If the organization is considered an acquiring bank, then it needs to have established an appropriate merchant PCI compliance program for its affiliated card brand.

Finally, bringing your systems into compliance with PCI has intangible benefits for your bank. Customer satisfaction is enhanced when cardholder data is secure, because customers feel they can trust you with their sensitive card information. If customers trust a bank, they are more likely to remain loyal to it. Likewise, compliance improves your reputation with your payments processing partners (acquirers, merchants, et al.), who will feel more confident in doing business with the bank.

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP RSM US LLP. All Rights Reserved. tl-nt-ras-all-1016
Changes to revenue recognition for franchisors Prepared by: Chris Banse, Partner, RSM US LLP +1 972 764 7061, chris.banse@rsmus.com Daniel Sullivan, Senior Manager, RSM US LLP +1 617 241 1492, daniel.sullivan@rsmus.com
More informationNONCONTROLLING INTERESTS IN BUSINESS COMBINATIONS
NONCONTROLLING INTERESTS IN BUSINESS COMBINATIONS Prepared by: Lindsay Hill, Director, RSM US LLP lindsay.hill@rsmus.com, +1 612 629 9692 Arlene Towarnicke, Director, RSM US LLP arlene.towarnicke@rsmus.com,
More informationMerchant Business Solution. Card Acceptance by Business Terms and Conditions. Version: 8.0. Effective date: December 2017.
Merchant Business Solution. Card Acceptance by Business Terms and Conditions. Version: 8.0 Effective date: December 2017. Postal address: Merchant Business Solutions GPO Box 18 Sydney NSW 2001 1800 029
More informationUPCOMING SCHEME CHANGES
UPCOMING SCHEME CHANGES MERCHANTS/PARTNERS/ISO COPY Payvision Ref: Payvision-Upcoming Scheme Changes (v1.0)-august 2016 1 Rights of use: COMPLYING WITH ALL APPLICABLE COPYRIGHT LAWS IS THE RESPONSABILITY
More informationBusiness services deal making: five critical partner compensation questions to consider
Business services deal making: five critical partner compensation questions to consider Prepared by: Mike Fanelli, Partner, RSM US LLP michael.fanelli@rsmus.com, +1 212 372 1883 Bobby Rooney, Director,
More informationEFTPOS Merchant Agreement Terms and Conditions
EFTPOS Merchant Agreement Terms and Conditions June 2018 Postal address: IBM 89 1 King Street Concord West NSW 2138 1300 650 977 1300 780 940 (EFTPOS 1 customers only) Facsimile: 02 9767 1526 2 Contents
More informationRevenue recognition considerations for member-owned private clubs
Revenue recognition considerations for member-owned private clubs Prepared by: Phil Newman, Partner, RSM US LLP phil.newman@rsmus.com, +1 239 513 6595 Ryan McAndrew, Manager RSM US LLP ryan.mcandrew@rsmus.com,
More informationPCI Compliance and Payment Card Processing Policy
PCI Compliance and Payment Card Processing Policy Policy Number: Effective Date: Approval: Office: PURPOSE: The University of Indianapolis accepts payment cards on payment for goods and services under
More informationBefore debiting the Cardholder, the Merchant shall conduct the checks specified below.
REGULATIONS FOR SALES PAID BY CARD REMOTE TRADING (Card Not Present) (October 2015) These regulations, the "Remote Trading Regulations", apply to sales paid by Card in Remote Trading. "Remote Trading"
More informationACA penalties are coming: Are you at risk? RSM US LLP. All Rights Reserved.
ACA penalties are coming: Are you at risk? Presenters Jill Harris Senior Director Washington National Tax Rochester, MN Bill O Malley Senior Director Washington National Tax Peoria, IL IRS assessments
More informationCredit Card Acceptance and Processing Procedures
Credit Card Acceptance and Processing Procedures Introduction Michigan Tech accepts credit cards for many payments of goods and services. Credit card payments must be processed in compliance with Payment
More informationSTEPPING INTO THE A GUIDE TO CYBER AND DATA INSURANCE BREACH
STEPPING INTO THE A GUIDE TO CYBER AND DATA INSURANCE BREACH 2 THE CYBER AND DATA RISK TO YOUR BUSINESS This digital guide will help you find out more about the potential cyber and data risks to your business,
More informationChapter 4 E-commerce Security and Payment Systems
Chapter 4 E-commerce Security and Payment Systems Copyright 2016 Pearson Education, Ltd. 4.5 E-COMMERCE PAYMENT SYSTEMS Copyright 2016 Pearson Education, Ltd. Slide 1-2 E-commerce Payment Systems In this
More informationMerchant Services. Program Terms and Conditions. (Program Guide)
Merchant Services Program Terms and Conditions (Program Guide) PREFACE Thank you for selecting us for your payment processing needs. Accepting numerous payment options provides a convenience to your customers,
More informationReloadable Card. Cardholder Frequently Asked Questions. June 2014 R.FQ.S E
Reloadable Card Cardholder Frequently Asked Questions Reloadable Card (1) Where can I use my card? Your card may be used anywhere debit cards are accepted. The brand marks on your card indicate where the
More informationCredit Card Processing Best Practices
Credit Card Processing Best Practices We are a merchant service provider dedicated to facilitating the passage of your sales tickets back to the thousands of institutions that issue the MasterCard (including
More informationChargebacks 101. Do draft retrievals result in upfront debits? No, draft retrievals are non-monetary.
Chargebacks 101 Can a telephone recording of a conversation with the cardholder be accepted as evidence that the cardholder no longer disputes? Unfortunately, the networks are not able to accept telephone
More informationCARD ACCEPTANCE GUIDE
CARD ACCEPTANCE GUIDE Released July 2015 SERVICE. DRIVEN. COMMERCE This Guide contains information protected by copyright. No part of this material may be duplicated, reproduced or disclosed in any form
More informationD A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E. May 2015
D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E May 2015 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E This presentation
More informationNo refunds will be granted In cases of extenuating circumstances, refunds will be granted solely on the decision of St Paul Greek Orthodox Church
St Paul Greek Orthodox Church Refund Policy No refunds will be granted In cases of extenuating circumstances, refunds will be granted solely on the decision of St Paul Greek Orthodox Church Privacy Policy
More informationMerchant Business Solutions
Pacific Merchant Business Solutions Terms and Conditions. Date: November 2015 Contact Details. Westpac Fiji PO Box 238 Suva Fiji Phone: 132 032 or (679) 3217000 Fax: (679) 3300718 Email: westpacfiji@westpac.com.au
More informationGlobal Visa Card-Not-Present Merchant Guide to Greater Fraud Control. Protect Your Business and Your Customers with Visa s Layers of Security
Global Visa Card-Not-Present Merchant Guide to Greater Fraud Control Protect Your Business and Your Customers with Visa s Layers of Security Millions of Visa cardholders worldwide make one or more purchases
More informationOnline Presentment and Payment FAQ s
General Online Presentment and Payment FAQ s What are some of the benefits of receiving my bill electronically? It is convenient, saves time, reduces errors, allows you to receive bills anywhere at any
More informationDemystifying Credit Card Processing for Nonprofits
Demystifying Credit Card Processing for Nonprofits Most nonprofits accept credit cards. Why? Because donors love the convenience and perks, such as airline mileage, that they get when they pay by credit
More informationPREPAID CARD GLOSSARY
PREPAID CARD GLOSSARY ACH Remitter: The bank that receives the electronic funds transfer via Automated Clearing House (ACH) to load funds to a prepaid card. A known remitter is one that is logged in the
More informationSimplified accounting for private companies: Certain intangible assets
Simplified accounting for private companies: Certain intangible assets Prepared by: Brian H. Marshall, Partner, National Professional Standards Group, RSM US LLP brian.marshall@rsmus.com, +1 203 905 5014
More informationTransforming the State and Local Government Payment Process
Transforming the State and Local Government Payment Process MARKET TRENDS REPORT Introduction Modern citizens routinely receive modern services from the private sector, and payment processing is no exception.
More informationWhy a compliance knowledge center is the best approach for addressing the Dodd-Frank regulatory deluge
Why a compliance knowledge center is the best approach for addressing the Dodd-Frank regulatory deluge Prepared by: Tyrone Beasley, Principal, Risk Advisory Services, RSM US LLP tyrone.beasley@rsmus.com,
More informationSecuring Credit Card Data at UB (complying with Payment Card Industry Data Security Standards)
Securing Credit Card Data at UB (complying with Payment Card Industry Data Security Standards) Carolann Lazarus Internal Audit PCI Compliance Initiative Co-lead lazarus@buffalo.edu (716) 829-6947 Tricia
More informationVisa s Approach to Card Fraud and Identity Theft
Visa s Approach to Card Fraud and Identity Theft Paul Russinoff June 7, 2007 Discussion Topics Visa s Comprehensive Security Approach Multiple Layers Commitment to Cardholders Consumer Tips Protecting
More informationFinancial instruments: FASB standard on recognition and measurement
Financial instruments: FASB standard on recognition and measurement Prepared by: Faye Miller, Partner, National Professional Standards Group, RSM US LLP faye.miller@rsmus.com, +1 410 246 9194 Updated April
More information