A data breach can threaten your ability to process card payments and possibly expose your business to fines. Check out this presentation for tips on how to get your company in compliance with the card industry's PCI requirements. We also recently hosted a webinar on this topic with First Data, which can be viewed here: https://bit.svb.com/2J125es

1. How Protecting Customer Card
Data Protects Your Business
PCI COMPLIANCE
May, 2018
SVB Global Merchant Services

2. Learn How to Comply with
PCI Data Security Standards
1 PCI Basics
2 Risks of Non-Compliance
3 Resources
PCI Compliance 2

3. Compliant policies, systems & procedures
ProcessorsMerchants Banks
Qualified Security
Assessor (QSA)
• Perform assessments and provide
support to merchants, processors, banks
• Submit compliance report or other form
PCI Security
Standards Council
Who’s Responsible for What
3
Oversight, Responsibility, Enforcement
PCI Compliance

4. PCI Basics
• Cardholder data is any personally identifiable data including:
– Primary Account Number
– Expiry Date
– Name
• Sensitive Authentication Data must also be protected:
– Full Track Data (magnetic strip)
– CAV2/CVC2/CVV2/CID (3 or 4 digit code)
– PIN/PIN Block
• All merchants accepting debit/credit cards must comply with
the PCI DSS at all times
4PCI Compliance

5. PCI Basics
• The Payment Card Industry Data Security Standard
(PCI DSS) is a set of 12 requirements designed to
protect cardholder data.
• Applies to all merchants, systems, networks and applications
that process, store, and/or transmit card numbers.
• Build and Maintain a Secure Network and Systems (2)
• Protect Cardholder Data (2)
• Maintain a Vulnerability Management Program (2)
• Implement Strong Access Control Measures (3)
• Regularly Monitor and Test Networks (2)
• Maintain an Information Security Policy (1)
5PCI Compliance

6. PCI DSS
Key Terms
Self-Assessment Questionnaire (SAQ)
– A questionnaire designed to assist organizations in self-evaluating
their IT and payment processing environment.
Vulnerability Scanning
– Helps secure your business by identifying weaknesses in your
network and applications.
Qualified Security Assessor (QSA)
– Certified to validate that a company is compliant with the PCI DSS.
Approved Scanning Vendor (ASV)
– Certified to perform vulnerability scanning.
6PCI Compliance

7. 7
Validation Actions Depend on Level
Merchant Level Validation Actions Validated By
3
Any merchant that processes
20,000 to 1 million
e-commerce transactions
annually
Annual
Self-Assessment
Questionnaire
Merchant
Quarterly
Network Scan
Approved Scanning Vendor
4
Any merchant that processes up
to 1 million brick-and-mortar
Visa transactions, or less than
20,000 Visa/e-commerce
transactions annually
Annual
Self-Assessment
Questionnaire
Merchant
Quarterly
Network Scan
Approved Scanning Vendor
PCI Compliance

8. 8
SAQ
Name
Description
A Card-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI DSS compliant
third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or
premises.
Not applicable to face-to-face channels.
A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly
receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on
merchant’s systems or premises.
Applicable only to e-commerce channels.
B Merchants using only:
• Imprint machines with no electronic cardholder data storage, and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.
B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder
data storage.
Not applicable to e-commerce channels.
C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is
provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.
C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
P2PE Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic
cardholder data storage.
Not applicable to e-commerce merchants.
D All merchants not included in descriptions for the above SAQ types.
PCI Compliance

9. PCI DSS Compliance
• Fundamental Security Best Practices
– Avoid fraud
– Helps to understand own system better
– Clarifies where data is stored
• Upholds Brand Name
– Adds value to name
– Increases consumer confidence
• Non-compliant or Compromised Business could expect:
– Damage to their brand/reputation
– Investigation costs
– Remediation costs
– Fines and fees
9
Oversight, Responsibility, Enforcement
PCI Compliance

10. Best Practices
• Use strong passwords
• Protect card data and only store
what you need
• Inspect terminal for tampering
• Install patches from vendors
• Use trusted business partners
• Protect in-house access to data
• Use anti-virus
• Scan for vulnerabilities
• User secure terminals
• Protect business from internet
• Make stored data useless to criminals
10
From PCI Security Standard
PCI Compliance

11. 11
Risks of Non-Compliance
Of merchants
who had data stolen
90%
are small merchants,
60%
of small and medium
businesses breached
were closed in
6 months
$20,752
Is the average
cost to a small
business due
to hacking
45%of
organizations were
breached through
remote access,
21%of
organizations were
breach through
malicious code,
39%had
memory-scraping
malware installed
Trustwave; PCI Guidetosafepayments Security metrics’2017ReportPCI Guidetosafepayments
PCI Compliance

12. 12
Resources
PCI Security Standards Council:
www.pcisecuritystandards.org
List of validated payment applications,
services providers, and more.
Full version of the PCI DSS
Visa CISP:
http://www.visa.com/cisp
Mastercard SDP:
http://www.mastercard.com/sdp
We’re here to help:
TransArmor Solution
PCI Rapid Comply:
https://pcirapidcomply.com
Have your Merchant ID handy
Customer Support Number
1-877-201-3617
support@pcirapidcomply2.com
PCI Compliance

13. Want to know more
about PCI and how you can
create a more secure payments
processing environment?
Get advice
from the experts at
svb.com/merchant-services
PCI Compliance Webinar 13

14. First Data is an independent third party and is not affiliated with SVB Financial Group.
©2018 SVB Financial Group. All rights reserved. SVB, SVB FINANCIAL GROUP, SILICON
VALLEY BANK, MAKE NEXT HAPPEN NOW and the chevron device are trademarks of SVB
Financial Group, used under license. Silicon Valley Bank is a member of the FDIC and the
Federal Reserve System. Silicon Valley Bank is the California bank subsidiary of SVB
Financial Group (Nasdaq: SIVB).
This material, including without limitation the statistical information herein, is provided for
informational purposes only. The material is based in part on information from third-party
sources that we believe to be reliable, but which have not been independently verified by us,
and for this reason, we do not represent that the information is accurate or complete. The
information should not be viewed as tax, investment, legal or other advice, nor is it to be relied
on in making an investment or other decision. You should obtain relevant and specific
professional advice before making any investment decision. Nothing relating to the material
should be construed as a solicitation, offer or recommendation to acquire or dispose of any
investment or to engage in any other transaction.
14PCI Compliance