SAMPLE DATA FLOW DIAGRAMS for MERCHANT ENVIRONMENTS

To protect your environment against payment data theft, you first have to understand how you accept payments. What kind of equipment do you use, who are your Processors and other technology service providers, and how do these things all fit together?

Per CU Policy, all CU Merchants must maintain a Data Flow Diagram illustrating the flow of Cardholder Data (CHD) through the CU Merchant's Cardholder Data Environment (CDE). The diagram must begin where CHD is captured and include all components within the CU Merchant CDE, such as people, POS devices, payment gateways, databases, web servers, and any other necessary payment components.

These sample diagrams will help you get started on building a diagram showing the flow of CHD and all components used throughout your own Merchant environment, as required by CU Policy.

*These illustrations are examples only and are not all inclusive. You must investigate and identify every piece of your environment to ensure proper security is in place.

On the following page, select the type of Environment that best describes your Merchant Environment; you will be taken to the Sample Diagram of your choice. Fill in the diagram details with data specific to your Merchant Environment where indicated in red.

BEFORE YOU BEGIN TO CREATE A NEW DIAGRAM, ONE MIGHT ALREADY EXIST FOR YOUR ENVIRONMENT. BE SURE TO ASK AROUND, ESPECIALLY YOUR IT DEPARTMENT, TO SEE IF ONE ALREADY EXISTS.
MERCHANT ENVIRONMENTS

Click on the payment channel description below that best describes your specific Merchant Environment.

PAYMENT CHANNEL DESCRIPTIONS:

IN PERSON (CARD PRESENT): Stand-alone payment terminal connected to a dedicated phone line. Payments sent to Processor via dial-up phone line.
IN PERSON (CARD PRESENT): Handheld payment terminal with cellular connection. Payments sent to Processor via cellular network only.
IN PERSON (CARD PRESENT): P2PE Solution, connected to the Internet. Payments are sent to Processor via Internet.
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a stand-alone payment terminal connected to a dedicated phone line. Payments are sent to Processor via dial-up phone line.
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a P2PE Solution, connected to the Internet. Payments are sent to Processor via Internet.
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT): Merchant uses a virtual payment terminal accessed via Internet browser to send payments to Processor via Internet.
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their credit card data on Merchant's own managed payment page. Payments are sent to Processor via Internet by Merchant.
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has a website where cardholders enter their name and contact info, but are redirected to a PCI compliant 3rd party payment page to enter credit card data. Payments are sent to Processor via Internet by the 3rd party.
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT): Merchant has fully outsourced their website and payment page to a PCI compliant 3rd party. Payments are sent to Processor via Internet by the third-party service provider.
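The policy requirement in the introduction (the diagram begins where CHD is captured and includes every component in the CDE) and the channel descriptions above can also be kept as data next to the drawn diagram, so the inventory can be checked and diffed when the environment changes. The Python script below is an added example and is not part of the CU template: it records one channel's components and the links CHD travels along, then checks them against those two requirements plus the blanks the sample diagrams ask for (MID, TID, type, location, gateway, users). The component kinds, the required-field table and the two sample environments are assumptions; every field value is a placeholder.

```python
"""
Merchant CHD flow inventory as data, with the completeness checks the CU Policy
text describes run over it.  Added example, not part of the CU template: the
component kinds, REQUIRED_FIELDS and the sample environments are assumptions
drawn from the blanks on the sample diagrams.
"""
from collections import deque

# Kinds at which cardholder data first enters the merchant environment.
CAPTURE_KINDS = {"terminal", "handheld_terminal", "virtual_terminal", "payment_page"}
PROCESSOR_KIND = "processor"

# Blanks each sample diagram asks the merchant to fill in, per component kind
# (assumption: read off the sample diagrams, not a CU-mandated schema).
REQUIRED_FIELDS = {
    "terminal": ("mid", "tid", "type", "location"),
    "handheld_terminal": ("mid", "type", "location"),
    "virtual_terminal": ("mid", "gateway", "location", "users"),
    "payment_page": ("mid", "gateway", "url"),
}


def validate(components, links):
    """Check a diagram against the policy text.

    components: {name: {"kind": str, ...filled-in fields}}
    links: [(src, dst), ...] directed edges along which CHD travels
    Returns a list of findings; an empty list means the diagram passes.
    """
    findings = []
    out = {name: [] for name in components}
    for src, dst in links:
        for name in (src, dst):
            if name not in components:
                findings.append(f"link references unknown component '{name}'")
        if src in out:
            out[src].append(dst)

    captures = [n for n, c in components.items() if c["kind"] in CAPTURE_KINDS]
    processors = [n for n, c in components.items() if c["kind"] == PROCESSOR_KIND]
    if not captures:
        findings.append("no capture point: the diagram must begin where CHD is captured")
    if not processors:
        findings.append("no Processor: the CHD flow must end at the Processor")

    # Breadth-first walk from every capture point; whatever is reached carries CHD.
    reached = set()
    for start in captures:
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in out.get(queue.popleft(), []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        if not any(p in seen for p in processors):
            findings.append(f"'{start}' captures CHD but has no path to a Processor")
        reached |= seen

    # Anything drawn that no CHD path touches needs a decision: in the CDE or not.
    for name in components:
        if name not in reached:
            findings.append(
                f"'{name}' is drawn but lies on no CHD path; confirm whether it belongs in the CDE"
            )

    # The blanks on the sample diagrams must actually be filled in.
    for name, comp in components.items():
        for field in REQUIRED_FIELDS.get(comp["kind"], ()):
            if not comp.get(field):
                findings.append(f"'{name}' is missing {field.upper()}")
    return findings


# Constructed sample for the first in-person channel: one stand-alone terminal on
# a dedicated dial-up line.  All field values are placeholders.
DIAL_UP_COMPONENTS = {
    "Front desk terminal": {"kind": "terminal", "mid": "MID-PLACEHOLDER",
                            "tid": "TID-PLACEHOLDER", "type": "Example model",
                            "location": "Main office"},
    "Dedicated phone line": {"kind": "phone_line"},
    "Processor": {"kind": "processor"},
}
DIAL_UP_LINKS = [("Front desk terminal", "Dedicated phone line"),
                 ("Dedicated phone line", "Processor")]

# Constructed sample with two defects the checks surface: the terminal has no
# TID, and a back-office PC is drawn with no CHD link at all.
INCOMPLETE_COMPONENTS = {
    "Front desk terminal": {"kind": "terminal", "mid": "MID-PLACEHOLDER",
                            "type": "Example model", "location": "Main office"},
    "Dedicated phone line": {"kind": "phone_line"},
    "Processor": {"kind": "processor"},
    "Back-office PC": {"kind": "workstation"},
}

if __name__ == "__main__":
    for label, comps in (("dial-up", DIAL_UP_COMPONENTS),
                         ("incomplete", INCOMPLETE_COMPONENTS)):
        print(label, validate(comps, DIAL_UP_LINKS) or ["ok"])
```

The "lies on no CHD path" finding is deliberately a prompt rather than an error: people, home pages and shopping-cart pages are shown on several of the sample diagrams even though card data never touches them, so the merchant decides whether each such component stays on the diagram for context or is out of scope.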
IN PERSON (CARD PRESENT)
Stand-alone payment terminal connected to a dedicated phone line. Payments sent to Processor via dial-up phone line.

[Sample diagram: PAYMENT TERMINAL -> PHONE LINE -> PROCESSOR. The payment terminal is connected to the Processor by a dedicated dial-up telephone line.]

Fill in: MID; TID; TERMINAL TYPE (Choose Terminal); LOCATION; Total # of terminals; Processor (Choose One).
If you have multiple terminals within your Merchant Environment, enter the details for each: MID, TID, TYPE (Choose Terminal), LOCATION, one set per terminal.
IN PERSON (CARD PRESENT)
Handheld payment terminal with cellular connection. Payments sent to Processor via cellular network only.

[Sample diagram: HANDHELD PAYMENT TERMINAL -> CELLULAR NETWORK -> PROCESSOR. The payment terminal encrypts card data (for example, using PCI's Secure Reading & Exchange of Data, SRED) and connects to the cellular network.]

Fill in: MID; TERMINAL TYPE (Choose Terminal); LOCATION; Total # of terminals; Processor (Choose One).

ALWAYS BE SURE TO:
IN PERSON (CARD PRESENT)
P2PE Solution, connected to the Internet. Payments are sent to Processor via Internet.

Fill in: MID; TERMINAL TYPE (Choose Terminal); LOCATION; Total # of terminals.
Obtain the diagram provided by your P2PE provider.
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT)
Merchant uses a stand-alone payment terminal connected to a dedicated phone line. Payments are sent to Processor via dial-up phone line.

[Sample diagram: MERCHANT AUTHORIZED USER -> PAYMENT TERMINAL -> PHONE LINE -> PROCESSOR. The payment terminal is connected to the Processor by a dedicated dial-up telephone line.]

Fill in: MID; TERMINAL TYPE (Choose Terminal); LOCATION; Total # of workstations; Names of all users with access to Terminal.

ALWAYS BE SURE TO:
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT)
Merchant uses a P2PE Solution, connected to the Internet. Payments are sent to Processor via Internet.

Fill in: MID; TERMINAL TYPE (Choose Terminal); LOCATION; Total # of workstations.
Obtain the diagram provided by your P2PE provider.

ALWAYS BE SURE TO:
OVER THE PHONE AND/OR BY MAIL (CARD-NOT-PRESENT)
Merchant uses a Virtual Payment Gateway Terminal accessed via Internet browser to send payments to Processor via Internet.

[Sample diagram: MERCHANT PC -> FIREWALL -> INTERNET -> VIRTUAL PAYMENT GATEWAY TERMINAL FROM PCI DSS COMPLIANT PAYMENT PROCESSOR. A Citrix Server is also shown on the merchant side.]

Fill in: MID; Gateway (Choose One); LOCATION; Total # of workstations; Names of all users with access to Payment Gateway.

ALWAYS BE SURE TO:
Use strong passwords
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT)
Merchant has a website where cardholders enter their credit card data on Merchant's own managed payment page. Payments are sent to Processor via Internet by Merchant.

[Sample diagram: MERCHANT E-COMMERCE HOME PAGE -> MERCHANT SHOPPING CART or REGISTRATION PAGES -> MERCHANT PAYMENT PAGE -> INTERNET ROUTER/FIREWALL -> PROCESSOR.]

Fill in: MID; Homepage URL; Payment Page URL; Payment Gateway (Choose One).
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT)
Merchant has a website where cardholders enter their name and contact info, then are redirected to a PCI compliant 3rd party payment page to enter credit card data. Payments are sent to Processor via Internet by the 3rd party.

[Sample diagram: MERCHANT E-COMMERCE HOME PAGE -> MERCHANT SHOPPING CART or REGISTRATION PAGES -> INTERNET ROUTER/FIREWALL -> THIRD-PARTY PAYMENT PAGE (THIRD-PARTY WEB SITE) -> PROCESSOR.]

Fill in: Name of Third Party Service Provider; MID; Payment Gateway (Choose One); Homepage URL; Payment Page URL.
ONLINE/WEBSITE OVER THE INTERNET (CARD-NOT-PRESENT)
Merchant has fully outsourced their website and payment page to a PCI compliant 3rd party. Payments are sent to Processor via Internet by the third-party service provider.

Fill in: Name of Third Party Service Provider; MID; Payment Gateway (Choose One); Homepage URL; Payment Page URL.
Obtain the diagram provided by your Third-Party Service Provider.