Payment Card Industry (PCI) Compliance
Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global standard established by the major card associations to ensure the protection of cardholder data. Based on twelve guidelines, the PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. As a merchant accepting credit cards as a form of payment, you are required by the card associations to adhere to the PCI DSS. The PCI DSS encompasses the security programs from Visa and MasterCard, Cardholder Information Security Program (CISP) and Site Data Protection (SDP), respectively.
The PCI DSS sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates, such as the need to implement formal, documented security policies and vulnerability-management programs. These requirements were developed to ensure that cardholder data is protected throughout the transaction process. Compliance with the standard applies to all types of merchants: retail, MO/TO (mail order/telephone order), and Internet. All merchants need to follow best practices for the storage and destruction of all paper or electronic records containing account numbers or cardholder data. Additionally, merchant service providers processing credit cards need to be PCI compliant.
Importance of PCI Data Security Standard Compliance and/or Certification
It is clear that ensuring the safety of your customers' cardholder information can help your business create and maintain a positive image, enhance customer confidence, and even assist in improving your bottom line. Additional benefits include:
- By adhering to the data security regulations, businesses can significantly reduce their exposure to fraud losses resulting from the theft of cardholder data.
- Compliance with the programs can lead to enhanced consumer confidence, which can result in higher sales.
- Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with the PCI DSS, the card associations could levy fees and fines against you, and your credit card processing services could be terminated.
PCI Assessment Requirements
The more credit card transactions a merchant processes, the more stringent the compliance procedure. For most merchants, compliance consists of passing quarterly or annual network scans and completing an annual self-assessment questionnaire. If you process more than 20,000 e-commerce or 6 million total V/MC transactions per DBA annually, you will need to provide evidence of certification from a V/MC certified vendor.
| Level | Merchant Classification Criteria (as of July 18, 2006) |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, that: processes over 6 million Visa transactions per year; in some cases, has suffered a hack or an attack that resulted in an account data compromise; has been determined by Visa or MasterCard to be subject to the Level 1 merchant requirements; or has been identified by any other payment card brand as Level 1 |
| 2 | Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel |
| 3 | Any merchant that processes 20,000 to 1 million Visa e-commerce transactions |
| 4 | Any merchant that processes fewer than 20,000 Visa e-commerce transactions, or fewer than 1 million Visa transactions regardless of acceptance channel |
| Merchant Level | Validation Actions | Validated By | Deadline |
|---|---|---|---|
| 1 | Annual On-site PCI DSS Data Security Assessment | Qualified Data Security Company or Internal Audit (if signed by an Officer of the company) | 9/30/04 (Visa's new Level 1 merchants have up to one year from identification to validate) |
| 1 | Quarterly Network Scan | Authorized Scanning Vendor | 9/30/04 (Visa's new Level 1 merchants have up to one year from identification to validate) |
| 2 | Annual PCI DSS Self-Assessment Questionnaire / Annual On-site PCI DSS Data Security Assessment | Merchant | 6/30/05 (Visa's new Level 2 merchants have until 9/30/07) |
| 2 | Quarterly Network Scan | Authorized Scanning Vendor | 6/30/05 (Visa's new Level 2 merchants have until 9/30/07) |
| 3 | Annual PCI DSS Self-Assessment Questionnaire | Merchant | 6/30/05 |
| 3 | Quarterly Network Scan | Authorized Scanning Vendor | 6/30/05 |
| 4 | Annual PCI DSS Self-Assessment Questionnaire | Merchant | Validation requirements and dates are determined by the merchant's acquirer |
| 4 | Quarterly Network Scan | Authorized Scanning Vendor | Validation requirements and dates are determined by the merchant's acquirer |
The PCI Data Security Standard
All merchants that accept credit cards are required to comply with the PCI DSS, including retail stores (card-present transactions) and Internet or mail order/telephone order businesses (card-not-present transactions).
Link to PCI Data Standards: MasterCard's PCI Data Security Standard Manual
On-Site Security Audit
The audit must be completed by Level 1 merchants. A V/MC-approved Qualified Data Security Company should be engaged to complete the Report on Compliance.
PCI Security Audit Procedures & Reporting
Self-Assessment Questionnaire
This must be completed and submitted by Level 2 and 3 merchants. It should address any system(s) or system component(s) involved in processing, storing, or transmitting cardholder data. It is recommended that Level 4 merchants also complete the assessment to ensure their own compliance with the standard.
Network Scans
Network scans check systems for vulnerabilities. The non-intrusive scan is conducted remotely to review networks and Web applications based on the externally facing Internet Protocol (IP) address(es) provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor.
Validation
Level 1, 2, and 3 merchants are required to conduct quarterly network scans and either annual self-assessments or audits with V/MC-approved vendors. Trustwave, a leading information security firm certified by the major card associations, offers our merchants a simple solution to validate PCI compliance.
Level 4 merchants are advised to conduct quarterly network scans and annual self-assessments, but they are not required to, so long as they comply with the 12 other requirements of the PCI standard. Merchants that process fewer than 20,000 V/MC transactions online are considered Level 4 merchants.
Next Steps
It is important that merchants become PCI compliant as quickly as possible to respond to the growing concern among credit cardholders about data security. Below is a list of steps to get started:
- Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each compliance area.
- Determine your merchant level.
- Complete the PCI Data Security Standard assessment.
- Make sure that your organization has an Information Security Policy and that it is being enforced.
- Engage a qualified vendor to perform the required Network/Perimeter Scans, if appropriate.
- Immediately address any significant deficiencies discovered during the assessment or scan.
- Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.
Fines and Penalties
Penalties for failure to comply with the PCI requirements, failure to rectify a security issue, or failure to report a compromise are severe:
- possible restrictions on the merchant
- permanent prohibition of the merchant's participation in card association programs
- a fine of up to $500,000 per incident
- liability for violation of applicable federal or state laws
- liability for fraud losses perpetrated using the account numbers associated with the compromise (from the date of compromise forward)
What to do if compromised
In the event of a security incident, merchants must take immediate action to:
- Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
- Alert all necessary parties. Be sure to notify:
  - Merchant Account Provider
  - Merchant Bank
  - Visa Fraud Control Group at (650) 432-2978
  - Local FBI Office
  - U.S. Secret Service (if Visa payment data is compromised)
- Provide the compromised Visa accounts to the Visa Fraud Control Group within 24 hours.
- Within four business days of the reported compromise, provide Visa with an incident report.
The CISP "What To Do If Compromised" guide from Visa contains step-by-step guidelines.
Payment Card Industry (PCI) Data Security Standard
The "Digital Dozen": the twelve requirements (1 through 12) of the Payment Card Industry Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all "system components", defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external (web) applications.
No Surcharging Rule
- Visa and MasterCard have incorporated a “No Surcharging Rule” which states that the merchant must always treat a credit card transaction like any other transaction (i.e. cash, check, gift card, etc.); that is, you may not impose any surcharges on a credit transaction.
- A merchant must not display any signage stating that there is a minimum fee related to paying with a credit card. If a merchant is reported to Visa/MasterCard, they will be in violation, which could result in fines and possible termination of their credit card processing.
- The merchant may offer a discount on cash transactions, provided that the offer is clearly disclosed to the consumer and the cash price is presented as a discount from the standard price charged for all other forms of payment.
- A merchant is allowed to add a "convenience fee" for specific transaction types. For example, if you are paying your electric bill at your local grocery store (a service the store offers, but a business outside of that shop's routine practice), the shop can charge a convenience fee for processing the utility payment for you, as long as the fee is disclosed.
- American Express does not have an explicit policy regarding minimum transaction fees, but it does have a policy against "discrimination" against its card, so if a merchant has no service charge for Visa and MasterCard, it cannot have a charge for American Express.