Visa and MasterCard have collaborated in creating industry standard security requirements for payment cards. As a result, Visa’s Account Information Security (AIS) program in Canada and MasterCard’s Site Data Protection (SDP) program have aligned to similar requirements. In December 2004, Visa USA’s Cardholder Information Security Program (CISP) and MasterCard’s SDP program also announced the alignment of their programs. As a result, all of these various programs are being re-branded under the Payment Card Industry (PCI) Data Security Standards.
All credit card associations share the same goal of protecting payment card account data stored by merchants and service providers, and their programs include a review of policies, procedures and safeguards in addition to network scans. These goals have already been endorsed by Discover, JCB, and Diners Club and are under review by American Express.
All merchants or Solution Providers with systems that store, process, or transmit cardholder data must comply with PCI Data Security Standards. Compliance validation is required for all merchants, particularly for merchants with the highest transaction counts that represent the greatest risk to the payment card industry. This includes merchants using payment card applications for credit card authorization and settlement.
The technical foundation based on the “Digital Dozen”, the 12 data security requirements, has not changed. Both the MasterCard (https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf) and Visa (http://www.visa.ca/en/merchant/fraud-prevention/account-information-security/index.jsp) Web sites have documents that map the previous SDP and CISP requirements to the newly aligned PCI requirements. MasterCard’s SDP security solution, which protects Web merchants and vendors against hacking attacks, has been incorporated into the four merchant levels.
Merchants that use a third party for their cardholder transaction processing and do not store transaction data on their systems are not subject to the audit requirements; however, they should ensure that their vendor is aware of and compliant with these standards, if applicable. Please note that merchants are required to contact Global Payments to update their records if they have changed Solution Providers, if the vendor or equipment specified on the merchant agreement has changed, or if they believe the Solution Provider is not compliant.
Merchants that use a stand-alone terminal should continue to follow best practices as outlined in the Global Payments Merchant Agreement and the PCI Data Security Standards. For example, merchants need to follow best practices for storage and destruction of all paper or electronic records containing account numbers or cardholder data.
The following is a summary of the compliance validation steps required for merchants that store data.
To enroll in the programs, please refer to the Qualified Security Assessor (QSA) on the PCI Security Standards Council web site.
In addition, TrustWave has been selected as Global Payments’ preferred QSA in Canada and the U.S. and can assist merchants or Solution Providers in meeting the PCI DSS requirements.
| Merchant Level | Criteria | Self-Assessment Questionnaire | Network Security Scan | Onsite Review | Initial Compliance Validation Date |
|---|---|---|---|---|---|
| 1 | • Any merchant, regardless of acceptance channel, with over 6,000,000 Visa or MasterCard transactions per year. • Any merchant that has suffered a successful unauthorized intrusion that resulted in an account data compromise. • Any merchant that Visa, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. • Any merchant identified by any other payment card brand as Level 1. | Annual | Quarterly | Annual | December 31, 2005 and annually |
| 2 | • Any merchant, regardless of acceptance channel, with 1,000,000 to 6,000,000 Visa or MasterCard transactions per year. • Any merchant meeting the Level 2 criteria of a competing payment brand. | Annual | Quarterly | Not Required | December 31, 2005 and annually |
| 3 | • Any e-commerce merchant with 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions. • Any merchant meeting the Level 3 criteria of a competing payment brand. | Annual | Quarterly | Not Required | December 31, 2005 and annually |
| 4* | Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing fewer than 1,000,000 Visa transactions per year. | Annual | Quarterly | Not Required | Date TBD - Acquirer to determine |

* Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their account manager to determine if compliance validation is also required.
** Card Association requirements dictate that storing full track data is prohibited in any circumstance.
Terms and Definitions
Annual PCI Self-Assessment Questionnaire: A compliance questionnaire is required for Level 2 and Level 3 merchants (and Level 3 Third Parties) to determine adherence to the Digital Dozen (12 data security requirements) on the basis of a self-assessment questionnaire. Merchants (and Third Parties) must also undergo, at least quarterly, a System Perimeter Scan performed by a Payment Card Industry approved security assessor.
Annual On-Site Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of Level 1 Merchants, documenting adherence to the Digital Dozen and resulting in a Report on Compliance. A Report on Compliance from a Level 1 merchant’s internal auditor will be accepted provided that a letter signed by an executive-level officer of the merchant accompanies the report. Payment Card Industry approved assessors can be found on the card association Web sites (see links below), or contact your relationship manager. The on-site review is also required for Level 1 and Level 2 Third Parties.
Data Storage: The temporary or permanent retention of account data in any form (including logs) for subsequent processing, retrieval, or other use.
Data Storage Entity (DSE): Any entity other than the acquiring member, merchant, or Third Party Processor (TPP) that stores MasterCard account data on behalf of merchants, web hosting providers, and payment gateways. They may include terminal drivers and processors. Storage may be temporary or permanent and in any form (including logs).
Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/Card Validation Value/Code, and proprietary reserved values must be purged; however, account number, expiration date, name, and service code may be extracted and retained, if needed for business.
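The retention rule above is easy to state and easy to get wrong in practice, because the prohibited elements tend to survive in terminal driver records and in logs. The following added example (not code from Global Payments or the card brands) shows one way to enforce it: a purge step that keeps only the fields the page lists as retainable, a check that reports prohibited fields still present in a stored record, and a scan of free-text log lines for anything that looks like full track data. The field names, the sample record, the sample log lines and the track-like pattern are all assumptions constructed for the example.

```python
"""Post-authorization data retention checks for magnetic stripe data.

Added example, not code from Global Payments or the card brands. Field
names, the sample record and the log lines are constructed for the example;
the retain/purge split follows the page's definition of Track Data.
"""
import re
from typing import Any, Dict, List, Set

# May be extracted and retained after authorization, if needed for business.
RETAINABLE_FIELDS: Set[str] = {
    "account_number", "expiration_date", "cardholder_name", "service_code",
}

# Must be purged once authorization is complete (names are assumptions).
PROHIBITED_FIELDS: Set[str] = {
    "full_track_data", "discretionary_data", "card_validation_code",
    "proprietary_reserved",
}

# Assumed track-2-style layout in free text: ';' sentinel, 13-19 digit PAN,
# '=' separator, then at least YYMM plus a service code. Used only to flag
# stored log lines that still carry full track data.
TRACK_LIKE = re.compile(r";\d{13,19}=\d{7,}")


def purge_after_authorization(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of an authorization record holding only retainable fields.

    Unknown keys raise ValueError so a new field cannot slip into storage
    without an explicit retention decision.
    """
    unknown = set(record) - RETAINABLE_FIELDS - PROHIBITED_FIELDS
    if unknown:
        raise ValueError(f"no retention decision for fields: {sorted(unknown)}")
    return {k: v for k, v in record.items() if k in RETAINABLE_FIELDS}


def prohibited_fields_present(record: Dict[str, Any]) -> Set[str]:
    """Prohibited fields a stored record still carries (empty set is compliant)."""
    return {
        k for k, v in record.items()
        if k in PROHIBITED_FIELDS and v not in (None, "")
    }


def log_lines_with_track_data(lines: List[str]) -> List[int]:
    """Indices of log lines that appear to contain full track data."""
    return [i for i, line in enumerate(lines) if TRACK_LIKE.search(line)]


# Constructed sample: what a terminal driver might hold right after authorization.
SAMPLE_AUTH_RECORD: Dict[str, Any] = {
    "account_number": "4111111111111111",
    "expiration_date": "2712",
    "cardholder_name": "DOE/JANE",
    "service_code": "201",
    "card_validation_code": "123",
    "discretionary_data": "0000000000",
    "full_track_data": ";4111111111111111=27122010000000000?",
}

# Constructed sample log lines; index 1 still carries track data and must be flagged.
SAMPLE_LOG_LINES: List[str] = [
    "2024-01-05 auth ok pan=411111******1111 exp=2712",
    "2024-01-05 raw=;4111111111111111=27122010000000000? resp=00",
    "2024-01-05 settlement batch 42 closed",
]

if __name__ == "__main__":
    stored = purge_after_authorization(SAMPLE_AUTH_RECORD)
    print("retained fields:", sorted(stored))
    print("prohibited fields still in raw record:",
          sorted(prohibited_fields_present(SAMPLE_AUTH_RECORD)))
    print("log lines with track data:", log_lines_with_track_data(SAMPLE_LOG_LINES))
```

The log check is the part most often missing in real deployments: the page defines data storage as retention "in any form (including logs)", so a record that is purged correctly in the database but echoed raw into a debug log is still a violation. Run the scan over terminal driver, gateway and web server logs on the same schedule as the database purge.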
Merchant Servicer (TPS): Visa Merchant Servicers include non-members other than the merchant and processor that receive, pass or store transaction data on their internal systems on behalf of the merchant. This includes third party servicers, Web hosting companies, shopping cart providers and media back-up companies.
Third Party Processor (TPP): A MasterCard Third Party Processor requires registration directly with MasterCard if the TPP provides services to MasterCard member financial institutions.
Third Party Servicer (TPS): Visa Third Party Servicers include non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the member, the merchant, or another Third Party. TPS includes merchant vendors such as Web hosting companies, shopping cart providers and media back-up companies; these merchant vendors are classified as Merchant Servicers. It also includes Independent Sales Organizations (ISO), loyalty program vendors, risk management vendors, chargeback vendors and credit bureaus that provide services to a member financial institution or its merchants.
VisaNet Processor: A processor, member financial institution or merchant directly connected to Visa’s proprietary network for transaction authorization. Visa requires VisaNet registration for non-member processors and processor designation for member financial institutions.
Vulnerability Scan: An automated tool that checks a merchant or service provider’s systems for vulnerabilities. This applies to merchants with external-facing Internet protocol (IP) addresses and internal systems that receive, pass or store cardholder transaction data. Even if a merchant does not offer Web-based transactions, other services such as e-mail and employee Internet access will make the company’s network Internet-accessible.
The tool conducts a non-intrusive scan that remotely reviews networks and Web applications based on the external-facing Internet Protocol (IP) addresses. Scans identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s network. Level 1, 2 and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified security assessor.
For the Level 4 merchants, the Quarterly Network Security Scan is optional, but highly recommended.
The information contained herein is for informational purposes only and Global Payments Inc. does not warrant the accuracy or completeness of the information. Although we believe the information to be reliable, we cannot guarantee that it will not be subsequently amended as a result of intervening factors such as rules changes from the card associations. The information contained herein is subject to change without notice and Global Payments Inc. does not undertake any responsibility to update this information after the date hereof. Global Payments Inc. does not endorse any external sites linked herein.