This section is provided by Global Payments Inc. as an informational tool to help you stay informed on pertinent industry information, Visa® and MasterCard® compliance requirements, and other information about the electronic payments industry. Click on a topic below for more information:
Card Associations and Card Branding
Discover Network AcceptanceDiscover has alliances with the following card brands which allows these brands to be accepted by any merchant that is setup to process Discover cards. Click on the individual links for more information.
Securing Cardholder Account Information - Industry Regulations and Merchant Obligations
Industry Regulations
Payment Card Industry Security Standards Council (PCI SSC)
The PCI SSC is the membership organization responsible for three important security standards related to safeguarding payment transaction data.
- PCI DSS – Payment Card Industry Data Security Standard
- PA-DSS – Payment Application Data Security Standard
- PCI PTS – Point of Sale PIN Transaction Security Standard.
All parties involved in payment card acceptance must safeguard payment transaction data and comply with the applicable standard(s). If a system with payment card information is hacked or stolen, then the compromised party must take steps to report the data security breach and work with forensics investigators, law enforcement, merchant acquiring stall, and others to report findings. The best defense is to implement data security operating policies, limit stored payment card data, and safeguard data that is necessary.
Merchant Obligations
The card associations developed the PCI DSS to help strengthen data security at the merchant level and combat credit card data compromises. Merchants with point-of-sale (POS) systems and computers with an internet connection are at significant risk for having sensitive data – such as customer credit card data – stolen. This kind of theft from security breaches at merchant locations – both large and small – has cost merchants millions of dollars in fines, restitution, and reputation. All merchants with internal systems that store, process, or transmit cardholder data must comply with Payment Card Industry (PCI) Security Standards.
PCI DSS Program for Level 4 Merchants
To demonstrate our level of commitment, Global Payments has engaged two Qualified Payment Application Security Companies to help Level 4 Merchants determine their risk and provide direction to solutions. To participate in Global Payments’ PCI DSS Compliance Program, merchants can choose from Security Metrics or Trustwave. Click here to view Global Payments PCI DSS compliance program.
To start taking advantage of Global Payments' PCI DSS Compliance program with SecurityMetrics, contact them directly at: 877.705.6073
To start taking advantage of Global Payments' PCI DSS Compliance program with Trustwave, contact them directly at: 877.295.1739 or:
- Global Payments Merchants follow this link: https://pci.trustwave.com/globalpaymentsL4program/
- Comerica/Global Payments merchants follow this link: https://pci.trustwave.com/comericaL4program/
- Merchant Obligation Quick Tips
Here are three quick tips to reference to help explain your responsibilities as a merchant to ensure you comply with all PCI DSS/PA DSS mandates:
- Complying with PCI DSS is a merchant's responsibility. If you don’t need it, then don’t store it. Merchants, agents, and service providers should not store cardholder data unless there is a legitimate business need.
- To ensure you as a merchant use secure payment applications - Visa mandate indicates all required merchants use PA DSS compliant applications by 7/1/2010. LINK
- The easiest and most efficient method to ensure you as a merchant are PCI DSS/PA DSS compliant is to consult a Qualified Security Assessor (QSA). The QSAs are companies that can guide and assist you through each step of the PCI DSS/PA DSS process. Your responsibility as a merchant to be secure is a requirement and the QSAs can ensure you have everything you need and answer all your questions concerning PCI DSS/PA DSS.
For more detailed information and steps to ensure you are complying with PCI DSS/PA DSS mandates click the Payments Card Industry Security Standards for Merchants link below.
- Payment Card Industry Security Standards for Merchants
Merchant Requirements for Securing Cardholder InformationData Security Compliance Requirements: In order to help protect the integrity of cardholder data, ALL merchants that process, store or transmit Full Cardholder Number (FCN) data MUST comply with the Payment Card Industry Data Security Standard (“PCI DSS”) at all times. Merchants may also be required to validate and report their compliance if they send or receive FCN to/from Global. In addition,
PCI DSS Compliance Validation and Reporting Requirements
All merchants that process Cardholder data are required to comply with the PCI DSS at all times. Prior to beginning the compliance assessment process, it is important for merchants to understand how their reporting level as defined by the card associations impacts the validation/reporting requirements by level, and frequency. The information below will help merchants identify what merchant level they fall under and the compliance validation and reporting requirements that correspond to that merchant level.
- Step 1: Compliance Requirements
All merchants must comply with the Payment Card Industry Data Security Standard. The data security standard can be found on the PCI SSC Web site and it is updated every 24 months. Merchants must ensure that they comply with the updated versions of the PCI DSS. PCI DSS Version 1.2 is effective 1/1/2009. It is the global data security standard that any business of any size must adhere to as a condition of payment card acceptance. Version 1.1 is not valid after 12/31/2009. The 12 PCI DSS requirements fall into six objectives as indicated below.
PCI Data Security Standard Build and Maintain a
Secure Network1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and
Test Networks10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information
Security Policy12. Maintain a policy that addresses information security
Requirement 3 Protect Stored Cardholder Data
Requirement 3 of the PCI DSS pertains to guidelines for protecting stored cardholder data. If merchant passes cardholder data through their internal systems at authorization, then merchants should develop and adhere to a data retention/data storage policy that strictly limits merchant storage and retention of transaction data to data required for business, legal, and/or regulatory purposes. Sensitive cardholder authentication data must never be stored after authorization. Effective October 2008 for newly boarded and effective July 2010 for existing merchants, merchants with internal systems that pass or store transaction data are required to either use a PCI PA-DSS compliant payment application or to validate PCI DSS compliance. For more information regarding PA-DSS, please visit the PCI SSC Web site. For more information on Data Storage Do’s and Don’ts, please refer to PCI Data Storage Do’s and Don’ts. If you don’t need it, then don’t store it. Merchants, agents, and service provider should not store cardholder data unless there is a legitimate business need. Most vendors can provide view or export access to a truncated or masked cardholder number. Never send the full cardholder number in unencrypted emails, IMs, etc.
- Step 2: Determine Your Merchant Level and Validation Compliance Requirements
The table below outlines the PCI DSS Merchant Levels, the corresponding compliance validation requirements, and the tools that can be used to validate your compliance. Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Cardholder data may be required to validate their compliance at a higher level as determined by payment network.
Merchant Level and Compliance Validation Requirements
Merchant Level Selection Criteria Network Scan by Qualified Approved Scan Vendor Annual PCI Self-Assessment Questionnaire Attestation of Compliance Form Annual
On-Site Security AuditCompliance Validation Due Date Level 1 Any merchant – regardless of acceptance channel – with over 6,000,000 Discover, MasterCard, or Visa transactions or over 2,500,000 American Express transactions per year
Any Visa Global merchant identified by any Visa region as Level 1
Any merchant identified by any other payment card brand as Level 1
Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Any merchant that MasterCard or Visa determines should meet the Level 1 merchant requirements to minimize risk to their systemRequired Quarterly. For more MasterCard details see #3 below. Not applicable to Level 1 Merchants Required Required Annually.
For more MasterCard details see #1 below.September 30, 2004 and annually thereafter Level 2 Any merchant processing 1 million to 6 million Discover, MasterCard, or Visa transactions per year, regardless of acceptance channel. Any merchant processing 50,000 to 2,500,000 American Express transactions per year. Required Quarterly. For more MasterCard details see #3 below. Required
MasterCard requires annually.
For more MasterCard details see #2 below.Required Required
MasterCard
-at merchants discretion.
For more MasterCard details see #2 below.31 December 2010 Level 3 Any merchant processing 20,000 to 1 million Discover, MasterCard, or Visa e-commerce transactions per year
Any merchant processing less than 50,000 American Express transactions per yearRequired Quarterly. For more MasterCard details see #3 below. Required Annually Required Optional June 30, 2005 and annually thereafter Level 4 All other merchants, regardless of acceptance channel
Any merchant processing less than 20,000 MasterCard or Visa e-commerce transactions per year, and all other merchants processing up to 1 million MasterCard or Visa transactions per yearRequired Quarterly. For more MasterCard details see #3 below. Required Annually Required if Validating Compliance Optional At Member’s Discretion MasterCard Merchant Levels further explanations:
1. Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors. For more information on PCI SSC-offered merchant training programs and dates, visit the PCI SSC Training Program Homepage.
2. Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire. For more information on PCI SSC-offered merchant training programs and dates, visit the PCI SSC Training Program Homepage.
3. Quarterly Network Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
4. Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.
5. Initial Compliance Validation Date for Level 1 merchants has passed. 30 June 2011 Deadline affects merchants that choose to conduct an annual onsite assessment using an internal auditor.
For more information on defining your merchant level, visit the card schemes' links.
- American Express Defining Your Merchant Level
- Discover Defining Your Merchant Level
- MasterCard Defining Your Merchant Level
- Visa Defining Your Merchant Level
- Step 3: Assess
The PCI SSC fact sheet titled “Getting Started with PCI Data Security Standard” is an excellent introduction for merchants validating their PCI DSS compliance. Merchants should review the chart that identifies the SAQs based on how the merchant processes at the point of sale.
SAQ
Validation
TypeSelf-Assessment Questionnaire – Description SAQ
V1.21 Card-not-present (electronic commerce or mail/telephone order) merchants, all cardholder data functions outsourced. Does not apply to face-to-face merchants. Does not apply if merchant uses a terminal, PC, or ECR system
[Scan not required as L4 merchant]A 2 Imprint-only (paper) merchants with no electronic cardholder data stored. B 3 Stand-alone (dial only) terminal merchants, no electronic cardholder data stored
Does not apply to terminals connected to the Internet (see 4 and 5 below)Merchant must affirm that there is no evidence of magnetic stripe data, cardholder authentication data (CID, CVCVV2), or PIN data storage after authorization. Recommend that merchants utilize tool from TrustWave to confirm.
[Scan not required as L4 merchant]B 4 Merchants ith POS systems connected to the Internet or a network gateway, no electronic cardholder data storage. Does not apply if payment application system/internet device is connected to any other system within the merchants’ environment (see 5 below) Merchant must confirm with their payment application vendor that payment system does not store sensitive authentication data after authorization.
Merchant must affirm that there is no evidence of magnetic stripe data, cardholder authentication data (CID, CVCVV2), or PIN data storage after authorization. Recommend that merchants utilize tool from TrustWave to confirm.
[Scan recommended as L4 merchant]C 5 All other merchants (not included in Types 1-4) and all service providers defined by a payment card brand as eligible to complete a SAQ. Passing scan required in addition to passing SAQ. D
Merchants under SAQ Validation Type 2 and 3 can be identified based on their response to Question 2: “Are you using a “dial up” terminal or “TTC” Touch Tone Capture?” Compliance validation is recommended, but optional, and should be a very easy process since quarterly scans are NOT needed. Merchants can validate compliance using the SAQ only. However, merchants that need additional assistance or support in completing their SAQ and merchants that are internet facing and are SAQ validation type 4 or 5 should use an Approved Scan Vendor, like TrustWave, for both their scan and their SAQ, since SAQ support is presumed to be included in the service fees for scanning.
Using a Service Provider. SAQ Validation type 1, 4, and 5 merchants use service providers. Service providers are organizations that process, store, or transmit cardholder data on behalf of payment card clients, In addition to adhering to the PCI DSS, compliance validation and member bank registration is required for all service providers merchants, or other service providers. A Service Provider reported to MasterCard to be compliant with the PCI Standard should have been provided a Certificate of Validation (COV) by a QSA. If you are considering using a Service Provider, MasterCard recommends that you ask to see and inspect the Certificate of Validation. Service providers are required to validate PCI DSS compliance. Validated service providers may appear on industry Web sites. Some payment card brands may only publish list of validated “level 1” service providers. In addition, service providers must be registered with the payment card brands by the merchant’s acquirer.
- American Express Data Security Operating Policy for U.S. Service Providers
- Discover Information Security and Compliance (DISC)
- Payment Card Industry Data Security Standards for Service Providers
- Link to MC site – Compliant service providers
http://www.mastercard.com/us/company/en/whatwedo/site_data_protection.html- Link to Visa site – Compliant service providers
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdfMerchants under SAQ Validation Type 1 are using a service provider for their CNP transactions. Merchants under SAQ Validation Type 4 are using a service provider rather than a telephone common carrier to route authorization requests over the Internet or through a network gateway.
Using integrated point of sale (IPOS) Software. Service providers are required to validate PCI DSS compliance. Validated service providers may appear on industry Web sites.NOTE: Some payment card brands may only publish list of validated “level 1” service providers. In addition, service providers must be registered with the payment card brands by the merchant’s acquirer.
Merchants using IPOS software would validate under SAQ Validation Type 5. SAQ validation is optional, but recommended, if merchant is using a validated payment application on the PCI PA-DSS list. However, merchants that are not using a validated payment application on the PCI PA-DSS list must validate PCI DSS compliance at the merchant level prior to July 1, 2010 or change their method of POS processing at the POS (i.e. switch to a Global PC application that is PA DSS validated or switch to a POS dial up terminal). Application question 3 a Where is Data Stored? should indicate either that “Merchant Location only” or “Merchant and Service Provider” store data IF transactions are routed through a network gateway. Additionally, if the merchant software interfaces with Middleware, then the Middleware should be identified.
Middleware
Middleware is a piece of software that connects two or more software applications, allowing them to exchange data. Middleware translates the merchant’s IPOS software message into the processor message format. This means that the Middleware is certified to Global’s host message specifications and appears on the third party database.
Level Description Compliance Validation Requirements Compliance Validation Tools Available at
https://www.pcisecuritystandards.orgLevel 1 Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Note: Eliminates payment gateway definition from several existing regional programs
· Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment must be performed by a Qualified Security Assessor.
· Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
PCI DSS Requirements and Security Assessment Procedures v1.2
List of PCI SSC Qualified Security Assessors (QSA)
https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.phpNOTE: TrustWave is strongly recommended
https://www.trustwave.com/List of PCI SSC Approved Scanning Vendors (ASV)
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.phpLevel 2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Note: Effective January 1, 2009, MasterCard will no longer list those Service Providers who have only submitted an SAQ. The posting will contain only those entities who have successfully completed an annual onsite review
Note: Effective February 1, 2009, Level 2 service providers will not longer be listed on Visa’s List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider
Annual PCI Self-Assessment Questionnaire
Quarterly Network Scan
American Express and Discover's Service Providers Regulations
- American Express Data Security Operating Policy for U.S. Service Providers
Service Providers must adhere to American Express Data Security Policies.
Review this article for detailed information on Data Security Operating Policy for U.S. Service Providers. Link
- Discover Service Provider Compliance Validation and Reporting Requirements
All service providers that process, store or transmit cardholder data on the Discover network are required to report their compliance status to Discover Network on an annual basis. In order to validate and report their compliance status to Discover Network, service providers must complete and submit one of the following:
On-site assessment
Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.1Self-Assessment
Service Providers that completed an on-site assessment using PCI DSS v1.1 are required to submit the Executive Summary from their Report on Compliance (ROC). Please note: all assessments that commence after January 1, 2009 must use PCI DSS v1.2.
Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" Section of the Attestation of Compliance.1
All compliance reports must be submitted by December 31 for the current year*. For more information visit Discover's Information Security and Compliance (DISC) Web site. LinkFor more information on Service Providers, visit the card schemes' links.
- American Express Data Security Operating Policy for U.S. Service Providers
- Discover Information Security and Compliance (DISC)
- MasterCard Defining Your Service Provider Level
- Visa Defining Your Service Provider Level
Validation procedures and documentation
Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form https://www.pcisecuritystandards.org/documents/pci_dss_aoc_service_providers.doc and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).
- Step 4: Remediate
Remediation steps may focus on implementing
SAQ Validation Type Remediation Steps SAQ V2.0 1 Card-not-present (electronic commerce or mail/telephone order) merchants, all cardholder data functions outsourced. Does not apply to face-to-face merchants. Does not apply if merchant uses a terminal, PC, or ECR system.
[Scan not required as L4 merchant]
*****************************************************************************************
Typical remediation steps may focus on establishing policies and procedures to address requirements 9 and 12.
9. Restrict physical access to cardholder data
12. Maintain a policy that addresses information security
A 2 & 3 Imprint-only (paper) merchants with no electronic cardholder data stored.
OR
Stand-alone (dial only) terminal merchants, no electronic cardholder data stored.
Does not apply to terminals connected to the Internet (see 4 and 5 below).
Merchant must affirm that there is no evidence of magnetic stripe data, cardholder authentication data (CID, CVCVV2), or PIN data storage after authorization. Recommend that merchants utilize tool from TrustWave to confirm.
[Scan not required as L4 merchant]
*****************************************************************************************
Typical remediation steps may focus on establishing policies and procedures to address requirements 7, 9, and 12.
7. Restrict access to cardholder data by business need-to-know
9. Restrict physical access to cardholder data
12. Maintain a policy that addresses information security
B 4 Merchants with POS systems connected to the Internet or a network gateway, no electronic cardholder data storage. Does not apply if payment application system/internet device is connected to any other system within the merchants’ environment (see 5 below).
Merchant must confirm with their payment application vendor that payment system does not store sensitive authentication data after authorization.
Merchant must affirm that there is no evidence of magnetic stripe data, cardholder authentication data (CID, CVCVV2), or PIN data storage after authorization. Recommend that merchants utilize tool from TrustWave to confirm.
[Scan recommended as L4 merchant]
*****************************************************************************************
Remediation steps may focus on establishing policies and procedures to address requirements 3, 4, 7, 9 and 12.
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
7. Restrict access to cardholder data by business need-to-know
9. Restrict physical access to cardholder data
12. Maintain a policy that addresses information security
C 5 All other merchants (not included in Types 1-4) and all service providers defined by a payment card brand as eligible to complete a SAQ. Passing scan required in addition to passing SAQ.
*****************************************************************************************
Remediation steps may focus on any/all requirements 1 through 12. Merchants may want to use the TrustKeeper Agent applet to confirm that they are not storing any sensitive cardholder authentication fields subsequent to the authorization. If payment application is non-compliant, merchant must address by October 1, 2009. Level 4 merchant should be aggressively prepared to invest in software upgrade to comply with PA DSS mandate deadline if current payment application is neither validated nor vulnerable.
D
- Step 5: Report Your Compliance Status
Report Your Compliance Status
The best method to ensure that you complete all of the necessary PCI DSS/PA DSS requirements is to consult a Qualified Security Assessor (QSA). The QSAs are companies that can guide and assist you through each step of the PCI DSS/PA DSS process. Your responsibility as a merchant to be secure is a requirement and the QSAs can ensure you have everything you need and answer all your questions concerning PCI DSS/PA DSS.
For newly boarded merchants validating compliance, the SAQ, Scan, and Attestation of Compliance should be provided by merchant to their sales representative. Sales representative should ensure that a copy accompanies the merchant application, however, please retain a copy for your records. Merchants are required to submit updated documents annually (SAQ/AOC) and quarterly (passing scan results). The sales rep should ensure that these are forwarded to compliance and should submit post-enrollment masterfile maintenance to update/maintain the MAS Dates for Date of Compliance and Date Last Scan.
Payment Card Industry Payment Application Data Security Standards (PCI PA-DSS)
PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
Validated Payment Applications LINK
https://www.pcisecuritystandards.org/documents/pci_dss_aoc_service_providers.docPayment Card Industry POS PIN Transaction Security (PTS) Standards
Approved PIN Entry Devices LINK
https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.phpComplying with PCI DSS is the merchant's responsibility. If you have received a letter from Global Payments Inc. or an affiliated processing party, please click on the below link to identify if you are using a compliant payment application. Note, you will be required to enter your enrollment code found on your letter to access the secure questionnaire.
- PCI DSS: Merchant Payment Application
All third parties with internal systems that store, process, or transmit cardholder data on behalf of merchants must comply with Payment Card Industry (PCI) Security Standards. Compliance validation is required for all third parties that store, process, or transmit cardholder data on behalf of merchants and member financial institutions.
- Payment Card Industry Data Security Standards for Service Providers
Visa and MasterCard have collaborated in creating payment card industry standard security requirements and alignment of Visa USA Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) programs in the United States and alignment of SDP and Visa’s Accountholder Information Security (AIS) Program outside of the United States. In December 2004, Visa US and MasterCard announced the alignment of their programs re-branded as Payment Card Industry (PCI) Data Security Standards. The MasterCard SDP, Visa USA CISP, and Visa Canada AIS Programs have the similar goal of protecting payment card account data stored by merchants and service providers and include both a review of policies, procedures, and safeguards in addition to network scans. These goals have been endorsed by Discover, JCB, and Diners Club and are under review by American Express.
All third parties with internal systems that store, process, or transmit cardholder data on behalf of merchants must comply with Payment Card Industry (PCI) Security Standards. Compliance validation is required for all third parties that store, process, or transmit cardholder data on behalf of merchants and member financial institutions. Validation requires regular network scans and annual validation of policies and procedures. Level 1 and Level 2 Service Providers must engage a qualified independent security assessor to prepare a Report on Compliance and Level 3 Service Providers may complete the self-assessment or utilize self-assessment tools available through qualified independent security assessors.
Network scanning tools map the Web site’s configuration and check a database of more than 1,200 known vulnerabilities. Network scan may also include intrusion detection services, firewall monitoring, and additional web insurance. Network scans must be performed by a qualified independent scan vendor.
The Level 1 Service Provider group includes all processors that are connected to VisaNet and MasterCard networks. Global Payments has met the PCI requirements for 2005. Level 1 Service Provider group includes all payment gateways that operate between merchant and Global Payments or between merchant and other processors. Level 1 Service Providers was expanded to include Data Storage Entities (DSEs) for Level 1 Merchants (more than 6 million MasterCard or Visa transactions regardless of acceptance channel) and Level 2 Merchants (more than 150,000 and less than 6,000,000 electronic commerce transactions).
The Level 2 and Level 3 Service Provider group includes all third party service providers (example: Third-Party Servicer (TPS), Independent Sales Organizations (ISO), merchant vendor, Web hosting company or shopping cart, media back-up company, Loyalty program vendor, Risk management vendor, chargeback vendor, and credit bureau) not in Level 1 that store, process, or transmit transactions. The number of transactions will be determined based on the gross number of Visa transactions stored, processed, or transmitted—not just for the merchant or Member supported but for all entities supported by a service provider. The Level 2 and Level 3 Service Provider group also includes third party Data Storage Entities storing data on behalf of Level 3 Merchants (more than 20,000 and less than 150,000 electronic commerce transactions) or Level 4 Merchants (all other merchants, regardless of acceptance channels).
Visa requires service providers to provide compliance validation results directly to Visa. After a Level 1, 1, 2 , or 3 Service Provider has provided compliance documentation demonstrating full compliance to Visa USA, they will be included on the list of Compliant Service Providers. To view current Visa list, click here.
Third parties that receive, pass, and store transaction data for merchants should have agreements with merchants.
The following is a summary of the compliance validation steps required for third parties (including ISOs, loyalty, etc.) that store cardholder data.
Level Description Compliance Validation Requirements Compliance Validation Tools
Available at
https://www.pcisecuritystandards.orgLevel 1 Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Note: Eliminates payment gateway definition from several existing regional programs
Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment must be performed by a Qualified Security Assessor.
Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
PCI DSS Requirements and Security Assessment Procedures v1.2
List of PCI SSC Qualified Security Assessors (QSA)
https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.phpNOTE: TrustWave is strongly recommended
https://www.trustwave.com/List of PCI SSC Approved Scanning Vendors (ASV)
https://www.pcisecuritystandards.org/pdfs/approved_companies_providers/approved_scanning_vendors.phpLevel 2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Note: Effective January 1, 2009, MasterCard will no longer list those Service Providers who have only submitted an SAQ. The posting will contain only those entities who have successfully completed an annual onsite review
Note: Effective February 1, 2009, Level 2 service providers will not longer be listed on Visas’ List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider
Annual PCI Self-Assessment Questionnaire
Quarterly Network Scan
American Express and Discover's Service Providers Regulations
- American Express Data Security Operating Policy for U.S. Service Providers
Service Providers must adhere to American Express Data Security Policies.
Review this article for detailed information on Data Security Operating Policy for U.S. Service Providers. Link
- Discover Service Provider Compliance Validation and Reporting Requirements
All service providers that process, store or transmit cardholder data on the Discover network are required to report their compliance status to Discover Network on an annual basis. In order to validate and report their compliance status to Discover Network, service providers must complete and submit one of the following:
On-site assessment
Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.1Self-Assessment
Service Providers that completed an on-site assessment using PCI DSS v1.1 are required to submit the Executive Summary from their Report on Compliance (ROC). Please note: all assessments that commence after January 1, 2009 must use PCI DSS v1.2.
Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" Section of the Attestation of Compliance.1
All compliance reports must be submitted by December 31 for the current year*. For more information visit Discover's Information Security and Compliance (DISC) Web site. LinkFor more information on Service Providers, visit the card schemes' links.
- American Express Data Security Operating Policy for U.S. Service Providers
- Discover Information Security and Compliance (DISC)
- MasterCard Defining Your Service Provider Level
- Visa Defining Your Service Provider Level
Validation procedures and documentation
Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form https://www.pcisecuritystandards.org/documents/pci_dss_aoc_service_providers.doc and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).
Here are some additional industry links regarding PCI DSS:
- Merchant Security & Privacy - Made Simpler™ Manageable Guidelines to Help You Protect Your Customers' Security & Privacy From Identify Theft & Fraud
- Better Business Bureau Data Security Made Simpler
- Terms and Definitions
- TrustWave TW Overview
- In order to help you better understand the risks of theft and fraud for your business and the requirements for PCI DSS compliance, Global Payments invites all merchants to attend one of our online PCI seminars. Join us March 18th at 1:00 CST for PCI 101 – What Your Business Needs to Know. Visit www.trustwave.com/globalwebinars.php for information on how to register.
Merchant Other Rules and Regulations
|
Date |
Calendar Item Description |
Card Scheme |
|
2/1/2009 |
Visa Zero Dollar Account Verification Fee—Effective on this date, acquirers may notice changes in their Visa billing. Previously excluded declined, AVS, and SMS-acquired Account Verification transactions will now be included in this fee calculation. |
Visa |
|
4/17/2009 |
Required Support of Partial Authorization Approvals Details regarding the technical support for Partial Authorization Approvals are provided in Release 9.1 of the Technical Specifications. |
Discover |
|
7/1/2009 |
Zero Floor Limit Fee (Clearing Without Authorization)—A new transaction fee will be applied for any Visa clearing transaction submitted without proper authorization. Since April 2007, all transactions acquired in the U.S., in all merchant environments, have moved to a zero floor limit and must be authorized. This fee will help reduce the number of clearing transactions that are not properly authorized. Unauthorized clearing transactions adversely impact the integrity of the Visa payment system by circumventing both acquirer and issuer real time risk and fraud control systems. |
Visa |
|
10/1/2009 |
Visa Misuse of Authorization System Fee—A new acquirer fee of $0.045 fee per transaction will be applied to authorization transactions that are not followed by a matching Visa clearing transaction (or, in the case of a cancelled or timed out transaction, are not properly reversed) goes into effect. This fee is being implemented to reduce the occurrence of “ghost authorizations” (authorizations that are approved but never cleared), which can unnecessarily restrict a cardholder’s open to buy, leading to increased declines and confusion at the merchant’s point of sale. Authorizations will be matched with corresponding clearing or authorization reversal transactions by means of the Transaction Identifier (Field 62.2). The clearing or authorization reversal will be required within specific time frames following the original authorization transaction. These time frames are still being finalized The Misuse of the Authorization System Fee will be billed by Visa to the acquirer identified in the transaction via the Global Member Billing Solutions (GMBS) System. |
Visa |
|
10/16/2009 |
Discover Financial Services acquired Dines Club International - deadline for certification and testing of compliance by Network clients with Diners Club International requirements in Program Documents. Hosts must be reconfigured at this time to avoid Diners Club International transaction failures. |
Discover |
|
10/16/2009 |
Visa Automated Fuel Dispensers - A Partial Authorization Non-Participation Fee of $0.01 per nonparticipating Automated Fuel Dispenser transaction takes effect. |
Visa |
|
4/1/2010 |
Section 9.1.8, Partial Authorization Approvals: You and your Acquirer Processor, if any, must obtain Certification from us before April 17, 2009 of your respective systems’ ability to support Partial Authorization Approvals. Your Merchants’ systems, including POS Devices and Authorization procedures, are required to support Partial Authorization Approvals, in accordance with the Technical Specifications, before April 1, 2010. Please explain to your Merchants that if the Merchant receives a Partial Authorization Approval and subsequently submits Sales Data in an amount different from the Partial Authorization Approval, the amount by which the Sales Data exceeds the Partial Authorization Approval may be subject to Dispute. For more information contact your Discover Network Relationship Manager. |
Discover |
|
4/16/2010 |
Sales tax exempt transactions will no longer be eligible for the Level 2 incentive rate from MasterCard. Tax exempt commercial card transactions with Line Item Detail will continue to be eligible for the Level 3 incentive rate from MasterCard. |
MasterCard |
|
5/1/2010 |
MasterCard announced a mandate for acquirers in the U.S. region to support partial approvals, support sending a reversal request or advice to update the cardholder’s open-to-buy balance, and support sending account balance responses within the Banknet® telecommunications network and the MasterCard® Debit Switch (MDS) for debit and prepaid transactions. NOTE – Global Payments has received an extension from MasterCard until 1 May 2011 for all MCCs. Please see May, 2011 |
MasterCard |
|
6/1/2010 |
Federal Reserve Board - The Department of the Treasury and the Federal Reserve Board today announced the release of a joint final rule to implement the Unlawful Internet Gambling Enforcement Act of 2006. The Act prohibits gambling businesses from knowingly accepting payments in connection with unlawful Internet gambling, including payments made through credit cards, electronic funds transfers, and checks. For more information review these links: |
Federal Reserve Board |
|
7/1/2010 |
To ensure you as a merchant use secure payment applications - Visa mandate indicates all required merchants use PA DSS compliant applications by 7/1/2010. For more information visit this link |
Visa |
|
7/1/2010 |
Visa Triple Data Encryption Standard (TDES) Implementation Requirements: All transactions originating at POS PIN-Entry Devices must be encrypting PINs using TDES from the point of transaction to the Issuer (end-to-end). |
Visa |
|
12/31/2010 |
MasterCard mandates POS terminals that currently mask the PAN on the cardholder receipts (reflecting only the last four digits) may implement the truncation of the expiration date – from cardholder and merchant receipts – with future software updates, no later than December 31, 2010. For more information visit this the Card Account Information Truncation Requirements: Transactions Receipts section below. |
MasterCard |
|
1/1/2011 |
1099K: |
IRS |
|
5/1/2011 |
MasterCard announced a mandate for acquirers in the U.S. region to support partial approvals, support sending a reversal request or advice to update the cardholder’s open-to-buy balance, and support sending account balance responses within the Banknet® telecommunications network and the MasterCard® Debit Switch (MDS) for debit and prepaid transactions. NOTE – Global Payments has received an extension from MasterCard until 1 May 2011 for all MCCs. For a list of MCCs and more information visit this the MasterCard Rules, section:11.5C.3 Additional U.S. Region Rules |
MasterCard |
|
1/1/2012 |
B Notices: |
IRS |
| New Merchant or New Deployment Cardholder Copy Only | Existing Merchants Cardholder Copy Only | |
| MasterCard | 04/01/2005 | See Visa Date |
| Visa USA | 07/01/2003 | 07/01/2006 |
| Visa CA | 04/01/2007 | 04/01/2007 |
| US Public Law 108-159 | 12/04/2003 | 12/04/2006 |
| New Merchant or New Deployment Both Copies | Existing Merchants Both Copies | |
| MasterCard | 10/01/2008 | 12/31/2010 |
| Alaska | 07/01/2009 | 07/01/2009 |
| California | 01/01/2009 | 01/01/2009 |
| Colorado | 07/01/2006 | 07/01/2006 |
| Nevada | 07/01/2009 | 12/31/2009 |
| New Mexico | 01/04/2004 | 01/04/2004 |
| Tennessee | 05/13/2005 | 01/01/2007 |
| Washington State | 07/26/2009 | 07/26/2009 |
NOTE: Other state legislatures (i.e. IN, MS, NJ, OR, VT, CT) have legislation in process requiring truncation of merchant copy of printed transaction receipt and merchants should be cognizant of state requirements that may be more restrictive than federal law and carry strict penalties.
On December 4, 2003, President Bush approved a federal law which preempts existing state laws requiring truncation of account numbers on customer receipts, thereby creating a uniform national standard. This legislation, called the Fair and Accurate Credit Transactions Act of 2003, provides (among many other things) that "no person accepting credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction. The law governs electronically printed receipts and does not apply to transactions in which the sole means of recording the credit or debit card account number is by handwriting or by an imprint. The effective date for merchant equipment in use before January 1, 2005 to be compliant was December 4, 2006. The effective date for merchant equipment that went into use on or after January 1, 2005 to be compliant was January 1, 2005.
Effective October 1 2008, MasterCard requires that the cardholder and merchant receipt generated by all electronic POS terminals – whether attended or unattended – mask the card expiration date. In addition, cardholder receipts must only display only the last four (4) digits of the primary account number (PAN). All preceding digits of the PAN must be replaced with fill characters that are neither blank spaces nor numeric characters, such as “X,” “*,” or “#.”
MasterCard strongly suggests that the merchant copy generated by all electronic POS terminals, whether attended or unattended, reflect only the last four (4) digits of the PAN and that all preceding digits be replaced with fill characters that are neither blank spaces nor numeric characters, such as “X,” “*,” or “#.”
POS terminals that currently mask the PAN on the cardholder receipts (reflecting only the last four digits) may implement the truncation of the expiration date – from cardholder and merchant receipts – with future software updates, no later than December 31, 2010.
NOTE: Effective April 1, 2005 MasterCard required all cardholder receipts generated by newly installed, replaced, or relocated ATM and point-of-interaction (POI) terminals, whether attended or unattended, reflect only the last four digits of the primary account number (PAN). Fill characters that are neither blank spaces nor numeric characters, such as X, *, or #, must replace all preceding digits.
If your current terminal(s) cannot truncate the expiry date on the merchant receipt, you will need to upgrade your payment application in advance of the December 2010 deadline. Global Payments has numerous applications that offer this feature. Check with your account representative or call 1 800 929-1245 for information.
Effective July 1, 2003, for all new terminals, Visa USA mandated that all but the last four digits of the cardholder account number, and the entire expiration date, be suppressed on the cardholder copy of all transaction receipts generated from electronic (including cardholder-activated) terminals.
Effective July 1, 2006, for all existing terminals, Visa USA mandated that all but the last four digits of the cardholder account number, and the entire expiration date, be suppressed on the cardholder copy of all transaction receipts generated from electronic (including cardholder-activated) terminals.
Effective 1 October 2011 for new terminals, and effective 1 October 2014 for existing terminals, Visa will require that all but the last four (4) digits of a PAN be suppressed on cardholders’ copies of transaction receipts generated from electronic terminals, including ATMs and cardholder-activated terminals.
Industry Educational Webinars
Sponsoring Institutions
Limited Acceptance Merchants For a definition on limited card acceptance, please refer to the Global Payments Card Acceptance Guide link above.