Payment Card Industry Data Security Standards for Service Providers
Visa and MasterCard have collaborated on a common set of payment card industry security requirements, aligning the Visa USA Cardholder Information Security Program (CISP) with the MasterCard Site Data Protection (SDP) program in the United States, and aligning SDP with Visa's Accountholder Information Security (AIS) Program outside the United States. In December 2004, Visa USA and MasterCard announced the alignment of their programs, re-branded as the Payment Card Industry (PCI) Data Security Standards. The MasterCard SDP, Visa USA CISP, and Visa Canada AIS programs share the goal of protecting payment card account data stored by merchants and service providers, and each includes a review of policies, procedures, and safeguards in addition to network scans. These goals have been endorsed by Discover, JCB, and Diners Club and are under review by American Express.
All third parties with internal systems that store, process, or transmit cardholder data on behalf of merchants must comply with the Payment Card Industry (PCI) Security Standards. Compliance validation is required for all third parties that store, process, or transmit cardholder data on behalf of merchants and member financial institutions. Validation requires regular network scans and annual validation of policies and procedures. Level 1 and Level 2 Service Providers must engage a qualified independent security assessor to prepare a Report on Compliance; Level 3 Service Providers may complete the self-assessment themselves or use self-assessment tools available through qualified independent security assessors.
Network scanning tools map the Web site's configuration and check it against a database of more than 1,200 known vulnerabilities. A network scan may also include intrusion detection services, firewall monitoring, and additional web insurance. Network scans must be performed by a qualified independent scan vendor.
The Level 1 Service Provider group includes all processors that are connected to the VisaNet and MasterCard networks. Global Payments has met the PCI requirements for 2005. The Level 1 Service Provider group also includes all payment gateways that operate between a merchant and Global Payments or between a merchant and other processors. The Level 1 Service Provider group was expanded to include Data Storage Entities (DSEs) for Level 1 Merchants (more than 6 million MasterCard or Visa transactions, regardless of acceptance channel) and Level 2 Merchants (more than 150,000 and less than 6,000,000 electronic commerce transactions).
The Level 2 and Level 3 Service Provider group includes all third party service providers not in Level 1 that store, process, or transmit transactions (for example: Third-Party Servicer (TPS), Independent Sales Organization (ISO), merchant vendor, Web hosting company or shopping cart, media back-up company, loyalty program vendor, risk management vendor, chargeback vendor, and credit bureau). The number of transactions is determined from the gross number of Visa transactions stored, processed, or transmitted, not just for one merchant or Member supported but for all entities supported by the service provider. The Level 2 and Level 3 Service Provider group also includes third party Data Storage Entities storing data on behalf of Level 3 Merchants (more than 20,000 and less than 150,000 electronic commerce transactions) or Level 4 Merchants (all other merchants, regardless of acceptance channel).
Visa requires service providers to provide compliance validation results directly to Visa. After a Level 1, 2, or 3 Service Provider has provided compliance documentation demonstrating full compliance to Visa USA, it is included on the list of Compliant Service Providers. The current list is published by Visa.
Third parties that receive, pass, and store transaction data
for merchants should have agreements with merchants.
The following is a summary of the compliance validation steps required for third parties (including ISOs, loyalty program vendors, etc.) that store cardholder data.

| Service Provider Validation Level | Selection Criteria | Network Scan by Qualified Independent Scan Vendor | Annual On-Site Review by PCI-approved independent security assessor and Report on Compliance | Annual PCI Self-Assessment Questionnaire | Compliance Validation Due Date |
|---|---|---|---|---|---|
| Level 1 | All VisaNet Processors (Member and Nonmember); all MasterCard Processors (TPPs); MasterCard DSEs storing data on behalf of Level 1 Merchants; MasterCard DSEs storing data on behalf of Level 2 Merchants; all payment gateways | Quarterly | Required | Not applicable | September 30, 2004 and annually |
| Level 2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than one million Visa accounts annually; MasterCard DSEs storing data on behalf of Level 3 Merchants | Quarterly | Required | Not applicable | September 30, 2004 and annually |
| Level 3 | Any service provider that is not in Level 1 and stores, processes, or transmits less than one million Visa accounts annually; all other MasterCard DSEs storing data (e.g. loyalty, risk management, ISOs) | Quarterly | Optional | Required | September 30, 2004 and annually |
Terms and Definitions
Annual PCI Self-Assessment Questionnaire: Compliance questionnaire required for Level 3 Third Parties (and Level 2 and Level 3 merchants) to determine adherence to the Digital Dozen by self-assessment. Third Parties (and Merchants) must also undergo, at least quarterly, a System Perimeter Scan performed by a Payment Card Industry approved security assessor.
Annual Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of a Level 1 or Level 2 Third Party, documenting adherence to the Digital Dozen and resulting in a Report on Compliance. Payment Card Industry approved assessors can be found on the card association Web sites (see links below), or contact your relationship manager. Also required for Level 1 Merchants.
Data Storage: The temporary or permanent
retention of MasterCard account data in any form (including
logs) for subsequent processing, retrieval, or other use.
Data Storage Entity (DSE): Any entity other
than the acquiring member, merchant, or TPP that stores MasterCard
account data on behalf of merchants, web hosting providers,
and payment gateways. May include terminal drivers and processors.
Storage may be temporary or permanent and in any form (including
logs).
Merchant Servicer (TPS): Visa Merchant Servicer
includes non-members other than the merchant and processor
that receive, pass, or store transaction data on their internal
systems on behalf of the merchant. This includes third party
servicers, Web hosting company or shopping cart, and media
back-up company. Requires member bank registration of Merchant
Servicer with Visa.
System Perimeter Scan: A PCI-approved, independent security assessor performs a system perimeter scan at least quarterly. A system perimeter scan uses an automated tool that checks third party systems for vulnerabilities. This applies to all third parties (and merchants) with external-facing Internet protocol (IP) addresses. Even if a third party (or merchant) does not offer Web-based transactions, other services such as e-mail and employee Internet access still make the company's network accessible from the Internet. The tool conducts a non-intrusive scan to remotely review networks and Web applications based on the external-facing IP addresses provided by the third party. Required for Level 1, 2, and 3 Third Parties (and Level 1, 2, and 3 merchants).
Third Party Processor (TPP): MasterCard
Third Party Processor. Requires registration directly with
MasterCard if TPP provides services to MasterCard member financial
institutions.
Third Party Servicer (TPS): Visa Third Party Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the member, the merchant, or another Third Party. TPS includes merchant vendors, such as a Web hosting company or shopping cart and a media back-up company; these merchant vendors are classified as Merchant Servicers. TPS also includes Independent Sales Organizations (ISO), loyalty program vendors, risk management vendors, chargeback vendors, and credit bureaus that provide services to a member financial institution or its merchants. Every member bank must register its third party servicers with Visa USA. Visa USA bills the membership and annual renewal fees directly to the TPS, not to the member(s).
VisaNet Processor: Processor, member financial
institution, or merchant directly connected to Visa’s
proprietary network for transaction authorization. Non-member
processor VisaNet registration and member financial institution
processor designation is required by Visa.
- For more information on the Global Payments Data Security Program, please contact your relationship or sales manager.
- Information on this topic is also available from American Express.
- Information on this topic is also available from Discover.
- Information on this topic is also available from MasterCard.
- Information on this topic is also available from Visa.