Payment Card Industry (PCI) Compliance
The Payment Card Industry Data Security Standard
(PCI DSS) is a mandatory global standard established by the major card associations
to ensure the protection of cardholder data. Based on twelve guidelines, the PCI
DSS requires merchants to make their physical and virtual environments secure to
ensure protection of cardholder data. As a merchant accepting credit cards as a
form of payment, you are required by the card associations to adhere to the PCI
DSS. The PCI DSS encompasses the security programs from Visa and MasterCard, Cardholder
Information Security Program (CISP) and Site Data Protection (SDP), respectively.
The PCI DSS sets technology requirements such as the use of data encryption, end-user
access control, and activity monitoring and logging. It also includes procedural
mandates, such as the need to implement formal and documented security policies
and vulnerability-management programs. These requirements were developed to ensure that cardholder
data is protected throughout the transaction process. Compliance with the standard
applies to all types of merchants: retail, MO/TO (mail order/telephone order), and Internet. All merchants need
to follow best practices for storage and destruction of all paper or electronic
records containing account numbers or cardholder data. Additionally, merchant service
providers processing credit cards need to be PCI compliant. Sage Payment Solutions
is itself a PCI-compliant service provider.
Importance of PCI Data Security Standard Compliance and/or Certification
Ensuring the safety of your customers' cardholder information helps your business
create and maintain a positive image, enhances customer confidence and can even
improve your bottom line. Additional benefits include:
- By adhering to the data security regulations, businesses can significantly reduce
their exposure to fraud losses resulting from the theft of cardholder data.
- Compliance with the programs can lead to enhanced consumer confidence, which can
result in higher sales.
- Compliance with the PCI DSS is mandatory. If you or your service providers are
not compliant with the PCI DSS, the card associations could levy fees and fines
against you, and your credit card processing services could be terminated.
PCI Assessment Requirements
The more credit card transactions a merchant processes, the more stringent the compliance
procedure. For most merchants, compliance consists of passing quarterly or annual
network scans and completing an annual self-assessment questionnaire. If you process
more than 20,000 e-commerce or 6 million total V/MC transactions per DBA annually,
you will need to provide evidence of certification from a V/MC certified vendor.
| Level | Merchant criteria | Comply with DSS | On-Site Security Audit | Self-Assessment Questionnaire | Network Scans | Validated By |
|---|---|---|---|---|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 V/MC transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that V/MC determines should meet the Level 1 merchant requirements to minimize risk to their systems; any merchant identified by any payment card brand as Level 1 | Required | Required Annually | | Required Quarterly | Qualified Data Security Company and Independent Scan Vendor |
| 2 | Any merchant processing 1,000,000 to 6,000,000 V/MC e-commerce transactions per year | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 3 | Any merchant processing 20,000 to 1,000,000 V/MC e-commerce transactions per year | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 4 | Any merchant processing fewer than 20,000 V/MC e-commerce transactions per year, and all other merchants processing up to 1,000,000 Visa transactions per year | Required | | Recommended Annually | Recommended Annually | Merchant |
The PCI Data Security Standard
All merchants that accept credit cards are required to comply with the PCI DSS, including
retail stores (card-present transactions) and Internet or mail order/telephone order
businesses (card-not-present transactions).
Reference: MasterCard's PCI Data Security Standard Manual
On-Site Security Audit
The audit must be completed by Level 1 merchants. A V/MC-approved Qualified
Data Security Company should be engaged to complete the Report on Compliance.
Reference: PCI Security Audit Procedures & Reporting
Self-Assessment Questionnaire
This must be completed and submitted by Level 2 and 3 merchants. It should
address every system or system component involved in processing, storing, or
transmitting cardholder data. Level 4 merchants are recommended to complete
the assessment to confirm their own compliance with the standard.
Network Scans
Network scans check systems for vulnerabilities. The non-intrusive scan is conducted
remotely and reviews the networks and Web applications reachable at the externally facing
Internet Protocol (IP) addresses provided by the merchant. Level 1, 2, and 3 merchants
are responsible for ensuring that a quarterly network scan is performed on their
Internet-facing perimeter systems by a qualified independent scan vendor.
Validation
Level 1, 2 and 3 merchants are required to conduct quarterly network scans
and either annual self-assessments or audits with V/MC-approved vendors. Sage Payment
Solutions has partnered with AmbironTrustWave, the leading information security
firm certified by the major card associations, to offer our merchants a simple solution
to validate PCI compliance with the TrustKeeper program. To get started with the
validation process, go to http://sagepaymentsolutions.trustkeeper.net to enroll.
Level 4 merchants are advised to conduct quarterly network scans and annual
self-assessments, but they are not required to, so long as they comply with the
12 requirements of the PCI standard. Merchants that process fewer than 20,000
V/MC transactions online are considered Level 4 merchants. Sage Payment Solutions
has arranged for you to have access to a free risk assessment through AmbironTrustWave's
Risk Profiler. To take this free risk assessment and measure your level of risk,
go to http://sagepaymentsolutions.riskprofiler.net. After completing the risk
assessment, you will have the option to continue with the validation process.
Next Steps
It is important that merchants become PCI compliant as quickly as possible, in response
to the growing concern among credit cardholders about data security. The following
steps will get you started:
- Identify the individuals who will be responsible for PCI compliance in your organization,
and assemble a team that includes members from each compliance area.
- Determine your merchant level.
- Complete the PCI Data Security Standard Self-Assessment Questionnaire.
- Make sure that your organization has an Information Security Policy and that it
is being enforced.
- Engage a qualified vendor to perform the required network/perimeter scans, if appropriate.
- Immediately address any significant deficiencies discovered during the assessment
or scan.
- Retain records of self-assessments, scans, and follow-up activities. Be prepared
to provide these documents upon request.
Fines and Penalties
Penalties for failure to comply with the PCI requirements, failure to rectify a
security issue, or failure to report a compromise are severe, and may include:
- possible restrictions on the merchant
- permanent prohibition of the merchant's participation in card association programs
- a fine of up to $500,000 per incident
- liability for violation of applicable federal or state laws
- liability for fraud losses perpetrated using the account numbers associated with the compromise
(from the date of compromise forward)
What to Do If Compromised
In the event of a security incident, merchants must take immediate action to:
- Contain and limit the exposure. Conduct a thorough investigation of the suspected
or confirmed loss or theft of account information within 24 hours of the compromise.
- Alert all necessary parties. Be sure to notify:
- Merchant Account Provider
- Merchant Bank
- Visa Fraud Control Group at (650) 432-2978
- Local FBI Office
- U.S. Secret Service (if Visa payment data is compromised)
- Provide the compromised Visa accounts to the Visa Fraud Control Group within 24 hours.
- Within four business days of the reported compromise, provide Visa with an incident
report.
The CISP What To Do If Compromised guide from Visa contains step-by-step guidelines.
Payment Card Industry (PCI) Data Security Standard: 12 Requirements
1: Install and maintain a firewall configuration to protect data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored data
4: Encrypt transmission of cardholder data and sensitive information across public networks
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
7: Restrict access to data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security