1. What are the Payment Card Industry (PCI) Data Security Standards?
The PCI Data Security Standards are association (Visa®/MasterCard®) and industry mandated requirements for handling of credit card information, classification of merchants, and validation of merchant compliance. Merchants are responsible for the security of cardholder data and must be careful not to store certain types of data on their systems or the systems of their third party service providers. Merchants are also responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI Data Security Standards. The information security principles contained within these standards are based on ISO 17799, the internationally recognized standard for information security practices.
2. To whom does the Payment Card Industry Data Security Standards Compliance Program apply?
The program encompasses all merchants and third party service providers that store, process, or transmit cardholder data.
3. What are the benefits of being in compliance with the Payment Card Industry Data Security Standards?
It is good business practice to adhere to the PCI standards and protect cardholder information. Additionally, Visa, MasterCard, and Discover® Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant, especially if your business is compromised and you have not been validated as compliant.
4. What is "cardholder data"?
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. The account number is the critical component that makes the PCI Data Security Standards applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. The PCI Data Security Standards apply to all cardholder data stored, processed, or transmitted. Your Compliance Classification Level and What it Means.
5. How is a merchant's compliance classification level determined?
A merchant's compliance classification level is determined by annual transaction volume. The volume calculation done for you will be based on the gross number of Visa, MasterCard or Discover Network transactions processed within your merchant account. However, it will not be based on the aggregate transaction volume of a corporation that owns several chains.
6. What is the scope of the onsite review for Level 1 Merchants?
The scope of PCI Data Security Standards compliance validation for Level 1 Merchants is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is retained, stored, or transmitted, including:
- All external connections into the merchant network (i.e., employee remote access, VisaNet, third party access for processing, and maintenance).
- All connections to and from the authorization and settlement environment (i.e., connections for employee access or for devices such as firewalls and routers).
- Any data repository outside of the authorization and settlement environment where more than 500 thousand account numbers are stored. POS Terminals may be excluded from review unless:
- A POS environment is IP-based and there is external access via Internet, wireless, VPN, dial-in, broadband, or publicly accessible machines (such as kiosks) to the merchant location. In this case, the POS environment must be included in the scope of the on-site review.
- A POS environment is not IP-based nor has external access to the merchant location. In this case, the on-site review begins at the connection into the authorization and settlement environment.
7. How is IP-based POS environment defined?
The point of sale (POS) environment is the environment in which a transaction takes place at a merchant location (i.e. retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location). An Internet protocol (IP) -based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.
8. Are Level 4 merchants ever required to validate their compliance?
Yes. If a Level 4 merchant is deemed to be a "High Risk" merchant by Wells Fargo, they are required to validate compliance with the PCI Data Security Standards. Merchant Services LTDwill contact Level 4 "High Risk" merchants to discuss next steps.
9. What is a "High Risk" merchant?
Currently, merchants that are known to use non-compliant payment applications (applications known to store magnetic stripe, Cardholder Verification Value (CVV), or Cardholder Verification Value 2(CVV2) or Card Validation Code 2 (CVC2) or Card Identification (CID) fall into this "High Risk" category.
10. Can my compliance requirements change?
Yes. As your transaction volume changes, and as association and industry rules change, your compliance requirements may change. It is your responsibility to be continuously aware of the data security requirements that currently apply to you.
Data Storage Protocol
11. When is it acceptable to store magnetic stripe data?
It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. Visa, MasterCard, and Discover Network prohibit storage of the contents of the magnetic stripe as a unit. However, the following individual data elements may be retained subsequent to transaction authorization: • Cardholder Account Number • Cardholder Name • Card Expiration Date
12. Are there alternatives to encrypting stored data?
According to requirement 3.4 of the Payment Card Industry Security Audit Procedures (PDF*), stored cardholder data should be rendered unreadable. And, if encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated as the technology is rapidly evolving. In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls. Any compensating controls should be considered as part of the compliance validation process. An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:
- Internal firewalls that specifically protect the database.
- TCP wrappers or firewall on the database to specifically limit who can connect to the database.
- Separation of the corporate internal network on a different network segment from production, with a firewall separation from database servers.
13. Are there alternatives, or compensating controls, that can be used to meet a requirement?
If a requirement is not, or cannot, be met exactly as stated, compensating controls can be considered as alternatives to requirements defined in PCI Data Security Standards. Compensating controls should meet the intention and rigor of the original PCI Data Security Standards, and should also be examined by the security assessor as part of the regular PCI Data Security standards compliance audit. Compensating controls should be "above and beyond" other PCI Data Security Standards, and should not simply be in compliance with PCI Data Security Standards.
14. What if a merchant does not store cardholder data?
If a merchant does not store cardholder data, the PCI Data Security Standards still apply to the environment that transmits or processes cardholder data. This includes any service providers that a merchant uses.
Approved Software and Applications
15. What processing software/applications are currently known to be compliant?
Below you will find a link to the card processing software programs that Visa has validated to be compliant with the PCI Data Security requirements, including the requirement that after authorization, Security Data will be purged from the records and systems. Security Data is certain security information, including the full contents of any track of the magnetic stripe from the back of a card and the cardholder validation code (the three or four digit value printed on the signature panel of the card). Copies of these software programs that have version numbers older (those with a lower version number) than those indicated must be either upgraded, have a special security patch installed, or be replaced with compliant software to ensure that you do not store Security Data in violation of Visa, MasterCard or Discover Network's rules. If you are using any software programs different than the programs indicated, you must confirm with your software vendor that the version you are using is compliant with current security requirements.
Steps you should be taking
16. What is a security assessor?
A security assessor is an auditing company that specializes in information security. They use card association developed criteria (the PCI Data Security Standards) to validate whether or not a merchant's information security is robust enough to sufficiently protect cardholder data from unauthorized access or malicious parties.
17. Is it a common practice for security assessors to perform a re-assessment?
Yes, assessors frequently are asked to revalidate those items that were not in place at the time of the initial review and provide an updated Report on Compliance.
18. Where can the PCI Data Security Standards Compliance Questionnaire be found?
The PCI Self-Assessment Questionnaire is available for download at: pcisecuritystandards.org
19. What is a System Perimeter Scan?
A System Perimeter Scan involves an automated tool that checks a merchant's or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. The tool will not require the merchant or service provider to install any software on their systems, and it will not perform any denial-of-service attacks.
20. Is the System Perimeter Scan only applicable to e-commerce merchants?
No. The System Perimeter Scan is applicable to all merchants and service providers with external-facing IP addresses. Even if an entity does not offer Web-based transactions, there are other services that make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company's network. These paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled. If a merchant or service provider does not have any external-facing IP addresses, they will only be required to complete the Report On Compliance or the Compliance Questionnaire, as appropriate.
21. How do merchants determine the cost of compliance validation?
The cost of the review varies greatly depending on the size of the environment to be reviewed, the chosen assessor, and the degree to which the merchant is already in compliance when the review commences. The cost of a System Perimeter Scan depends on the number of IP addresses to be scanned, the frequency of the scans, and the chosen assessor. As a courtesy to its merchants, Well Fargo has negotiated preferred pricing with TrustWave for its merchants.
22. What if a merchant has outsourced the storage, processing, or transmission of cardholder data to a service provider?
Merchants should deal only with PCI Data Security Standards compliant service providers. If there are service providers handling cardholder data on a merchant's behalf, the merchant is still responsible for the security of this data and must ensure that contracts with these service providers specifically include PCI Data Security Standards compliance as a condition of business. Per association rules, you must inform Merchant Services LTD if you are using a service provider.
23. Do merchants need to include their service providers in the scope of their PCI Data Security Standards Review?
Yes. Merchants are responsible for the compliance of their service providers.
24. Can a merchant be considered compliant if they have outstanding non-compliance issues, but provide a remediation plan?
No. Lack of full compliance will prevent a merchant from being considered compliant. Merchant Services LTD encourages merchants to complete the initial review, develop a remediation plan; complete items on the remediation plan, and revalidate compliance of those outstanding items in a timely manner.
Penalties for Non-compliance
25. Are there fines associated with non-compliance of the PCI Data Security Standards?
Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.
26. Are there fines if cardholder data is compromised?
Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
- Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
- All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
- Cost of re-issuing cards associated with the compromise.
- Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).
Other PCI Compliance Resources
27. Where can I go online to get more information?
For information on association and industry cardholder information security programs, please visit the following websites on a regular basis: Visa USA — http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html MasterCard — https://sdp.mastercardintl.com Discover Network — http://www.discovernetwork.com/fraudsecurity/disc.html PCI Security Standards Council — https://www.pcisecuritystandards.org
28. Who can I speak to if I have questions?