Payment Card Industry (PCI) Data Security Standards for Merchants

Visa and MasterCard have collaborated in creating industry-standard security requirements for payment cards. As a result, Visa’s Account Information Security (AIS) program in Canada and MasterCard’s Site Data Protection (SDP) program have aligned on similar requirements. In December 2004, Visa USA’s Cardholder Information Security Program (CISP) and MasterCard’s SDP program also announced the alignment of their programs. As a result, all of these various programs are being re-branded under the Payment Card Industry (PCI) Data Security Standards.

All credit card associations share the same goal of protecting payment card account data stored by merchants and service providers, and their programs include a review of policies, procedures and safeguards in addition to network scans. These goals have already been endorsed by Discover, JCB, and Diners Club and are under review by American Express.

All merchants or Solution Providers with systems that store, process, or transmit cardholder data must comply with the PCI Data Security Standards. Compliance validation is required for all merchants, particularly for merchants with the highest transaction counts, since they represent the greatest risk to the payment card industry. This includes merchants using payment card applications for credit card authorization and settlement. The technical foundation, based on the “Digital Dozen” of 12 data security requirements, has not changed. Both the MasterCard (sdp.mastercardintl.com) and Visa (www.visa.ca/ais) websites have documents that map previous SDP and CISP requirements to the newly aligned PCI requirements. MasterCard’s SDP security solution, which protects Web merchants and vendors against hacking and attack scenarios, has been incorporated into the four merchant levels.

Merchants that use a third party for their cardholder transaction processing and do not store transaction data on their systems are not subject to the audit requirements; however, they should ensure that their vendor is aware of and compliant with these standards, if applicable. Please note that merchants are required to contact Global Payments to update their records if they have changed Solution Providers, if the vendor or equipment specified on the merchant agreement has changed, or if they believe the Solution Provider is not compliant.

Merchants that use a stand-alone terminal should continue to follow best practices as outlined in the Global Payments Merchant Agreement and the PCI Data Security Standards. For example, merchants need to follow best practices for storage and destruction of all paper or electronic records containing account numbers or cardholder data.

The following is a summary of the compliance validation steps required for merchants that store data. To enroll in the programs, please refer to the list of Qualified Independent Security Assessors (QISA) on the Visa or MasterCard web sites. In addition, Ambiron has been selected as Global Payments’ preferred QISA in Canada and the U.S. and can assist merchants or Solution Providers in meeting the PCI requirements.

Merchant Level: Level 1
Selection Criteria:
  • Any merchant, regardless of acceptance channel, with over 6,000,000 Visa or MasterCard transactions per year.
  • Any merchant identified by any other payment card brand as Level 1.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Required
QISA Enrollment Due Date: September 30, 2005
Compliance Validation Due Date: December 31, 2005 and annually

Merchant Level: Level 2
Selection Criteria: Electronic Commerce merchant with 150,000 to 6,000,000 MasterCard or Visa transactions per year.
Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Optional
QISA Enrollment Due Date: September 30, 2005
Compliance Validation Due Date: December 31, 2005 and annually

Merchant Level: Level 3
Selection Criteria: Electronic Commerce merchant with 20,000 to 150,000 MasterCard or Visa e-commerce transactions per year.
Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Optional
QISA Enrollment Due Date: September 30, 2005
Compliance Validation Due Date: December 31, 2005 and annually

Merchant Level: Level 4A (Visa Canada only)
Selection Criteria: Any merchant, regardless of acceptance channel, with 1,000,000 to 6,000,000 Visa transactions per year.
Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Optional
QISA Enrollment Due Date: September 30, 2005
Compliance Validation Due Date: December 31, 2005 and annually

Merchant Level: Level 4B (Visa Canada only)
Selection Criteria:
  • Any merchant, regardless of acceptance channel, with under 1,000,000 Visa transactions per year.
  • Electronic Commerce merchant with under 20,000 Visa transactions per year.
Network Scan by Qualified Independent Scan Vendor: Annually
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Optional
QISA Enrollment Due Date: TBD
Compliance Validation Due Date: TBD

Terms and Definitions

Annual PCI Self-Assessment Questionnaire: Level 2 and Level 3 merchants (and Level 3 Third Parties) are required to complete a self-assessment questionnaire to determine adherence to the Digital Dozen (12 data security requirements). Merchants (and Third Parties) must also undergo, at least quarterly, a System Perimeter Scan performed by a Payment Card Industry approved security assessor.

Annual On-Site Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of a Level 1 merchant, documenting adherence to the Digital Dozen and resulting in a Report on Compliance. A Report on Compliance from a Level 1 merchant’s internal auditor will be accepted provided that a letter signed by an executive-level officer of the merchant accompanies the report. Payment Card Industry approved assessors can be found on the card association web sites (see links below), or contact your relationship manager. The on-site review is also required for Level 1 and Level 2 Third Parties.

Data Storage: The temporary or permanent retention of account data in any form (including logs) for subsequent processing, retrieval, or other use.

Data Storage Entity (DSE): Any entity other than the acquiring member, merchant, or TPP that stores MasterCard account data on behalf of merchants, web hosting providers, and payment gateways. They may include terminal drivers and processors. Storage may be temporary or permanent and in any form (including logs).

Merchant Servicer (TPS): A Visa Merchant Servicer is any non-member other than the merchant and processor that receives, passes or stores transaction data on its internal systems on behalf of the merchant. This includes third-party servicers, Web hosting companies, shopping cart providers and media back-up companies.

System Perimeter Scan: A PCI-approved, independent security assessor performs a system perimeter scan at least quarterly. A system perimeter scan uses an automated tool that checks a merchant’s systems for vulnerabilities. This applies to merchants with external-facing Internet Protocol (IP) addresses and internal systems that receive, pass or store cardholder transaction data. Even if a merchant does not offer Web-based transactions, other services such as e-mail and employee Internet access make a company’s network Internet-accessible. The tool conducts a non-intrusive scan that remotely reviews networks and Web applications based on the external-facing IP addresses provided by the merchant. Required for Level 1, 2, and 3 Merchants (and Level 1, 2, and 3 Third Parties).

Third Party Processor (TPP): A MasterCard Third Party Processor requires registration directly with MasterCard if the TPP provides services to MasterCard member financial institutions.

Third Party Servicer (TPS): A Visa Third Party Servicer is any non-member other than the merchant and processor that receives, passes, or stores transaction data on its internal systems on behalf of the member, the merchant, or another Third Party. TPS includes merchant vendors such as Web hosting companies, shopping cart providers, and media back-up companies; these merchant vendors are classified as Merchant Servicers. It also includes Independent Sales Organizations (ISOs), loyalty program vendors, risk management vendors, chargeback vendors and credit bureaus that provide services to a member financial institution or its merchants.

VisaNet Processor: A processor, member financial institution or merchant directly connected to Visa’s proprietary network for transaction authorization. Visa requires VisaNet registration for non-member processors and processor designation for member financial institutions.

For more information on data security, please contact your Global Payments relationship or sales manager.

  • To view information on this topic from American Express, click here.
  • To view information on this topic from Discover, click here.
  • To view information on this topic from MasterCard, click here.
  • To view information on this topic from VISA, click here.

The information contained herein is for informational purposes only and Global Payments Inc. does not warrant the accuracy or completeness of the information. Although we believe the information to be reliable, we cannot guarantee that it will not be subsequently amended as a result of intervening factors such as rules changes from the card associations. The information contained herein is subject to change without notice and Global Payments Inc. does not undertake any responsibility to update this information after the date hereof. Global Payments Inc. does not endorse any external sites linked herein.

© 2005 Global Payments Inc.