Payment Card Industry Data Security Standards for Merchants

Visa and MasterCard have collaborated in creating payment card industry standard security requirements through the alignment of the Visa USA Cardholder Information Security Program (CISP) and the MasterCard Site Data Protection (SDP) programs in the United States and the alignment of SDP and Visa’s Accountholder Information Security (AIS) Program outside of the United States. In December 2004, Visa USA and MasterCard announced the alignment of their programs, re-branded as Payment Card Industry (PCI) Data Security Standards. The MasterCard SDP, Visa USA CISP, and Visa Canada AIS Programs have the similar goal of protecting payment card account data stored by merchants and service providers. These goals have been endorsed by Discover, JCB, and American Express.

All merchants with internal systems that store, process, or transmit cardholder data must comply with Payment Card Industry (PCI) Security Standards. Compliance validation is required for merchants with the highest transaction counts that represent the most risk to the Payment Card Industry. This category of merchants includes merchants using PC or POS vendor applications for credit card authorization and settlement.

The technical foundation based on the “Digital Dozen” has remained a constant and both MasterCard and Visa websites have mapping documents that map previous SDP and CISP requirements to the PCI DSS requirements aligned in 2006.

Merchants that use a third party (i.e. a payment gateway) for their cardholder transaction processing and do not store transaction data on their internal systems are not subject to the audit requirements. There are, however, requirements regarding such merchants’ use of a third party, which are detailed in the Global Payments CARD ACCEPTANCE GUIDE, and such merchants are required to contact Global Payments to update their merchant records if they have changed vendors or if the vendor or equipment specified on the merchant agreement has changed.

Merchants that use a stand-alone terminal should continue to follow best practices regarding storage and destruction of all records containing account numbers or cardholder data, as detailed in the Global Payments CARD ACCEPTANCE GUIDE.

The following is a summary of the compliance validation steps required for merchants that store data. The August 2006 revisions announced by Visa USA are effective immediately and are indicated below.

For each merchant level, the table lists the selection criteria, the network scan by a qualified independent scan vendor, the annual PCI Self-Assessment Questionnaire, the annual on-site security audit, and the compliance validation due date.

Level 1

Selection Criteria:
  • Any merchant, regardless of acceptance channel, with over 6,000,000 MasterCard or Visa transactions or over 2,500,000 American Express transactions per year
  • Any merchant identified by any other payment card brand as Level 1
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the Visa system

Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Not applicable to Level 1 Merchants
Annual On-Site Security Audit: Required
Compliance Validation Due Date: September 30, 2004 and annually thereafter

Level 2

Selection Criteria:
  • Effective May 2007 (MasterCard) and August 2006 (Visa): Any merchant processing 1 million to 6 million MasterCard or Visa transactions per year, regardless of acceptance channel.
  • Prior to May 2007 (MasterCard) and August 2006 (Visa): Electronic Commerce merchant with 150,000 to 6,000,000 Visa transactions per year.
  • Effective September 2007 (American Express): Any merchant processing 50,000 to 2,500,000 American Express transactions per year.

Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required*
Annual On-Site Security Audit: Optional
Compliance Validation Due Date: Validation date for newly identified Level 2 merchants is December 31, 2008 (MasterCard) and December 31, 2007 (Visa). Validation date for prior Level 2 merchants was June 30, 2005 and annually thereafter.

*Recommended.

Level 3

Selection Criteria:
  • Effective May 2007 (MasterCard) and August 2006 (Visa): Any merchant processing 20,000 to 1 million MasterCard or Visa e-commerce transactions per year.
  • Prior to May 2007 (MasterCard) and August 2006 (Visa): Electronic Commerce merchant with 20,000 to 150,000 MasterCard or Visa e-commerce transactions per year.

Network Scan by Qualified Independent Scan Vendor: Quarterly
Annual PCI Self-Assessment Questionnaire: Required
Annual On-Site Security Audit: Optional
Compliance Validation Due Date: June 30, 2005 and annually thereafter

Level 4

Selection Criteria:
  • All other merchants, regardless of acceptance channel.
  • Effective August 2006: Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.

Network Scan by Qualified Independent Scan Vendor: Annual Scan Recommended
Annual PCI Self-Assessment Questionnaire: Recommended
Annual On-Site Security Audit: Optional
Compliance Validation Due Date: To Be Announced by Member

Terms and Definitions

Annual Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of Level 1 Merchant documenting adherence to the Digital Dozen and resulting in a Report on Compliance. Report on Compliance from a Level 1 merchant’s internal auditor will be accepted provided that a letter signed by an executive-level officer of the merchant accompanies the report. Payment Card Industry-approved assessors can be found on the card association web sites (see links below) or by contacting your relationship manager. The ROC is also required for Level 1 and Level 2 Third Parties.

Confirmation of Report Accuracy (CORA): Form signed by the merchant and submitted to their Visa acquirer with the ROC or SAQ and the Quarterly Scan results.

Connected Entity:  DSE or MS that receives cardholder or transaction data from Processor or that receives cardholder or transaction data from cardholder or merchant on behalf of merchant. Also see “Merchant Connected Entity” and “Processor Connected Entity”. Processor Connected Entities are reported quarterly to Visa and member bank to ensure that member bank has registered the Connected Entity as DSE or MS. 

Data Storage: The temporary or permanent retention of account data in any form (including logs) for subsequent processing, retrieval, or other use.

Data Storage Entity (DSE): Any entity other than the acquiring member, merchant, or TPP that stores MasterCard account data on behalf of merchants, web hosting providers, and payment gateways. This may include terminal drivers and processors. Storage may be temporary or permanent and in any form (including logs).

Merchant Connected Entity:  DSE or MS that receives cardholder or transaction data from cardholder or merchant on behalf of merchant.  Also see “Connected Entity” and “Processor Connected Entity”.  Merchant Connected Entity must be PCI DSS compliant and registered by the member bank as DSE or MS.  Also, merchant must have agreement with Merchant Connected Entity regarding merchant ownership and security of transaction data.  See Card Acceptance Guide.

Merchant Servicer (MS): Visa Merchant Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the merchant. This includes third party servicers, Web hosting companies or shopping carts, and media back-up companies. Every member bank must register its merchant servicers with Visa USA.  Visa USA will bill its membership and annual renewal fee directly to the first member to register the merchant servicer, not each member using the MS.

Processor Connected Entity:  DSE or MS that receives cardholder or transaction data from Processor.  This includes payment gateways, loyalty vendors, risk vendors, and ISO/MSPs that receive files containing full cardholder account number.  Also see “Connected Entity” and “Merchant Connected Entity”.  Processor Connected Entities are reported quarterly to Visa and member bank to ensure that member bank has registered the Connected Entity as DSE, MS, and/or TPSP. 

Self-Assessment Questionnaire (SAQ): Compliance questionnaire required for Level 2 and Level 3 merchant (and Level 3 Third Parties) to determine adherence to the Digital Dozen on the basis of a self-assessment questionnaire.  Merchants (and Third Parties) must also undergo at least quarterly a System Perimeter Scan performed by a Payment Card Industry approved security assessor and a pen test.

System Perimeter Scan: A PCI-approved, independent security assessor performs a system perimeter scan at least quarterly. A system perimeter scan involves an automated tool that checks the merchant’s systems for vulnerabilities. This applies to merchants with external-facing Internet protocol (IP) addresses with internal systems that receive, pass, or store cardholder transaction data. Even if a merchant does not offer Web-based transactions, there are other services such as e-mail and employee Internet access that will result in the Internet-accessibility of a company’s network. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external facing IP addresses provided by the merchant. Required for Level 1, 2, and 3 Merchants (and Level 1, 2, and 3 Third Parties).

Third Party Processor (TPP): MasterCard Third Party Processor. A TPP provides services to MasterCard member financial institutions and must be registered by each member.

Third Party Servicer (TPS): Visa Third Party Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the member, the merchant, or another Third Party. TPS includes merchant vendors, including Web hosting companies or shopping carts, and media back-up companies. These merchant vendors are classified as Merchant Servicers. Also includes Independent Sales Organizations (ISO), loyalty program vendors, risk management vendors, chargeback vendors, and credit bureaus that provide services to member financial institutions or their merchants. Every member bank must register its third party servicers with Visa USA. Visa USA will bill its membership and annual renewal fee directly to TPS, not the member(s).

VisaNet Processor (VNP): Processors, member financial institutions, or merchants directly connected to Visa’s proprietary network for transaction authorization. Non-member processor VisaNet registration and member financial institution processor designation is required by Visa.
  • For more information on the Global Payments Data Security Program please contact your relationship or sales manager.
  • To view information on this topic from PCI Security Standards Council (PCI SSC), click here.
  • To view information on this topic from American Express, please refer to your annual policy notification.
  • To view information on this topic from Discover, click here.
  • To view information on this topic from MasterCard, click here.
  • To view information on this topic from VISA, click here.

© 2005 Global Payments Inc. All rights reserved.