Merchant Use of Third Parties

If you use a PC product or a third-party integrated product for your transaction processing, you are responsible for taking reasonable and appropriate steps to safeguard cardholder account information. It is critical that every merchant ensure that its vendors, processors, software providers, payment gateways, and other service providers adhere to the same security requirements.

Merchants using a third party need to confirm whether account information is being passed and/or stored on merchant internal systems, on third-party vendor internal systems, or both. In addition, Internet merchants using shopping cart software that receives and passes cardholder information are responsible for safeguarding cardholder account information and for identifying their use of a third-party shopping cart to their acquirer/processor.

While there is applicable language in the Card Acceptance Guide, due to the importance of this issue, we are summarizing key requirements below and providing links to other important information or websites.

Merchants who store data

  • Merchant requirement to identify if cardholder data is stored on internal systems. NOTE: Your merchant application asks what software and vendor you use.
     
  • Merchant requirement to conduct self audits or third party audits that may be requested or required by the card associations at your expense if you store data on internal systems. NOTE: See Payment Card Industry Standards for Merchants on Industry Initiatives for additional information.
     
  • Merchant requirement to remediate deficiencies identified as a result of self audit or third party audits as directed.
     
  • Merchant requirement to participate in a forensic review if you have a security breach.
     
  • Merchant requirement to abide by card association requirements and best practices as they may appear on card association websites, on Global websites, in the Card Acceptance Guide, and in other communications.
     
  • These requirements apply to all merchants storing data on internal systems, not just electronic commerce merchants.
     
  • Payment Card Industry (PCI) requirements apply to any merchant with an internet-facing IP address if cardholder data is stored on the merchant’s internal systems.
     
  • Payment Card Industry requirements and best practices must be adhered to by all merchants. Merchants representing the highest transaction volumes and risk must validate compliance with PCI Security Standards.
     
  • Visa developed a communication that underscores the requirements that software developers comply with information security requirements and best practices by not storing sensitive cardholder data. The communication may be viewed by clicking on “POS SECURITY”. NOTE: Software that meets these requirements and best practices may be listed on PCI Web sites later in 2005.
     
  • MasterCard, in conjunction with the other payment card associations, developed a merchant communication notice that underscores the requirement that merchants comply with applicable MasterCard regulations including maintaining cardholder account data in a secure environment. The merchant communication can be viewed by clicking on “SECURITY LETTER” and the MasterCard Merchant Rules manual may be viewed by clicking on “RULES”.

Merchants who use a third party vendor that stores data

  • Merchant requirement to identify if cardholder data is stored on the internal systems of a Merchant Servicer or Third Party Servicer. NOTE: Your merchant application asks what software and vendor you use.
     
  • Merchant requirement to notify us (within 3 days) of any changes to, or additional, third parties.
     
  • Merchant requirement to use only Third Party Servicers or Merchant Servicers that are on the Visa CISP or a comparable PCI list.
     
  • Merchant requirement to use only Third Party Servicers or Merchant Servicers that are registered with their acquiring bank.
     
  • Merchant requirement to have an agreement with the third party.
     
  • Merchant requirement to retain legal control of the data if they use a third party.
     
  • Merchant requirement to notify Global if the merchant or the third party has a security breach.

The merchant application is being redesigned to better support collection and tracking of cardholder data storage locations, to ensure merchant and vendor compliance. In addition, the third-party database will identify whether or not a third-party Certified Application Provider (CAP) stores transaction data. As indicated above, Third Party Servicers and Merchant Servicers must be Visa CISP compliant in addition to being registered with the acquiring bank. If the third-party database indicates that the CAP stores data, then the new “Registration” field must indicate “Yes” before a new merchant may use this vendor, effective September 30, 2004. To view, click “CAP THIRD PARTY DATA”.

© 2005 Global Payments Inc. All rights reserved.