Payment Card Industry (PCI) Data Security Standards for Service Providers

Visa and MasterCard have collaborated in creating payment card industry standard security requirements, aligning the Visa USA Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) programs in the United States, and aligning SDP and Visa’s Accountholder Information Security (AIS) Program outside of the United States. In December 2004, Visa US and MasterCard announced the alignment of their programs, re-branded as the Payment Card Industry (PCI) Data Security Standards. The MasterCard SDP, Visa USA CISP and Visa Canada AIS Programs share the goal of protecting payment card account data stored by merchants and service providers, and each includes a review of policies, procedures and safeguards in addition to network scans. These goals have been endorsed by Discover, JCB and Diners Club and are under review by American Express.

All third parties (TPPs) and Data Storage Entities (DSEs) with internal systems that store, process or transmit cardholder data on behalf of merchants are collectively referred to as “Service Providers”. Service Providers must comply with Payment Card Industry (PCI) Data Security Standards. Compliance validation is required for all third parties that store, process or transmit cardholder data on behalf of merchants and member financial institutions. Validation requires regular network scans and annual validation of policies and procedures. All Service Providers must engage a qualified security assessor (QSA) to validate compliance.

One of the validation actions is a quarterly network scan: network scanning tools map the website’s configuration and check it against a database of more than 1,200 known vulnerabilities. A network scan may also include intrusion detection services, firewall monitoring and additional web insurance. Network scans must be performed by a qualified independent scan vendor.

The Level 1 Service Provider group includes all Third Party Processors that are connected to the VisaNet and MasterCard networks. Global Payments has met the PCI requirements since 2005. The Level 1 Service Provider group also includes all payment gateways that operate between a merchant and Global Payments or between a merchant and other processors.

The Level 2 and Level 3 Service Provider group includes all third party service providers not in Level 1 that store, process or transmit transactions (for example: Third-Party Servicer (TPS), Independent Sales Organizations (ISO), merchant vendor, web hosting company or shopping cart, media back-up company, loyalty program vendor, risk management vendor, chargeback vendor, and credit bureau). The number of transactions is determined from the gross number of Visa transactions stored, processed, or transmitted, counted not just for the merchant or Member supported but for all entities supported by the service provider. The Level 2 and Level 3 Service Provider group also includes third party Data Storage Entities storing data on behalf of Level 3 Merchants (more than 20,000 and less than 150,000 electronic commerce transactions) or Level 4 Merchants (all other merchants, regardless of acceptance channels).

Visa requires service providers to provide compliance validation results directly to Visa. After a Level 1, 2 or 3 Service Provider has provided compliance documentation demonstrating full compliance to Visa Inc. and MasterCard Worldwide, they will be included on the list of Compliant Service Providers.

The current Visa list and the current MasterCard list of Compliant Service Providers are published on the respective card association websites.

Third parties that receive, pass, and store transaction data for merchants should have agreements with merchants.

The following is a summary of the compliance validation steps required for third parties (including ISOs, loyalty, etc.) that store cardholder data.

| Level | Service Provider Criteria | Requirements | Compliance Validation Due Date |
|---|---|---|---|
| Level 1 | All MasterCard Third Party Processors (TPPs); all VisaNet Processors (VNPs); all Payment Gateways (Processor Connected Entities) that process, transmit, and/or store Visa transactions, regardless of transaction volume; all Data Storage Entities (DSEs) that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual Onsite PCI Data Security Assessment [Annual Report on Compliance (ROC)] performed by a Qualified Security Assessor (QSA); Quarterly Network Scan by an Approved Scanning Vendor (ASV) | December 31, 2005 and annually |
| Level 2 | Any Visa Service Provider that is not in Level 1 that processes, transmits, or stores more than 1,000,000 Visa accounts/transactions annually | Annual Onsite PCI Data Security Assessment performed by a Qualified Security Assessor (QSA); Quarterly Network Scan by an Approved Scanning Vendor (ASV) | December 31, 2005 and annually |
| Level 2 | All DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual Onsite PCI Data Security Assessment performed by a Qualified Security Assessor (QSA); Quarterly Network Scan by an Approved Scanning Vendor (ASV) | December 31, 2005 and annually |
| Level 3 | Any Visa Service Provider that is not in Level 1 that processes, transmits, or stores fewer than 1,000,000 Visa accounts/transactions annually | Annual Onsite PCI Data Security Assessment performed by a Qualified Security Assessor (QSA); Quarterly Network Scan by an Approved Scanning Vendor (ASV) | December 31, 2005 and annually thereafter |

Terms and Definitions

Annual PCI Self-Assessment Questionnaire: Compliance questionnaire required for Level 3 Third Parties (and Level 2 and Level 3 merchants) to determine adherence to the Digital Dozen on the basis of a self-assessment. Third Parties (and Merchants) must also undergo a System Perimeter Scan at least quarterly, performed by a Payment Card Industry approved security assessor.

Annual Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of Level 1 and Level 2 Third Parties, documenting adherence to the Digital Dozen and resulting in a Report on Compliance. Payment Card Industry approved assessors are listed on the card association websites, or contact your relationship manager. Also required for Level 1 Merchants.

Data Storage: The temporary or permanent retention of MasterCard account data in any form (including logs) for subsequent processing, retrieval or other use.

Data Storage Entity (DSE): Any entity other than the acquiring member, merchant or TPP that stores MasterCard account data on behalf of merchants, web hosting providers and payment gateways. May include terminal drivers and processors. Storage may be temporary or permanent and in any form (including logs).

Merchant Servicer (TPS): Visa Merchant Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the merchant. This includes third party servicers, web hosting company or shopping cart, and media back-up company. Requires member bank registration of Merchant Servicer with Visa.

System Perimeter Scan: A PCI-approved, independent security assessor performs a system perimeter scan at least quarterly. A system perimeter scan uses an automated tool that checks third party systems for vulnerabilities. This applies to all third parties (and merchants) with external-facing Internet protocol (IP) addresses. Even if a third party (or merchant) does not offer Web-based transactions, other services such as email and employee Internet access will make the company network Internet-accessible. The tool conducts a non-intrusive scan that remotely reviews networks and web applications based on the external-facing IP addresses provided by the third party. Required for Level 1, 2 and 3 Third Parties (and Level 1, 2 and 3 merchants).

Third Party Processor (TPP): MasterCard Third Party Processor. Requires registration directly with MasterCard if the TPP provides services to MasterCard member financial institutions.

Third Party Servicer (TPS): Visa Third Party Servicer includes non-members other than the merchant and processor that receive, pass or store transaction data on their internal systems on behalf of the member, the merchant, or another Third Party.

TPS includes merchant vendors, such as a web hosting company or shopping cart and a media back-up company; these merchant vendors are classified as Merchant Servicers. It also includes Independent Sales Organizations (ISO), loyalty program vendors, risk management vendors, chargeback vendors and credit bureaus that provide services to a member financial institution or its merchants. Every member bank must register its third party servicers with Visa USA. Visa USA bills the membership fee and annual renewal fee directly to the TPS, not to the member(s).

VisaNet Processor: Processor, member financial institution, or merchant directly connected to Visa’s proprietary network for transaction authorization. Non-member processor VisaNet registration and member financial institution processor designation is required by Visa.

For more information on the Global Payments Data Security Program please contact your relationship or sales manager.