PCI Security Standards for Merchants

Data Security Compliance Requirements: In order to help protect the integrity of cardholder data, ALL merchants that process, store or transmit Full Cardholder Number (FCN) data MUST comply with the Payment Card Industry Data Security Standard (“PCI DSS”) at all times. Merchants may also be required to validate and report their compliance if they send or receive FCN to/from Global. In addition,

PCI DSS Compliance Validation and Reporting Requirements

All merchants that process cardholder data are required to comply with the PCI DSS at all times. Before beginning the compliance assessment process, merchants should understand how their merchant level, as defined by the card associations, determines which validation and reporting requirements apply and how often they must be met. The information below will help merchants identify which merchant level they fall under and the compliance validation and reporting requirements that correspond to that level.

Step 1: Compliance Requirements

All merchants must comply with the Payment Card Industry Data Security Standard. The data security standard can be found on the PCI SSC Web site and it is updated every 24 months. Merchants must ensure that they comply with the updated versions of the PCI DSS. PCI DSS Version 3.0 is effective 1/1/2015. It is the global data security standard that any business of any size must adhere to as a condition of payment card acceptance. Version 2.0 is not valid after 12/31/2014. The 12 PCI DSS requirements fall into six objectives as indicated below.

PCI Data Security Standard

Build and Maintain a Secure Network

 1.    Install and maintain a firewall configuration to protect data
 2.    Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

 3.    Protect stored data
 4.    Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

 5.    Use and regularly update anti-virus software
 6.    Develop and maintain secure systems and applications

Implement Strong Access Control Measures

 7.    Restrict access to data by business need-to-know
 8.    Assign a unique ID to each person with computer access
 9.    Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10.  Track and monitor all access to network resources and cardholder data
11.  Regularly test security systems and processes

Maintain an Information Security Policy

12.  Maintain a policy that addresses information security

Requirement 3 Protect Stored Cardholder Data

Requirement 3 of the PCI DSS covers the protection of stored cardholder data. If a merchant passes cardholder data through its internal systems at authorization, the merchant should develop and adhere to a data retention/data storage policy that strictly limits storage and retention of transaction data to the data required for business, legal, and/or regulatory purposes. Sensitive cardholder authentication data must never be stored after authorization. Effective October 2008 for newly boarded merchants and July 2010 for existing merchants, merchants with internal systems that pass or store transaction data are required either to use a PCI PA-DSS compliant payment application or to validate PCI DSS compliance. For more information regarding PA-DSS, please visit the PCI SSC Web site. For more information on data storage do's and don'ts, please refer to PCI Data Storage Do's and Don'ts. If you don't need it, don't store it. Merchants, agents, and service providers should not store cardholder data unless there is a legitimate business need. Most vendors can provide view or export access to a truncated or masked cardholder number. Never send the full cardholder number in unencrypted emails, IMs, etc.
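The masking and "never send the full number in clear" guidance above, as an added example that is not part of the original page: a PAN masking helper that keeps only the first six and last four digits (the display limit set by PCI DSS Requirement 3.3) and a Luhn-based check that flags or redacts full card numbers in outgoing text such as an e-mail body before it is sent. All function names, the sample PAN and the sample e-mail are constructed for this example.

```python
import re

# PAN-shaped run of 13 to 19 digits, optionally separated by spaces or hyphens,
# that is not embedded in a longer digit string.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (used only to build the sample PAN)."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))

def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid PAN that appears in clear in the text.

    Luhn filtering drops most order and phone numbers, but a random digit run
    still passes one time in ten, so treat hits as candidates for review.
    """
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def redact_pans(text: str) -> str:
    """Replace every clear-text PAN with its masked form; other digit runs are left alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_PATTERN.sub(repl, text)

# Constructed sample: a Luhn-valid 16-digit PAN built from a test prefix, not a real account.
SAMPLE_PAN = "411111111111111" + luhn_check_digit("411111111111111")

# Constructed outgoing e-mail body of the kind Requirement 3 says must not carry a full PAN.
SAMPLE_EMAIL = (
    "Customer disputed order 20250114-778 today.\n"
    f"Card used: {SAMPLE_PAN[:4]} {SAMPLE_PAN[4:8]} {SAMPLE_PAN[8:12]} {SAMPLE_PAN[12:]}, exp 12/27.\n"
    f"Refund already issued to {mask_pan(SAMPLE_PAN)}.\n"
)

if __name__ == "__main__":
    print("clear-text PANs found:", find_unmasked_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
```

The order number in the sample is not flagged because it is too short and fails the Luhn check, while the already-masked number in the last line is never matched because the asterisks break the digit run.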

Step 2: Determine Your Merchant Level and Validation Compliance Requirements

The table below outlines the PCI DSS merchant levels, the corresponding compliance validation requirements, and the tools that can be used to validate your compliance. Any merchant that suffers a data security breach resulting in the actual or suspected compromise of cardholder data may be required to validate compliance at a higher level, as determined by the payment network.

Merchant Level and Compliance Validation Requirements

The table columns are: Merchant Level; Selection Criteria; Annual PCI Self-Assessment Questionnaire; Network Scan by Approved Scanning Vendor; Attestation of Compliance Form; Annual On-Site Security Audit; Compliance Validation Due Date.

Level 1

Selection criteria:
  Visa: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  MasterCard: Any merchant, regardless of acceptance channel, with over 6,000,000 combined total MasterCard and Maestro card transactions annually; any Visa global merchant identified by any Visa region as Level 1; any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  Discover: Any merchant, regardless of acceptance channel, with over 6,000,000 MasterCard; any merchant that Discover determines should meet Level 1 compliance; all merchants identified as Level 1 by another brand.
  American Express: Any merchant, regardless of acceptance channel, with over 2,500,000 American Express transactions per year, or any merchant that American Express otherwise deems a Level 1 merchant.
  Any brand: Any merchant that MasterCard or Visa determines should meet the Level 1 merchant requirements to minimize risk to their system.
Validation requirements:
  Annual PCI Self-Assessment Questionnaire: Not applicable to Level 1 merchants (American Express: Required).
  Network scan by Approved Scanning Vendor: Required quarterly. For more MasterCard details see #3 below.
  Attestation of Compliance form: Required.
  Annual on-site security audit: Required annually. For more MasterCard details see #1 below.
  Compliance validation due date: 6/30/2012.

Level 2

Selection criteria:
  Visa: Any merchant processing 1 million to 6 million Visa transactions annually (all channels).
  MasterCard: Any merchant processing more than one million but less than or equal to six million combined total MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa.
  Discover: All merchants processing between 1 million and 6 million card transactions annually on the Discover Network.
  American Express: Any merchant processing more than 50,000 but less than 2,500,000 American Express transactions per year.
Validation requirements:
  Annual PCI Self-Assessment Questionnaire: Required; MasterCard requires it annually. For more MasterCard details see #2 below.
  Network scan by Approved Scanning Vendor: Required quarterly. For more MasterCard details see #3 below.
  Attestation of Compliance form: Required.
  Annual on-site security audit: MasterCard: required, at the merchant's discretion (for more MasterCard details see #2 below); not listed for Visa, Discover or American Express.
  Compliance validation due date: 6/30/2012.

Level 3

Selection criteria:
  Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  MasterCard: Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually, but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa.
  Discover: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network.
  American Express: Less than 50,000 American Express transactions per year.
Validation requirements:
  Annual PCI Self-Assessment Questionnaire: Required annually.
  Network scan by Approved Scanning Vendor: Required quarterly. For more MasterCard details see #3 below.
  Attestation of Compliance form: Required.
  Annual on-site security audit: Optional.
  Compliance validation due date: 6/30/2012.

Level 4

Selection criteria:
  Visa: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  MasterCard: All other merchants.
  Discover: All other merchants.
  American Express: 50,000 or more American Express card transactions per year with at least 75% made on an EMV-enabled terminal.
Validation requirements:
  Annual PCI Self-Assessment Questionnaire: Required annually.
  Network scan by Approved Scanning Vendor: Required quarterly. For more MasterCard details see #3 below.
  Attestation of Compliance form: Required if validating compliance.
  Annual on-site security audit: Optional.
  Compliance validation due date: At member's discretion.

Further explanation of the MasterCard merchant levels:

1.  Effective 30 June 2012, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.

2. Quarterly network scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).

3. The initial compliance date of June 2005 for Level 1 merchants has now passed. The 30 June 2012 deadline is for PCI SSC ISA training and certification only, and applies to those merchants that choose to conduct an annual onsite assessment using an internal auditor.

4. Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.

5. Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.

Step 3: Assess

The PCI SSC fact sheet titled “Getting Started with PCI Data Security Standard” is an excellent introduction for merchants validating their PCI DSS compliance. Merchants should review the chart that identifies the SAQs based on how the merchant processes at the point of sale.

SAQ Validation Types (v3.0)

For each SAQ validation type: the Self-Assessment Questionnaire description, whether an ASV scan is required, and whether a penetration test is required.

A: Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage.
  ASV scan required: No. Penetration test required: No.

A-EP: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage.
  ASV scan required: Yes. Penetration test required: Yes.

B: Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage.
  ASV scan required: No. Penetration test required: No.

B-IP: Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage.
  ASV scan required: Yes. Penetration test required: No.

C: Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage.
  ASV scan required: Yes. Penetration test required: Yes.

C-VT: Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage.
  ASV scan required: No. Penetration test required: No.

D-MER: All other SAQ-eligible merchants.
  ASV scan required: Yes. Penetration test required: Yes.

D-SP: SAQ-eligible service providers.
  ASV scan required: Yes. Penetration test required: Yes.

P2PE: Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage.
  ASV scan required: No. Penetration test required: No.

Using a Service Provider. SAQ validation type A, C, and D merchants use service providers. Service providers are organizations that process, store, or transmit cardholder data on behalf of payment card clients. In addition to adhering to the PCI DSS, compliance validation and member bank registration are required for all service providers, whether they serve merchants or other service providers. A service provider reported to the card brands as compliant with the PCI standard should have been provided a signed Attestation of Compliance (AOC) by a QSA. If you are considering using a service provider, MasterCard recommends that you ask to see and inspect the Attestation of Compliance. Service providers are required to validate PCI DSS compliance. Validated service providers may appear on industry Web sites. Some payment card brands may only publish a list of validated "Level 1" service providers. In addition, service providers must be registered with the payment card brands by the merchant's acquirer.

Merchants under SAQ Validation Type A are using a service provider for their CNP transactions. Merchants under SAQ Validation Type C are using a service provider rather than a telephone common carrier to route authorization requests over the Internet or through a network gateway.

Service Provider Levels and Compliance Validation Requirements

Level 1

Description: Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year.
Note: Eliminates the payment gateway definition from several existing regional programs.

Compliance validation requirements:
- Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. The on-site assessment must be performed by a Qualified Security Assessor.
- Complete quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV).

Compliance validation tools available at https://www.pcisecuritystandards.org:
- PCI DSS Requirements and Security Assessment Procedures v3.0
- List of PCI SSC Qualified Security Assessors (QSA): https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
  NOTE: Security Metrics is strongly recommended: https://www.securitymetrics.com/
- List of PCI SSC Approved Scanning Vendors (ASV): https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Level 2

Description: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.
Note: Effective January 1, 2009, MasterCard will no longer list those service providers who have only submitted an SAQ. The posting will contain only those entities who have successfully completed an annual onsite review.
Note: Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.

Compliance validation requirements:
- Annual PCI Self-Assessment Questionnaire
- Quarterly network scan

American Express and Discover Service Provider Regulations

Validation procedures and documentation

Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form https://www.pcisecuritystandards.org/documents/pci_dss_aoc_service_providers.doc and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).

Step 4: Remediate

Remediation steps may focus on implementing

For each SAQ validation type (v3.0): the Self-Assessment Questionnaire description and the remediation steps it typically involves.

SAQ A: Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage.
  Requirement 9: Restrict physical access to cardholder data
  Requirement 12: Maintain a policy that addresses information security

SAQ A-EP: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage.
  Remediation steps may focus on any/all requirements 1 through 12.

SAQ B: Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage.
  Requirement 3: Protect stored data
  Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
  Requirement 7: Restrict access to data by business need-to-know
  Requirement 9: Restrict physical access to cardholder data
  Requirement 12: Maintain a policy that addresses information security

SAQ B-IP: Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage.
  Remediation steps may focus on any/all requirements 1 through 12.

SAQ C: Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage.
  Remediation steps may focus on any/all requirements 1 through 12.

SAQ C-VT: Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage.
  Requirement 1: Install and maintain a firewall configuration to protect data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Requirement 3: Protect stored data
  Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
  Requirement 7: Restrict access to data by business need-to-know
  Requirement 9: Restrict physical access to cardholder data
  Requirement 12: Maintain a policy that addresses information security

SAQ D-MER: All other SAQ-eligible merchants.
  Remediation steps may focus on any/all requirements 1 through 12.

SAQ P2PE: Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage.
  Requirement 3: Protect stored data
  Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
  Requirement 9: Restrict physical access to cardholder data
  Requirement 12: Maintain a policy that addresses information security

Step 5: Report Your Compliance Status

The best way to ensure that you complete all of the necessary PCI DSS/PA-DSS requirements is to consult a Qualified Security Assessor (QSA). QSAs are companies that can guide and assist you through each step of the PCI DSS/PA-DSS process. Being secure is your responsibility as a merchant, and a QSA can confirm you have everything you need and answer your questions concerning PCI DSS/PA-DSS.

For newly boarded merchants validating compliance, the SAQ, scan results, and Attestation of Compliance should be provided by the merchant to their sales representative. The sales representative should ensure that a copy accompanies the merchant application; the merchant should retain a copy for their own records. Merchants are required to submit updated documents annually (SAQ/AOC) and quarterly (passing scan results). The sales representative should ensure that these are forwarded to compliance and should submit post-enrollment masterfile maintenance to update/maintain the MAS dates for Date of Compliance and Date Last Scan.

Payment Card Industry Payment Application Data Security Standards (PCI PA-DSS)

PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.

Validated Payment Applications LINK

Payment Card Industry POS PIN Transaction Security (PTS) Standards

Approved PIN Entry Devices: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

Complying with PCI DSS is the merchant's responsibility. If you have received a letter from Global Payments Inc. or an affiliated processing party, please click on the below link to identify if you are using a compliant payment application. Note, you will be required to enter your enrollment code found on your letter to access the secure questionnaire.