Payment Card Industry Data Security Standard (PCI DSS)
In this electronic age, customer account data has become a growing target for fraudsters. One of your key weapons in the fight against such criminals is your full participation in, and compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The efforts of PCI DSS are designed to help you prevent the theft of confidential consumer cardholder data by assessing whether that data is secure within your organization and, if necessary, improving your level of security to meet or exceed industry standards.
We have included vital information below to help ensure you are informed about data security and provide direction on your role in maintaining cardholder data security.
Upholding the standard
PCI DSS requires organizations that collect, process, transmit or store cardholder data to uphold and maintain the data security standards set by the payment industry worldwide and managed by the PCI Security Standards Council (PCI SSC).
All merchants who collect, process, transmit or store cardholder data must comply with PCI DSS. Failure to comply with PCI DSS and the Payment Card Networks’ Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.
12 Principles of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The result is a comprehensive standard intended to help organizations protect consumer cardholder data.
Below are the twelve principle requirements of PCI DSS.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.
Why Data Security Matters
The more frequently credit and debit cards are used by consumers the more cardholder account information is being processed and potentially kept on file.
The result is the increased potential for fraudulent use of this data if organizations do not take the necessary steps to proactively collect and store this data in a secure manner. The PCI DSS program provides these organizations consistent standards to follow to maintain the integrity of the consumer cardholder data being collected and stored.
Consider the following key benefits to your business that protecting cardholder data can provide.
1. Build consumer trust
Many customers not only seek out merchants they feel they can trust, but are also likely to return to those businesses and tell others. In a 2006 Visa-sponsored survey that spanned 12 countries, consumers ranked the security of personal and financial information as their number one concern. These consumers also indicated that merchant data security practices can influence their desire to purchase products and services.
Complying with industry standards helps demonstrate your commitment to protect your customers’ confidential payment information. This security is essential to build and maintain consumer trust.
2. Strengthen security
The main goal of PCI DSS is to protect confidential data at all points in the payment system. Complying with the program improves awareness of data security and helps you strengthen security measures to minimize the possibility of data security attacks.
3. Avoid unnecessary costs
Implementing a strong data security policy will help you prevent a security breach that could cost your business by damaging your reputation and your bottom line. Data breaches resulting from weak security practices could make your business vulnerable to costly forensic review, litigation, penalties and an overall drain on your business operations. By implementing effective data security standards, you can avoid these expenses and protect your business’s good name.
4. Maintain a positive image
Being compliant with PCI DSS goes a long way toward protecting your reputation in the eyes of your customers and the press, given growing public concerns about safeguarding personal data.
5. Gain a competitive edge
A strong data security policy can help you build a reputation for trustworthiness and reliability. When your customers are confident their confidential account information is safe with you, their repeat business will boost your bottom line and give you an advantage over the competition.
Merchant Levels & Validation Requirements
All merchants that store, process, or transmit cardholder data must comply with PCI DSS and validate their compliance using the appropriate method.
Below are the descriptions of the merchant levels and the validation requirements for each level, as determined by Visa Canada and MasterCard.
| Merchant Level |
Description |
Validation Requirements |
Validated By |
| 1 |
- Any merchant regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually.
- Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
- Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.
|
Annual On-site PCI Data Security Assessment
Annual PCI Self Assessment Questionnaire
|
Qualified Security Assessor (QSA) |
| Quarterly Network Scan |
Approved Scanning Vendor (ASV) |
| 2 |
- Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually of one card plan.
|
Annual PCI Self Assessment Questionnaire |
Qualified Security Assessor (QSA) |
| Quarterly Network Scan |
Approved Scanning Vendor (ASV) |
| 3 |
- Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.
|
Annual PCI Self Assessment Questionnaire |
Qualified Security Assessor (QSA) |
| Quarterly Network Scan |
Approved Scanning Vendor (ASV) |
| 4 |
- Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
- Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.
|
Annual PCI Self Assessment Questionnaire
Quarterly Network Scan
|
We have worked with Trustwave Corporation to provide you access to compliance tools and data security solutions, at a preferred price, to help meet your PCI compliance requirements.
For more information on how Trustwave can help support your compliance with PCI, please visit www.tdmerchantservices.com/pci4
|
1. MasterCard - Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
2. MasterCard - Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA.
Compliance Assessment Services
There are many data security firms such as Trustwave that provide information security and PCI compliance services. For a list of PCI certified Qualified Security Assessors and Approved Scanning Vendors visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php
Service Provider Compliance Requirements
A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of a merchant or other service providers. All service providers are required to comply with PCI DSS, including validating their compliance to PCI DSS through the services of a Qualified Security Assessor (QSA).
For more information regarding the compliance requirements for service providers and to see a list of service providers that have validated their compliance to PCI DSS please see:
Visa's Service Providers Compliance Requirements
Visa’s list of Validated Services Providers
MasterCard’s Service Providers Compliance Requirements
MasterCard’s list of Validated Services Providers
Payment Application Data Security Standard (PA-DSS)
The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. This standard is based on Visa’s Payment Application Best Practices (PABP).
Many merchants deploy third party payment applications that are tailored to their business needs to assist them in accepting credit card payments. The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and ensure their payment applications support compliance with the PCI DSS standard. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants.
Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software.
Further information on PA-DSS including a list of payment applications that have validated their compliance to PA-DSS can be found at:
www.pcisecuritystandards.org
Visa Canada's Payment Application Compliance Program
Visa Canada has established timeframes by which acquirers must ensure that all merchants (new and existing) who use payment application software to process with their acquirers only use such software that has been validated against PA-DSS or PABP requirements.
- As of October 1, 2008, Acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that has been validated to comply with the PA-DSS (PABP) requirements. Please note that "newly boarded" merchants only refer to new merchants that accept Visa cards for payment. It does not include existing merchants who may switch Acquirers, nor does it include a new outlet store in a merchant chain or franchise setup.
- As of July 1, 2010, Acquirers must ensure that their merchants (new and existing) who use a payment application only use payment application software that has been validated to comply with the PA-DSS (PABP).
MasterCard’s Payment Application Compliance Program
Effective July 1, 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third party-provided payment applications to only use those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable. The applicability of the PCI PA-DSS to third party-provided payment applications is defined in the PCI PA-DSS Program Guide. In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.
Links to Visa Account Information Security (AIS), MasterCard Site Data Protection (SDP) & PCI Council
Additional information can be found by visiting the following.
www.visa.ca/ais
www.mastercard.com/sdp
www.pcisecuritystandards.org/
Tips for Safeguarding Data
Keeping your customer data safe from hackers makes good business sense. Here are some helpful guidelines to help you protect your confidential customer information and your business.
- Keep cardholder information storage to a minimum and never store the information contained in a credit or debit card’s magnetic stripe. Don’t store it, if you don’t need it.
- When you no longer need the account information, destroy it in a secure fashion. Never store the CVV, CVV2 or PIN.
- Be aware that some software programs may store data automatically. Review software and update preferences to be sure account information is not being stored without your knowledge. Check to see if your software is PA-DSS compliant.
- Comply with security audits according to the PCI requirements. (For details, see www.pcisecuritystandards.org)
- Use adequate firewalls. Ensure that your payment card acceptance environment is properly segmented from public networks such as the Internet.
- Change system passwords and security codes from those supplied originally by software manufacturers.
- Encrypt all payment card information stored on the processor’s computers.
- Encrypt any card data transmitted over the Internet or other open public network.
- Use and regularly update your antivirus software.
- Keep other software, such as operating systems, secure and updated.
- Only allow employees access to customer data on a need to know basis. As well, each employee with computer access should receive a unique ID.
- Restrict physical access to hard copies of payment card data.
- Test your company’s security systems on a regular basis.
- Have an information security policy that spells out rules for employees who handle data. Reinforce the rules regularly.
- Require all third-party suppliers with access to cardholder data to adhere to payment card industry security requirements.
|
