PCI is a requirement from the payment card companies. It is not a government regulation. The goal of PCI’s Data Security Standard (PCI DSS) is to protect credit card account information – prevent fraud caused by card/identity theft.
All organizations that process payment cards (Visa, MasterCard, AMEX, etc…) have to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was developed by the payment card brands. and compliance is essential if a merchant wishes to continue processing payment card transactions. This includes merchants that only use paper-based processing, merchants that outsource the credit card processing, and merchants that process credit cards in-house. The PCI DSS has approximately 194 controls in 12 sections, and the 12 sections are grouped into 6 objectives.
The 6 objectives are:
- build and maintain a secure network,
- protect cardholder data,
- maintain a vulnerability management program,
- implement strong access control measures,
- regularly monitor and test networks,
- maintain an information security policy.
The merchant/acquiring bank will inform their merchants of the level and required process for turning in evidence. Each bank is slightly different in the process and most are focusing on merchants with high volume and working their way down to the lowest volume merchants. Even if your bank has not requested compliance data, it is wise to make sure your company is following the standard, so you fall under the “safe harbor” for liability.
The first step in complying with the PCI DSS is filling out a Self Assessment Questionnaire (SAQ). In February 2008, the PCI Council announced different validation types for merchants, depending upon the risk of the processing environment. Merchants who outsource processing have 11 questions to attest to, while merchants who process transactions in-house on custom applications have to attest to all 226 questions. Each merchant is placed in levels based upon the number of transactions processed. These levels determine what evidence of compliance must be prepared and whether it is necessary to submit the documentation to the merchant’s acquiring bank (Referred to as Merchant Bank or Acquirer). Merchants with a low number of transactions need to only complete the SAQ and maintain the documentation in-house. Merchants in the middle levels must submit the SAQs and evidence of performing external scans to their acquiring banks. At the highest level, merchants must have an external scan and a full independent PCI audit by a Qualified Security Assessor (QSA).
Merchant levels are determined by the annual number of transactions, not the dollar amount of the transactions. If you process under 20,000 transactions in e-commerce, or under 1 million credit card transactions, you are in level 4, the least restrictive. Level 4 requires a PCI compliance self-assessment, and a quarterly network vulnerability scan.
Self Assessment Questionnaires
As most Acquirer’s (Merchant Bank) require Self Assessment Questionnaires on merchant levels 2, 3 and 4, it is important to know which version of the SAQ your business may need to complete.
- Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
- Imprint-only merchants with no electronic cardholder data storage
- Stand-alone dial-up terminal merchants, no electronic cardholder data storage
- Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
- All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ.
Quarterly Network Scans
To demonstrate compliance with the PCI DSS, merchants and service providers may be required to have periodic PCI Security Scans conducted as defined by each payment card company. The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers (Merchant Banks) require the quarterly submission of scan reports for Level 1, 2 and 3 merchants and may require submission of scan reports by level 4 merchants. These scans are automated, non-intrusive web scans performed by a PCI Approved Scanning Vendor (ASV). The scans are scans conducted over the Internet by an ASV to evaluate your web perimeter for any known vulnerabilities.
Payment Application Data Security Standard (PA DSS) and the PIN Entry Device standard (PED) support the PCI DSS and address security of applications and hardware used to process payment card transactions. “PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.” – Payment Card Industry Security Standards Council “The PCI PED security alignment initiative is aimed at ensuring that the cardholder’s PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device. The objective of the requirements is the provision of a single, consistent, and stringent standard for all PIN acceptance devices worldwide”. – Payment Card Industry Security Standards Council These supporting standards are aimed at vendors who are creating applications and hardware devices used in the processing of payment cards. Merchants should be aware of these standards and purchase applications and hardware devices that are compliant with these standards. At this time, Merchants will be required to use only compliant applications and hardware by July 2010.
Safe harbor is the outcome of the PCI certification process and provides protection from fines and compliance exposure in the event of a data compromise. If there is a data breach, the card brands will perform a forensic audit to determine if the organization was PCI DSS compliant at the time of the data breach. If the organization is found to be out of compliance at the time of the breach they may be liable for the full cost of the breach including the cost of the forensics, losses of cardholders, losses to the banks, losses to the card brand and in some states fines will be assessed. In addition, the organization will be moved to the highest merchant level and will be required to meet the most stringent evidence requirements and the credit card processing fees will increase. To obtain safe harbor status a merchant must maintain full compliance at all times, including at the time of the breach as demonstrated during a forensic investigation. Notes: 1.) For a merchant to be considered compliant, any Service Providers that store, process or transmit credit card account data on behalf of the merchant must also be compliant. 2.) The submission of compliance validation documentation alone does not provide the member safe harbor status.
Does your Internet Payment Application Meet Standards for Protecting Payment Card Data?
By David O. Kepper, Senior Relationship Manager, Government Banking, U.S. Bank National Association
With the rising number of credit card payments being made by telephone and the Internet, card related fraud has become a growing challenge — and not just for cardholders. Government agencies and commercial enterprises accepting and processing card payments can suffer severe damage to their reputations if cardholder data is stolen. Recognizing this escalating risk, the five major card associations — American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International — together developed the Payment Card Industry Data Security Standard (PCI DSS). The standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Compliance with PCI DSS is mandatory for any organization touching credit card data. “Regardless of whether you’re a bank, a barbershop or McDonald’s, if you touch card data, you must comply with the PCI standards,” says Michael Volk, a Senior Treasury Management Product Manager at U.S. Bank.
Before you select a provider, ask if they have received certification of PCI DSS compliance. If so, you can be assured your internet payment service provides a safe and easy method of collecting payments via the Internet and by phone — the latter either through integrated voice response (IVR) services or call centers.Pursuing PCI DSS certification represents a tremendous investment of time and human resources. Certification must address the following six compliance directives referred to as “categories”:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks
- Maintain an information security policy
Within these categories are 12 “categorical requirements.” For instance, to maintain a vulnerability management program (the third category above), an organization must use and regularly update anti-virus software and develop and maintain secure systems and applications. In all, an organization must demonstrate fulfillment of 140 specific requirements to achieve certification. The process includes separate self-assessment, pre-assessment and final assessment phases. “With all of the problems being experienced in the industry with breaches of data security, PCI Data Security Standard certification should reassure customers that it is trustworthy and secure,” explains Volk. For more information on the PCI Data Security Standard, visit www.pcisecuritystandards.org.