The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network setup, software design, and other protective measures. The PCI Security Standards Council (PCI SSC) is a forum composed of members from each of the card companies. The PCI DSS provides a common standard to which the payment industry must adhere.
First National Merchant Solutions would like to remind our customers that you must meet the requirements of PCI DSS by properly safeguarding cardholder data. It is critical that your business adheres to the security requirements to ensure the highest standard of care and to help keep sensitive cardholder data away from hackers and fraudsters. The following highlights the 12 main standards (please refer to the PCI SSC for the complete requirements):
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
All businesses will fall into one of four levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa, MasterCard and Discover transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA). In cases where a corporation has more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity will be used to determine the validation level. Other restrictions and conditions may apply. Merchant levels are defined as:
| Merchant Level | Description |
| --- | --- |
| 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions per year. Any merchant that Visa or MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year. |
| 3 | Any merchant processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa or MasterCard transactions per year. |
* New merchant level definitions effective July 18, 2006.
** Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience fine schedules for Visa and MasterCard are outlined below.
| Visa Fine Schedule | |
| --- | --- |
| First Violation | Up to $50,000 USD for rolling 12-month period |
| Second Violation | Up to $100,000 USD for rolling 12-month period |
| Third Violation | At Management's discretion for more than two violations in a rolling 12-month period |

| Visa's PCI Compliance Acceleration Program (PCI CAP) Fine Schedule | |
| --- | --- |
| Level 1 | $25,000 USD per month |
| Level 2 | $5,000 USD per month |

| MasterCard Assessment Schedule | |
| --- | --- |
| Level 1 | Up to $25,000 USD per merchant |
| Level 2 | Up to $5,000 USD per merchant |
| Level 3 | Up to $5,000 USD per merchant |
If your company uses Third Party Processors (TPPs), you must notify First National Merchant Solutions of your use of such TPPs and ensure that each TPP is compliant with the PCI DSS. TPPs are companies that perform services including, but not limited to: terminal operation, authorization routing, voice authorization, call referral processing, electronic data capture, clearing file preparation and submission, settlement processing, cardholder and merchant statement preparation, and chargeback processing.
Once a business has met the requirements and is deemed compliant, it must be registered as compliant.
As your Acquirer, First National Merchant Solutions is required by Visa, MasterCard and Discover Network to house compliance documentation on our customers' behalf. In addition, First National Merchant Solutions is required by the card associations to provide an update on each of our customers' compliance status monthly or as requested by Visa, MasterCard and Discover. Customers should provide regular status-updates to First National Merchant Solutions to ensure the most current compliance information is being communicated to the card associations. Additionally, merchants must forward copies of all compliance documentation (e.g. scan results, self assessment questionnaire, remediation plans, or report on compliance as applicable based on PCI level assigned) directly to First National Merchant Solutions at the following address:
First National Merchant Solutions
Attn: PCI Compliance Manager
1620 Dodge Street - Stop Code 3268
Omaha, NE 68197
First National Merchant Solutions will not register a merchant as compliant until all required documentation is received internally.
For more information on the PCI requirements or to get a list of compliant service providers, please visit:
http://www.mastercard.com/us/merchant/security/what_can_do/SDP/merchant/index.html, www.visa.com/cisp, http://www.discovernetwork.com/fraudsecurity/disc.html or https://www.pcisecuritystandards.org/
In the event of a security incident, Members, merchants and service providers must take immediate action to investigate the incident, limit the exposure of cardholder data, and notify Visa, MasterCard and Discover to report investigation findings. The CISP "What To Do If Compromised" guide, which can be found on the Visa Web site listed above, contains step-by-step guidelines to assist Members, merchants and service providers through the incident.
Magnetic-Stripe and Account Data Storage Prohibited
To protect cardholder information and to deter fraud, the card associations prohibit the storage of the full contents of any track data on the magnetic-stripe and the Card Verification Value (CVV). These rules prohibit merchants or their agents from storing the magnetic-stripe data after the response to the authorization request has been received. Due to the serious nature of compromising cardholder data, the card associations have implemented substantial penalties for non-compliance.
The CVV is a unique three-digit code imprinted on the signature panel of cards, to help merchants in the card-not-present environment manage risk by confirming the presence of the card during the authorization process. Neither the full contents of the magnetic-stripe data nor the CVV can be stored after the response to an authorization request has been received. Additional requirements include:
- A terminal at the point of sale must not display or store full magnetic-stripe data
- Individual elements of the magnetic-stripe data, such as card account number, expiration date and cardholder name, may be retained on paper, microfiche or an online secure site file for financial record keeping
- CVV data must not be stored after the response to an authorization request has been received
- Storage of data containing individual elements of the magnetic-stripe must be kept in an area limited to selected personnel and rendered unreadable prior to discarding
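The retention rule above (full track contents and CVV are dropped once the authorization response arrives; individual elements such as account number, expiration date and cardholder name may be kept for financial record keeping) is easy to get wrong when a record is simply written to storage as received. The following is an added example, not First National Merchant Solutions' code: a filter that builds the storable record by allow-list, plus an audit function that scans records already in storage for prohibited fields. The field names (`track1`, `track2`, `cvv`, `pan`, `expiry`, `cardholder_name`, `auth_code`, `amount`) and the sample record are assumed for illustration.

```python
"""Post-authorization retention filter and storage audit for card records.

Added example; not First National Merchant Solutions' code. Field names
(track1, track2, cvv, pan, expiry, cardholder_name, ...) are assumed.
"""
from typing import Any

# Data the card associations prohibit storing once the authorization
# response has been received: the full track contents and the CVV.
PROHIBITED_AFTER_AUTH = frozenset({"track1", "track2", "cvv"})

# Individual elements that may be retained for financial record keeping.
# Stored records must still be protected under PCI DSS requirement 3.
RETAINABLE = frozenset({"pan", "expiry", "cardholder_name", "auth_code", "amount"})


def prohibited_fields_present(record: dict[str, Any]) -> list[str]:
    """Names of prohibited fields present in the record with a non-empty value."""
    return sorted(name for name in PROHIBITED_AFTER_AUTH if record.get(name))


def retain_after_authorization(record: dict[str, Any]) -> dict[str, Any]:
    """Return the subset of a record that may be written to storage.

    Allow-listing (rather than deleting known-bad fields) means an unexpected
    new field cannot leak through; extend RETAINABLE deliberately instead.
    """
    return {name: value for name, value in record.items() if name in RETAINABLE}


def audit_stored_records(records: list[dict[str, Any]]) -> list[tuple[int, list[str]]]:
    """Scan already-stored records and report those still holding prohibited data."""
    return [(i, bad) for i, rec in enumerate(records)
            if (bad := prohibited_fields_present(rec))]


# Constructed sample of what a terminal holds when the authorization response
# arrives. Placeholder values only; 4111... is a commonly used test PAN.
AUTH_RESPONSE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "1229",
    "cardholder_name": "TEST CARDHOLDER",
    "track2": "<full track 2 contents>",  # must not survive authorization
    "cvv": "123",                         # must not survive authorization
    "auth_code": "A1B2C3",
    "amount": "19.99",
}

if __name__ == "__main__":
    stored = retain_after_authorization(AUTH_RESPONSE_RECORD)
    print("stored:", stored)
    # Auditing a store that still holds the raw record surfaces it as index 0.
    print("findings:", audit_stored_records([AUTH_RESPONSE_RECORD, stored]))
```

Run the audit function over a dump of the transaction store (or a log archive) rather than only over live records; the fines described below apply to merchants found to be storing full-track data anywhere, and historical backups are a common place for it to persist.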
Visa merchants who have been found to be storing full-track data and have not corrected the issue will be assessed the following fines:
- This will begin with a penalty of up to $50,000 for each merchant
- Thereafter Visa will assess a fine of up to $100,000 to the merchant on a monthly basis until the merchant has demonstrated that track data has been removed from each merchant's systems
Payment Applications Best Practices
On October 23, 2007, Visa mandated the Payment Applications Best Practices (PABP). This mandate is organized into five phases and addresses vulnerabilities introduced to merchants through payment applications. To ensure maximum data safety, in addition to adhering to the PCI DSS, merchants should use only those payment applications validated as PABP compliant. For additional information, or for a list of validated payment applications and related information on PABP, please visit www.visa.com/pabp
Disclaimer: This document contains a compilation of information received from various sources. This information is presented solely for the convenience of the reader and should not be used as a substitute for your own research and reference to actual regulations and/or other official documents, or as a substitute for consulting your legal advisor. SPC Inc. d/b/a First National Merchant Solutions and its parents and affiliates are not responsible for inaccurate, outdated, or incomplete information. All information contained herein is subject to change.