What are the Payment Card Industry (PCI) Data Security Standards?
The PCI Data Security Standards are association (Visa/MasterCard) mandated requirements for handling of credit card information, classification of merchants, and validation of merchant compliance. Merchants are responsible for the security of cardholder data and must be careful not to store certain types of data on their systems or the systems of their third party service providers. Merchants are also responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI Data Security Standards. The information security principles contained within these standards are based on ISO 17799, the internationally recognized standard for information security practices.
To whom does the Payment Card Industry Data Security Standards Compliance Program apply?
The program encompasses all merchants and third party service providers that store, process, or transmit cardholder data.
What are the benefits of being in compliance with the Payment Card Industry Data Security Standards?
It is good business practice to adhere to the PCI standards and protect cardholder information. Additionally, Visa and MasterCard may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant, especially if your business is compromised and you have not been validated as compliant.
What is "cardholder data"?
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. The account number is the critical component that makes the PCI Data Security Standards applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. The PCI Data Security Standards apply to all cardholder data stored, processed, or transmitted.
How is a merchant's compliance classification level determined?
A merchant's compliance classification level is determined by annual transaction volume. The volume calculation done for you will be based on the gross number of Visa or MasterCard transactions processed within your merchant account. However, it will not be based on the aggregate transaction volume of a corporation that owns several chains.
What is the scope of the onsite review for Level 1 Merchants?
The scope of PCI Data Security Standards compliance validation for Level 1 Merchants is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is retained, stored, or transmitted, including:
- All external connections into the merchant network (e.g., employee remote access, VisaNet, and third-party access for processing or maintenance).
- All connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers).
- Any data repository outside of the authorization and settlement environment where more than 500,000 account numbers are stored.
Whether POS terminals are in scope depends on how the POS environment is connected:
- If the POS environment is IP-based, or there is external access to the merchant location via the Internet, wireless, VPN, dial-in, broadband, or publicly accessible machines (such as kiosks), the POS environment must be included in the scope of the on-site review.
- If the POS environment is not IP-based and there is no external access to the merchant location, the POS terminals may be excluded and the on-site review begins at the connection into the authorization and settlement environment.
How is IP-based POS environment defined?
The point of sale (POS) environment is the environment in which a transaction takes place at a merchant location (e.g., a retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location). An Internet protocol (IP)-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or on systems communicating via TCP/IP.
Are Level 4 merchants ever required to validate their compliance?
Yes. If a Level 4 merchant is deemed to be a "High Risk" merchant, they are required to validate compliance with the PCI Data Security Standards.
What is a "High Risk" merchant?
Currently, merchants that are known to use non-compliant payment applications (applications known to store full magnetic stripe data, the Card Verification Value (CVV), or the Card Verification Value 2 (CVV2) after authorization) fall into this "High Risk" category.
Can my compliance requirements change?
Yes. As your transaction volume changes, and as association rules change, your compliance requirements may change. It is your responsibility to be continuously aware of the data security requirements that currently apply to you.
When is it acceptable to store magnetic stripe data?
It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. Both Visa's and MasterCard's Operating Regulations prohibit storage of the full contents of any track of the magnetic stripe. However, the following individual data elements may be retained subsequent to transaction authorization:
- Cardholder Account Number
- Cardholder Name
- Card Expiration Date
Are there alternatives, or compensating controls, that can be used to meet a requirement?
If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to the requirements defined in the PCI Data Security Standards. Compensating controls should meet the intent and rigor of the original requirement, and should be examined by the security assessor as part of the regular PCI Data Security Standards compliance audit. A compensating control must go "above and beyond" what other PCI Data Security Standards requirements already demand; simply satisfying another existing requirement does not compensate for the one that is not met.
What if a merchant does not store cardholder data?
If a merchant does not store cardholder data, the PCI Data Security Standards still apply to the environment that transmits or processes cardholder data. This includes any service providers that a merchant uses.
What processing software/applications are currently known to be compliant?
Below you will find a link to the card processing software programs that Visa has validated to be compliant with the PCI Data Security requirements, including the requirement that after authorization, Security Data is purged from all records and systems. Security Data is certain security information, including the full contents of any track of the magnetic stripe from the back of a card and the card validation code (the three- or four-digit value printed on the signature panel of the card). Copies of these software programs with version numbers older (lower) than those indicated must be upgraded, have a special security patch installed, or be replaced with compliant software to ensure that you do not store Security Data in violation of Visa or MasterCard rules. If you are using a software program that is not on the list, you must confirm with your software vendor that the version you are using is compliant with current security requirements.
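The two preceding answers (on magnetic stripe retention and on Security Data in processing software) both come down to one check a practitioner can automate: does anything persisted after authorization still contain track data or a card validation code, and does the stored record keep only the permitted elements? The following Python is an added example written for this page; it is not code from the original FAQ, from Elite Payment Processing, or from any card association. The record field names (`pan`, `cardholder_name`, `expiry`, `track2`, `cvv2`) and the sample log lines are constructed for illustration; the account number used is the well-known Visa test number, not a real card.

```python
"""Scan stored data for magnetic-stripe track data and card validation codes,
and keep only the elements the FAQ says may be retained after authorization.

Added example for this FAQ page; not the processor's or the card brands' code.
Field names and sample data below are constructed assumptions.
"""
from __future__ import annotations
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")
# Validation code stored under a telltale field name, e.g. "cvv2=123"
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# Any 13-19 digit run; only Luhn-valid runs are reported as account numbers
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Elements the FAQ says may be retained after authorization (assumed field names)
PERMITTED_FIELDS = {"pan", "cardholder_name", "expiry"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_security_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched text) for every prohibited element found in text."""
    findings = []
    findings += [("track1", m.group()) for m in TRACK1_RE.finditer(text)]
    findings += [("track2", m.group()) for m in TRACK2_RE.finditer(text)]
    findings += [("verification_value", m.group()) for m in CVV_RE.finditer(text)]
    return findings


def find_pans(text: str) -> list[str]:
    """Digit runs of card-number length that pass the Luhn check."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_ok(m.group())]


def retain_after_authorization(record: dict) -> dict:
    """Keep only the fields permitted after authorization and refuse to
    persist if a permitted field smuggles track data or a validation code."""
    kept = {k: v for k, v in record.items() if k in PERMITTED_FIELDS}
    for key, value in kept.items():
        if scan_for_security_data(str(value)):
            raise ValueError(f"field {key!r} contains prohibited Security Data")
    return kept


# Constructed sample log (not real data); 4111... is the standard Visa test number.
SAMPLE_AUTH_LOG = (
    "2024-05-01T10:22:07Z auth approved pan=4111111111111111 exp=2512 cvv2=123\n"
    "2024-05-01T10:22:08Z raw swipe %B4111111111111111^DOE/JOHN^25121011000000000?"
    ";4111111111111111=25121011000000000?\n"
)

if __name__ == "__main__":
    for kind, hit in scan_for_security_data(SAMPLE_AUTH_LOG):
        print(f"PROHIBITED {kind}: {hit}")
    print("account numbers found:", find_pans(SAMPLE_AUTH_LOG))
    raw = {"pan": "4111111111111111", "cardholder_name": "DOE/JOHN",
           "expiry": "2512", "track2": ";4111111111111111=25121011000000000?",
           "cvv2": "123"}
    print("stored record:", retain_after_authorization(raw))
```

Run the scanner over database dumps, application logs, and crash files rather than only the payment tables; the FAQ's "known to store" applications typically leaked track data into logs and debug output, not into the intended schema. The Luhn filter keeps timestamps and other long digit runs from being reported as account numbers, but a retained account number still has to be protected when stored under the full standard, which this example does not address.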
What is a security assessor?
A security assessor is an auditing company that specializes in information security. They use card association developed criteria (the PCI Data Security Standards) to validate whether or not a merchant's information security is robust enough to sufficiently protect cardholder data from unauthorized access or malicious parties.
Is it a common practice for security assessors to perform a re-assessment?
Yes, assessors frequently are asked to revalidate those items that were not in place at the time of the initial review and provide an updated Report on Compliance.
What is a System Perimeter Scan?
A System Perimeter Scan uses an automated tool to check a merchant's or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan that remotely reviews networks and Web applications at the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services, and devices that attackers could use to reach the company's private network. The tool does not require the merchant or service provider to install any software on their systems, and it does not perform denial-of-service attacks.
Is the System Perimeter Scan only applicable to e-commerce merchants?
No. The System Perimeter Scan applies to all merchants and service providers with external-facing IP addresses. Even if an entity does not offer Web-based transactions, other services make its systems Internet accessible: basic functions such as inbound e-mail and employee Internet access expose a company's network to the Internet. These paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled. If a merchant or service provider has no external-facing IP addresses, it is only required to complete the Report on Compliance or the Compliance Questionnaire, as appropriate.
How do merchants determine the cost of compliance validation?
The cost of the review varies greatly depending on the size of the environment to be reviewed, the chosen assessor, and the degree to which the merchant is already in compliance when the review commences. The cost of a System Perimeter Scan depends on the number of IP addresses to be scanned, the frequency of the scans, and the chosen assessor. Please contact an Elite representative to determine which security assessor to contact.
What if a merchant has outsourced the storage, processing, or transmission of cardholder data to a service provider?
Merchants should deal only with PCI Data Security Standards compliant service providers. If there are service providers handling cardholder data on a merchant's behalf, the merchant is still responsible for the security of this data and must ensure that contracts with these service providers specifically include PCI Data Security Standards compliance as a condition of business.
Do merchants need to include their service providers in the scope of their PCI Data Security Standards Review?
Yes. Merchants are responsible for the compliance of their service providers.
Can a merchant be considered compliant if they have outstanding non-compliance issues, but provide a remediation plan?
No. Lack of full compliance will prevent a merchant from being considered compliant. Elite Payment Processing encourages merchants to complete the initial review, develop a remediation plan, complete the items on the remediation plan, and revalidate compliance of those outstanding items in a timely manner.
Are there fines associated with non-compliance of the PCI Data Security Standards?
Yes. Visa and MasterCard may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.
Are there fines if cardholder data is compromised?
Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
- Potential fines of up to $500,000 (at the discretion of Visa, MasterCard, or other card companies).
- All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
- Cost of re-issuing cards associated with the compromise.
- Cost of any additional fraud prevention/detection activities required by the card associations (e.g., a forensic audit) or costs incurred by card issuers associated with the compromise (e.g., additional monitoring of accounts for fraudulent activity).
Who can I speak to if I have questions?
If you have questions, please contact our Customer Service Representatives at 877.330.3313.