Payment Card Industry (PCI)
Frequently Asked Questions

The Payment Card Industry (Visa, MasterCard, American Express, Discover, Diners Club, JCB) has adopted a standard for securing cardholder data, known as the PCI Data Security Standard. Protegrity has introduced the PCI SolutionPac, a comprehensive solution to help address the needs of organizations to comply with these standards. In developing this solution we have compiled a list of Frequently Asked Questions around the PCI Standard.


1. How did the Payment Card Industry (PCI) Data Security Standards originate?

The PCI standard originally began as four different proprietary programs to secure credit card data. Over time, merchant concerns about having to support multiple, incompatible programs helped motivate the card issuers to develop a common standard for protecting sensitive credit card data. The individual programs continue, and their links are below:

2. What are the Payment Card Industry (PCI) Data Security Standards?

The PCI Data Security Standards are requirements mandated by the above card issuers for handling of credit card information, classification of merchants, and validation of merchant compliance. Merchants and third party service providers are responsible for the security of cardholder data and must be careful not to store certain types of data on their systems or the systems of their third party service providers. Merchants and service providers are also responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI Data Security Standards. The information security principles contained within these standards are based on ISO 17799, the internationally recognized standard for information security practices.

3. What companies must comply with the PCI Data Security Standards program?

The program encompasses all merchants and third party service providers that store, process, or transmit cardholder data.

4. What are the benefits of being in compliance with the PCI Data Security Standards?

It is good business practice to adhere to the PCI standards and protect cardholder information. Additionally, Visa and MasterCard may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. These fines can range from thousands of dollars to hundreds of thousands of dollars, depending on the nature and scope of the data compromised by the violation, especially if a business is compromised and it has not been validated as compliant.

5. How is a merchant’s compliance classification level determined?

A merchant’s compliance classification level is determined by annual transaction volume. The volume calculation done for a merchant or third party will be based on the gross number of Visa or MasterCard transactions processed within the merchant account. However, it will not be based on the aggregate transaction volume of a corporation that owns several chains.

6. What are the compliance levels and validation requirements?

Compliance Level 1
  Qualification Criteria: Retail and eCommerce merchants with greater than 6 million Visa or MasterCard transactions annually
  Validation Requirement: Completion of a Report on Compliance through an on-site review by a security assessor
  Deadline: September 2004
  Frequency: Annually

Compliance Level 2
  Qualification Criteria: E-Commerce merchants with more than 150,000 and up to 6 million Visa or MasterCard transactions annually
  Validation Requirement: Completion of PCI Data Security Standards Compliance Self-Assessment; Compliant Perimeter Scan
  Deadline: June 30, 2005
  Frequency: Annually for the PCI Data Security Standards Compliance Self-Assessment; Quarterly for the Compliant Perimeter Scan

Compliance Level 3
  Qualification Criteria: E-Commerce merchants with more than 20,000 and up to 150,000 Visa or MasterCard transactions annually
  Validation Requirement: Completion of PCI Data Security Standards Compliance Self-Assessment; Compliant Perimeter Scan
  Deadline: June 30, 2005
  Frequency: Annually for the PCI Data Security Standards Compliance Self-Assessment; Quarterly for the Compliant Perimeter Scan

Compliance Level 4
  Qualification Criteria: All other merchants
  Validation Requirement: None, but a Self-Assessment is strongly recommended; a perimeter scan is strongly recommended
  Deadline: Not applicable
  Frequency: Annually for the recommended Self-Assessment; Quarterly for the recommended Perimeter Scan

7. What is the scope of the onsite review for Level 1 Merchants?

The scope of PCI Data Security Standards compliance validation for Level 1 Merchants is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is retained, stored, or transmitted, including:

All external connections into the merchant network (i.e., employee remote access, VisaNet, third party access for processing, and maintenance).
All connections to and from the authorization and settlement environment (i.e., connections for employee access or for devices such as firewalls and routers).
Any data repository outside of the authorization and settlement environment where more than 500,000 account numbers are stored.
POS Terminals may be excluded from review unless:
A POS environment is IP-based and there is external access via Internet, wireless, VPN, dial-in, broadband, or publicly accessible machines (such as kiosks) to the merchant location. In this case, the POS environment must be included in the scope of the on-site review.
A POS environment is neither IP-based nor reachable by external access to the merchant location. In this case, the on-site review begins at the connection into the authorization and settlement environment.

8. Are Level 4 merchants ever required to validate their compliance?

Yes. If a Level 4 merchant is deemed to be a “High Risk” merchant by their credit card processor, they will be notified by that processor. This should have already happened if there were a problem, as the deadline for notification was June 30, 2005.

9. What is a “High Risk” merchant?

Currently, merchants that are known to use non-compliant payment applications (applications known to store magnetic stripe, Cardholder Verification Value (CVV), or Cardholder Verification Value 2 (CVV2)) fall into this “High Risk” category.

10. How is the IP-based POS environment defined?

The point of sale (POS) environment is the environment in which a transaction takes place at a merchant location (i.e. retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location). An Internet protocol (IP)-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.

11. Do merchants need to include their service providers in the scope of their PCI Data Security Standards Review?

Yes. Merchants are responsible for the compliance of their service providers. This means that merchants need to ensure that their card processing and other service providers have achieved a level of PCI compliance appropriate to their transaction volume.

12. Can a merchant be considered compliant if they have outstanding non-compliance issues, but provide a remediation plan?

No. Lack of full compliance will prevent a merchant from being considered compliant. Wells Fargo encourages merchants to complete the initial review, develop a remediation plan, complete items on the remediation plan, and revalidate compliance of those outstanding items in a timely manner. 

13. What is a security assessor?

A security assessor is an auditing company that specializes in information security. They use card association developed criteria (the PCI Data Security Standards) to validate whether or not a merchant’s information security is robust enough to sufficiently protect cardholder data from unauthorized access or malicious parties. While Protegrity is not an auditing company, we have partners who are certified auditing companies and we work with them on PCI assignments as needed.

14. Where can the PCI Data Security Standards Compliance Questionnaire be found?

The PCI Self-Assessment Questionnaire is available for download on the Visa CISP Website or Mastercard SDP Website. If a merchant chooses to enroll with one of the association approved security assessors to perform the system perimeter scan, they may complete the approved assessor’s Compliance Questionnaire in lieu of the version posted on Visa’s CISP Web site.

15. What is a System Perimeter Scan?

A System Perimeter Scan involves an automated tool that checks a merchant’s or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. The tool will not require the merchant or service provider to install any software on their systems, and it will not perform any denial-of-service attacks.

16. Is the System Perimeter Scan only applicable to e-commerce merchants?

No. The System Perimeter Scan is applicable to all merchants and service providers with external-facing IP addresses. Even if a merchant does not offer Web-based transactions, there are other services that make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company’s network. These paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled. If a merchant or service provider does not have any external-facing IP addresses, they will only be required to complete the Report on Compliance or the Compliance Questionnaire, as appropriate.

17. How do merchants determine the cost of compliance validation?

The cost of the review varies greatly depending on the size of the environment to be reviewed, the chosen assessor, and the degree to which the merchant is already in compliance when the review commences. The cost of a System Perimeter Scan depends on the number of IP addresses to be scanned, the frequency of the scans, and the chosen assessor.

18. What if a merchant does not store cardholder data?

If a merchant does not store cardholder data, the PCI Data Security Standards still apply to the environment that transmits or processes cardholder data. This includes any service providers that a merchant uses. 

19. When is it acceptable to store magnetic stripe data?

It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. Both Visa and MasterCard’s Operating Regulations prohibit storage of the contents of the magnetic stripe as a unit. However, the following individual data elements may be retained subsequent to transaction authorization:

Cardholder Account Number
Cardholder Name
Card Expiration Date

20. Are there alternatives to encrypting stored data?

According to the Payment Card Industry Security Audit Procedures, stored cardholder data should be rendered unreadable. Encryption is the preferred solution. But if there is a valid reason why encryption of certain data cannot be implemented, this data must be strongly protected by compensating controls. Any compensating controls should be considered as part of the compliance validation process.

An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:

Internal application and network firewalls that specifically protect the database.
TCP wrappers or firewall on the database to specifically limit who can connect to the database.
Separation of the corporate internal network on a different network segment from production, with a firewall separation from database servers.
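An added worked example for FAQ items 19 and 20 (this is not code from the original page and not Protegrity's product): it takes a constructed post-authorization transaction record, drops the magnetic-stripe track data and verification values that must never be retained, keeps the three elements the page lists as retainable, and renders the stored account number unreadable. Encryption is the page's preferred mechanism; because the Python standard library ships no AES, this example substitutes truncation (first six and last four digits) plus a keyed HMAC-SHA256 token, which is a choice of the example rather than the page's recommendation. It also includes a check that scans a stored log for leftover track data, the kind of data-discovery verification an assessor performs. The field names, the sample key, the track-format regexes, the Luhn check and all sample values are constructed for this example.

```python
"""Added example (not part of the Protegrity FAQ): post-authorization
handling of a card transaction record, illustrating FAQ items 19 and 20.

Assumptions (not stated on the page): the record layout, the field names,
the Luhn check, the first-6/last-4 masking width and the keyed HMAC-SHA256
token are all choices made for this example. The page prefers encryption
for stored data; HMAC tokenisation is used here only because the Python
standard library has no AES implementation.
"""
import hashlib
import hmac
import re

# Elements that must never be retained after authorization (FAQ 19):
# full magnetic-stripe contents and the verification values named in FAQ 9.
PROHIBITED_AFTER_AUTH = ("track1", "track2", "cvv", "cvv2", "pin_block")

# Elements the page lists as retainable after authorization.
RETAINABLE = ("pan", "cardholder_name", "expiry")

# Patterns that betray stored track data in a free-text store or log
# (loosely modelled on the ISO 7813 track layouts; constructed for this example).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token so records can be matched without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def retain_after_authorization(record: dict, key: bytes) -> dict:
    """Build the record that may be kept once the transaction is authorized.

    Drops every prohibited element, keeps the other fields (name, expiry,
    amount, ...) and replaces the PAN with a masked form plus a keyed token.
    """
    pan = record["pan"]
    if not pan.isdigit() or not luhn_ok(pan):
        raise ValueError("field 'pan' is not a valid card number")
    kept = {k: v for k, v in record.items()
            if k not in PROHIBITED_AFTER_AUTH and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_token"] = pan_token(pan, key)
    return kept


def find_stored_track_data(text: str) -> list:
    """Return the 1-based line numbers of a stored file or log that still
    contain track data (a stored-data discovery check)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if TRACK1_RE.search(line) or TRACK2_RE.search(line):
            hits.append(lineno)
    return hits


# Constructed sample: the well-known test PAN 4111...1111 and fake track data.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "DOE/JANE",
    "expiry": "2712",
    "track1": "%B4111111111111111^DOE/JANE^2712101?",
    "track2": ";4111111111111111=27121011000012345?",
    "cvv2": "123",
    "amount": "19.99",
}
# Constructed key for the offline example only; a real key lives in a key store.
SAMPLE_KEY = b"example-key-keep-real-keys-in-an-hsm-or-kms"

# Constructed log: the second line shows a track-2 string leaking into storage.
SAMPLE_LOG = "\n".join([
    "2007-01-05 auth ok amount=19.99 pan_masked=411111******1111",
    "2007-01-05 raw=;4111111111111111=27121011000012345?",
    "2007-01-05 settlement batch closed",
])

if __name__ == "__main__":
    print(retain_after_authorization(SAMPLE_RECORD, SAMPLE_KEY))
    print("track data found on lines:", find_stored_track_data(SAMPLE_LOG))
```

Running the module prints the retained record, which contains no `track1`, `track2` or `cvv2` field and no clear-text PAN, and reports line 2 of the constructed log as still holding track data. The HMAC key must be handled like an encryption key (kept outside the code and the database it protects); the inline value exists only so the example runs offline.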

21. Are there alternatives, or compensating controls, that can be used to meet a requirement?

If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined in the PCI Data Security Standards. Compensating controls should meet the intention and rigor of the original PCI Data Security Standards, and should also be examined by the security assessor as part of the regular PCI Data Security Standards compliance audit. Compensating controls should be “above and beyond” other PCI Data Security Standards requirements, and should not simply be in compliance with PCI Data Security Standards.

22. Are there fines for non-compliance and/or if cardholder data is compromised?

Yes. If cardholder data that a merchant or third party is responsible for is compromised, the responsible party may be subject to the following liabilities and fines associated with non-compliance:

Potential fines of up to $500,000 (in the discretion of Visa, MasterCard or other card companies).
All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
Cost of re-issuing cards associated with the compromise
Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

23. Can the PCI compliance requirements change?

Yes. As transaction volumes change for a merchant or third party, and as association rules change, an organization’s compliance requirements may change. It is the responsibility of each merchant or third party to be continuously aware of the data security requirements that currently apply to them.

24. Where can I go online to get more information?

For information on association cardholder information security programs, please visit the following websites on a regular basis:

©2007 Protegrity Corporation. Privacy Policy Legal