PCI Compliance
- General Information
- What are the Payment Card Industry (PCI) Data Security Standards?
- The PCI Data Security Standards are association (Visa®/MasterCard®) and industry mandated requirements for the handling of credit card information, the classification of merchants, and the validation of merchant compliance. Merchants are responsible for the security of cardholder data and must be careful not to store certain types of data on their own systems or on the systems of their third-party service providers. Merchants are also responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI Data Security Standards. The information security principles contained within these standards are based on ISO 17799 (since renumbered ISO/IEC 27002), the internationally recognized standard for information security practices.
- Q. To whom does the Payment Card Industry Data Security Standards Compliance Program apply?
- A. The PCI DSS applies to all merchants and any organizations or service providers that store, process, or transmit cardholder data.
- Q. Where can I find the PCI Data Security Standard (PCI DSS)?
- A. The current PCI DSS documents can be found on the PCI Security Standards Council website. https://www.pcisecuritystandards.org/document_library.
- Q. What are the benefits of being in compliance with the Payment Card Industry Data Security Standards?
- A. For one thing it is simply good business practice to adhere to the PCI standards to protect cardholder information. It demonstrates your interest in the security issues confronting your customers and clients.
- Q. What are the penalties for non-compliance?
- A. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
- Q. What is "cardholder data"?
- A. The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN), or the full PAN together with any of the following elements: cardholder name, expiration date, and service code. The PAN is the critical component: it is the presence of the account number that makes the PCI Data Security Standards applicable, and a name or expiration date held without the PAN is not cardholder data in the PCI sense. Other personally identifiable information about the cardholder (address, social security number, etc.) that is stored, processed, or transmitted alongside the PAN sits in the same protected environment and should be handled with the same care. Sensitive authentication data (the full contents of the magnetic stripe and the CVV2/CVC2/CID value) is a separate category that may never be stored after authorization.
- Q. What is the definition of ‘merchant’?
- A. For the purposes of PCI Compliance, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five founding members of the PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Please note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers. Source: PCI SSC.
- Q. What constitutes a Service Provider?
- A. The PCI SSC defines a Service Provider as a “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.” (Source: www.pcisecuritystandards.org) The PCI SSC further notes that a service provider may also be “a merchant that accepts payment cards as payment for goods and/or services … if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.”
- Q. What constitutes a payment application?
- A. The term payment application has a very broad meaning in PCI: a payment application is any software that stores, processes, or transmits card data electronically. This means that anything from a point-of-sale system in a retail store or restaurant to an e-commerce shopping cart (e.g., Magento, Sparkpay, Shopify, osCommerce) is classified as a payment application. Any piece of software that has been designed to touch credit card data is therefore considered a payment application.
- Q. What is a payment gateway?
- A. Payment gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines.
- Q. How is a merchant's compliance classification level determined?
- A. A merchant’s compliance classification level is determined by annual transaction volume. The volume calculation is done for you and is based on the gross number of Visa, MasterCard, or Discover Network transactions processed within your merchant account; it is not based on the aggregate transaction volume of a corporation that owns several chains.
- Q. What is the scope of the onsite review for Level 1 Merchants?
- A. The scope of PCI Data Security Standards compliance validation for Level 1 Merchants is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is retained, stored, or transmitted, including:
• All external connections into the merchant network (e.g., employee remote access, VisaNet, third-party access for processing and maintenance).
• All connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers).
• Any data repository outside of the authorization and settlement environment where more than 500,000 account numbers are stored.
POS terminals may be excluded from the review unless the POS environment is IP-based and there is external access to the merchant location via the Internet, wireless, VPN, dial-in, broadband, or publicly accessible machines (such as kiosks); in that case the POS environment must be included in the scope of the on-site review. If the POS environment is not IP-based and has no external access to the merchant location, the on-site review begins at the connection into the authorization and settlement environment.
- Q. How is IP-based POS environment defined?
- A. The point of sale (POS) environment is the environment in which a transaction takes place at a merchant location (i.e. retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location). An Internet protocol (IP) -based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.
- Q. Are Level 4 merchants ever required to validate their compliance?
- A. Yes. If a Level 4 merchant is deemed to be a “High Risk” merchant by Wells Fargo, they are required to validate compliance with the PCI Data Security Standards. Equity Payment will contact Level 4 “High Risk” merchants to discuss next steps.
- Q. What is a "High Risk" merchant?
- A. Currently, merchants that are known to use non-compliant payment applications fall into this “High Risk” category. A non-compliant payment application is one known to store, after authorization, the full magnetic stripe data, the Cardholder Verification Value (CVV) encoded on the stripe, or the printed Cardholder Verification Value 2 (CVV2), Card Validation Code 2 (CVC2), or Card Identification (CID) number.
- Q. Can my compliance requirements change?
- A. Yes. As your transaction volume changes, and as association and industry rules change, your compliance requirements may change. It is your responsibility to be continuously aware of the data security requirements that currently apply to you.
- Data Storage Protocol
- Q. When is it acceptable to store magnetic stripe data?
- A. It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. Visa, MasterCard, and Discover Network prohibit storage of the contents of the magnetic stripe as a unit. However, the following individual data elements may be retained subsequent to transaction authorization: * Cardholder Account Number * Cardholder Name * Card Expiration Date. Retaining these elements does not take them out of scope: the account number in particular must be rendered unreadable wherever it is stored (see requirement 3.4, discussed in the next question).
- Q. Are there alternatives to encrypting stored data?
- A. According to requirement 3.4 of the Payment Card Industry Security Audit Procedures, stored cardholder data must be rendered unreadable, for example by encryption, truncation, or a one-way hash. If encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated, as the technology is rapidly evolving.
In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls. Any compensating controls should be considered as part of the compliance validation process. An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:
• Internal firewalls that specifically protect the database.
• TCP wrappers or firewall on the database to specifically limit who can connect to the database.
• Separation of the corporate internal network on a different network segment from production, with a firewall separating it from the database servers.
- Q. Are there alternatives, or compensating controls, that can be used to meet a requirement?
- A. If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined in the PCI Data Security Standards. Compensating controls must meet the intent and rigor of the original requirement and must be examined by the security assessor as part of the regular PCI Data Security Standards compliance audit. A compensating control must go “above and beyond” the other PCI Data Security Standards requirements: simply meeting another requirement that is already mandatory does not compensate for the one that is not met.
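The two storage questions above, the ban on retaining magnetic stripe data and requirement 3.4's instruction to render stored PANs unreadable, in working code. This is an added example, not code from this page, from the PCI SSC or from any card brand: it scans a constructed log dump for full track 1 and track 2 records and for Luhn-valid PANs, then shows the PANs only in truncated or keyed-hash form. The record layouts and the sample dump are constructed, the card numbers are the well-known public test numbers, and the HMAC key is a placeholder that in practice would live in a key-management system. The last function shows why the hash must be keyed: a truncated PAN and an unkeyed SHA-256 of the same PAN, stored side by side, give away the full number.

```python
"""Added example (not from the page, the PCI SSC or any card brand): find
magnetic-stripe track data and PANs in stored data, then render the PANs
unreadable by truncation or a keyed hash.  Record layouts, sample dump and
key are constructed for illustration."""
import hashlib
import hmac
import itertools
import re

# Track 2: ';' sentinel, PAN, '=' separator, YYMM, service code, discretionary
# data, '?' end sentinel.  Track 1: '%' sentinel, format code 'B', PAN,
# '^' name '^', YYMM, service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# 13-19 digits, optionally space- or dash-separated, not touching other
# digits.  The Luhn check below weeds out timestamps and reference numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list:
    """(track, PAN) for every full stripe record found; none may be stored."""
    hits = [("track2", m.group(1)) for m in TRACK2_RE.finditer(text)]
    hits += [("track1", m.group(1)) for m in TRACK1_RE.finditer(text)]
    return [h for h in hits if luhn_valid(h[1])]


def find_pans(text: str) -> list:
    """Distinct Luhn-valid PANs in text, separators removed, in order seen."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in pans:
            pans.append(digits)
    return pans


def truncate_pan(pan: str) -> str:
    """Truncation: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256); keep the key out of the data store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_sha256(pan: str) -> str:
    """The weak alternative: a plain hash that anyone can recompute."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_unkeyed_hash(truncated: str, sha256_hex: str) -> str:
    """Why hashed and truncated PANs must not be correlatable: with first six
    and last four known, only the masked middle is unknown, so the full PAN
    falls to at most 10**(masked digits) guesses, a tenth of them Luhn-valid.
    Returns the recovered PAN or '' if nothing matches."""
    head, tail, width = truncated[:6], truncated[-4:], len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=width):
        candidate = head + "".join(middle) + tail
        if luhn_valid(candidate) and unkeyed_sha256(candidate) == sha256_hex:
            return candidate
    return ""


# Constructed sample of a careless application log: a bare PAN, two raw
# swipes (track 2, then track 1) and digit runs that are not card numbers.
SAMPLE_DUMP = """\
2024-03-01T10:15:02 auth ok order=1001 card=4111 1111 1111 1111 amount=19.99
2024-03-01T10:15:03 swipe raw=;5555555555554444=25121011234567890?
2024-03-01T10:16:40 swipe raw=%B378282246310005^DOE/JOHN^25121011234567890?
2024-03-01T10:17:00 customer phone=555-0100 zip=90210 ref=20240301101700
"""


def scan_dump(text: str, key: bytes) -> dict:
    """Count prohibited track records; emit each PAN only in storable forms."""
    tracks = find_track_data(text)
    pans = find_pans(text)
    pans += [pan for _, pan in tracks if pan not in pans]
    return {"track_records": len(tracks),
            "pans": [{"truncated": truncate_pan(p), "hmac": hash_pan(p, key)}
                     for p in pans]}


if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP, b"placeholder key; use a KMS or HSM in practice"))
```

Run against database exports, application logs and backups, not just the tables you believe hold card data; the two swipe lines are the kind of thing that turns a Level 4 merchant into a “High Risk” one. The 14-digit `ref=` value and the 17-digit discretionary data are caught by the digit-run pattern but rejected by the Luhn check, which is why the check matters. `recover_from_unkeyed_hash` recovers the full number behind `411111******1111` from its plain SHA-256 in roughly a hundred thousand hash operations, which is why the stored hash must be keyed and the key kept apart from the data, and why a truncated and a hashed copy of the same PAN must never be correlatable.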
- Q. What if a merchant does not store cardholder data?
- A. If a merchant does not store cardholder data, the PCI Data Security Standards still apply to the environment that transmits or processes cardholder data. This includes any service providers that a merchant uses.
- Approved Software and Applications
- Q. What processing software/applications are currently known to be compliant?
- A. Visa publishes the list of card processing software programs it has validated as compliant with the PCI Data Security requirements (see the Visa USA site under Other PCI Compliance Resources). Validation includes the requirement that, after authorization, Security Data is purged from records and systems. Security Data is certain security information, including the full contents of any track of the magnetic stripe from the back of a card and the cardholder validation code (the three- or four-digit value printed on the signature panel of the card). Copies of these software programs with version numbers older (lower) than those indicated must be upgraded, have a special security patch installed, or be replaced with compliant software, to ensure that you do not store Security Data in violation of Visa, MasterCard, or Discover Network rules. If you are using a software program other than those indicated, you must confirm with your software vendor that the version you are using is compliant with current security requirements.
- Steps you should be taking
- Q. What is a security assessor?
- A. A security assessor is an auditing company that specializes in information security. They use card association developed criteria (the PCI Data Security Standards) to validate whether or not a merchant’s information security is robust enough to sufficiently protect cardholder data from unauthorized access or malicious parties.
- Q. Is it a common practice for security assessors to perform a re-assessment?
- A. Yes, assessors frequently are asked to revalidate those items that were not in place at the time of the initial review and provide an updated Report on Compliance.
- Q. Where can the PCI Data Security Standards Compliance Questionnaire be found?
- A. The PCI Self-Assessment Questionnaire is available for download at: pcisecuritystandards.org.
- Q. What is a System Perimeter Scan?
- A. A System Perimeter Scan involves an automated tool that checks a merchant’s or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. The tool will not require the merchant or service provider to install any software on their systems, and it will not perform any denial-of-service attacks.
- Q. Is the System Perimeter Scan only applicable to e-commerce merchants?
- A. No. The System Perimeter Scan is applicable to all merchants and service providers with external-facing IP addresses. Even if an entity does not offer Web-based transactions, there are other services that make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company’s network. These paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled. If a merchant or service provider does not have any external-facing IP addresses, they will only be required to complete the Report On Compliance or the Compliance Questionnaire, as appropriate.
- Q. How do merchants determine the cost of compliance validation?
- A. The cost of the review varies greatly depending on the size of the environment to be reviewed, the chosen assessor, and the degree to which the merchant is already in compliance when the review commences. The cost of a System Perimeter Scan depends on the number of IP addresses to be scanned, the frequency of the scans, and the chosen assessor. As a courtesy to its merchants, Wells Fargo has negotiated preferred pricing with Trustwave.
- Q. What if a merchant has outsourced the storage, processing, or transmission of cardholder data to a service provider?
- A. Merchants should deal only with PCI Data Security Standards compliant service providers. If there are service providers handling cardholder data on a merchant’s behalf, the merchant is still responsible for the security of this data and must ensure that contracts with these service providers specifically include PCI Data Security Standards compliance as a condition of business. Per association rules, you must inform Equity Payment if you are using a service provider.
- Q. Do merchants need to include their service providers in the scope of their PCI Data Security Standards Review?
- A. Yes. Merchants remain responsible for the compliance of their service providers. A service provider can either be included in the merchant’s own review or demonstrate its own validated compliance, in which case the merchant should obtain evidence of that status (such as the provider’s Attestation of Compliance) and confirm it at least annually.
- Q. Can a merchant be considered compliant if they have outstanding non-compliance issues, but provide a remediation plan?
- A. No. Lack of full compliance will prevent a merchant from being considered compliant. Equity Payment encourages merchants to complete the initial review, develop a remediation plan, complete the items on that plan, and revalidate compliance of the outstanding items in a timely manner.
- Penalties for Non-compliance
- Q. Are there fines associated with non-compliance of the PCI Data Security Standards?
- A. Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.
- Q. Are there fines if cardholder data is compromised?
- A. Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
• Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
• All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
• Cost of re-issuing cards associated with the compromise.
• Cost of any additional fraud prevention/detection activities required by the card associations (e.g., a forensic audit) or costs incurred by credit card issuers associated with the compromise (e.g., additional monitoring of systems for fraudulent activity).
- Other PCI Compliance Resources
- Q. Where can I go online to get more information?
- A. For information on association and industry cardholder information security programs, please visit the following websites on a regular basis:
• Visa USA — http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
• MasterCard — https://sdp.mastercardintl.com
• Discover Network — http://www.discovernetwork.com/fraudsecurity/disc.html
• PCI Security Standards Council — https://www.pcisecuritystandards.org
To Contact your PCI Compliance Team or to find out more about how we are helping our merchants become and maintain compliance, email us at: support@equitypayment.com