Merchant Data Security Program FAQ
Q. What are the penalties and fines associated with a security breach?
A. Per the card associations, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, fraudulent purchases, and the cost of re-issuing cards. Please note that you may also lose your credit card acceptance privileges.
Q. Why should I enroll in Card Systems Merchant Data Security Program?
A. It’s important to register with PCI Compliance, LLC to complete the PCI DSS process—have a vulnerability scan and complete the full Self-assessment Questionnaire. PCI Compliance, LLC will help identify the steps you need to take to remediate your vulnerabilities and ensure that you protect your customers’ payment card information and your network.
Q. What is the PCI DSS? And what do the acronyms CISP, SDP, DISC and DSOP stand for?
A. PCI DSS stands for Payment Card Industry Data Security Standard, a set of comprehensive requirements for protecting payment account data. It was developed by the founding payment brands of the PCI Security Standards Council (Visa International, MasterCard Worldwide, Discover Financial Services, American Express and JCB) to encourage the adoption of consistent data security measures globally.
The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other protective measures intended to proactively protect customer account data. The PCI Security Standards Council was founded in 2006 to maintain the standard itself, but each card brand runs its own compliance program, and it is those programs that set deadlines and levy fines and fees. The acronyms in the question are the names of those brand programs:
- CISP: Visa's Cardholder Information Security Program
- SDP: MasterCard's Site Data Protection program
- DISC: Discover Information Security and Compliance
- DSOP: American Express' Data Security Operating Policy
Q. Are all merchants and service providers required to comply with the PCI DSS?
A. Yes. All entities (merchants or service providers) that store, process, or transmit cardholder data must comply with the PCI DSS. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce. Validation requirements vary depending on the number of transactions an entity processes.
Q. Is this a one time requirement?
A. No. PCI DSS compliance is an ongoing process. What you must do to validate compliance depends on the number of transactions you process, but the card associations require all merchants to be compliant with the PCI DSS at all times, not only on the day of validation. There are two main components of validation:
- Completing the PCI Self-Assessment Questionnaire (SAQ) annually
- Undergoing vulnerability scans performed by an Approved Scanning Vendor (ASV) at least quarterly, and again after any significant change to your network
Q. How is “cardholder data” defined?
A. Cardholder data is the PAN (Primary Account Number) on its own, the full magnetic stripe (track) data, or the PAN together with any of the following:
- Cardholder name
- Expiration date
- Service Code
The PCI DSS applies to any of this cardholder data that is stored, processed, or transmitted.
Q. Can I store magnetic stripe data? How about the CVV2 and CVC?
A. It is never acceptable to store full magnetic stripe (track) data after the transaction has been authorized, even in encrypted form. The same applies to the card verification code (CVV2 for Visa and CVC2 for MasterCard, the three digits printed on the signature panel, or the four-digit CID printed on the front of American Express cards) and to PINs and PIN blocks. These items are "sensitive authentication data": they may be used to obtain the authorization, but must not be retained afterwards.
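The practical check that follows from the two answers above is to look for this data where it tends to leak: application logs, debug output and database dumps. The script below is an added example for this FAQ, not code from PCI Compliance, LLC or Card Systems. It flags full track 1/track 2 data and labelled card verification values as critical (never storable after authorization), flags bare PANs that pass the Luhn check as high, and truncates every PAN it reports to the first six and last four digits. The field names it matches (cvv2, cvc2, cid, cav2) and the log lines at the bottom are constructed for the example.

```python
"""Detect stored cardholder data and sensitive authentication data in text.

Added example for this FAQ (not PCI Compliance, LLC's or Card Systems' code).
Input is assumed to be plain text such as application logs or a database
dump; the sample lines at the bottom are constructed for the example.
"""
import re

# A PAN is 13-19 digits; allow the spaces or dashes people type between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 (magnetic stripe): ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1 (magnetic stripe): %BPAN^NAME^YYMM<service code>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})")
# Card verification values logged as a labelled field (assumed field names).
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2?)\s*[:=]\s*(\d{3,4})", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters most numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(lineno: int, line: str) -> list:
    """Return findings for one line. Track data and CVVs are 'critical' because
    storing them after authorization is never permitted; a bare PAN is 'high'."""
    findings = []
    seen = set()   # PANs already reported as part of track data on this line
    for m in TRACK1_RE.finditer(line):
        seen.add(m.group(1))
        findings.append({"line": lineno, "type": "track1", "severity": "critical",
                         "pan": mask_pan(m.group(1)), "expiry": m.group(3)})
    for m in TRACK2_RE.finditer(line):
        seen.add(m.group(1))
        findings.append({"line": lineno, "type": "track2", "severity": "critical",
                         "pan": mask_pan(m.group(1)), "expiry": m.group(2)})
    for m in CVV_FIELD_RE.finditer(line):
        findings.append({"line": lineno, "type": "cvv", "severity": "critical"})
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if digits in seen or not luhn_ok(digits):
            continue
        seen.add(digits)
        findings.append({"line": lineno, "type": "pan", "severity": "high",
                         "pan": mask_pan(digits)})
    return findings


def scan_text(text: str) -> list:
    """Scan every line of a text blob; line numbers start at 1."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample: an order log line, two POS debug lines that leak stripe
# data, a correctly masked PAN beside a Luhn-invalid lookalike, and noise.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z INFO order=1001 card=4111 1111 1111 1111 exp=12/25 cvv2=123
2024-03-01T10:02:12Z DEBUG raw track: %B5555555555554444^DOE/JOHN^25121011234?
2024-03-01T10:02:13Z DEBUG track2=;378282246310005=2512101?
2024-03-01T10:02:14Z INFO order=1002 card=411111******1111 session=4111111111111112
2024-03-01T10:02:15Z INFO healthcheck ok request_id=8675309
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports four findings: a CVV and a PAN on the first line, track 1 data on the second and track 2 data on the third. The masked PAN on line 4 and the Luhn-invalid session identifier beside it are correctly ignored. The findings themselves never contain a full PAN, so the scan report can be handled without itself becoming cardholder data that must be protected.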
Q. What is the PCI Self-Assessment Questionnaire?
A. The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI DSS. In February of 2008, the PCI Security Standards Council released four versions of the questionnaire to account for different merchant environments.
- SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing and transmission.
- SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
- SAQ C: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the Internet but who do not store cardholder data electronically.
- SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.
For more information on the questionnaire, and to determine which one is right for your business, please visit PCI Security Standards.
Q. What is a Network Vulnerability Scan?
A. A vulnerability scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet, against your external-facing IP addresses. The scan identifies vulnerabilities or gaps that could allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data. The scans provided by PCI Compliance, LLC do not require you to install any software on your systems, and no denial-of-service attacks are performed.
Q. What if I fail the scan?
A. A failed network vulnerability scan in the PCI Compliance, LLC portal means the scan found vulnerabilities rated medium severity or higher (a CVSS base score of 4.0 or above) on your externally reachable systems. PCI Compliance, LLC will help guide you to remediate a failed scan and work toward achieving compliance. First, log in to the PCI Compliance, LLC portal to review the scan results. The report describes each identified issue and points to resources for fixing it. Address each problem, then schedule a rescan to confirm that your remediation brings you into line with the PCI DSS; only a clean scan counts toward your quarterly validation.
Q. How is a Level 4 merchant defined?
A. Visa & MasterCard Level 4 Merchant: Any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and any other merchant that processes fewer than 1 million Visa or MasterCard transactions annually, regardless of acceptance channel.
Q. Do I have to use a QSA? Where do I find one?
A. Not necessarily. A Qualified Security Assessor (QSA) performs the on-site assessment required of Level 1 merchants and of some service providers; smaller merchants normally validate by completing the Self-Assessment Questionnaire and passing quarterly scans by an Approved Scanning Vendor (ASV). QSAs and ASVs are qualified by the PCI Security Standards Council, which publishes the list of approved companies on its website. PCI Compliance, LLC is both a QSA and an ASV.
Q. What if my business does not go through this compliance procedure?
A. If you do not comply with the security requirements of the card associations, you put your organization at risk of payment card compromise. Your acquirer may also pass fines levied by the card associations for non-compliance on to you.
Q. Do I get anything to prove I am compliant, if so, will it be automatically sent to Visa or MasterCard?
A. Once you have successfully completed the compliance program, PCI Compliance, LLC will issue you a Certificate of Compliance. Any reporting to your acquirer will be facilitated by PCI Compliance, LLC.
Q. Can our internal staff validate our compliance?
A. Partly. The card associations require that the quarterly vulnerability scans be performed by an Approved Scanning Vendor, so your internal staff cannot perform those. Your internal staff can, however, complete the annual PCI Self-Assessment Questionnaire.
Q. We don't have time for this. How long will this take?
A. The length of the process varies. Once non-compliance issues have been identified, the length of time it takes an organization to implement solutions to resolve the issues will affect the length of the PCI DSS compliance process. The length of time also varies depending on the resolution and the complexity of the environment.
Q. Why is Card Systems using PCI Compliance, LLC?
A. In an effort to assist you with your compliance efforts, Card Systems has partnered with PCI Compliance, LLC, a company specializing in merchant compliance. PCI Compliance, LLC works with merchants to help them overcome their individual hurdles and achieve PCI DSS compliance.
To help facilitate PCI DSS compliance, PCI Compliance, LLC offers a fully-automated Internet testing service that enables you to assess the security of your Internet connection and devices. This service includes an easy-to-use online Self-Assessment Questionnaire that guides you through your payment card environment and processes, as well as a vulnerability scanning engine that performs over 37,000 different security tests on your computer systems.
Card Systems has partnered with PCI Compliance, LLC to offer PCI Compliance, LLC's services to our merchants at a significantly reduced cost.
In our PCI Compliance, LLC portal merchants have access to:
- Scanning engine that tests for more than 3,000 vulnerabilities
- PCI Self-Assessment Questionnaire
- Detailed compliance status reporting
- Vulnerability prioritization
- Remediation services to address security vulnerabilities and achieve compliance more quickly
- Comprehensive online support resources
Q. Who is 403 Labs?
A. 403 Labs, LLC, is a full-service information security and compliance consulting firm. 403 Labs specializes in performing penetration tests, network and application security assessments, compliance audits and computer forensic investigations for organizations with critical information security needs.
403 Labs is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA), certified to perform the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).
For more information about 403 Labs, please visit them at www.403labs.com.