About Cardholder Data Security
Implementing a strong security policy that protects your customers' cardholder information helps your business prevent a security breach, maintain a positive image, enhance customer confidence and avoid unnecessary costs.
As part of MONEX's ongoing commitment to assisting our merchants with their processing needs, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.
It is important to note that all merchants and service providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. Validation requirements vary by business and depend on your "Merchant Level" or "Service Provider Level." Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a merchant being subject to fines, fees or assessments and/or termination of processing services.
MONEX has taken steps to provide our valued merchants with the necessary information and associated links to help you assess the actions your business should take to ensure that you are compliant.
About PCI SSC
The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major card networks: American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.
The PCI SSC currently manages the following security standards:
» PCI Data Security Standard (DSS)
» PCI PIN Entry Device (PED) Program
» PCI Payment Application Data Security Standard (PA-DSS)
The PCI SSC is also responsible for the training and qualification of security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance to these standards. Enforcement of compliance is managed independently by the Card Associations.
For more information on the PCI SSC please visit www.pcisecuritystandards.org .
Twelve Principal Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer card account data.
The twelve principal requirements of PCI DSS, grouped under their six control objectives, are:
Build and Maintain a Secure Network
» Install and maintain a firewall configuration to protect cardholder data
» Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
» Protect stored cardholder data
» Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
» Use and regularly update anti-virus software
» Develop and maintain secure systems and applications

Implement Strong Access Control Measures
» Restrict access to cardholder data by business need-to-know
» Assign a unique ID to each person with computer access
» Restrict physical access to cardholder data

Regularly Monitor and Test Networks
» Track and monitor all access to network resources and cardholder data
» Regularly test security systems and processes

Maintain an Information Security Policy
» Maintain a policy that addresses information security

The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org .

Merchant Levels and Validation Requirements
All merchants that store, process, or transmit cardholder data must comply with the PCI DSS and validate their compliance according to the validation requirements for their "Merchant Level." The level is set by annual transaction volume per card brand, as described below.

Merchant Level Description

Level 1
» Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions per year.
» Any merchant that has suffered an unauthorized intrusion that resulted in an account data compromise.
» Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.

Level 2
» Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions per year (counted per card brand).

Level 3
» Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions per year.

Level 4
» Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year.
» Any other merchant, regardless of acceptance channel, processing fewer than 1,000,000 Visa or MasterCard transactions per year.

| |
Merchant Validation Requirements

Level 1
» Annual PCI Self-Assessment Questionnaire
» Quarterly network scan
» Annual on-site PCI data security assessment
Validation performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

Level 2
» Annual PCI Self-Assessment Questionnaire
» Quarterly network scan
Validation performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

Level 3
» Annual PCI Self-Assessment Questionnaire
» Quarterly network scan
Validation performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)

Level 4 (at the acquirer's discretion)
» Annual PCI Self-Assessment Questionnaire
» Quarterly network scan
Validation performed by: Qualified Security Assessor (QSA); Approved Scanning Vendor (ASV)
Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.

Quarterly network scans must be performed by an ASV, and the Level 1 on-site assessment by a QSA; scans or assessments performed by anyone else do not count toward validation.

Service Provider Compliance Requirements
A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. As a result, all service providers are required to comply with PCI DSS, including validating their compliance with PCI DSS through the services of a Qualified Security Assessor (QSA).
For more information regarding service providers please see:

Payment Application Data Security Standard
The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. It is based on Visa's Payment Application Best Practices (PABP). Many merchants deploy third-party payment applications, tailored to their business needs, to help them accept card payments.
The goal of PA-DSS is to help software vendors develop secure payment applications that do not store prohibited data (such as full magnetic stripe data, card verification values, or PIN data) and that support the merchant's compliance with the PCI DSS. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants.
Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers and not sold to third parties are not subject to PA-DSS, but must still be secured in accordance with the PCI DSS. PA-DSS does not apply to standalone point-of-sale terminals, database software or web server software.
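The paragraphs above list the data a payment application must never store after authorization. As an added example (it is not MONEX's or the PCI SSC's code), the following Python script scans stored records for those items: full track 1 and track 2 data, a card verification value stored under a named field, and cleartext primary account numbers confirmed with a Luhn check. A cleartext PAN is reported separately from the prohibited items, because PCI DSS allows a PAN to be stored only if it is rendered unreadable. The sample records are constructed and use well-known public test card numbers; the field names (pan, cvv, raw, swipe) are assumptions about how such a log might be laid out. PIN blocks are encrypted and have no recognizable pattern, so the script does not try to find them.

```python
"""Scan stored records for data PCI DSS prohibits after authorization.

Added example, not MONEX's or the PCI SSC's code. SAMPLE_RECORDS are
constructed; the card numbers are well-known public test numbers.
"""
import re
from typing import Dict, List, Tuple

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\??")
# A verification value stored under a field name such as cvv, cvc or cid
# (assumed naming convention for the constructed records).
CVV_FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|cav2)\b\s*[=:]\s*\"?(\d{3,4})(?!\d)", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that separates real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> Dict[str, List[str]]:
    """Return the sensitive items found in one stored record."""
    pans = [mask_pan(m) for m in PAN_RE.findall(text) if luhn_valid(m)]
    track = [name for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE))
             if rx.search(text)]
    cvv = [m.group(1).lower() for m in CVV_FIELD_RE.finditer(text)]
    return {"pans": pans, "track_data": track, "cvv_fields": cvv}


def has_prohibited_data(findings: Dict[str, List[str]]) -> bool:
    """Track data and verification values may never be stored after
    authorization. A PAN is reported separately: it may be stored, but only
    if rendered unreadable, and these records hold it in the clear."""
    return bool(findings["track_data"] or findings["cvv_fields"])


# Constructed sample records, e.g. rows from a transaction log table.
SAMPLE_RECORDS = [
    "order=1234567890123456 amount=19.99",                 # 16 digits, fails Luhn
    "pan=4111111111111111 exp=2512 auth=OK",               # cleartext PAN
    "raw=;5555555555554444=25121011234567890? auth=OK",    # full track 2
    "cvv=123 pan=4242424242424242 status=declined",        # CVV plus PAN
    "ref=TX-99123 amount=5.00",                            # clean
    "swipe=%B4111111111111111^DOE/JANE^2512101000000000? auth=OK",  # full track 1
]


def scan_records(records: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Index and findings for every record that holds any sensitive item."""
    report = []
    for i, rec in enumerate(records):
        found = scan_record(rec)
        if found["pans"] or found["track_data"] or found["cvv_fields"]:
            report.append((i, found))
    return report


if __name__ == "__main__":
    for i, found in scan_records(SAMPLE_RECORDS):
        flag = "PROHIBITED" if has_prohibited_data(found) else "cleartext PAN"
        print(f"record {i}: {flag} {found}")
```

Run against a database export, log directory or crash-dump directory rather than the constructed records to find where an application is retaining data it should have discarded at authorization; the Luhn check keeps order numbers and other long digit runs out of the report, and the masking keeps the report itself from becoming another copy of the PAN.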
Further information on PA-DSS, including a list of payment applications that have validated their compliance with PA-DSS, can be found at:
» PCI Security Standards
» Visa

Visa Canada's Payment Application Compliance Program
Visa Canada has established timeframes by which acquirers must ensure that all merchants (new and existing) who use payment application software to process with their acquirers use only software that has been validated against PA-DSS or PABP requirements.

Phase 1 (effective October 1, 2008): All acquirers must ensure that any newly boarded merchant that uses payment application software uses only software that has been validated to comply with PABP or PA-DSS requirements.

Phase 2 (effective July 1, 2010): All acquirers must ensure that all merchants (new and existing) who use payment application software use only software that has been validated to comply with PABP or PA-DSS requirements.