LiveZilla Live Help   LiveZilla Live Help
Site Français
  Services
 

PCI Data Security 
 
About Cardholder Data Security
Implementing a strong security policy that protects your customer’s cardholder information will help your business maintain a positive image by preventing a security breach, enhance customer confidence and avoid any unnecessary costs.

As part of MONEX's ongoing commitment in assisting our merchants in their processing needs, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.

It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. Certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level.” Failure to comply with PCI DSS and the Card Brand Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.

MONEX has taken the steps to provide our valued merchants with the necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.
 
About PCI SSC
The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks - American Express, Discover Financial, JCB, Master Card Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.

The PCI SCC currently manages the following security standards:
» PCI Data Security Standard (DSS)
» PCI PIN Entry Devices Program (PED)
» PCI Payment Application Data Security Standard (PA-DSS)
   
The PCI SSC is also responsible for the training and qualification of security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance to these standards. Enforcement of compliance is managed independently by the Card Associations.
For more information on the PCI SSC please visit www.pcisecuritystandards.org .
 
Twelve Principle Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer credit card account data.

Below are the twelve principle requirements of PCI DSS:
» Build and Maintain a Secure Network
 
» Install and maintain a firewall configuration to protect cardholder data
» Do not use vendor-supplied defaults for system passwords and other security parameters
» Protect Cardholder Data
 
» Protect stored cardholder data
» Encrypt transmission of cardholder data across open, public networks
» Maintain a Vulnerability Management Program
 
» Use and regularly update anti-virus software
» Develop and maintain secure systems and applications
» Implement Strong Access Control Measures
 
» Restrict access to cardholder data by business need-to-know
» Assign a unique ID to each person with computer access
» Restrict physical access to cardholder data
» Regularly Monitor and Test Networks
 
» Track and monitor all access to network resources and cardholder data
» Regularly test security systems and processes
» Maintain an Information Security Policy
 
» Maintain a policy that addresses information security
  The PCI DSS and supporting documentation can be found at  https://www.pcisecuritystandards.org .
 
Merchant Levels and Validation Requirements
All merchants that store, process, or transmit cardholder data must comply with the PCI DSS and validate their compliance & certification requirements using the appropriate “Merchant Level” for their business.
 
Merchant Level Description
Level Level Description
1
»
Any merchant regardless of acceptance channel, processing over 6,000,000 Visa or Master Card transactions per year.
»
Any merchant that has suffered an unauthorized intrusion that resulted in an account data compromise.
»
Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.
2
»
Any merchant processing between 1,000,000 and 6,000,000 Visa or Master Card transactions annually of one card plan.
3
»
Any merchant processing between 20,000 and 1,000,000 Visa or Master Card e-commerce transactions per year.
4
»
Any e-commerce merchant processing fewer than 20,000 Visa or Master Card e-commerce transactions per year.
»
Any merchant (regardless of acceptance channel) processing less than 1,000,000 Visa or Master Card transactions per year.
 
Merchant Validation Requirements
Merchant Level Validation Requirements Validations Performed By
1
» Annual PCI Self Assessment Questionnaire
» Quarterly Network Scan
» Annual On-site PCI Data Security Assessment
» Qualified Security Assessor (QSA)
   
» Approved Scanning Vendor (ASV)
2
» Annual PCI Self Assessment Questionnaire
» Quarterly Network Scan
» Qualified Security Assessor (QSA)
» Approved Scanning Vendor (ASV)
3
» Annual PCI Self Assessment Questionnaire
» Quarterly Network Scan
» Qualified Security Assessor (QSA)
» Approved Scanning Vendor (ASV)
4 -
Acquirer's Discretion
» Annual PCI Self Assessment Questionnaire
» Quarterly Network Scan
» Qualified Security Assessor (QSA)
» Approved Scanning Vendor (ASV)
 
Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.
 
Service Providers Compliance Requirements
A service provider is defined an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. As a result, all service providers are required to comply with PCI DSS including validating their compliance to PCI DSS through the services of a Qualified Security Assessor (QSA).
For more information regarding service providers please see:
» Visa Canada Account Information Security Program
» Master Card Worldwide Site Data Protection Program
   
Visa and Master Card each publish a list of compliant service providers on their web sites. For a list of service providers that have validated their compliance to PCI DSS please see:
» Visa Canada Service Provider Listing
» Master Card Worldwide Service Provider Listing
 
Payment Application Data Security Standard
The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. This standard is based on Visa’s Payment Application Best Practices (PABP). Many merchants deploy third party payment applications that are tailored to their business needs to assist them in accepting credit card payments.

The goal of PA-DSS is to assist software vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and ensure their payment applications support compliance with the PCI DSS. Vulnerable payment applications that store prohibited are the leading cause of account data compromises among small merchants.

Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software.

Further information on PA-DSS including a list of payment applications that have validated their compliance to PA-DSS can be found at:

PCI Security Standards
Visa
 
Visa Canada's Payment Application Compliance Program
Visa Canada has established timeframe's by which acquirers must ensure that all merchants (new and existing) who use payment application software to process with their acquirers only use such software that has been validated against PA-DSS or PABP requirements.

Phase Compliance Mandate Effective Date
1
By 1 October 2008, all acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that has been validated to comply with PABP or PA-DSS requirements.
 October 01, 2008
2
By 1 July 2010, all acquirers must ensure that all merchants (new and existing) who use payment application software only use payment application software that has been validated to comply with PABP or PA-DSS requirements.
 July 01, 2010
 
 
Services
Merchant Portal
On Site Service
Chip Technology
PCI Data Security
Fraud Awareness
 Home| About Monex | Media Room | Sitemap | FAQ's | Careers | Add to Bookmarks | Terms & Conditions Copyright 2011, MONEY Express POS Solutions               
All Rights Reserved
                                                                                                                                                                                                                                                                                                         
 
         
 Read More

Prevent Data Fraud and Protect Your Reputation with PCI Standards


One of the most valuable merchant account services that credit card processing companies can offer merchants is security: a secure connection and information about how to keep data secure and following established security standards can go a long way to instilling confidence on the part of merchants and their customers, while actually protecting them from fraud and theft that can hamper business efforts.

Payment Card Industry (PCI) Data Security Standards (DSS) were established by a global council comprised of five international credit card providers and industry security experts. The PCI Council set up these standards to ensure that consumers are protected in a uniformly efficient way. Small and medium sized business owners that lack a close relationship with the credit card industry may lack essential information about these standards, a shortcoming that can put them at risk of fines, assessment fees, or credit card processing service termination at the hands of credit card companies. Worse yet, it could leave merchants vulnerable to easily preventable security breaches.

 The PCI DSS can be boiled down to these simple principles:

-Build and Maintain a Secure Network

-Install and maintain a firewall configuration to protect cardholder data

-Do not use vendor-supplied defaults for system passwords and other security parameters

-Protect Cardholder Data

-Protect stored cardholder data

-Encrypt transmission of cardholder data across open, public networks

-Maintain a Vulnerability Management Program

-Use and regularly update anti-virus software

-Develop and maintain secure systems and applications

-Implement Strong Access Control Measures

-Restrict access to cardholder data by business need-to-know

-Assign a unique ID to each person with computer access

-Restrict physical access to cardholder data

-Regularly Monitor and Test Networks

-Track and monitor all access to network resources and cardholder data

-Regularly test security systems and processes

-Maintain an Information Security Policy

-Maintain a policy that addresses information security

These all seem like basic common sense security practices, yet are representative of the kinds of mistakes consumers and merchants frequently make regarding the security of sensitive information.

Fortunately, the PCI Council has published several in-depth guides to conducting a self-assessment of compliance and a correlated implementation guide, which can be accessed from the council’s website, www.pcisecuritystandards.org. However, for many small and medium sized business owners, this will prove a confusing endeavor without expert support. That’s where a merchant account services provider can help. A merchant’s payment processor has a clear incentive to keep its customers happy, secure, and in compliance so that they money continues to flow. So regardless of any other circumstances, there is no reason for any merchant to neglect implementing PCI Data Security Standards.