The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network setup, software design, and other protective measures. The PCI Security Standards Council (PCI SSC) is a forum composed of members from each of the card companies. The PCI DSS provides a common standard to which the payment industry must adhere.
TSYS Merchant Solutions would like to remind our customers that they must meet the requirements of PCI DSS by properly safeguarding cardholder data. It is critical that your business adheres to the security requirements to ensure the highest standard of care and to help keep sensitive cardholder data away from hackers and fraudsters. The following highlights the 12 main requirements (please refer to the PCI SSC for the complete requirements):

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security
All businesses will fall into one of four levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa, MasterCard and Discover transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA). In cases where a corporation has more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity will be used to determine the validation level. Other restrictions and conditions may apply. Merchant levels are defined as:
| Level | Description | Compliance Requirements |
|---|---|---|
| 1 | Any business, regardless of acceptance channel, processing over 6,000,000 Visa® or MasterCard® transactions per year, or any business so designated at the discretion of the card associations. | Annual onsite assessment or ROC by a QSA; quarterly scans by a QSA/ASV; CORA |
| 2 | Any business, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year. | Annual onsite assessment or ROC by a QSA; quarterly scans by a QSA/ASV; CORA |
| 3 | Any business processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year. | Annual SAQ; quarterly scans by a QSA/ASV; CORA |
| 4 | Any business processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other businesses, regardless of acceptance channel, processing up to 1,000,000 Visa or MasterCard transactions per year. | Annual SAQ; quarterly scans by a QSA/ASV |
*Subject to change at any time by the card associations or the PCI DSS council.

**Any business involved in an account-data compromise breach may be escalated to a higher validation level.

Compliance Documentation Defined

- QSA - Qualified Security Assessor. QSAs are certified by the PCI SSC. A QSA serves as an advisor to businesses seeking or maintaining compliance with the PCI DSS. TSYS Merchant Solutions customers can work with Trustwave. Approved QSAs are listed on the PCI SSC web site.
- ASV - Approved Scanning Vendor. ASVs are certified by the PCI SSC. ASVs complete the required quarterly network scans and serve as advisors on achieving compliance. Approved ASVs are listed on the PCI SSC web site.
- ROC - Report on Compliance. Level 1 businesses must submit a ROC annually, completed by a QSA.
- SAQ - Self-Assessment Questionnaire. Annual SAQs must be submitted by businesses not required to submit a ROC.
- Quarterly Vulnerability Scans - Scans must be done quarterly by either a QSA or an ASV.
- CORA - Confirmation of Report Accuracy. Required annually for Level 1, 2 and 3 businesses.

Compliance Validation

Once a business has met the compliance requirements, compliance must be validated. TSYS Merchant Solutions is required to provide monthly (or upon request) compliance status updates on our customers to the card associations. Level 4 businesses should validate compliance with Trustwave (https://www.validatepci.com/). Level 1-3 customers should provide the required documentation to our compliance review team at merchantpcicompliance@tsys.com.
Businesses using a vendor, payment application, or third-party software and/or hardware are required to use only compliant payment applications. For a list of compliant service providers, visit the PCI DSS council web site. Each card association and the PCI DSS provide educational programs, including brochures and webinars, on their web sites, as well as lists of compliant service providers. Additional information is available at:
In the event of a security incident, please contact TSYS Merchant Solutions immediately. Members, businesses and service providers must take immediate action to investigate the incident, limit the exposure of cardholder data, and notify the card associations to report investigation findings. Guides to assist in the event of a breach are available at the web sites listed above.

Disclaimer: This document contains a compilation of information received from various sources. This information is presented solely for the convenience of the reader and should not be used as a substitute for your own research and reference to actual regulations and/or other official documents, or as a substitute for consulting your legal advisor. TSYS Merchant Solutions and its parents and affiliates are not responsible for inaccurate, outdated, or incomplete information. All information contained herein is subject to change.