What Is PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide mandate from the PCI Security Standards Council. The standard applies to all organizations that store, process, or transmit cardholder information from any card branded with the logo of one of the payment card brands. The deadline for validating compliance with the PCI DSS has already passed.

Uploaded by: Mir Shah
Copyright: © Attribution Non-Commercial (BY-NC)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide mandate from the PCI Security Standards Council (PCI SSC). The Council consists of VISA, MasterCard, American Express, Discover, and JCB (the payment card brands). PCI DSS was established to help organizations that process card payments prevent credit and debit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that store, process, or pass cardholder information from any card branded with the logo of one of the payment card brands.

What are the requirements of the standard?


There are twelve requirements that fall into six categories:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data (use encryption)
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

For more information, please refer to the PCI Security Standards Council's website: www.pcisecuritystandards.org

Who needs to be compliant with PCI DSS?


All organizations that store, process or transmit payment card data are mandated by VISA, MasterCard, American Express, Discover, and JCB to achieve compliance with PCI DSS. This includes banks, Payment Service Providers, and online, face-to-face and mail/telephone order merchants. Compliance is not a one-time requirement. All organizations that store, process or transmit payment card data are required to validate their compliance once a year; however, they are expected to maintain compliance at all times.

What are the deadlines for complying with PCI DSS?


The deadline for validating compliance with the PCI DSS has already passed. All entities that store, process or transmit payment card data must be compliant with PCI DSS. First Data Merchant Solutions customers must establish compliance when their account is approved and continue to maintain compliance and validate on an annual basis.

What do I need to do?


Depending upon your organization's size and type, you must either complete a PCI DSS Self-Assessment Questionnaire (SAQ) or have a Formal Onsite Assessment by a Qualified Security Assessor (QSA) or a fully certified Internal Security Assessor (ISA). If you electronically transmit cardholder data or have a payment system that is connected to the Internet, you will also need quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV), and you must provide the scan reports to First Data Merchant Solutions via our PCI DSS Compliance Program portal or PCI DSS helpdesk.

Who are Qualified Security Assessors?


They are Information Security Consultants that have been trained and certified by the PCI Security Standards Council. QSAs carry out on-site security assessments for entities to verify their compliance with PCI DSS.

If I am a merchant, how do I verify PCI DSS compliance with First Data Merchant Solutions?
All merchants will be provided with logon credentials, i.e. a Personal Access Code and Password, to allow them to enroll on our PCI DSS Compliance Program Portal. The credentials will be provided to you in writing via post and, to protect the privacy of your information, they will be sent separately. Following enrolment, all merchants must complete their SAQ and attest to their compliance with PCI DSS.

How do I enroll onto the PCI DSS Compliance Program Portal?


Enrolment occurs when you access the Portal for the first time as the primary user for your merchant outlet. To complete the process, you must follow the steps below:
1. On the homepage, click on New Enrolment.
2. You will be directed to the next screen, where you will be asked to enter your Merchant Account Number and the required characters from your Personal Access Code. This information is provided to you by letter.
3. Enter your Portal Password.
4. Please confirm your email address; this will be used for all future email correspondence.
5. You will now be able to update your Username and Portal Password information by entering new details for each and confirming.
6. Once complete, you will receive an email to confirm enrolment was successful.

What happens if I have already validated compliance with another QSA?


You will still have to enroll with our PCI DSS Compliance Program and complete your compliance validation. However, provided you can present a copy of your Validation Certificate, issued by your QSA, we will refund the first year of your PCI DSS Management Fee. Subsequent years' fees will remain payable.

What is a Network Vulnerability Scan?


A Network Vulnerability Scan is an automated, non-intrusive scan that assesses the security of your externally facing IP addresses and web applications from the Internet. The scan will identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data.

Why do I need to have Quarterly Network Vulnerability Scanning and how does it work?
Quarterly Network Vulnerability Scanning is a requirement of the PCI DSS. VISA, MasterCard, American Express, Discover, and JCB mandate that an Approved Scan Vendor conduct quarterly network vulnerability scans for you if you host a Payment Page, store credit card data electronically (even if only momentarily), transmit payment card data via an API link, or have a payment application or terminal connected to the Internet. Network security scans are non-intrusive inspections that evaluate an organization's network perimeter for information security vulnerabilities that could leave you exposed to hacking and consequent data compromise. A clean external network scan must be achieved and the requisite report presented to First Data Merchant Solutions before PCI DSS compliance can be achieved.

Who carries out the scan?

The Network Vulnerability Scan needs to be carried out by an Approved Scan Vendor. Sysnet are a certified Approved Scan Vendor and provide scanning services on behalf of First Data Merchant Solutions.

How often do I need to have scans run?


Quarterly network security scanning of all externally facing systems is required.

What happens if I fail a Network Vulnerability Scan?


You should try to correct any of the deficiencies found from the scan as soon as possible in order to protect your organization from hackers. You can discuss these issues with our PCI DSS Compliance Program helpdesk who will provide guidance on how to approach correcting the issues that came up within your Network Vulnerability Scan.

What are the rules around the storage of sensitive data such as CAV2/CVC2/CVV2/CID?
The storage of sensitive data such as CAV2/CVC2/CVV2/CID (commonly known as the card security code) is strictly prohibited by all card schemes. In January 2007, Visa Europe decided to start communicating the importance of never storing such sensitive data, and it has continued to emphasize this message since.

What are the rules for the storage of information from merchants who take payment details through call centers?
The official PCI SSC guidance on the storage of card data in voice recordings is as follows: It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried, recognizing that multiple tools exist that could potentially query a variety of digital recordings. Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS, which must still be applied to these call recording formats. This requirement does not supersede local or regional laws that may govern the retention of audio recordings.
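The two answers above describe what may and may not remain on disk after a card authorization, but not what a compliant stored record looks like in practice. The following added example (written for this page; it is not First Data's or the PCI SSC's code) builds the post-authorization record from a constructed authorization request, dropping every sensitive authentication data field and masking the PAN, and then runs a simple check over stored records that flags any sensitive field or any unmasked, Luhn-valid card number. The field names, the record layout and the 4111 1111 1111 1111 test card number are constructed for the example. The masking rule used here (at most the first six and last four digits visible) comes from PCI DSS Requirement 3.3, which this FAQ does not quote.

```python
"""Constructed example: what a cardholder-data record may retain after authorization.

PCI DSS Requirement 3.2 forbids storing sensitive authentication data (full track
data, CAV2/CVC2/CVV2/CID, PIN or PIN block) after authorization, even encrypted.
PCI DSS Requirement 3.3 allows a masked PAN (first six / last four digits at most).
Field names below are assumptions, not a real payment API.
"""
import re

# Fields that carry sensitive authentication data and must never be persisted
# after authorization (names are constructed for this example).
SENSITIVE_AUTH_FIELDS = frozenset(
    {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}
)

# 13-19 digit run, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Masked PANs contain '*' and therefore never match.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell a real card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def post_authorization_record(auth_request: dict) -> dict:
    """Build the only record that may be persisted once authorization is done.

    Every sensitive authentication data field is dropped (not encrypted, not
    hashed: simply never written), and the PAN is stored masked.
    """
    record = {k: v for k, v in auth_request.items() if k not in SENSITIVE_AUTH_FIELDS}
    record["pan"] = mask_pan(auth_request["pan"])
    return record


def find_violations(record: dict) -> list:
    """Return a description of each problem in a stored record.

    Flags (a) any sensitive authentication data field and (b) any string value
    containing a full, Luhn-valid card number, e.g. a PAN pasted into a free-text
    note field.
    """
    problems = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            problems.append(f"sensitive authentication data stored in field '{key}'")
            continue
        if isinstance(value, str):
            for match in PAN_CANDIDATE.finditer(value):
                if luhn_valid(re.sub(r"\D", "", match.group())):
                    problems.append(f"unmasked PAN in field '{key}'")
                    break
    return problems


if __name__ == "__main__":
    # Constructed authorization request: what the terminal/web form sends.
    auth_request = {
        "pan": "4111 1111 1111 1111",   # standard test card number, Luhn-valid
        "expiry": "1229",
        "cvv2": "123",
        "amount": "19.99",
        "merchant_ref": "ORDER-1",
    }
    stored = post_authorization_record(auth_request)
    print("stored record:", stored)
    print("violations in stored record:", find_violations(stored))
    print("violations if the raw request were stored:", find_violations(auth_request))
```

The check in find_violations only examines structured string fields; it says nothing about call recordings, which is why the guidance quoted above asks for recording of those data elements to be prevented at the source rather than cleaned up afterwards.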

I complied with PCI DSS last year, why am I being asked to do it again?
Compliance with PCI DSS must be maintained at all times and validated on an annual basis. This is because a merchant may change their infrastructure due to growth, upgrades, acquisitions, etc. It is also possible that the standard may change from time to time to adapt to new security threats or market requirements. Normally, however, PCI DSS compliance is likely to be far easier in subsequent years, and the time it takes for you to complete your compliance steps should reduce significantly.

Who needs to have an annual Formal Onsite Assessment?


Currently, it is any merchant who accepts more than six million transactions per card brand, per annum, Payment Service Providers that process over 300,000 transactions and most Banks. MasterCard have mandated that Level 2 Merchants (any merchant with greater than one million total combined MasterCard and Maestro transactions annually) complete an annual onsite assessment conducted by a Qualified Security Assessor (QSA) and they must validate compliance by 31 December 2010.

What is a Self-Assessment Questionnaire?

The Self-Assessment Questionnaire is a validation tool used by merchants to demonstrate that they are compliant with, or working towards compliance with, PCI DSS. The PCI SSC allows use of this questionnaire instead of undergoing an on-site assessment for PCI DSS compliance.

If we don't need a Formal Assessment, what Self-Assessment Questionnaire (SAQ) should we complete and what do we do with it?
When enrolling with PCI DSS Compliance Program, a series of questions will guide you through the registration process. The answers to these questions will be used to identify the appropriate SAQ for your business.

How do compensating controls function in relation to PCI DSS requirements?


A compensating control can be allowed as a substitute for a PCI DSS requirement if an entity is able to prove that they can't meet that requirement due to either a technical or a documented business constraint. In addition, the entity must also prove that they have reduced the risk associated with not meeting that requirement through the implementation of a compensating control which has been reviewed and approved by a QSA. Other factors are considered when assessing the effectiveness of a compensating control, such as the specifics of the environment in which the control is implemented, the surrounding security controls and the configuration of the control. It should also be noted that certain compensating controls will not be effective in all environments.

What are the PIN Transaction Security (PTS) Requirements?


These are a set of security requirements that manufacturers of devices used for processing cardholder PINs and other payment processing related activities must follow. The requirements provide manufacturers with guidelines on how the devices should be designed, manufactured and transported to the entities that deploy them. All entities processing card details should only use devices or components that are tested and approved by the PCI SSC. Please follow the link below for further information: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

What is the Payment Application Data Security Standard (PA-DSS)?


The PA-DSS applies to any entity that has either developed software or has integrated payment applications for the purpose of storing, processing or transmitting cardholder data as part of the authorization or settlement when these applications are sold, distributed or licensed to third parties. A full list of validated applications can be found at the following link: www.pcisecuritystandards.org/security_standards/pa_dss.shtml

What is a Head Office Account?


If you have more than one trading outlet, a Head Office Account is created (with no additional charges) to link your outlet records together. Through the PCI DSS Compliance Program, a Head Office can log on and view the status of related outlets.

Why do I have to pay per outlet?


PCI DSS compliance validation must be undertaken on an annual basis and a universal PCI DSS Management Fee is payable by every outlet to monitor and manage your compliance status.

I have multiple outlets, why do I have to complete an SAQ for each?


If you have multiple outlets, you will be required to complete an SAQ for each to ensure they are all compliant with PCI DSS. If all your outlets trade in the same manner and have the same SAQ requirement, you will have the opportunity via the PCI DSS Compliance Program portal to copy across a previously completed SAQ.

Who do I contact for assistance with PCI DSS?


For further assistance with PCI DSS, please contact our PCI DSS Compliance Program helpdesk.

What happens if I refuse to comply with PCI DSS?


First Data Merchant Solutions are unable to allow merchants that refuse to comply with PCI DSS to continue taking transactions, as compliance is mandated by the Payment Card brands.
