PCI Data Security Standards

We are all responsible for securing and protecting cardholder data

Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Payment Card Network Compliance Programs. The PCI DSS is enforced by the Payment Card Networks (Visa International, MasterCard Worldwide, American Express, Discover Financial Services, and JCB). Even though certification requirements vary by business and depend on your "Merchant Level" or "Service Provider Level", failure to comply with PCI DSS and the Payment Card Network Compliance Programs may result in a Merchant having to pay fines and fees and/or having its processing services terminated.

First Data wants to ensure all its merchants are compliant. Below we are providing data security information and links to assist in assessing the actions your business should take to ensure that it remains compliant.


The PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It is an independent body founded in September 2006 by the five major credit card networks: American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International.

The PCI SSC currently manages the following security standards:

  • PCI Data Security Standard (DSS)
  • PCI PIN Entry Devices Program (PED)
  • PCI Payment Application Data Security Standard (PA-DSS)

The PCI SSC is also responsible for the training and qualification of the security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance with these standards; enforcement is managed independently by the Payment Card Networks.

Visit www.pcisecuritystandards.org for more information.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a technical and broad-ranging set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits or processes customer payment cards, such as credit cards or debit cards. Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards.

Visit www.pcisecuritystandards.org for more information.

Importance of PCI DSS Compliance and/or Certification

Compliance with the PCI DSS is mandatory. First Data wants to ensure all merchants adopt these standards and remain compliant. If a merchant is not compliant with PCI DSS, the Payment Card Networks could charge the merchant additional fees and fines, and the merchant may no longer be able to process credit card transactions.

Compliance means all requirements of the PCI DSS are met. To become certified, you must engage the services of a Qualified Security Assessor ("QSA") to validate your compliance with PCI DSS. The QSA will work on identifying areas of non-compliance, and you must then remedy each of them. Once all areas of non-compliance have been addressed, the QSA will re-evaluate and issue confirmation of compliance. If a merchant chooses to certify, certification to PCI DSS is at the merchant's expense.

Twelve Principal Requirements of PCI DSS

PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, intended to help organizations proactively protect customer account data.

Failure to meet the 12 PCI DSS requirements may result in fines or termination of credit card processing privileges. Below are the twelve principal requirements of PCI DSS.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

You can find PCI DSS and supporting documentation at www.pcisecuritystandards.org.

Merchant Levels and Validation Requirements

All merchants must comply with the PCI DSS regardless of the volume of transactions processed or the method by which the transactions are processed. That being said, certification requirements vary by business and are contingent upon the "Merchant Level".

Merchant Level Description

LEVEL   LEVEL DESCRIPTION
1       Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually.
        Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
        Any merchant that a Payment Card Network, at its sole discretion, determines should meet the Level 1 merchant requirements.
2       Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually of one card plan.
3       Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.
4       Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
        Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.


Merchant Validation Requirements

MERCHANT LEVEL   VALIDATION REQUIREMENTS                        VALIDATED BY
1                Annual On-site PCI Data Security Assessment    Qualified Security Assessor (QSA)
                 Annual PCI Self-Assessment Questionnaire       Qualified Security Assessor (QSA)
                 Quarterly Network Scan                         Approved Scanning Vendor (ASV)
2                Annual PCI Self-Assessment Questionnaire       Qualified Security Assessor (QSA)
                 Quarterly Network Scan                         Approved Scanning Vendor (ASV)
3                Annual PCI Self-Assessment Questionnaire       Qualified Security Assessor (QSA)
                 Quarterly Network Scan                         Approved Scanning Vendor (ASV)
4*               Annual PCI Self-Assessment Questionnaire       Qualified Security Assessor (QSA)
                 Quarterly Network Scan                         Approved Scanning Vendor (ASV)

*PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by Level 4 Merchants.