How do I know if I am storing any data?
There are two strategies for determining whether cardholder data is in your environment. First, speak with all software and POS vendors to determine whether their solutions have ever stored cardholder data; it is possible that a solution stored it in the past and the data was never removed. Second, use a software tool to scan your environment for cardholder data (for example, Trustwave's TrustKeeper Agent).
Can I store magnetic stripe data?
It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. Payment brands strictly prohibit storage of the contents of the magnetic stripe as a unit. However, the following individual data elements may be retained subsequent to transaction authorization:
- Cardholder Account Number (in an encrypted format)
- Cardholder Name
- Card Expiration Date
Cardholder data that may not be stored subsequent to transaction authorization includes:
- Magnetic stripe data (track 1, track 2 data)
- Card Security Codes (CVC2, CVV2, CID)
- PIN blocks
- Service codes
Can I store security code data (such as CVV2)?
It is never acceptable to retain card security codes.
Who is the Payment Card Industry Security Standards Council?
The PCI-SSC is an independent body responsible for the development and ongoing evolution of security standards for account data protection.
Does the PCI-SSC enforce merchant compliancy?
No, the PCI-SSC sets the standards for data protection, and the payment brands utilize these standards in their rules and regulations. Typically, a payment brand's rules and regulations will require merchants to be PCI compliant.
Does the PCI-SSC have a website?
Yes, it is www.pcisecuritystandards.org.
Can I participate?
Yes, merchants, payment devices and services vendors, processors, financial institutions and others are eligible for membership as participating organizations. Please go here for further information.
What is data security?
Data Security is a term that refers to the strategies employed for the protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
What is PCI-DSS?
The Payment Card Industry Data Security Standard is a security initiative designed to offer merchants a single approach to safeguarding sensitive data for all card brands.
What are the 12 requirements?
Build and Maintain Network
- Install and maintain a firewall
- Do not use vendor-supplied default passwords
Protect Cardholder Data
- Protect any stored data
- Encrypt all transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Update antivirus software
- Develop and maintain secure systems and applications
Implement Strong Access Controls
- Restrict access to cardholder data on a need-to-know basis
- Assign unique IDs
- Restrict physical access to cardholder data
Regularly Test and Monitor Networks
- Track and monitor all access
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
What is in scope of the PCI-DSS?
All parts of a merchant's or service provider's payment environment that store, process, transmit or have access to cardholder data. In addition, any system that is connected to one of those systems and not separated from it by network segmentation is also in scope for PCI DSS.
Does PCI apply to me?
PCI is directed to all entities that store, process, transmit or have access to cardholder data.
Is PCI compliance mandatory?
Yes. Compliance with PCI is mandatory for all entities that store, process, transmit or have access to cardholder data.
Where can I find PCI documents and information?
PCI documents may be found by navigating the PCI-SSC website.
What is the Prioritized Approach?
For a detailed explanation, please visit the PCI SSC webpage dedicated to the Prioritized Approach.
How do I validate PCI compliance?
All merchants will fall into one of the four merchant levels based on annual Visa or MasterCard transaction volume. The transaction volume is based on the aggregate number of Visa or MasterCard transactions from a Doing Business As (DBA) or a chain of stores (not of a corporation that has several chains). A merchant's level determines what is required and how they validate PCI compliance.
What data security reporting level am I?
Level 1 - Over 6 million Visa or MasterCard transactions in a 12 month period
Level 2 - Between 1 and 6 million Visa or MasterCard transactions in a 12 month period
Level 3 - Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12 month period
Level 4 - Less than 20,000 e-commerce or less than 1 million transactions with one card brand in a 12 month period
How does my merchant level validate compliance?*
The matrix below shows validation requirements based on data security reporting levels.
| Level | Criteria | Requirements |
| --- | --- | --- |
| 1 | Over 6 million Visa or MasterCard transactions in a 12 month period | Onsite assessment performed by a QSA; quarterly network scans |
| 2 | Between 1 and 6 million Visa or MasterCard transactions in a 12 month period | Self-Assessment Questionnaire performed by accredited internal staff, or onsite assessment by a QSA; quarterly network scans |
| 3 | Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12 month period | Self-Assessment Questionnaire (SAQ); quarterly network scans |
| 4 | Less than 20,000 e-commerce or less than 1 million transactions with one card brand in a 12 month period | Self-Assessment Questionnaire (SAQ); quarterly network scans; submission to acquirer not mandatory |
*Different payment brands have their own guidelines on data security reporting levels. For example, American Express utilizes different reporting standards than Visa.
What is a Self Assessment Questionnaire?
The SAQ is a document intended to be a validation tool for merchants and service providers to self evaluate their payment environment for compliance with the PCI-DSS. More information on the SAQ may be found here.
What is a network vulnerability scan?
A network vulnerability scan uses an automated tool to check a merchant's or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan that remotely reviews networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services, and devices that could be used by attackers to target the company's private network. As required of Approved Scanning Vendors, the tool does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed.
What is an Approved Scanning Vendor (ASV)?
An ASV is an entity approved by the PCI-SSC to conduct network vulnerability scans for merchants and service providers to validate PCI compliance. For the full list of Approved Scanning Vendors, visit the PCI-SSC webpage.
What is a Third Party Provider (TPP) or Service Provider?
An entity, not defined as a VisaNet Processor, that provides payment-related services, directly or indirectly, to a member and/or stores, processes, transmits or has access to third-party cardholder data.
What if I have outsourced the storage, processing, or transmission of cardholder data to a third party other than Chase Paymentech?
If a merchant uses a third party provider to outsource its payment processing, it is that merchant's responsibility to ensure that the third party provider is PCI compliant. A merchant outsourcing to a third party provider is liable for its customers' cardholder data involved in any data breach of that third party provider.
Visa and MasterCard maintain global lists of PCI-DSS validated service providers; please note that these lists cover large service providers. A service provider may be PCI compliant and still not appear on Visa's or MasterCard's list; in that case, the service provider should hold a letter from Visa or MasterCard certifying its compliance. Lists of validated service providers:
Visa
MasterCard
What is a payment application?
A payment application is computer software utilized by a merchant or service provider that is involved in authorization and settlement of credit or debit card transactions.
What is Payment Application-Data Security Standard (PA-DSS)?
The PA-DSS is a set of standards that ensures payment applications are secure, and which promotes merchants' and service providers' PCI DSS compliance efforts. When a payment application meets the requirements of the PA-DSS, that application is deemed a PA-DSS compliant payment application. Using a PA-DSS compliant payment application is one of the requirements for being PCI compliant.
What are POS-PED security requirements?
A Point of Sale-PIN Entry Device is a device that allows customers the option to enter a PIN when using a debit card. Due to the nature of these devices, the PCI-SSC has security requirements to ensure customers' PINs are secure. The PCI-SSC maintains a list of approved PIN Entry Devices for use in a PCI compliant environment.
Where can I get a list of approved compliant POS-PED?
The PCI-SSC list of POS-PED may be found here.
What are payment brand requirements?
Payment brands require that any entity that stores, processes, transmits or has access to cardholder data be PCI compliant. One of the many requirements for an entity to be PCI compliant is the use of a PA-DSS compliant payment application and, if applicable, an approved PIN Entry Device.
What is a data compromise?
It is a deliberate electronic attack on the communications or information processing systems exposing cardholder account information to third parties, and placing cardholders at risk of fraudulent use. This attack can be initiated by a disgruntled employee, a malicious competitor, or a misguided hacker. Attacks often result in damage or disruption to the entire payment system.
What is a network intrusion?
A network intrusion occurs when a third party gains unauthorized access to an entity's computer network environment or payment system, most typically in an effort to illegally obtain and exfiltrate cardholder data. The unauthorized party will typically install "malware" on the system as the vehicle for illegally obtaining cardholder data. Once cardholder data has been obtained, the network intrusion is considered a data compromise.
What is malware?
Malware is computer software used by an attacker as the vehicle to obtain and exfiltrate cardholder data. Malware can be pre-existing software or developed entirely custom by the attacker.
How do I know if I've been compromised?
Detecting a network intrusion is typically not an easy task, even for a vigilant and aware merchant. It is therefore important to be able to distinguish normal events from an unauthorized intrusion. There are certain signs that may appear when an unauthorized intrusion has occurred. Please refer to page 4 of Visa's document What To Do If Compromised for a list of indicators of a breach.
What do I do if I've been compromised?
In the event a security incident is detected, immediate action must be taken to limit the exposure of cardholder data. The damage must be contained quickly, customer data protected, the root cause found, and an accurate record of events produced for authorities.
If you are a Chase Paymentech merchant, click here to report an incident. A member of the data compromise team will respond promptly.
Will I be fined if I am compromised?
If a merchant is compromised, they may be subject to various penalties in addition to the fines associated with non-compliance; some of these include, but are not limited to:
- Fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward).
- Any additional fraud prevention/detection costs incurred by card issuers associated with the compromise, including but not limited to expenses associated with card issuers' monitoring of card accounts and reissuance of potentially affected cards.
- Assessment of fines from the Association for any merchant or service provider that is compromised. The assessment of fines will vary depending on the level of PCI compliance and the number of cited violations.
How do I report an incident?
If you have detected an incident on your system, contact your acquirer immediately to obtain an incident report. Your acquirer will coordinate communication with the payment brands regarding your incident. If you are a Chase Paymentech merchant, click here to report an incident.
Do I need to notify my customers?
Please refer to the State Security Breach Notification Laws. You should consult your legal counsel and company policies when making a public notification of a data breach.
For card brand updates on data security, visit the Merchant Support Center