Payment Card Industry Data Security Standard Information
and Security Assessment:
The new "Payment Card Industry Data Security Standard" for the first time aligns the security requirements and standards for all card types into one standard. Merchants and service providers who store, transmit, or process credit card transactions must comply with this standard. Failure to comply can result in permanent prohibition of the merchant's or service provider's participation in credit card processing programs, and a fine of up to $500,000 per incident. Furthermore, liability will shift from the card associations to the merchants, and payouts for fraud from the card associations will fall short if compliance is not met.
The requirements of the "Payment Card Industry Data Security Standard" are not unreasonable, and any business with any sense would want to have effective security controls such as those recommended in the standard.
Validation is required from 30 June 2005 onwards.
How can StationX help you?
StationX can help you understand the complexities of the "Payment Card Industry Data Security Standard". We offer comprehensive PCI compliance assessment and readiness services to make sure you achieve PCI compliance. After the successful completion of our assessment and readiness work, we will engage with our partner Qualified Security Assessor to perform an independent audit and certify the results. We are specialists in this area and have been performing security assessments since 1996. We are both fast and efficient while at the same time maintaining the utmost integrity in the quality of our audits.
Information on Understanding the PCI Security Standard
Visa's Announcement
December 16, 2004: “In pursuit of a single approach to safeguarding sensitive data for all card brands, Visa and MasterCard have collaborated in creating common industry security requirements. The alignment of Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP) Program has led to the formation of a worldwide standard for consumer data protection across the payment industry that will be known as the Payment Card Industry (PCI) Data Security Standard. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.”
See Visa's Letter to Merchants.
Assuring that cardholder information is handled in a secure manner is a major priority for the card associations. All merchants and service providers will be required to meet the compliance guidelines.
The PCI Data Security Standard replaces the following previously independent security standards:
- Visa Cardholder Information Security Program (CISP)
- MasterCard Site Data Protection Program (SDP)
- American Express Data Security Operating Policy (DSOP)
- Discover Information Security and Compliance (DISC)
The primary benefit of aligning all these standards under a single
standard is to create a commonly accepted set of industry tools
and measurements resulting in a single validation process that will
satisfy all the card associations. By having a single set of standards
to validate against, the process is intended to be much less complex
for the merchant.
Q. What are the Merchant Levels and Compliance Validation Requirements?
- Visa transaction volumes are tied to authorisations.
- MasterCard transaction volumes are tied to settlements.
The table below summarizes the criteria for compliance:
Merchant Level 1
Selection Criteria:
1. Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
2. Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
3. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
4. Any merchant identified by any other payment card brand as Level 1.
Validation Actions:
1. Annual On-Site Security Audit.
2. Quarterly Network Scan.
Validation By:
1. Independent Security Assessor, or Internal Audit if signed by an Officer of the company.
2. Qualified Independent Vendor.
Deadline: Merchants should have validated compliance by September 30, 2004.

Merchant Level 2
Selection Criteria: Any e-commerce merchant processing 150,000 to 6,000,000 Visa transactions per year.
Validation Actions:
1. Annual PCI Self-Assessment Questionnaire.
2. Quarterly Network Scan.
Validation By:
1. Merchant.
2. Qualified Independent Vendor.
Deadline: Validation is required no later than June 30, 2005.

Merchant Level 3
Selection Criteria: Any e-commerce merchant processing 20,000 to 150,000 Visa transactions per year.
Validation Actions:
1. Annual PCI Self-Assessment Questionnaire.
2. Quarterly Network Scan.
Validation By:
1. Merchant.
2. Qualified Independent Vendor.
Deadline: Validation is required no later than June 30, 2005.

Merchant Level 4
Selection Criteria: All other merchants, regardless of acceptance channel.
Validation Actions:
1. Recommended Annual PCI Self-Assessment Questionnaire.
2. Recommended Annual Network Scan.
Validation By:
1. Merchant.
2. Qualified Independent Vendor.
Deadline: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended.
Summary of merchant validation requirements:
Level | Annual On-Site Audit | Annual Self-Audit (PCI Self-Assessment Questionnaire) | Quarterly Scan by Independent Vendor | Annual Scan by Independent Vendor
1 | Independent Qualified Security Assessor, or Internal Audit signed by Company Officer | | Required |
2 | | Required | Required |
3 | | Required | Required |
4 | | Recommended | | Recommended
Q. What are the Service Provider Levels and Compliance Validation Requirements?
- Visa transaction volumes are tied to authorisations.
- MasterCard transaction volumes are tied to settlements.
The table below summarizes the criteria for compliance:
Service Provider Level 1
Selection Criteria: All VisaNet processors, payment gateways, and Internet Payment Service Providers, regardless of transaction volumes.
Validation Actions:
1. Annual Onsite Security Audit.
2. Quarterly Network Scan.
Validation By:
1. Independent Security Assessor.
2. Qualified Independent Vendor.
Deadline: Service providers should have validated compliance by September 30, 2004.

Service Provider Level 2
Selection Criteria: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
Validation Actions:
1. Annual Onsite Security Audit.
2. Quarterly Network Scan.
Validation By:
1. Independent Security Assessor.
2. Qualified Independent Vendor.
Deadline: Validation is required no later than June 30, 2005.

Service Provider Level 3
Selection Criteria: Any service provider that is not in Level 1 and stores, processes, or transmits less than 1,000,000 Visa accounts/transactions annually.
Validation Actions:
1. Annual PCI Self-Assessment Questionnaire.
2. Quarterly Network Scan.
Validation By:
1. Service provider.
2. Qualified Independent Vendor.
Deadline: Validation is required no later than June 30, 2005.
Summary of service provider validation requirements:
Level | Annual On-Site Audit | Annual Self-Audit (PCI Self-Assessment Questionnaire) | Quarterly Scan by Independent Vendor | Annual Scan by Independent Vendor
1 | Independent Qualified Security Assessor | | Required |
2 | Independent Qualified Security Assessor | | Required |
3 | | Required | Required |
Q. What are the Requirements of the Merchants and Service Providers?
For those who are familiar with the Visa Cardholder Information Security Program (CISP), the new "Payment Card Industry Data Security Standard" is a reorganized version of the original Visa CISP list of 12 requirements. Below is a summary of these:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all “system components”, defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.
Q. What are the Penalties and Fines?
Failure to comply can result in permanent prohibition of the merchant’s participation in credit card processing programs, and a fine of up to $500,000 per incident. Furthermore, liability will shift from the card associations to the merchants, and payouts for fraud from the card associations will fall short if compliance is not met.
Q. What is a Qualified Independent Vendor?
A qualified independent vendor provides an online self-assessment
questionnaire and performs the required penetration testing to assure
compliance. We are a qualified independent vendor.
Q. When does the PCI Data Security Standard come into effect?
The new alignment of Visa and MasterCard’s requirements,
compliance criteria and validation processes will take effect immediately.
Q. When must Merchants and Payment Service Providers begin using the
new Payment Card Industry (PCI) Data Security Standard materials?
The Payment Card Industry Standards, Security Audit Procedures,
Self Assessment Questionnaire and Security Scanning Requirements
are effective immediately. However, for compliance validation assessments
currently underway, the old AIS materials can be used.
Q. When does the new validation requirement for annual service provider onsite audits become effective?
For service provider compliance validation annual renewals due before March 31st 2005, the old validation actions (a network security scan and a Self-Assessment Questionnaire only) can be used, as long as the service provider has not been identified as high risk due to a previous hack or compromise. The service provider must, however, use the new PCI Security Standard Security Scan procedures and Self-Assessment Questionnaire. For all annual service provider renewals due after 1 April 2005, and for all first-time service provider assessments, an onsite audit is required.
Q. What happens to Visa’s Account Information Security (AIS)
and MasterCard’s Site Data Protection (SDP) programmes?
Visa’s AIS and MasterCard’s SDP programmes will continue
to exist, but will adhere to the new PCI Data Security Standard.
Q. If a Merchant or Service Provider has already been approved through the AIS programme, do they need to revalidate using the PCI Data Security Standard?
No, only at the time of their annual AIS compliance renewal. As AIS requires ongoing compliance validation, Members, merchants and service providers who have already been approved through the AIS programme must consider the new PCI Data Security Standard and the aligned compliance validation requirements as they prepare for their annual renewal.
Q. How does Account Information Security affect merchants?
The Account Information Security (AIS) programme was developed to define protection requirements for the management of sensitive account and transaction information in the Visa acceptance environment. The programme helps merchants protect their customers’ information from hacking and fraud. Merchants ultimately benefit by lowering their liability, building a compelling reputation for transaction safety, and eliminating the possibility of damaging negative publicity due to compromise.
Q. In what way am I responsible as an Acquirer?
It is the Acquirer’s duty as a Member of Visa to ensure that
all their Merchants and agents are compliant. If a Merchant/agent
is victim of a compromise, and it is confirmed that the compromise
is due to non-implementation or partial implementation of the AIS
Programme, the Acquirer will be deemed responsible by the Visa membership,
and Visa EU may fine the Acquirer for AIS non-compliance, at a rate
of 5 euros per compromised account (VISA EU Operating Regulations
2.5).
Q. Is AIS only for e-commerce merchants?
No. AIS is for all Merchants. Under the AIS Programme, Acquirers
are liable for compromise taking place at any of their Merchants
and agents (VIOR 2.2.E.1).
Q. How do I as an Acquirer self-certify my compliance status?
Acquirers and Processors can self-certify their compliance status
annually by completing the ‘AIS Self-Certification’
form and confirming whether they are compliant, partially compliant,
or non-compliant. A compliant Acquirer is one that has validated
that their merchants and agents are compliant in accordance with
the AIS Compliance Validation Requirements for Merchants and Service
Providers. All non-compliant and partially compliant Acquirers have
to submit an action plan to Visa EU, which will review it for appropriateness
and effectiveness and confirm acceptance.
Q. How do I as a service provider become certified with the AIS programme requirements?
A service provider needs to contract with an independent vendor or QSA to perform their assessment. The results of service providers’ assessments will need to be sent to Visa, and to the Acquirer if they require it. If no non-compliances are found, Visa will approve the service provider’s scan, audit or Self-Assessment Questionnaire report and list the service provider as ‘Certified’ on the Visa website. If some non-compliances are found, Visa will request that the service provider address the non-compliances in an action plan that will be monitored until completion.
Q. How do I as a merchant become certified with the AIS
programme requirements?
Merchants must contact their Acquirer to determine the method and
approach by which they will become certified. The Acquirer may suggest
a vendor for the merchant to contract with to provide AIS validation
services. Acquirers will inform Visa of their merchants’ compliance
status on the annual self-certification statement.
Q. How long will the certification process take?
This depends on whether a merchant or service provider requires
an audit, or a questionnaire. It is recommended that the whole process
takes no longer than 60 days from start to finish. If an organisation
takes longer than 60 days to complete their assessment, it is possible
that their current assessment will be cancelled and they may need
to start again.
Links to Other Resources on Payment Card Industry Data Security Standard:
- Payment Card Industry Data Security Standard "Security Scan Procedures" - The procedures and guidelines for conducting network and application security scans, penetration testing and security assessments. This would be used by Level 2, 3 and 4 merchants wishing to do an independent assessment, and by companies such as StationX.
- Payment Card Industry Data Security Standard "Audit Procedures and Reporting" - This document is used by those merchants and service providers who require an onsite review to validate compliance with the "Payment Card Industry Data Security Standard" and to create the report of compliance.
- Visa's Official CISP Web page - The CISP is now replaced by the new PCI Data Security Standard, but there are lots of links here to relevant information about the PCI Data Security Standard.
- Visa cuts CardSystems over security breach [July, 2005] - "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's SVP for operations, in a memo leaked to The New York Times. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."
Telephone: +44 (0)208 560 5621
Telephone: +44 (0)7970 870 381
Instant Support line: 0904 194 0808
E-mail: