Cardholder Data Security Requirements Overview
Security concerns continue to play a major role in purchases made via the Internet. For online merchants, a hacker break-in can have potentially devastating consequences, including service disruptions, vandalism, extortion, and the loss of consumer confidence.
Because of the potential risk, Visa, MasterCard, Discover® Network and other card associations require merchants to keep all systems and media containing cardholder account information secure, to prevent access by, or disclosure to, any unauthorized party. Additionally, all sensitive cardholder information that the merchant no longer considers necessary to retain must be destroyed in a manner that renders the data unreadable.
If an intrusion occurs, the merchant must notify IMS immediately and provide complete information about the compromise. The merchant may be required to engage a data security firm to assess the vulnerabilities of the merchant's data storage and systems.
To help combat the security threats associated with electronic commerce, the associations (MasterCard, Visa, Discover Network and others) have developed cardholder data security requirements for all merchants storing account data. This compliance initiative is known collectively as PCI. The payment card industry standards are available at the following Web sites: https://sdp.mastercardintl.com, http://usa.visa.com/business/merchants/cisp_index.html and http://www.discovernetwork.com/fraudsecurity/disc.html. We encourage you to visit these Web sites to obtain the complete requirements, as failure to comply with the security standards or failure to rectify a security issue may result in fines, restrictions, or permanent prohibition from participating in the card acceptance program. Fines or assessments imposed will be the responsibility of the merchant. A summary of each program is outlined below.
The PCI Requirements
An easy-to-remember list of 12 basic security requirements, grouped under six headings, with which all payment system constituents need to comply:
| Data Security Standard |
| Build and Maintain a Secure Network |
| Protect Cardholder Data |
| Maintain a Vulnerability Management Program |
| Implement Strong Access Control Measures |
| Regularly Monitor and Test Networks |
| Maintain an Information Security Policy |
Separate from the mandate to comply is the validation of compliance. Listed below are the current criteria for validation.
Service provider levels defined
Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:
| Level | Description |
| 1 | All VisaNet processors (member and Nonmember) and all payment gateways.* |
| 2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. |
| 3 | Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. |
*Payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.
Compliance validation basics
In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.
| Level | Validation Action | Validated By | Due Date |
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly Network Scan | Qualified Data Security Company; Qualified Independent Scan Vendor | 9/30/04 |
| 2 | Annual On-Site PCI Data Security Assessment; Quarterly Network Scan | Qualified Data Security Company; Qualified Independent Scan Vendor | 9/30/04 |
| 3 | Annual PCI Self-Assessment Questionnaire; Quarterly Network Scan | Service Provider; Quarterly Network Scan | 9/30/04 |