Cardholder Data Security is your Responsibility

Ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line.

As part of Moneris' ongoing provision of credit and debit card processing services, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.

It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. However, certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.

The PCI DSS is enforced by the Card Associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Moneris has taken the steps to provide our valued clients with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.

About PCI SSC

The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks - American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.

The PCI SSC currently manages the following security standards:

  • PCI Data Security Standard (DSS)
  • PCI PIN Entry Devices Program (PED)
  • PCI Payment Application Data Security Standard (PA-DSS)

The PCI SSC is also responsible for the training and qualification of security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance to these standards. Enforcement of compliance is managed independently by the Card Associations.

For more information on the PCI SSC please visit www.pcisecuritystandards.org.

About PCI DSS

PCI DSS was created to ensure the protection of cardholder data. After a number of high-profile security breaches, it became apparent that a single global set of data security standards was needed to give merchants and service providers a common set of requirements to meet. Based on twelve principal requirements, PCI DSS requires merchants to secure their physical and virtual environments to protect cardholder data. All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions, are required to be compliant with PCI DSS.

Twelve Principal Requirements of PCI DSS

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Below are the twelve principal requirements of PCI DSS:

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security

The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.

Importance of PCI DSS Compliance and/or Certification

Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.

Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you and your credit card processing services could be terminated.

Compliance means that all requirements of the PCI DSS have been met. To become certified, an entity must engage a Qualified Security Assessor ("QSA") to validate its compliance with PCI DSS. The QSA identifies areas of non-compliance, and the merchant must remedy each of them. Once all areas of non-compliance have been addressed, the QSA re-evaluates and issues confirmation of compliance. Certification to PCI DSS is at the merchant's expense.

Merchant Levels and Validation Requirements

It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your "Merchant Level".

Level 1
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.

Level 2
  • Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually on one card plan.

Level 3
  • Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.

Level 4
  • Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
  • Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.

* PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Merchant Validation Requirements

For each merchant level, the validation requirements, who validates them, and the validation due date are as follows.

Level 1
  • Annual On-site PCI Data Security Assessment. Validated by: Qualified Security Assessor (QSA). Due date: MasterCard 06-30-05; Visa 12-31-05.
  • Annual PCI Self Assessment Questionnaire.
  • Quarterly Network Scan. Validated by: Approved Scanning Vendor (ASV).

Level 2
  • Annual PCI Self Assessment Questionnaire. Validated by: Qualified Security Assessor (QSA). Due date: MasterCard 12-31-08; Visa 12-31-05.
  • Quarterly Network Scan. Validated by: Approved Scanning Vendor (ASV).

Level 3
  • Annual PCI Self Assessment Questionnaire. Validated by: Qualified Security Assessor (QSA). Due date: MasterCard 06-30-04; Visa 12-31-05.
  • Quarterly Network Scan. Validated by: Approved Scanning Vendor (ASV).

Level 4
  • Annual PCI Self Assessment Questionnaire. Validated by: Qualified Security Assessor (QSA). Due date: Acquirer's Discretion.
  • Quarterly Network Scan. Validated by: Approved Scanning Vendor (ASV).

Service Providers

A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. All service providers are required to comply with PCI DSS. In addition, all service providers are required to validate their compliance with PCI DSS through the services of a QSA. For more information regarding service providers please see:

Visa and MasterCard each publish a list of compliant service providers on their websites. For a list of service providers that have validated their compliance with PCI DSS please see:

Moneris and Trustwave

Moneris has partnered with Trustwave to give our merchants access to the TrustKeeper® compliance portal, an online portal to help you comply with PCI DSS. Trustwave (www.trustwave.com) is a leading Qualified Security Assessor and an authorized QSA and PA-QSA for the PCI SSC. To enrol with Trustwave, visit https://pci.trustwave.com/moneris_solutions.

Trustwave Contact Information:
  • General: 1-312-873-7500 or info@trustwave.com
  • Sales: 1-888-878-7817 or infosales@trustwave.com
  • Support: 1-800-363-1621 or support@trustwave.com

Helpful/Related Links

For more information on the PCI security standards and the Card Association Compliance Programs please review the following websites:

Industry Websites
  • PCI Security Standards Council
  • VISA Canada AIS Program
  • MasterCard Worldwide SDP Program
  • Trustwave

Documentation
  • PCI DSS Supporting Documentation
  • PCI SSC FAQ
  • PCI DSS Self Assessment Questionnaires
  • List of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV)
  • PA-DSS Documentation