
Protecting Cardholder Data & Security Is Your Responsibility

Ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line.

As part of Moneris' ongoing provision of credit and debit card processing services, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.

It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. However, certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.

The PCI DSS is enforced by the Card Associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Moneris has taken the steps to provide our valued clients with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.



About PCI SSC

The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks - American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.

The PCI SSC currently manages the following security standards:

  • PCI Data Security Standard (DSS)
  • PCI PIN Entry Devices Program (PED)
  • PCI Payment Application Data Security Standard (PA-DSS)

The PCI SSC is also responsible for the training and qualification of security assessors and vendors that validate merchant and service provider compliance against these standards. The PCI SSC is not responsible for enforcing compliance to these standards. Enforcement of compliance is managed independently by the Card Associations.

For more information on the PCI SSC please visit www.pcisecuritystandards.org.

About PCI DSS

PCI DSS was created to ensure the protection of cardholder data. After a number of high-profile security breaches, it became apparent that a single global set of data security standards was required to assist merchants and service providers in protecting that data. Based on twelve principal requirements, PCI DSS requires merchants to secure their physical and virtual environments to ensure the protection of cardholder data. All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions, are required to be compliant with PCI DSS.

Twelve Principal Requirements of PCI DSS

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Below are the twelve principal requirements of PCI DSS, grouped under the standard's six control objectives:

Build and Maintain a Secure Network

1.) Install and maintain a firewall configuration to protect cardholder data

2.) Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3.) Protect stored cardholder data

4.) Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5.) Use and regularly update anti-virus software

6.) Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7.) Restrict access to cardholder data by business need-to-know

8.) Assign a unique ID to each person with computer access

9.) Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10.) Track and monitor all access to network resources and cardholder data

11.) Regularly test security systems and processes

Maintain an Information Security Policy

12.) Maintain a policy that addresses information security

The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.

Importance of PCI DSS Compliance and/or Certification

Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.

Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you and your credit card processing services could be terminated.

Compliance means all requirements of the PCI DSS have been met. To become certified, an entity must engage the services of a Qualified Security Assessor ("QSA") to validate the entity's compliance with PCI DSS. The QSA identifies areas of non-compliance, and the merchant must remedy each of them. Once all areas of non-compliance have been addressed, the QSA will re-evaluate and issue confirmation of compliance. Certification to PCI DSS is at the merchant's expense.

Merchant Levels and Validation Requirements

It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your "Merchant Level".

Merchant Level Description

Level 1
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.

Level 2
  • Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually on one card plan.

Level 3
  • Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.

Level 4
  • Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
  • Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.

* PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Merchant Validation Requirements

Level 1
  Validation requirements (validated by):
  • Annual On-site PCI Data Security Assessment (Qualified Security Assessor, QSA)
  • Annual PCI Self Assessment Questionnaire
  • Quarterly Network Scan (Approved Scanning Vendor, ASV)
  Validation due date: MasterCard: 06-30-05; Visa: 12-31-05

Level 2
  Validation requirements (validated by):
  • Annual PCI Self Assessment Questionnaire (Qualified Security Assessor, QSA)
  • Quarterly Network Scan (Approved Scanning Vendor, ASV)
  Validation due date: MasterCard: 12-31-08; Visa: 12-31-05

Level 3
  Validation requirements (validated by):
  • Annual PCI Self Assessment Questionnaire (Qualified Security Assessor, QSA)
  • Quarterly Network Scan (Approved Scanning Vendor, ASV)
  Validation due date: MasterCard: 06-30-04; Visa: 12-31-05

Level 4*
  Validation requirements (validated by):
  • Annual PCI Self Assessment Questionnaire (Qualified Security Assessor, QSA)
  • Quarterly Network Scan (Approved Scanning Vendor, ASV)
  Validation due date: Acquirer's discretion

Service Providers

A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. All service providers are required to comply with PCI DSS. In addition, all service providers are required to validate their compliance with PCI DSS through the services of a QSA. For more information regarding service providers, please see:

  • Visa Global Registry of Service Providers Program
  • MasterCard Worldwide Site Data Protection Program – Service Providers

Visa and MasterCard each publish a list of compliant service providers on their websites. For a list of service providers that have validated their compliance to PCI DSS, please see:

  • Visa Global Registry of Service Providers
  • MasterCard Worldwide Service Provider Listing

Moneris and Trustwave

Moneris has partnered with Trustwave to give our merchants access to the TrustKeeper® compliance portal, an online portal to help you comply with PCI DSS. Trustwave (www.trustwave.com) is a leading Qualified Security Assessor and an authorized QSA and PA-QSA for the PCI SSC. To enrol with Trustwave, please visit: https://pci.trustwave.com/moneris_solutions.

Trustwave Contact Information:
General: 1-312-873-7500 or info@trustwave.com
Sales: 1-888-878-7817 or infosales@trustwave.com
Support: 1-800-363-1621 or support@trustwave.com

Helpful/Related Links

For more information on the PCI security standards and the Card Association Compliance Programs, please review our Frequently Asked Questions and the following websites:

Industry Websites
  • PCI Security Standards Council
  • VISA Canada AIS Program
  • MasterCard Worldwide SDP Program
  • Trustwave

Documentation
  • PCI DSS Supporting Documentation
  • PCI SSC FAQ
  • PCI DSS Self Assessment Questionnaires
  • List of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV)
  • PA-DSS Documentation