PCI Data Security


Protecting the card information of your customers is a top priority to help your business remain trustworthy and successful. PCI Data Security is here to make sure your business keeps that image.

More information

  • Twelve Principal Requirements of PCI DSS


    PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

    Below are the twelve principal requirements of PCI DSS:

    Build and Maintain a Secure Network

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy

    12. Maintain a policy that addresses information security


    The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.

  • Importance of PCI DSS Compliance and/or Certification


    Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an ongoing basis.

    Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you, and your credit card processing services could be terminated.

    Compliance means that all requirements of the PCI DSS have been met. To become certified, an entity must engage a Qualified Security Assessor (QSA) to validate its compliance with PCI DSS. The QSA identifies areas of non-compliance, and the merchant must remedy each one. Once all areas of non-compliance have been addressed, the QSA re-evaluates and issues confirmation of compliance. Certification to PCI DSS is at the merchant's expense.

  • Merchant Levels and Validation Requirements


    It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS, regardless of the volume of transactions processed or the method by which they are processed. Certification requirements, however, vary by business and depend on your "Merchant Level".

    Merchant Levels

    Level 1
    • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually.
    • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
    • Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements.

    Level 2
    • Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually on one card plan.

    Level 3
    • Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.

    Level 4
    • Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
    • Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.

    * PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.


    Merchant Validation Requirements

    Level 1
    • Annual On-site PCI Data Security Assessment, validated by a Qualified Security Assessor (QSA)
    • Annual PCI Self Assessment Questionnaire
    • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV)
    Validation due date: MasterCard 06-30-05; Visa 12-31-05

    Level 2
    • Annual PCI Self Assessment Questionnaire, validated by a Qualified Security Assessor (QSA)
    • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV)
    Validation due date: MasterCard 12-31-08; Visa 12-31-05

    Level 3
    • Annual PCI Self Assessment Questionnaire, validated by a Qualified Security Assessor (QSA)
    • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV)
    Validation due date: MasterCard 06-30-04; Visa 12-31-05

    Level 4
    • Annual PCI Self Assessment Questionnaire, validated by a Qualified Security Assessor (QSA)
    • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV)
    Validation due date: Acquirer's Discretion

  • Service Providers

    A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. All service providers are required to comply with PCI DSS and to validate their compliance with PCI DSS through the services of a QSA. For more information regarding service providers, please see:

    Visa and MasterCard each publish a list of compliant service providers on their websites. For a list of service providers that have validated their compliance with PCI DSS, please see:

    Moneris recommends that merchants and partners that require a site scan for PCI DSS compliance refer to the PCI Council's list of Approved Scanning Vendors found here: https://pcidss.com/listing-category/asv-authorized-scanning-vendor/

  • Helpful/Related Links

    For more information on the PCI security standards and the Card Association compliance programs, please review the following websites:

    Industry Websites
    PCI Security Standards Council
    VISA Canada AIS Program
    MasterCard Worldwide SDP Program
    Trustwave

    Documentation
    PCI DSS Supporting Documentation
    PCI SSC FAQ
    PCI DSS Self Assessment Questionnaires
    List of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV)
    PA-DSS Documentation