Specifically targeted at meeting Visa’s Payment Application Mandate 5, WorldPay will roll out its Payment Application and Level 3 Level 4 Program beginning January 2010. In addition to meeting the Visa payment application mandates, this program is designed to assess Level 3 and Level 4 merchants based upon their risk. For starters, it is important to recognize our security partner who will assist us in meeting this challenge.
Arsenal Security Group is a Virginia-headquartered Qualified Security Assessor (QSA) with offices located throughout the United States and in London. WorldPay has entered into agreements with Arsenal Security Group to provide global security programs to our merchant base. These security programs range from payment application validation, to merchant PCI compliance, to data encryption and other security consulting efforts. They are a global PCI consulting provider and have expertise in dealing with large global Fortune 500 companies, along with smaller franchise locations and brick-and-mortar merchant businesses. They are a PCI-approved QSA and have over 25 years of PCI and IT consulting services.
In addition to the Visa mandates, announced in 2007, Visa also instituted a program called The Compliance Acceleration Program (CAP). As part of the CAP, acquirers were to create a plan to address PCI in the Level 3 and Level 4 population. Visa recommended a risk-based approach to enforcement across this large population. Currently, WorldPay monitors 100% of its Level 3 (e-commerce) customers by mandating compliance validation quarterly. Therefore, the Arsenal risk ranking program concentrates on the Level 4 population.
To put this in perspective, WorldPay's Level 4 merchant base is a significant portion of our considerable portfolio. It is evident, then, that managing compliance with the standards for this population would be difficult to achieve without implementing a risk-based approach.
With the rollout, the Level 3 Level 4 Payment Application Program will be delivered to customers boarded from 10-1-08 through 12-31-09. Effective January 1, 2010, this program will become part of the boarding process for all merchants on an ongoing basis, whereby any merchant in the boarding process will be subject to the program outlined below.
The program will involve WorldPay identifying merchants who are deemed higher risk based on initial boarding criteria. These merchants will be provided access to a complimentary PCI scan tool. This tool will scan a merchant's internal systems against three PCI factors: 1) Is the merchant storing cardholder data on the resident systems? 2) Do system passwords meet PCI requirement 8.5 criteria? 3) What is the exact payment application and version number utilized by the payment terminal? This information will be gathered and reviewed by WorldPay PCI management. Based on the results of the scan, next steps will be determined and discussed with the merchant. Examples of next steps could be deletion of cardholder data found, upgrading of a payment application, modifications to system password rules, no further action needed at all, or a combination of any of the above elements.
WorldPay Merchants Boarded 10-1-08 through 12-31-09
In October 2009, WorldPay began a test run of the new program with a population of approximately 500 merchants. The steps to this process are as follows:
- First notification letters were sent to the test population. These letters notified them of the WorldPay program, along with referencing the specific Visa mandates and the need for compliance. The letter instructed the merchants to perform the following actions:
  - Go to https://rbsworldpayus-vsreg.arsenalsecuritygroup.com and register for Arsenal Security Group’s SST (SmartSearch Technology). This is a free risk analysis tool provided to the merchants by WorldPay.
  - Upon completion of the SST download, both WorldPay and the merchant will receive notification of the results of the scan. The SST scan searches three elements:
    - Does the merchant have any unprotected cardholder data on their systems?
    - What is the merchant’s payment application?
    - Do the merchant’s passwords meet PCI standards?
  - The results of the scan are reviewed by a WorldPay PCI Manager and a decision is made concerning future action:
    - If the scan comes back as passing, there is no further action.
    - If the scan comes back as failing, the merchant must then enter Arsenal Security Group’s CMP (Compliance Management Portal).
  - Failure to perform the download of SST or enrollment in the CMP will result in a $25.00 per month penalty fee until action is performed:
    - The merchant has 60 days to download the SST.
    - The merchant has 90 days to complete the CMP.
    - The $25.00 fee may be reimbursed should the merchant notify WorldPay of its intent to perform the appropriate action.
- This test program will be reviewed at the end of 2009 for improvements to the process.
Newly Boarded WorldPay Merchants as of January 2010
- Effective January 2010, a mailing will be sent every two weeks to all merchants boarded within that time frame who were identified as Unknown.
- The process for existing merchants outlined in steps 1a will then commence.
- This process will become routine for all newly boarded merchants on the WorldPay platform.



