Frequently asked questions about the Payment Card Industry Data Security Standard (PCI DSS)
- Please remind me of the background to the Payment Card Industry Data Security Standard (PCI DSS)?
- Can you please explain what the PCI DSS levels are?
- What are the current PCI DSS compliance deadlines?
- We recently heard of a new initiative from the PCI Security Council called Prioritized Approach. Can you please explain what this is and how it affects our work towards compliance?
- Why is WorldPay putting so much pressure on us to become compliant?
- Once we have achieved full compliance - is that it?
- Why do I have to keep having the Vulnerability Scans / complete the Self Assessment Questionnaire (SAQ) / have on site audits?
- I do not understand all the questions/particular question on the Self Assessment Questionnaire (SAQ) what can I do?
- If I do not pass the vulnerability scan how long do I have to correct it?
- Can you please explain the rules around pre-authorization and the storage of sensitive data?
- Are there any guidelines around the storing of voice recordings?
- How much does it cost to become PCI DSS compliant?
- Can WorldPay provide answers to some of the more detailed technical questions we have with regards to PCI DSS?
- In the event of a data compromise on the WorldPay system what protection can we expect?
- What is the correct process to follow if we suspect a data compromise on our systems?
- Please remind me of the background to the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security. The founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International) developed the standard to help facilitate the broad adoption of consistent data security measures on a global basis.
Put simply, PCI DSS is about preventing card payment information held by merchants, or their third parties, from being used fraudulently, and about avoiding all the consequential financial and reputational losses associated with this.
The PCI Security Standards Council assumed responsibility for PCI DSS in 5 main areas:
- Develop and maintain a global, industry-wide technical data security standard for the protection of account holder information.
- Reduce costs and lead times for Data Security Standard implementation and compliance by establishing common technical standards and audit procedures for use by all payment brands.
- Provide a list of globally available, qualified security solution providers via its Web site to help the industry achieve compliance.
- Lead training, education, and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), providing a single source of approval recognized by all five founding members.
- Provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of data security standards.
PCI DSS applies to every business that accepts or processes payment cards. It applies equally to manual processing and storage of cardholder information and to electronic methods of storage.
A merchant can only reach compliance if its associated third parties are also compliant.
If you want to access the detailed standard, please visit the PCI Security Standards Council site at https://www.pcisecuritystandards.org/ or email PCISecurity@WORLDPAY.US.
- Can you please explain what the PCI DSS levels are?
MasterCard and Visa both classify merchants according to the number of transactions processed. The levels are explained in more detail below.
Level 1
- Any merchant processing over 6,000,000 Visa or MasterCard transactions per year (all acceptance channels), AND any merchant compromised in the last year or identified by a card scheme
- Annual Report on Compliance (ROC) by either a Qualified Security Assessor (QSA) or a qualified internal security resource
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance Form
Level 2
- Any merchant processing one million to six million Visa or MasterCard transactions per year
- Annual Self Assessment Questionnaire (SAQ)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance Form found within the Self Assessment Questionnaire (SAQ)
Level 3
- Any eCommerce merchant processing up to one million Visa or MasterCard eCommerce transactions per year
- Annual Self Assessment Questionnaire (SAQ)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance Form found within the Self Assessment Questionnaire (SAQ)
Level 4
- Any merchant processing less than 20,000 Visa or MasterCard eCommerce transactions per year, and all other merchants processing up to one million Visa or MasterCard transactions per year
- Annual Self Assessment Questionnaire (SAQ) recommended
- What are the current PCI DSS compliance deadlines?
Currently, Level 1 merchants must successfully:
- Complete annual on-site assessments, conducted by a PCI Security Standards Council (PCI SSC)-approved Qualified Security Assessor (QSA) or by an internal auditor or equivalent
- Pass quarterly scans by a PCI SSC-approved Scanning Vendor (ASV)
By June 30, 2011, according to MasterCard’s latest revisions to its SDP program, Level 1 merchants who use internal auditors (or the equivalent) to complete on-site assessments must ensure that their auditors:
- Attend PCI SSC merchant training programs, which have yet to be announced
- Pass annual PCI SSC-associated accreditation programs
- Pass quarterly scans by a PCI SSC-approved Scanning Vendor (ASV)
Currently, Level 2 merchants must successfully:
- Complete annual Self-Assessment Questionnaires (SAQs)
- Pass quarterly scans by a PCI SSC-approved Scanning Vendor (ASV)
By June 30, 2011, according to MasterCard’s latest revisions to its SDP program, Level 2 merchants must validate their compliance through an annual SAQ. They must also make sure that the internal auditor (or the equivalent) who conducts the SAQ does the following:
- Attend PCI SSC-offered merchant training programs, which have yet to be announced
- Pass annual PCI SSC-associated accreditation programs (to continue the option of self assessment for compliance validation)
- Pass quarterly scans by a PCI SSC-approved Scanning Vendor (ASV)
- Alternatively, Level 2 merchants may, at their own discretion, complete an annual on-site assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA)
- We recently heard of a new initiative from the PCI Security Council called Prioritized Approach. Can you please explain what this is and how it affects our work towards compliance?
The Prioritized Approach is a new advisory document to help merchants completing Self Assessment Questionnaire (SAQ) D to reach compliance using a risk-based approach. It provides guidance, based on insight from recent data compromises, on how to focus PCI DSS compliance work in a way that prioritizes the highest security risks.
This approach groups the requirements of PCI DSS v1.2 into six key milestones. A merchant can assess where they are against the Prioritized Approach by using the tool available on the PCI SSC website, which allows organizations to mark the requirements they are compliant with and returns the percentage compliance reached for each individual milestone and for the full PCI DSS.
In order to show the Card Schemes that you are progressing towards compliance, we require you to report on your progress against the Prioritized Approach, even if you are not following it as a remediation plan. This way we can defend your position with the Card Schemes, especially if you are in the strong position of having reached at least milestone four.
Use of the Prioritized Approach is optional for merchants.
For more information, and to access the Prioritized Approach tool, please visit the PCI SSC website: https://www.pcisecuritystandards.org/education/prioritized.shtml
- Why is WorldPay putting so much pressure on us to become compliant?
WorldPay is required to provide full and detailed updates to Visa, MasterCard and Discover on merchants' progress towards compliance. These reports are required monthly by Visa, quarterly by MasterCard and semiannually by Discover.
The level of progress reported can significantly help to reduce the threat of Card Scheme-imposed fines. Over and above this, there are compromise and fraud costs associated with any breach, plus of course the potential loss of reputation.
- Once we have achieved full compliance - is that it?
PCI DSS is an ongoing requirement and you are expected to renew your compliance certificate every year. This involves either completing an annual on-site security audit or a Self Assessment Questionnaire, and if you have an eCommerce presence you will have to continue performing (and passing) quarterly network scans.
In gaining compliance it is important to remember that this process needs to be a holistic approach, and any changes you implement need to be PCI DSS compliant.
Please also remember that your third parties are required to continue to be PCI DSS compliant too.
If you have any questions or require assistance you can contact the PCI DSS team at PCISecurity@WORLDPAY.US
- Why do I have to keep having the Vulnerability Scans / complete the SAQ / have on site audits?
Fraudsters will always be looking for ways to get hold of cardholder data, and a system that is secure now may not be so in the future. It is important to keep the most up-to-date protection on your systems. The test tools employed by the vendors will be continually updated to meet the changing needs of the market. Therefore the more often you scan, the quicker you will be aware of any issues with your firewalls etc.
- I do not understand all the questions/particular question on the Self Assessment Questionnaire (SAQ) what can I do?
Please talk to the vendor who will be carrying out the vulnerability scans or on-site audits. They have a great deal of expertise in this area and will be able to provide guidance. Furthermore, there are some very useful sections on SAQs on the PCI Security Council's own website at: https://www.pcisecuritystandards.org/
- If I do not pass the vulnerability scan how long do I have to correct it?
You should look to correct any deficiencies identified in the scan as soon as possible. Discuss this with your Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as they will be able to offer advice on what to do. The longer it is left the more likely a fraudster will be able to hack into your systems.
- Can you please explain the rules around pre-authorization and the storage of sensitive data (also referred to as Track II, CVV2 etc)?
Card Schemes have never permitted the storage of sensitive data (track data and/or CVV2) post-authorization. In addition, since 2007 Visa has focused, through communication and compliance activity, on the removal of this data.
Storage of this sensitive data can heavily increase the threat of Card Scheme-imposed fines, plus the threat of serious fraud.
If you have someone at WorldPay managing the updates on your progress to the Card Schemes, you must make them aware immediately if you suspect that your systems are storing sensitive data.
- Are there any guidelines around the storing of voice recordings?
Many merchants use a call center to accept payments from their customers, and this generally means that payments will be taken over the phone. If this data is being recorded in an analogue format (i.e. on tape) and there is no way to access this data other than by manually searching through it, then the tapes must be subject to the same level of security as normal paper transaction records. Access to this data must be restricted and it must be held in a secure storage facility.
If this data is stored electronically and could be searched using data mining or other automated means, the same access control methods would need to be adopted as for any storage of digital media. This will include the removal of the CVV2 checks after authorization, and will involve rendering the PAN unreadable using any of the accepted techniques.
If in doubt you must contact a Qualified Security Assessor (QSA).
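As an added illustration of the two controls described in this answer and the previous one (not WorldPay's own code or tooling): a small Python check that flags sensitive authentication data (CVV2, track data, including track data embedded in free-text notes such as a call transcript) in a stored post-authorization record, then renders the PAN unreadable by truncation and by a keyed one-way hash, both of which PCI DSS accepts. The field names, sample record and key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample of a record a merchant system might persist after
# authorization (hypothetical field names). It deliberately contains data
# that must not be retained post-authorization.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cvv2": "123",
    "track2": "4111111111111111=2512101123456789",
    "notes": "customer read card 4111111111111111=2512101 over the phone",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

# Field names that hold sensitive authentication data (SAD): full track data,
# card verification codes and PIN data. Never stored after authorization.
SAD_FIELDS = ("cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block")

# Track 2 layout: PAN, separator ('=' or 'D'), 4-digit expiry, 3-digit service code.
TRACK2_RE = re.compile(r"\d{13,19}[=D]\d{7}")


def find_sad(record):
    """Return the keys of a stored record that hold SAD, by name or by content."""
    found = set()
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            found.add(key)
        elif isinstance(value, str) and TRACK2_RE.search(value):
            found.add(key)          # track data hidden in free text
    return sorted(found)


def truncate_pan(pan):
    """Render a PAN unreadable by truncation: keep the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash of the PAN, so records can still be matched without the clear PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_post_auth(record, key):
    """Drop SAD fields and replace the clear PAN; returns a record that is safe to retain."""
    sad = set(find_sad(record))
    clean = {k: v for k, v in record.items() if k not in sad}
    if "pan" in clean:
        clean["pan_truncated"] = truncate_pan(clean["pan"])
        clean["pan_hmac"] = hash_pan(clean.pop("pan"), key)
    return clean
```

The HMAC key must be kept separately from the records (key management is out of scope here); truncation alone is enough where no cross-record matching is needed.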
- How much does it cost to become PCI DSS compliant?
The cost will depend on the size of your business and which Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) you choose to carry out your assessments. Any cost should be compared to the effect on your business if card data you held was stolen. As well as possible fines levied by the card schemes and other costs associated with actual card data being stolen, your reputation as a business would suffer and customers could go elsewhere.
- Can WorldPay provide answers to some of the more detailed technical questions we have with regards to PCI DSS?
Any information given to you by WorldPay in respect of data security is based upon our interpretation of the PCI Data Security Standard and the information you have provided concerning your own circumstances. Such information is given for guidance only. If a merchant has detailed questions relating to the technicalities of PCI DSS, we would suggest that you first refer to the PCI DSS website directly (https://www.pcisecuritystandards.org/), or approach a Qualified Security Assessor (QSA).
You will also find the 'PCI DSS Quick Reference Guide' useful: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
- In the event of a data compromise on the WorldPay system what protection can we expect?
Provided you have fulfilled your duty under the PCI DSS rules and had met these at the time of the compromise, any loss as a direct result of our non-compliance would mitigate any fines imposed by the schemes.
- What is the correct process to follow if we suspect a data compromise on our systems?
Our merchants are encouraged to contact us immediately in the event of a suspected or actual compromise, providing details of the incident and their contact details to our PCI DSS email address PCISecurity@worldpay.us. We will coordinate card scheme contact and work with the merchant on the position, including providing information on Qualified Forensic Investigators, who would be required to investigate the position and support prevention of further data loss.