
PCI DATA SECURITY

Implementing a strong security policy that protects your customers’ cardholder information helps your business maintain a positive image by preventing a security breach, enhances customer confidence and avoids unnecessary costs.

  • About Cardholder Data Security
    • As part of MONEXgroup’s ongoing commitment to assisting our merchants with their processing needs, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.
      All Merchants and Service Providers that store, process or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. Certification requirements vary by business and depend on your ‘Merchant Level’ or ‘Service Provider Level’. Failure to comply with PCI DSS and the Card Brand Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.
      MONEXgroup has taken steps to provide our valued merchants with the necessary information and associated links to assist you in assessing the actions your business should take to ensure that you are compliant.
  • About PCI SSC
    • The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks – American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.
  • The PCI SSC currently manages the following security standards
    • – PCI Data Security Standard (DSS)
      – PCI PIN Entry Devices Program (PED)
      – PCI Payment Application Data Security Standard (PA-DSS)
      The PCI SSC is also responsible for the training and qualification of the security assessors and vendors that validate merchant and service provider compliance against these standards.
      The PCI SSC is not responsible for enforcing compliance with these standards; enforcement is managed independently by the Card Associations.
  • Twelve Principal Requirements of PCI DSS
    • • Build and Maintain a Secure Network
      – Install and maintain a firewall configuration to protect cardholder data
      – Do not use vendor-supplied defaults for system passwords and other security parameters

      • Protect Cardholder Data
      – Protect stored cardholder data
      – Encrypt transmission of cardholder data across open, public networks

      • Maintain a Vulnerability Management Program
      – Use and regularly update anti-virus software
      – Develop and maintain secure systems and applications

      • Implement Strong Access Control Measures
      – Restrict access to cardholder data by business need-to-know
      – Assign a unique ID to each person with computer access
      – Restrict physical access to cardholder data

      • Regularly Monitor and Test Networks
      – Track and monitor all access to network resources and cardholder data
      – Regularly test security systems and processes

      • Maintain an Information Security Policy
      – Maintain a policy that addresses information security

  • Merchant Levels and Validation Requirements
    • All merchants that store, process or transmit cardholder data must comply with the PCI DSS and validate their compliance and certification requirements using the appropriate Merchant Level for their business.
  • Merchant Level Description
    • Level 1
      – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions per year
      – Any merchant that has suffered an unauthorized intrusion that resulted in an account data compromise
      – Any merchant that a Card Association, at its sole discretion, determines should meet the Level 1 merchant requirements
    • Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions per year
    • Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year
    • Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions per year

  • Merchant Validation Requirements
    • Level 1
      Validation requirements:
      – Annual PCI Self Assessment Questionnaire
      – Quarterly Network Scan
      – Annual On-Site PCI Data Security Assessment
      Validations performed by:
      – Qualified Security Assessor (QSA)
      – Approved Scanning Vendor (ASV)
    • Level 2
      Validation requirements:
      – Annual PCI Self Assessment Questionnaire
      – Quarterly Network Scan
      Validations performed by:
      – Qualified Security Assessor (QSA)
      – Approved Scanning Vendor (ASV)
    • Level 3
      Validation requirements:
      – Annual PCI Self Assessment Questionnaire
      – Quarterly Network Scan
      Validations performed by:
      – Qualified Security Assessor (QSA)
      – Approved Scanning Vendor (ASV)
    • Level 4 (Acquirer’s Discretion)
      Validation requirements:
      – Annual PCI Self Assessment Questionnaire
      – Quarterly Network Scan
      Validations performed by:
      – Qualified Security Assessor (QSA)
      – Approved Scanning Vendor (ASV)

  • Service Providers Compliance Requirements
    • A service provider is defined as an organization that stores, processes or transmits cardholder data on behalf of merchants or other service providers. As a result, all service providers are required to comply with PCI DSS, including validating their compliance with PCI DSS through the services of a Qualified Security Assessor (QSA).
  • Payment Application Data Security Standard
    • The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. It is based on Visa’s Payment Application Best Practices (PABP). Many merchants deploy third-party payment applications, tailored to their business needs, to assist them in accepting credit card payments.
      The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values or PIN data, and to ensure that their payment applications support compliance with the PCI DSS. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants.
      Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software.
  • Visa Canada’s Payment Application Compliance Program
    • Visa Canada has established timeframes by which acquirers must ensure that all merchants (new and existing) who use payment application software to process with their acquirers use only software that has been validated against PA-DSS or PABP requirements.
      – Phase 1 (effective October 1, 2008): all acquirers must ensure that any newly boarded merchant that uses payment application software uses only payment application software that has been validated to comply with PABP or PA-DSS requirements.
      – Phase 2 (effective July 1, 2010): all acquirers must ensure that all merchants (new and existing) who use payment application software use only payment application software that has been validated to comply with PABP or PA-DSS requirements.