
Payment Regulations and Resources

Learn about the payment regulations that affect your business

Payment Card Industry Data Security Program
The Payment Card Industry (PCI) Data Security Programs are designed to protect merchants and the payments industry. These programs provide tools and measurements to control the privacy of cardholder data. Visa USA and MasterCard International provide common industry data security standards.

Merchants Using Wireless Networks
Merchants with wireless access points into their environment introduce significant risk to their network if appropriate controls are not in place. Since wireless technologies may be susceptible to compromise, merchants should carefully evaluate the need for this technology against the risk before deploying wireless systems.

If your company uses wireless technology to transmit cardholder data or if a wireless LAN is connected to or part of the cardholder environment (e.g., not separated by a firewall), wireless security features should be implemented. Common wireless vulnerabilities include the following:

  • Eavesdropping - An attacker can gain access to a wireless network just by "listening" to traffic. Radio transmissions can be freely and easily intercepted by nearby devices or laptops.
  • Trust problems - If a wireless LAN is part of an enterprise network, a compromise of the LAN may lead to the compromise of the entire enterprise network. An attacker with a rogue wireless access point can fool a mobile station into authenticating with the rogue access point, thereby gaining access to the mobile station.
  • Denial of Service - Due to the nature of radio transmission, wireless LANs are vulnerable to denial of service attacks and radio interference. Such attacks can be used to disrupt business operations or to gather additional information for use in initiating another attack.
  • Man-in-the-middle - Packet spoofing and impersonation, whereby traffic is intercepted midstream, then redirected by an unauthorized individual for malicious purposes.

Recent forensic investigations reveal that many entities are not properly securing their wireless networks, leading to the compromise of cardholder data, brand damage and financial and regulatory concerns. Merchants should consult with IT staff to ensure proper awareness of the security risks associated with wireless technology and to develop risk mitigation strategies to protect their computing environments.

Important Reminders

  • Compliance with PCI is mandatory for all entities that store, process or transmit Visa and/or MasterCard cardholder data. Merchants are required to prove PCI compliance annually.
  • Association regulations prohibit storage of the magnetic stripe contents as a unit. Merchants or service providers may never retain magnetic stripe data subsequent to transaction authorization. Only the following data elements may be securely retained subsequent to transaction authorization: Cardholder Account Number, Cardholder Name and Card Expiration Date.
  • Merchants or service providers may never retain CVV2/CVC2, the last three digits printed on the signature panel, subsequent to transaction authorization, whether encrypted or unencrypted.
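As an added example (not part of this Chase Paymentech page), the Python below turns the retention rule above into a defender-side check: it keeps only the three permitted elements from a captured authorization record, and it flags stored log lines that still contain magnetic-stripe track data (ISO/IEC 7813 Track 1 and Track 2 layouts) or a labelled CVV2/CVC2 value. The field names, the sample record and the log lines are constructed; the PAN is the common 4111... test number.

```python
"""Retention check: after authorization only PAN, cardholder name and expiry
may be kept; full track data and CVV2/CVC2 may never be stored (added example)."""
import re

# Elements the page lists as retainable after authorization (names constructed).
ALLOWED_FIELDS = {"account_number", "cardholder_name", "expiration_date"}

# ISO/IEC 7813 stripe layouts: Track 1 "%B<PAN>^<NAME>^<YYMM>...?" and
# Track 2 ";<PAN>=<YYMM><service code>...?". The PAN is 13-19 digits.
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}\d{3}")
# A labelled 3-4 digit security code (cvv2/cvc2/cvv/cvc) in a log or dump.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?)\b\s*[:=]\s*(\d{3,4})", re.I)

def scrub_post_authorization_record(record):
    """Return a copy holding only the elements allowed after authorization."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

def find_prohibited_data(text):
    """List (kind, line_no) for each stored line holding track data or CVV2."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if TRACK1_RE.search(line):
            findings.append(("track1", n))
        if TRACK2_RE.search(line):
            findings.append(("track2", n))
        if CVV_RE.search(line):
            findings.append(("cvv2", n))
    return findings

# Constructed sample of what a terminal captured at authorization time.
CAPTURED = {
    "account_number": "4111111111111111",
    "cardholder_name": "DOE/JOHN",
    "expiration_date": "0912",
    "track2": ";4111111111111111=09121011000000000000?",
    "cvv2": "123",
}

# Constructed sample log: lines 2 and 3 violate the retention rule.
SAMPLE_LOG = """2008-03-31 auth ok pan=411111******1111 exp=0912
2008-03-31 raw %B4111111111111111^DOE/JOHN^09121011000000000000?
2008-03-31 debug cvv2=123 result=approved
2008-03-31 settlement batch closed"""

if __name__ == "__main__":
    print(scrub_post_authorization_record(CAPTURED))
    print(find_prohibited_data(SAMPLE_LOG))
```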

Reporting Requirements
Prior to each of the following dates, Chase Paymentech reports the PCI compliance progress of Level 1, 2 and 3 merchants to MasterCard and Visa in order to mitigate potential fines.

Quarter 1 2006 - March 31, 2006
Quarter 2 2006 - June 30, 2006
Quarter 3 2006 - September 30, 2006
Quarter 4 2006 - December 31, 2006

Please note that all compliance deadlines have passed. Merchants must become fully PCI compliant to prevent fines. As your acquirer, Chase Paymentech requests that all non-compliant merchants provide a compliance target date for the non-compliant items on a quarterly basis until fully compliant.

What fines are possible if merchants do not comply?

Visa Fines
  • Non-compliance
    • 1st violation - $50,000
    • 2nd violation - $100,000
    • 3rd violation - discretionary
  • Failure to report compromise - $100,000
  • Egregious violation - $500,000

MasterCard Fines
  • Egregious violation - $500,000
  • Storing full track data
    • $50,000 initial fine
    • $100,000 monthly until issue is resolved
  • Failure to comply with the SDP mandate
    • Level 1 Merchants - Up to $25,000
    • Level 2 Merchants - Up to $5,000
    • Level 3 Merchants - Up to $5,000

What are merchants' compliance obligations?

Level 1
  • Selection criteria (based on Visa or MC transactions)
    • 6 million annual transactions (all acceptance channels)
    • Incurred a compromise
  • Validation actions
    • Annual onsite security visit
    • -and-
    • Quarterly network scan
  • Validation process
    • Qualified Independent Security Assessor, or Internal Audit Staff with CISA designation if signed by a company officer
  • Merchant requirements
    • Submission of successful Report on Compliance (ROC)
    • Quarterly scan showing no high vulnerabilities

Level 2
  • Selection criteria (based on Visa or MC transactions)
    • 150,000 - 6 million e-commerce transactions
  • Validation actions
    • Annual PCI self-assessment questionnaire
    • -and-
    • Quarterly network scan
  • Validation process
    • Validated by merchant
    • Qualified independent scan vendor
  • Merchant requirements
    • Submission of PCI self-assessment questionnaire with green rating
    • Results of quarterly scan showing no high vulnerabilities

Level 3
  • Selection criteria (based on Visa or MC transactions)
    • 20,000 - 150,000 e-commerce transactions
  • Validation actions
    • Annual PCI self-assessment questionnaire
    • -and-
    • Quarterly network scan
  • Validation process
    • Validated by merchant
    • Qualified independent scan vendor
  • Merchant requirements
    • Submission of PCI self-assessment questionnaire with green rating
    • Results of quarterly scan showing no high vulnerabilities

Level 4
  • Selection criteria (based on Visa or MC transactions)
    • Others (regardless of acceptance channel)
  • Validation actions
    • Recommended annual PCI self-assessment questionnaire
    • -and-
    • Recommended quarterly network scan
  • Validation process
    • Validated by merchant
    • Qualified independent scan vendor
  • Merchant requirements
    • Compliance mandatory
    • Validation optional

Important Contact Information
If you have any PCI questions please contact us via email at compliance_coordinator@chasepaymentech.com, or contact your Relationship Manager as appropriate. Below are links to the Card Associations' data security programs, AmbironTrustWave, and Chase Paymentech Solutions' website for the data security program.

  • Visa - Cardholder Information Security Program (CISP) - http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
  • MasterCard - Site Data Protection (SDP) - https://sdp.mastercardintl.com
  • AmbironTrustWave - TrustKeeper - http://www.atwcorp.com
  • Chase Paymentech Solutions - Fraud Protection: Data Security Program - http://www.chasepaymentech.com
© Copyright 2008, Chase Paymentech Solutions, LLC. All Rights Reserved.