Card Brand Requirements | Solutions | Chase Paymentech Solutions

Chase Paymentech - merchant services and credit card processing

Solutions

PCI Security Compliance


-	Requirements
-	Risk Assessment
-	Helpful Tips
-	Contacts
-	Frequently Asked Questions

FRAUD PROTECTION

GIFT CARDS

METHODS OF PAYMENT

MERCHANT SUPPORT CENTER

CONTACT SALES

Requirements

Guidelines and Information Provided by the Card Associations

	Reporting
	Obligations
	Prohibited Data
	General Guidelines about Fines

Reporting
Chase Paymentech reports progress toward PCI compliance for Level 1, 2, and 3 merchants prior to each of the following dates to MasterCard and Visa to mitigate potential fines.

First Quarter - End of March
Second Quarter - End of June
Third Quarter - End of September
Fourth Quarter - End of December

Merchants must become fully PCI compliant to prevent fines. As your acquirer, Chase Paymentech requests that all non-compliant merchants provide a compliance target date for the non-compliant items on a quarterly basis until fully compliant.

Obligations

Level

Selection Criteria

Validation Actions

Validation Process

Merchant Requirements

	6 million annual Visa or MC trans. (all acceptance channels)
	Incurred a compromise

	Annual onsite security visit
- and -
	Quarterly network scan

Qualified Independent Security Assessor or Internal Audit Staff with CISA designation if signed by company officer

	Submission of successful Report on Compliance (ROC)
	Quarterly scan showing no high vulnerabilities

1 million to 6 million annual Visa or MC trans. (all acceptance channels)

	Annual PCI self-assessment questionnaire
- and -
	Quarterly network scan

	Validated by merchant
	Qualified independent scan vendor

	Submission of PCI self-assessment questionnaire with green rating
	Results of quarterly scan showing no high vulnerabilities

20,000 - 1 million
Visa or MC
e-commerce trans.

	Annual PCI self-assessment questionnaire
- and -
	Quarterly network scan

	Validated by merchant
	Qualified independent scan vendor

	Submission of PCI self-assessment questionnaire with green rating
	Results of quarterly scan showing no high vulnerabilities

Others
(regardless of acceptance channel)

	Recommended annual PCI self-assessment questionnaire
- and -
	Recommended quarterly network scan

	Validated by merchant
	Qualified independent scan vendor

	Compliance mandatory
	Validation optional

Prohibited Data

Merchants and their services providers are allowed to store only the following data subsequent to authorization:

Cardholder Account Number

Cardholder Name

Card Expiration Date

Service Code

Card Verification Data (CVV2/CVC2/CID) and full content of the magnetic stripe can never be stored after authorization.

General Guidelines About Fines

Visa Fines

MasterCard Fines

	Non-compliance
		1^st violation - $50,000
		2^nd violation - $100,000
		3^rd violation - discretionary
	Failure to report compromise - $100,000
	Egregious violation - $500,000
	Storing full track data
		$50,000 initial fine
		$100,000 monthly until issue is resolved

Failure to comply with the SDP mandate

	Level 1 Merchants - Up to $25,000
	Level 2 Merchants - Up to $5,000
	Level 3 Merchants - Up to $5,000

For card association updates on data security, visit the Merchant Support Center