Payment Card Industry Data Security Program
The Payment Card Industry (PCI) Data Security Programs are designed to protect merchants and the payments industry. These programs
provide tools and measurements for protecting the confidentiality of cardholder data. Visa USA and MasterCard International have
adopted a common set of industry data security standards.
Merchants Using Wireless Networks
Merchants with wireless access points into their environment introduce significant risk to their network if appropriate controls are
not in place. Since wireless technologies may be susceptible to compromise, merchants should carefully evaluate the need for this
technology against the risk before deploying wireless systems.
If your company uses wireless technology to transmit cardholder data or if a wireless LAN is connected to or part of the cardholder
environment (e.g., not separated by a firewall), wireless security features should be implemented. Common wireless vulnerabilities
include the following:
- Eavesdropping - An attacker can gain access to a wireless network just by "listening" to traffic. Radio transmissions can be
  freely and easily intercepted by nearby devices or laptops.
- Trust problems - If a wireless LAN is part of an enterprise network, a compromise of the LAN may lead to the compromise of the
  entire enterprise network. An attacker with a rogue wireless access point can fool a mobile station into authenticating with the
  rogue access point, thereby gaining access to the mobile station.
- Denial of service - Due to the nature of radio transmission, wireless LANs are vulnerable to denial of service attacks and radio
  interference. Such attacks can be used to disrupt business operations or to gather additional information for use in initiating
  another attack.
- Man-in-the-middle - Packet spoofing and impersonation, whereby traffic is intercepted midstream, then redirected by an
  unauthorized individual for malicious purposes.
Recent forensic investigations reveal that many entities are not properly securing their wireless networks, leading to the
compromise of cardholder data, brand damage and financial and regulatory concerns. Merchants should consult with IT staff to
ensure proper awareness of the security risks associated with wireless technology and to develop risk mitigation strategies to
protect their computing environments.
Important Reminders
- Compliance with PCI is mandatory for all entities that store, process or transmit Visa and/or MasterCard cardholder data.
  Merchants are required to prove PCI compliance annually.
- Association regulations prohibit storage of the full contents of the magnetic stripe. Merchants or service providers may never
  retain magnetic stripe data subsequent to transaction authorization. Only the following data elements may be securely retained
  subsequent to transaction authorization: Cardholder Account Number, Cardholder Name and Card Expiration Date.
- Merchants or service providers may never retain CVV2/CVC2, the last three digits printed on the signature panel, subsequent to
  transaction authorization, whether encrypted or unencrypted.
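The retention rules above are easiest to verify by scanning what is actually stored. The following is an added example, not part of the original bulletin or any Chase Paymentech tooling: a small Python scanner that looks through stored transaction records for full Track 1 or Track 2 data and for a retained CVV2/CVC2 value, using the ISO 7813 track layouts and a Luhn check so that other long numbers are not reported as card numbers. The sample records, the field names (pan, track1, track2, cvv2) and the transaction ids are constructed for the example and would be adapted to the schema being scanned.

```python
import re

# Constructed sample records for this example (not real data): the kind of
# lines a merchant might find in a transaction log, database export or
# application debug trace. The PANs are the standard Visa/MasterCard test
# numbers, which pass the Luhn check; 1234567890123456 does not.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 name=JANE DOE exp=0812",            # allowed elements only
    "txn=1002 track1=%B4111111111111111^DOE/JANE^08121010000000000?",  # full Track 1
    "txn=1003 track2=;5555555555554444=08121010000000000?",            # full Track 2
    "txn=1004 pan=5555555555554444 cvv2=123 exp=0812",                 # CVV2 retained
    "txn=1005 ref=1234567890123456",                                   # 16 digits, not a PAN
]

# ISO 7813 track layouts. Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
# Track 2: ;<PAN>=<YYMM><service code>...?  Both carry the discretionary data
# that the associations prohibit keeping after authorization.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Card verification value fields. The field names are assumptions about how an
# application might label the value; adjust them to the schema being scanned.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Never echo a full PAN in a findings report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_record(line: str) -> list[dict]:
    """Return one finding per prohibited element found in a single record."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):  # skip look-alikes whose PAN field is not a card number
                findings.append({"kind": kind, "pan": mask_pan(m.group(1))})
    for _ in CVV_RE.finditer(line):
        # Associate the retained CVV2 with the (masked) card it belongs to, if one is present
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        findings.append({"kind": "cvv2", "pan": mask_pan(pans[0]) if pans else None})
    return findings


def scan_records(lines: list[str]) -> dict[str, list[dict]]:
    """Map each record's first token (the txn id in the samples) to its findings."""
    report = {}
    for line in lines:
        hits = scan_record(line)
        if hits:
            report[line.split()[0]] = hits
    return report


if __name__ == "__main__":
    for txn, hits in scan_records(SAMPLE_RECORDS).items():
        for h in hits:
            print(f"{txn}: prohibited {h['kind']} data retained (card {h['pan']})")
```

Run against the constructed records, the scanner flags txn 1002 (Track 1), 1003 (Track 2) and 1004 (CVV2) and stays silent on 1001, which keeps only the permitted account number, name and expiration date, and on 1005, whose 16-digit reference fails the Luhn check. Because the rule applies whether the value is encrypted or not, a real scan also has to be run over decrypted copies of any fields the application encrypts at rest.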
Reporting Requirements
Chase Paymentech reports progress toward PCI compliance for Level 1, 2, and 3 merchants prior to each of the following dates to
MasterCard and Visa to mitigate potential fines.
Quarter 1 2006 - March 31, 2006
Quarter 2 2006 - June 30, 2006
Quarter 3 2006 - September 30, 2006
Quarter 4 2006 - December 31, 2006
Please note that all compliance deadlines have passed. Merchants must become fully PCI compliant to
prevent fines. As your acquirer, Chase Paymentech requests that all non-compliant merchants provide a compliance target date for
the non-compliant items on a quarterly basis until fully compliant.
What fines are possible if merchants do not comply?
Visa fines
  Non-compliance: 1st violation - $50,000; 2nd violation - $100,000; 3rd violation - discretionary
  Failure to report a compromise - $100,000
  Egregious violation - $500,000
  Storing full track data - $50,000 initial fine, then $100,000 monthly until the issue is resolved
MasterCard fines
  Failure to comply with the SDP (Site Data Protection) mandate: Level 1 merchants - up to $25,000; Level 2 merchants - up to $5,000;
  Level 3 merchants - up to $5,000
What are merchants' compliance obligations?
Selection criteria are based on Visa or MasterCard transaction volume.
Level 1
  Selection criteria: over 6 million annual transactions (all acceptance channels), or has incurred a compromise
  Validation actions: annual onsite security visit - and - quarterly network scan
  Validation process: Qualified Independent Security Assessor, or internal audit staff with CISA designation if the report is
  signed by a company officer
  Merchant requirements: submission of a successful Report on Compliance (ROC); quarterly scan showing no high vulnerabilities
Level 2
  Selection criteria: 150,000 - 6 million e-commerce transactions
  Validation actions: annual PCI self-assessment questionnaire - and - quarterly network scan
  Validation process: questionnaire validated by the merchant; scan performed by a qualified independent scan vendor
  Merchant requirements: submission of the PCI self-assessment questionnaire with a green rating; results of the quarterly scan
  showing no high vulnerabilities
Level 3
  Selection criteria: 20,000 - 150,000 e-commerce transactions
  Validation actions: annual PCI self-assessment questionnaire - and - quarterly network scan
  Validation process: questionnaire validated by the merchant; scan performed by a qualified independent scan vendor
  Merchant requirements: submission of the PCI self-assessment questionnaire with a green rating; results of the quarterly scan
  showing no high vulnerabilities
Level 4
  Selection criteria: all other merchants (regardless of acceptance channel)
  Validation actions: recommended annual PCI self-assessment questionnaire - and - recommended quarterly network scan
  Validation process: questionnaire validated by the merchant; scan performed by a qualified independent scan vendor
  Merchant requirements: compliance mandatory; validation optional
Important Contact Information
If you have any PCI questions please contact us via email at compliance_coordinator@chasepaymentech.com,
or contact your Relationship Manager as appropriate. Below are links to the Card Associations' data security programs,
AmbironTrustWave, and Chase Paymentech Solutions' website for the data security program.