Merchant Services PCI Compliance Information
What is PCI?
PCI stands for “Payment Card Industry”, but it usually means one or the other of the following:
- The Payment Card Industry Security Standards Council. This is an industry body made up of organizations like Visa, MasterCard, American Express, Discover, etc. The Council is how these companies cooperate to agree upon a single, common security standard that they insist merchants meet.
- The actual security standard put together by the Council described in the first definition above. The real name for this standard is the Payment Card Industry ‘Data Security Standard’ (PCI DSS). Merchants must meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards).
What is the ‘PCI DSS’?
PCI DSS stands for ‘Payment Card Industry Data Security Standard’. This is a (quite technical and broad-ranging) set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment
A copy of the PCI DSS is available here. It should be noted that this site gives Merchants additional tools and advice to help them deal with the requirements of the PCI DSS.
To whom does PCI apply?
PCI applies to ALL organizations or Merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI DSS requirements apply.
What if a Merchant refuses to cooperate?
PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards.
What does a merchant have to do in order to satisfy the PCI requirements?
To satisfy the requirements of PCI, a Merchant must do two things:
- Comply with the Data Security Standard (by meeting all of the requirements laid out in the Data Security Standard), and
- Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with the Data Security Standard. For some Merchants (those with a high volume of card transactions, or with a history of security problems) validation involves on-site audits by certified professionals, but for many Merchants the primary requirements are:
• Annual completion and submission by the Merchant of a PCI Self-Assessment Questionnaire (the ‘SAQ’); and
• Where appropriate, a quarterly network vulnerability scan undertaken by a certified scanning company.
More information is available in the FAQ sections on Compliance and Validation.
It is important to note that being in Compliance does NOT automatically mean that the Merchant has met their Validation requirement (in the same way that individuals must comply with the Tax Code by paying income tax, AND validate their compliance via the use of receipts and other documents.)
What is the ‘Self-Assessment Questionnaire’?
The Self-Assessment Questionnaire is a form that Merchants may be required to complete every year and submit to their Acquiring Bank. It was created by the PCI Council. Completing a Self-Assessment Questionnaire helps Merchants do two things:
- Check their Compliance, by finding out for themselves if they are in compliance with the Data Security Standard; and
- Complete part of their Validation, by giving others, such as their Acquiring Bank, evidence that they are in Compliance with the PCI Data Security Standard.
As of February 2008, there is no longer a single ‘one size fits all’ Self-Assessment Questionnaire. Merchants now need to identify which of 5 ‘Validation Type’ categories they fit into, and then complete the appropriate Self-Assessment Questionnaire for their category. For some Merchants, the appropriate Self-Assessment Questionnaire is short and simple, while for other Merchants the appropriate Self-Assessment Questionnaire is long and extremely technical. Note that for all versions of the Self-Assessment Questionnaire, Merchants will only pass if they pass (or are able to say ‘Not Applicable’ to) ALL of the questions in the Questionnaire.
This web site gives Merchants access to free tools and services that make it much easier for them to identify the Self-Assessment Questionnaire that is appropriate for them, and complete it. In fact, the tools here do it for the Merchant, based on their answers to some much simpler questions that this web site asks. Where the questions are complicated or technical, the tools provide expert assistance and guidance. Merchants also have access through this site to a variety of tools and services to help them quickly and easily solve any Compliance failures they might have.
What is the ‘SAQ’?
‘SAQ’ stands for the PCI ‘Self-Assessment Questionnaire’. See the above question and answer for more detail.
What is meant by ‘Compliance’?
Being in Compliance means ‘meeting all of the requirements laid out in the Payment Card Industry Data Security Standard’. The requirements for Compliance are the same for ALL Merchants, large or small. (However, smaller Merchants typically avoid many of the Compliance problems that larger organizations face, because their systems and networks are usually simpler.)
What is meant by ‘Validation’?
Validation means a Merchant’s ability to show, via standard documents and/or tests, that they are meeting the PCI DSS requirements. The different types of Merchant face different levels of Validation burden, depending on which of four levels they are assigned to. Merchants that were directed to this web site are, at the very least, required to complete the Self-Assessment Questionnaire.
How are the different Merchant Levels defined?
The following table defines the levels:
|Merchant Level 1:|• Any Merchant that processes over 6,000,000 Visa or MasterCard transactions per year (regardless of whether the transactions are e-commerce or not), OR|
||• Any Merchant that is declared to be Level 1 by any Card Association|
||• Any Merchant that has suffered a security incident or attack that resulted in an account data compromise|
|Merchant Level 2:|Any Merchant processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.|
|Merchant Level 3:|Any Merchant processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year.|
|Merchant Level 4:|Any Merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other Merchants processing fewer than 1,000,000 transactions per year.|
What is meant by ‘Remediation’?
Remediation means the process of fixing any Compliance failures. A Merchant who constructs an appropriate remediation program and completes it will be (by definition) in compliance with the PCI DSS.
Is PCI a government program? Is it a law?
No: PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards.
Are Merchants required to use the tools provided through this web site to fix any Compliance problems?
No: The tools provided through this web site are offered as a low-cost convenient way to fix problems, but Merchants are free to use any remediation tools they want to fix their Compliance problems. Merchants who use other tools are then solely responsible for making sure that those tools are appropriately selected and properly implemented, and are then responsible for re-taking the Self-Assessment Questionnaire.
Glossary of PCI Technical Terms
A financial institution that provides services for merchants who accept payment cards.
Visa / MasterCard or any other card issuer that provides cards that are accepted by merchants.
A chronological record of system events and activities. It makes possible a review or reconstruction of the entire chain of events surrounding an event or operation on the computer systems in question.
The process of verifying identity of a subject or process. For example, users of a computer may be forced to authenticate by showing that they know the proper password.
Devices that are known AND have given permission to be on the network in question.
Duplicate copies of data made as protection against damage or loss, or for archiving purposes. If the original data needed protection against theft, the backups also require the same level of protection.
A network device (a ‘box’) that sits at the edge of the network and connects the network to the rest of the world.
Full magnetic stripe or the Primary Account Number (PAN), plus any of the following:
• Cardholder name
• Expiration date
• Service Code
This data needs to be protected.
Client Side-Input Controls:
Security measures designed to make the user do the right thing on their computer. These cannot be trusted completely, which is why software developers need to also rely on server-side security controls.
An arrangement between a merchant and another company, generally an Internet Service Provider, in which the merchant is allowed to house its own computer and software at the company’s location. The merchant generally manages its own computer, but benefits from other infrastructure and services at the company’s location.
The rules on a firewall that tell it what traffic is ‘good’ (and is allowed) and what traffic is ‘bad’ (and is blocked).
A piece of data exchanged between a web server and a web browser to maintain a session. Cookies may contain user preferences and personal information.
A computer system for storing and organizing information in a structured way. It can be a special program, or something simple like an Excel spreadsheet.
Using a machine to erase all the information on a hard-disk or floppy-disk (or anything else that uses magnetic recording, like a VCR tape). This does NOT work on media such as CDs or DVDs, and it is often cheaper and simpler to physically destroy the recording media.
Systems that are not used for ‘real work’, but for designing or building new solutions or programs. The idea is that if something goes wrong, the systems that are used for real work are not damaged or interfered with.
DMZ stands for “Demilitarized Zone”. It is a network added between a private and a public network to provide an additional layer of security for the private network.
“Doing Business As” (DBA):
A merchant’s legal business name as differentiated from the names of a company’s principals or other entity that owns or manages the business. A DBA that is significantly different from the principals’ or other entity’s name can result in an unrecognizable merchant name, or descriptor, on a cardholder’s monthly statement, which can in turn lead to potential copy requests and chargebacks.
Egress and Ingress Filters:
Filters at the edge of a network that block traffic from coming into the network without permission, and block traffic from leaving the network without permission.
Encryption:
The process of converting information into a scrambled form that is unreadable except to holders of the proper cryptographic key. Using encryption protects information against unauthorized disclosure while it is encrypted.
Extended Point of Sale:
An extended POS is a Point of Sale terminal that in addition to processing sales, does something else like inventory management, seating, reservations, accounting, or customer relationship management.
A security product that protects resources on one network from intruders from other networks by restricting network traffic flows. They are often separate devices that sit on your computer network, but can be software that exists on another computer (such as on a laptop).
The process of making a computer harder to attack by turning off programs inside it that are not really needed.
(IDS/IPS) signatures:
The part of an Intrusion Detection System or Intrusion Prevention System that lets it tell the difference between an attack and ‘normal operations’.
A pre-prepared formal plan laying out what to do in case of an emergency or security event, with roles and responsibilities laid out in advance.
Addresses:
An address for a computer that identifies it as belonging inside a given network, as opposed to being an ‘outside computer’.
The part of a network that is restricted to insiders. It does not include the DMZ, and is normally kept separate from the rest of the world by a firewall.
Any computer or application designed to be accessed over the Internet or Web. (These systems are usually the first to be attacked, so they need to be well designed and protected.)
A security system used to identify and raise alerts concerning any network or system intrusion attempts. They are similar in that sense to burglar alarms. A typical Intrusion Detection System consists of sensors which generate security events; a console to monitor events and alerts, and control the sensors; and a central engine that stores the event data in a database.
A security system used to identify, raise alerts concerning, and actively block any network or system intrusion attempts. A typical Intrusion Prevention System consists of an Intrusion Detection System coupled with an active enforcement mechanism.
An authentication tool for wireless networks.
Recorded somewhere so that administrators or managers know that something happened, and know what, where, and when it happened.
Masked (credit card information):
Obscured in some way, such as being replaced with **** (this is often used to hide all except the last 4 digits of a card number, turning it into something like “**** **** **** 4777”).
Media:
Anything used to store information. It includes hard disks, thumb-drives, paper, CDs, DVDs, etc.
A financial institution that enters into agreements with merchants to accept payment cards as payment for goods and services; also called acquirers or acquiring banks.
A computer that is supposed to move around easily, like a notebook, or PDA.
A collection of computers and other devices that are all interconnected together.
Network Address Translation (“NAT”):
Sometimes known as network masquerading or IP masquerading. It is a standard networking process whereby an IP address used within one network is changed to a different IP address for use within another network. It is used by many networks as a way for internal computers to talk to the rest of the world with greater convenience and privacy.
Operational security is security that is based on processes and procedures, as opposed to technology.
PAN/Primary Account Number:
The payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is usually stamped on the front of a debit/credit card, and also encoded in the magnetic stripe.
A secret word or string of letters used to authenticate the user. Similar in purpose to a bank account PIN.
Payment Card Account Information:
This is an important idea in PCI, and one that you need to understand. The Payment Card Environment is that part of your computer network that possesses cardholder data or sensitive authentication data, and those systems and segments that directly attach or support cardholder processing, storage, or transmission. For example, if you have a computer directly connected to a Point of Sale terminal, that computer is part of the payment card environment, no matter what you do (or do not do) on that computer. The scope of the Payment Card Environment may be limited through the use of proper network segmentation.
Payment Card Environment:
This is an important idea in PCI, and one that Merchants need to understand. The payment card environment includes ALL devices that:
• Process payment cards, OR
• Store information about payment cards, OR
• Transmit that sort of information,
AND ALL devices that connect directly to one of those devices. For example, if a Merchant has a computer connected to a Point of Sale terminal, that computer is part of the payment card environment, no matter what the Merchant does (or does not do) on that computer.
A system that provides services to Internet merchants for the authorization and clearing of online payment card transactions.
A controlled (and officially approved) attempt by someone playing the part of an attacker to see if they can break into a given computer system. It is not necessary that they actually break in: it can be more like ‘rattling all the door-knobs to see if any are unlocked’. Any successes that they have can then be used as guidance to improve the security systems in question.
A firewall device that sits at the edge of a network and is designed to protect the network by keeping malicious network traffic out.
A piece of software that sits on a computer and protects it no matter where it goes. It is different from a ‘normal’ firewall (which is a box that sits in one place on a network and does not move around).
Point of Sale (POS):
The device used to process transactions at the checkout. These can be simple swipe-card devices with a pin-pad, or can be joined onto a computer that also handles inventory and other tasks.
Official, documented rules about how a Merchant’s security systems and process/procedures are to operate, what tools should be used, how they should be used, what actions are NOT allowed, and so on.
An Association Member, or Association-approved non-member acting as the agent of a Member, that provides authorization, clearing, or settlement services for merchants and processors: authorizing processors, and clearing processors.
Production Systems and Applications:
Any computer, software, or equipment that is actually used in the operations of a business, instead of being ‘just for testing’ or similar.
Any computer network or communications system that is intended for use by the general public. The most obvious examples are the Internet, Web, GPRS, and GSM. Communications over a public network cannot be assumed to be private, and therefore require the use of encryption.
Publicly Reachable Network Segment:
Any part of a network that outsiders can connect to from their computers. Examples include any web server that outsiders can look at pages on.
Controlling a computer from a remote location. This is usually done to fix problems or to change settings.
Roles and Responsibilities:
Official, documented rules about who should do what in the case of an emergency or particular event. These need to be prepared in advance, with everyone involved knowing in advance what their responsibilities are.
The ‘boss’ account on a computer: the account that has permission to do anything possible to the computer.
Hardware or software that connects two or more networks, and allows computers to talk to each other.
Process for deleting sensitive data from a file, device, or system; or for scrambling data so that it is useless if accessed.
Destroying or wiping media so that the information on it cannot be read or mis-used by outsiders. At current media prices, it is relatively cheap to do this properly by physically destroying the thing holding the data (for example, by breaking the CD in half).
Sharing information in a secure way, so that attackers can neither read it nor change it.
Cardholder Data:
Any information belonging to a cardholder that needs to be protected (because of identity-theft concerns, or privacy requirements, etc). The most important examples of this are information taken from the magnetic stripe of a card, or the card number, plus things like card expiration dates, or cardholder name.
Server-side Controls:
Controls or security measures imposed on servers, rather than relying on attempted control at the user’s end (where the software creator does not have proper control).
Shared WEP Keys:
Encryption keys used for wireless communications encryption (Wired Equivalent Privacy) that are used by more than one person.
A shopping cart is a piece of software that acts as an online store’s catalog and ordering process. Typically, a shopping cart is the interface between a merchant’s web site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise.
Using a machine to cut paper up into hundreds of tiny pieces, so that an attacker cannot read it.
SNMP Community Strings:
SNMP is a set of tools for managing computer networks. “Community strings” are passwords that restrict access to these tools to approved people.
Spoofed IP Addresses:
A technique used by an intruder to gain unauthorized access to computers. In this attack, the intruder sends deceptive messages to a computer, with the message using an IP address indicating that the message is coming from a trusted host.
A form of attack on database-driven applications and web sites. An attacker executes unauthorized SQL commands by putting them in what was supposed to be a name or an address (or similar) so that an unprotected database system will get confused and execute the malicious instructions. SQL injection attacks are used to steal information from a database, to destroy databases, and/or to gain access to an organization’s host computers through the computer that is hosting the database.
SSID Service Set Identifier:
The ‘public name’ assigned to a wireless computer network.
The automatic broadcast by a wireless network of its name (its ‘SSID’). This makes it visible to other computers using wireless nearby.
SSL (Version 3.0 with 128-bit encryption):
Secure Sockets Layer. Established industry standard for encrypting the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. There are different types of SSL, with the modern, strong, version being version 3.0 with 128-bit encryption. Another solution, called TLS (Transport Layer Security), is an even-better replacement.
Hardware or software that connects two or more networks, and allows computers to talk to each other.
Making sure that various clocks are all showing the exact same time. Having synchronized clocks makes record keeping and trouble-shooting simpler and more reliable.
Systems that are not used for ‘real work’, but for testing solutions or programs. The idea is that if something goes wrong, the systems that are used for real work are not damaged or interfered with.
A recorded time, showing when a particular thing happened. These are used in audit records and in trouble-shooting computer problems.
A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for issuers and merchant banks.
Information flowing between computers over a network. Traffic can be carrying email, files, web pages, phone conversations, or a wide variety of other things.
Communications: sending information over a network.
The practice of removing data segments. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last 4 digits.
Vendor Default Accounts:
System login account predefined in a manufactured system to permit initial access when the system is first put into service.
Vendor Default Security Settings:
Many pieces of equipment or software come with built-in security features. “Vendor default security settings” means the ‘out of the box’ settings that these security features come with. For example, system administration or service accounts will ship from the manufacturer with a ‘default password’. These default accounts and passwords are published and well known, and so do NOT provide adequate security.
A program capable of detecting, blocking, and/or removing various forms of malicious code or malware such as viruses, worms, spyware, and Trojans.
Virtual Private Network. A way of using encryption to make sure that your communications back to a computer are private, even over a public network.
A scan of a given network by another computer to identify any weaknesses in any computer security systems.
Web hosting is a service that provides a physical location in which a web site resides. Customers’ web sites are stored on computer servers located in environments permanently connected to the Internet through high-speed data lines.
A computer used to display web pages.
WEP Wired Equivalent Privacy:
An encryption protocol for wireless network traffic. It is an old system that is very simple, but does NOT work very well. Avoid it if possible, by using newer, better systems like WPA or 802.11i.
The secret numbers or letters used in WEP encryption to (hopefully) keep wireless communications private.
Wi-Fi Protected Access:
Commonly called ‘WPA’. A way of encrypting wireless network traffic so that it cannot be read or changed by attackers. It is a newer, better, replacement for WEP.
Wireless Access Points:
A network device (a ‘box’) that lets users connect to the network via wireless (i.e. without using a cable). They usually, but not always, have small antennas, and THEY are attached to the network via a cable.
A machine or program designed to inspect a wireless environment, detect all computers and systems using wireless technology, and analyze them to identify what types of wireless they are using, and how they are set up.