DIGMA193767 PCCI Security Standards - CIBC FirstCaribbean

Transcription

Security Standards

Cardholder Data Security is your Responsibility

Ensuring the safety of your customers’ cardholder information can help your business create and maintain a positive image, enhance customer confidence and assist in improving your bottom line.

As part of CIBC FirstCaribbean International Bank’s provision of card processing services, we want to provide you with some critical information regarding maintenance of data security and how the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Networks’ Compliance Programs will assist with this goal.

The PCI DSS is enforced by the Card Networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International).

CIBC FirstCaribbean International Bank has taken the steps to provide you, our valued client, with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.

Please note that all Merchants who store, process, or transmit cardholder data must comply with PCI DSS and the Card Networks’ Compliance Programs. However, certification requirements vary by business and are contingent upon your “Merchant Level”. Failure to comply with PCI DSS and the Card Networks’ Compliance Programs may result in your business being subject to fines, fees or assessments and/or termination of processing services.

Contents

About PCI SSC
About PCI DSS
Twelve Principle Requirements of PCI DSS
Importance of PCI DSS Compliance and/or Certification
Merchant Levels and Validation Requirements
Third Party Service Providers
Payment Application Data Security Standard
Helpful/Related Links

About PCI SSC

The PCI Security Standards Council (PCI SSC) is an independent body founded in September 2006 by five major credit card networks - American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. The PCI SSC is responsible for the development and ongoing evolution of security standards for account data protection.

For more information on the PCI SSC please visit: https://www.pcisecuritystandards.org/pci_security/

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was created to assist with the protection of cardholder data. Due to a few high profile security breaches it became apparent that a global set of data security standards was required to assist merchants and service providers in meeting these technical and operational requirements.

In direct response to this need, the PCI SSC developed the six goals which translate to the twelve requirements of the PCI DSS.

Twelve Principle Requirements of PCI DSS

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The twelve standards can be found here: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Importance of PCI DSS Compliance and/or Certification

CIBC FirstCaribbean International Bank strongly endorses the need for stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.

Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Networks could levy fees and fines against you and your card processing services could be terminated.

Compliance means all technical and operational requirements of the PCI DSS have been met.
To become certified, an entity must engage the services of a Qualified Security Assessor (QSA) to validate the entity’s compliance with PCI DSS. The QSA will work on identifying areas of non-compliance. The merchant must remedy each area of non-compliance. Once all areas of non-compliance have been addressed, the QSA will re-evaluate and issue confirmation of compliance. Certification to PCI DSS is at the merchant’s expense. Merchants will be required to provide evidence of certification when requested by CIBC FirstCaribbean.

To assist merchants with understanding the environment in which you accept cards and the risks that you may be exposed to, the PCI SSC has developed a number of tools that you can refer to:

Merchant Guide to Safe Payments: /SmallMerchant Guide to Safe Payments.pdf
Merchant Data Security Essentials Evaluation Tool: https://www.pcisecuritystandards.org/pci_security/small_merchant_tool/index.html

Merchant Levels and Validation Requirements

It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your “Merchant Level”.

Merchant Level Description

Level 1: Any merchant regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions annually (all channels). Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that a Card Network, at its sole discretion, determines should meet the Level 1 merchant requirements.

Level 2: Any merchant processing between 1,000,000 and 6,000,000 Visa or MasterCard transactions annually of one card plan (all acceptance channels).

Level 3: Any merchant processing between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions annually.

Level 4: Any e-commerce merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually. Any merchant (regardless of acceptance channel) processing fewer than 1,000,000 Visa or MasterCard transactions annually.

Validation Requirements

Merchant Level | Validation Requirements                     | Validated By                      | Validation Due Date
1              | Annual On-site PCI Data Security Assessment | Qualified Security Assessor (QSA) | Annually
               | Annual PCI Self Assessment Questionnaire    |                                   |
               | Quarterly Network Scan                      | Approved Scanning Vendor (ASV)    |
2              | Annual PCI Self Assessment Questionnaire    | Qualified Security Assessor (QSA) | Annually
               | Quarterly Network Scan                      | Approved Scanning Vendor (ASV)    |
3              | Annual PCI Self Assessment Questionnaire    | Qualified Security Assessor (QSA) | Annually
               | Quarterly Network Scan                      | Approved Scanning Vendor (ASV)    |
4*             | Annual PCI Self Assessment Questionnaire    | Qualified Security Assessor (QSA) | Annually
               | Quarterly Network Scan                      | Approved Scanning Vendor (ASV)    |

* PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Payment Application Data Security Standard

The Payment Application Data Security Standard (PA-DSS) is a standard managed by the PCI SSC. This standard is based on Visa’s Payment Application Best Practices (PABP). Many merchants deploy third party payment applications that are tailored to their business needs to assist them in accepting credit card payments.

The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and to ensure their payment applications support compliance with the PCI DSS. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants.

Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software.

Further information on PA-DSS, including a list of payment applications that have validated their compliance with PA-DSS, can be found at: www.pcisecuritystandards.org

Service Providers

A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. All service providers are required to comply with PCI DSS. In addition, all service providers are required to validate their compliance with PCI DSS through the services of a QSA.

Visa and MasterCard each publish a list of compliant service providers on their websites. For a list of service providers that have validated their compliance with PCI DSS please see:

Visa Global Registry of Service p.do
The MasterCard SDP Compliant Registered Service Provider tection pci-list.pdf

Helpful/Related Links

For more information on the PCI security standards and the Card Network Compliance Programs, please review the following websites:

PCI Security Standards Council: https://www.pcisecuritystandards.org
Visa LAC AIS: smallbusiness/information-security.html
MasterCard Worldwide SDP: protection-PCI.html

Industry Websites

PCI Security Standards Council: https://www.pcisecuritystandards.org
Visa LAC AIS:
MasterCard Worldwide SDP Program: http://mastercard.com/sdp

Call us toll free at 1-866-743-2257 for more details.

The CIBC logo is a trademark of Canadian Imperial Bank of Commerce, used by FirstCaribbean International Bank under license.
