VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS)



Similar documents
Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard

How To Protect Your Credit Card Information From Being Stolen

The PCI DSS Compliance Guide For Small Business

Registration and PCI DSS compliance validation

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Third Party Agent Registration and PCI DSS Compliance Validation Guide

How To Protect Your Business From A Hacker Attack

La règlementation VisaCard, MasterCard PCI-DSS

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Frequently Asked Questions

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standards.

PCI Compliance Overview

Payment Card Industry Compliance Overview

PCI Compliance: How to ensure customer cardholder data is handled with care

How To Protect Visa Account Information

Your Compliance Classification Level and What it Means

An article on PCI Compliance for the Not-For-Profit Sector

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

SecurityMetrics Introduction to PCI Compliance

Two Approaches to PCI-DSS Compliance

FAQ s. SaferPayments. Be smart. Be compliant. Be protected. The benefits of compliance SaferPayments Non-compliance fees

Josiah Wilkinson Internal Security Assessor. Nationwide

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI Compliance. Top 10 Questions & Answers

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM

Western Australian Auditor General s Report. Information Systems Audit Report

PCI Security Compliance

A Compliance Overview for the Payment Card Industry (PCI)

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

What a Processor Needs from a University to Validate Compliance

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

PCI Standards: A Banking Perspective

PCI Compliance Top 10 Questions and Answers

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PCI DSS. CollectorSolutions, Incorporated

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

How To Ensure Account Information Security

PCI DSS Compliance Information Pack for Merchants

Payment Card Industry Data Security Standard Explained

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

PCI Compliance Just the Facts. Rick Dakin President ext. 7001

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Brown Smith Wallace, LLC

Achieving Compliance with the PCI Data Security Standard

Adyen PCI DSS 3.0 Compliance Guide

Merchant guide to PCI DSS

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI DSS. Payment Card Industry Data Security Standard.

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

Achieving Compliance with the PCI Data Security Standard

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS and SSC what are these?

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

SecurityMetrics. PCI Starter Kit

A multi-layered approach to payment card security.

Project Title slide Project: PCI. Are You At Risk?

PAI Secure Program Guide

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Credit Card (PCI) Security Incident Response Plan

Clark University's PCI Compliance Policy

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

University of York Policy on the Management of Debit/ Credit Card Data

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Payment Card Industry Data Security Standards Compliance

PCI DSS Compliance Services January 2016

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

Transcription:

VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS) Q1: What is the purpose of the AIS programme? Q2: What exactly is the Payment Card Industry (PCI) Data Security Standard Q3: Why is the new PCI standard necessary? Q4: What areas are covered by the PCI Data Security Standard? Q5: What are the compliance validation requirements for merchants? Q6: What are the compliance validation requirements for service providers? Q7: Aside from establishing a global set of security requirements, are there other specific benefits to the PCI Data Security Standard? Q8: When does the PCI Data Security Standard come into effect? Q9: When must Merchants and Payment Service Providers begin using the new Payment Card Industry (PCI) Data Security Standard materials? Q10: When does the new validation requirement for annual service provider onsite audits become effective? Q11: How does Account Information Security affect merchants? Q12: If a Merchant or Service Provider has already been approved through the AIS programme, do they need to revalidate using the PCI Data Security Standard? Q13: How does Account Information Security affect merchants? Q14: What risk is my business exposed to by not complying with the PCI Data Security Standard? Q15: What should a merchant or service provider do if they suspect compromise? Q16: Is there a deadline for compliance with AIS? Q17: In what way am I responsible as an Acquirer? Q18: Is AIS only for e-commerce merchants? Q19: How do I as an Acquirer self-certify my compliance status? Q20: How do I as a service provider become certified with the AIS programme requirements? Q21: How do I as a merchant become certified with the AIS programme requirements? Q22: How long will the certification process take? Q23: Where can I find more information on Visa Europe s AIS programme? Page 1

Q1: What is the purpose of the AIS programme? A: The AIS programme aims to enhance the protection of sensitive account and transaction information in the Visa acceptance environment. It protects the interests of all payment participants, including Members, merchants and cardholders in both the physical and virtual world. Visa was the first in the industry to create such a programme, including standards and selfassessment security tools. Q2: What exactly is the Payment Card Industry (PCI) Data Security Standard The Payment Card Industry (PCI) Data Security Standard is a new, single set of data security requirements, developed by Visa and MasterCard that will apply across the payment industry worldwide, and replaces the old AIS Standards and Best Practices, The AIS programme is based on the PCI Data Security Standard. The PCI Data Security Standard aligns Visa s original Account Information Security (AIS) and Cardholder Information Security (CISP) programmes with MasterCard s Site Data Protection (SDP) programme, resulting in a common set of industry tools and measurements that will ensure the safe handling of sensitive information and improve consumer confidence. For more information on AIS and the Payment Card Industry (PCI) Data Security Standard go to www.visaeurope.com/acceptingvisa/ais or email: ais@visa.com. Q3: Why is the new PCI standard necessary? The PCI Data Security Standard provides a unified approach to safeguarding sensitive data across all card brands, and meets member, merchant and service provider business needs for a streamlined set of requirements across the payment industry. It also addresses merchants and Acquirers concerns about having to meet two sets of standards to accomplish a single goal. Q4: What areas are covered by the PCI Data Security Standard? The PCI Data Security Standard encompasses: Technical Foundation: The Standard details technical requirements for the secure storage, processing and transmission of cardholder data. Testing Methodologies: The Standard provides for common auditing procedures, scanning procedures and a common security Self-Assessment Questionnaire. Vendor Certification: Vendor certification is cross-recognised; MasterCard has agreed to recognise Visa approved onsite security assessors, and Visa will recognise all MasterCard security scan vendors. Page 2

Q5: What are the compliance validation requirements for merchants? The compliance validation requirements for all types of merchant are described in the table below. Merchant Compliance Validation Requirements Level Selection Criteria Validation Action Validated By 1 Any merchant - regardless of acceptance channel - processing over 6,000,000 Visa transactions per year 1 Any merchant that has suffered a hack or an attack that resulted in a data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements in order to minimise risk to the Visa system Any merchant identified by another payment card brand as a Level 1. 2 Any e-commerce merchant processing 150,000 to 6,000,000 Visa transactions per year. 3 Any e-commerce merchant processing 20,000 to 150,000 Visa transactions per year. Annual Onsite Security Audit and Scan Network Annual PCI Self- Assessment Questionnaire and Scan Network Security Assessor or Internal Audit if signed by an officer of the company Scan Vendor 2 Merchant Scan Vendor 1 The annual transaction volume for the previous 12 months from the date that the organisation started their AIS project or registered with a QSA. 2 A Qualified Scan vendor must be a MasterCard certified security vendor. Page 3

4 All other merchants, regardless of acceptance channel Recommended Annual PCI Self- Assessment Questionnaire and Recommended Annual Network Scan Merchant Vendor Scan Whilst compliance is mandatory for Level 4 merchants, compliance validation is not mandatory but strongly recommended. 3 3 Acquirers are reminded that they are responsible for the compliance of their merchants and agents (Visa International Operating Regulations section 2.2.E) and will be held liable for any financial losses resulting from a data compromise. Therefore it is strongly recommended that they require their level 4 merchants to carry out the recommended validation actions. Page 4

Q6: What are the compliance validation requirements for service providers? The compliance validation requirements for all types of merchant are described in the table below. Service Provider Levels and Compliance Validation Requirements Level Selection Criteria Validation Action Validated By 1 All VisaNet processors, payment gateways, and Internet Payment Service Providers regardless of transaction volumes Annual Onsite Security Audit and Network Scan Security Assessor Scan Vendor 2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually 4. Annual Onsite Security Audit Network Scan Security Assessor Scan Vendor 3 Any service provider that is not in Level 1 and stores, processes, or transmits less than 1,000,000 Visa accounts/transactions annually. Annual PCI Self- Assessment Questionnaire Network Scan Service Provider Scan Vendor 4 The annual transaction volume for the previous 12 months from the date that the organisation started their AIS project or registered with a QSA Page 5

Q7: Aside from establishing a global set of security requirements, are there other specific benefits to the PCI Data Security Standard? As part of Visa and MasterCard s alignment of security standards, merchants and service providers will be able to assess the status of their security by using a single validation process for all payment organisations. This will result in lower costs, reduced complexity and wider acceptance of standard security requirements for the industry. The alignment also allows merchants and service providers to select one vendor and implement a single process to comply with all payment card data security programmes. Q8: When does the PCI Data Security Standard come into effect? The new alignment of Visa and MasterCard s requirements, compliance criteria and validation processes will take effect immediately. Q9: When must Merchants and Payment Service Providers begin using the new Payment Card Industry (PCI) Data Security Standard materials? A: The Payment Card Industry Standards, Security Audit Procedures, Self Assessment Questionnaire and Security Scanning Requirements are effective immediately. However, for compliance validation assessments currently underway, the old AIS materials can be used. Q10: When does the new validation requirement for annual service provider onsite audits become effective? For service provider compliance validation annual renewals due before March 31 st 2005, the old validation actions of a network security scan and Selfassessment questionnaire only can be used, as long as the service provider has not been identified as being of high risk due to a previous hack or compromise. The service provider must however use the new PCI Security Standard Security Scan procedures and Self-Assessment questionnaire. For all annual service provider renewals due after 1 April 2005, and for all first time service provider assessments, an onsite audit is required. Q11: What happens to Visa s Account Information Security (AIS) and MasterCard s Site Data Protection (SDP) programmes? Visa s AIS and MasterCard s SDP programmes will continue to exist, but will adhere to the new PCI Data Security Standard. Q12: If a Merchant or Service Provider has already been approved through the AIS programme, do they need to revalidate using the PCI Data Security Standard? No, only at the time of their annual AIS compliance renewal. As AIS requires on going compliance validation, Members, merchants and service providers who have already been approved through the AIS programme, must consider Page 6

the new PCI Data Security Standard and the aligned compliance validation requirements as they prepare for their annual renewal. Q13: How does Account Information Security affect merchants? A: The Account Information Security (AIS) programme was developed to define protection requirements for the management of sensitive account and transaction Information in the Visa acceptance environment. The programme helps merchants protect their customers information from hacking and fraud. Merchants ultimately benefit by lowering their liability, building a compelling reputation for transaction safety, and eliminating the possibility of damaging negative publicity due to compromise. Q14: What risk is my business exposed to by not complying with the PCI Data Security Standard? The PCI Data Security Standard is designed to assist organisations in protecting Visa account and transaction Information. Failure to protect account and transaction Information may result in financial loss due to fraud or a decrease in business caused by lower consumer confidence. Additionally, Acquirers may choose to penalise merchants, which, following a data compromise, are found to be non-compliant with the PCI Standard. Visa can enforce the PCI Standard using financial penalties and may require that specific actions be taken to protect account and transaction Information. In extreme circumstances, Visa may choose to revoke the acceptance privilege of a merchant or service provider that is found to have caused, through negligent behaviour, unnecessary hardship to the Visa system. Q15: What should a merchant or service provider do if they suspect compromise? Merchants and service providers fearing card and transaction details may have been compromised must: Act immediately to contain and limit the exposure, to prevent the further loss of data, conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. To facilitate the investigation, whenever possible, Merchants should not access or alter compromised systems, but rather isolate compromised systems from the network. They should preserve all logs and electronic evidence of the compromise, and log all actions taken. Contact their Acquiring bank immediately, providing all necessary information, including all account numbers feared compromised, the time window of the possible compromise. Contact the local police/security agency if the compromise is believed to be of criminal nature Follow further instructions from the Acquiring bank Page 7

Q16: Is there a deadline for certification with AIS? The new compliance validation requirements for AIS require that merchants and service providers validate their compliance with the PCI Data Security Standard by. Q17: In what way am I responsible as an Acquirer? It is the Acquirer s duty as a Member of Visa to ensure that all their Merchants and agents are compliant. If a Merchant/agent is victim of a compromise, and it is confirmed that the compromise is due to non-implementation or partial implementation of the AIS Programme, the Acquirer will be deemed responsible by the Visa membership, and Visa EU may fine the Acquirer for AIS non-compliance, at a rate of 5 euros per compromised account (VISA EU Operating Regulations 2.5). Q18: Is AIS only for e-commerce merchants? No. AIS is for all Merchants. Under the AIS Programme, Acquirers are liable for compromise taking place at any of their Merchants and agents (VIOR 2.2.E.1). Q19: How do I as an Acquirer self-certify my compliance status? Acquirers and Processors can self-certify their compliance status annually by completing the AIS Self-Certification form and confirming whether they are compliant, partially compliant, or non-compliant. A compliant Acquirer is one that has validated that their merchants and agents are compliant in accordance with the AIS Compliance Validation Requirements for Merchants and Service Providers. All non-compliant and partially compliant Acquirers have to submit an action plan to Visa EU, which will review it for appropriateness and effectiveness and confirm acceptance. Q20: How do I as a service provider become certified with the AIS programme requirements? A service provider needs to contract with an independent vendor or QSA to perform their assessment. The results of service providers assessments will need to be sent to Visa, and to the Acquirer if they require it. If there are no non-compliances found, Visa will approve the service provider s scan, audit or Self-assessment questionnaire report and list the service provider as Certified on the Visa website. If some non-compliances are found, Visa will request that service provider addresses the non-compliances in an action plan that will be monitored until completion. Q21: How do I as a merchant become certified with the AIS programme requirements? Merchants must contact their Acquirer to determine the method and approach by which they will become certified. The Acquirer may suggest a vendor for Page 8

the merchant to contract with to provide AIS validation services. Acquirers will inform Visa of their merchants compliance status on the annual selfcertification statement. Q22: How long will the certification process take? This depends on whether a merchant or service provider requires an audit, or a questionnaire. It is recommended that the whole process takes no longer than 60 days from start to finish. If an organisation takes longer than 60 days to complete their assessment, it is possible that their current assessment will be cancelled and they may need to start again. Q23: Where can I find more information on Visa Europe s AIS programme? For more information on Visa Europe s AIS programme, go to www.visaeurope.com/acceptingvisa/ais or email: ais@visa.com. Page 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information