Appendix 2

PCI DSS
Payment Card Industry Data Security Standard
Merchant compliance guidelines for level 4 merchants

CONTENTS
1. What is PCI DSS?
2. Why become compliant?
3. What are the requirements?
4. What do we have to do?
5. How do we achieve compliance?
6. Are there any fines for not being compliant?
6.1 Non-compliance with PCI DSS
6.2 Fine schedule for data compromises
1. WHAT IS PCI DSS?

Security of personal data is a growing concern, and press coverage of the subject is increasing. Criminals are always looking for ways to obtain this type of information from different sources, and one point of compromise that fraudsters have identified is the card data collected when a merchant accepts a card payment.

The Payment Card Industry Data Security Standard (PCI DSS) is a globally mandated standard introduced by Visa, MasterCard, Amex, JCB, Diners Club and Discover (hereinafter referred to as "the card schemes") to bring a greater level of security to this type of data. PCI DSS covers areas such as:

- security management
- security policies
- procedures
- system and network architecture
- software design

This comprehensive standard is intended to help organisations proactively protect customer account data. PCI DSS is not completely new: it is based on existing ISO standards and industry best practice, and it takes a commonsense approach to security. It should not be viewed purely as a card requirement but as a general way of doing business. A good maxim to follow is "treat card data as you would cash". This includes:

- store card data securely
- limit access to the data, from both internal and external sources
- update and maintain any security you have in place on a regular basis
- have a policy on the security process in place which you can share with your employees

PCI DSS has been adopted by all the main card schemes as the industry standard. However, the individual card schemes also run their own compliance programmes under their own names:

- MasterCard Site Data Protection (SDP)
- Visa Account Information Security (AIS)

You may see both terms referred to in documents from these card schemes. The underlying standard is the same, but the schemes differ in how they implement it (for example, in how merchant levels are defined; see Section 4).
2. WHY BECOME COMPLIANT?

The aim of PCI DSS is to provide a global standard which all merchants have to meet in order to protect cardholder information. Without such a standard in place, card data compromises will continue to increase, resulting in:

- decreased customer confidence in using cards for purchases
- an increased level of fraud in the card market
- increased costs for all involved in accepting cards
- substantial fines and costs applied by the card schemes if a security breach occurs (see Section 6)

The reputational risk of a security breach could have massive consequences for the profitability and image of any merchant. Cardholders are becoming increasingly aware of security issues, and a lack of confidence in the security of their information could stop them using a particular merchant completely, or at least reduce their use of cards to make purchases with that merchant. Becoming compliant, and maintaining that compliance, protects against both significant financial and reputational loss.

3. WHAT ARE THE REQUIREMENTS?

The 12 key requirements are:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Behind these high-level requirements sit the more detailed sub-requirements and questions against which compliance is assessed. The requirements cover all card acceptance channels, so some of the items above may not be relevant to the channels we actually use.
4. WHAT DO WE HAVE TO DO?

All merchants are required to be compliant with PCI DSS. However, only merchants that fall into certain levels, as defined by the card schemes, need to verify that compliance through an independent third party. The level you fall into is determined by:

- how many card transactions you accept per annum, per card scheme
- which channel you use to accept those transactions

Based upon existing transaction levels, we have been categorised as a level 4 merchant. Essentially:

- we must register with a Qualified Security Assessor (QSA) to ensure compliance with the PCI DSS requirements;
- compliance is subject to renewal on an annual basis;
- PCI DSS will evolve and continue to change as fraudsters identify new ways to compromise data;
- if we provide any third party or Payment Service Provider (PSP) with our accepted card transaction information, these companies will need to be compliant with PCI DSS before we can complete our own compliance. Our compliance status would be considered void by the card schemes should a data compromise occur within the business and our PSP be found to be non-compliant. We would therefore be at risk of significant fines as a result of non-compliance (see Section 6).

Much more information on PCI DSS is available on the PCI Security Standards Council (PCI SSC) website: https://www.pcisecuritystandards.org

5. HOW DO WE ACHIEVE COMPLIANCE?

SecurityMetrics

We have entered into a contractual agreement with SecurityMetrics. HSBC Merchant Services has negotiated discounted packages for its customers with SecurityMetrics, who are an accredited QSA.
6. ARE THERE ANY FINES FOR NOT BEING COMPLIANT?

6.1 Non-Compliance with PCI DSS

There are no fines in place at this time for non-compliance alone (for level 4 merchants). However, the costs that follow a data security breach can be very high, and both those costs and the risk of a breach occurring are reduced considerably if a merchant is fully compliant.

6.2 Fine Schedule for Data Compromises

In the event of a data compromise, MasterCard and Visa rules require that an independent forensic investigation takes place. This can potentially cost thousands of pounds, with no upper limit. Following the results of this investigation, the card schemes may levy the following schedule of fines:

6.2.1 MasterCard

US$25 for every card that needs to be reissued and US$5 for each potentially compromised card being monitored, plus an additional fine of up to US$100,000 per incident and up to a further US$100,000 for storage of CVC2.

6.2.2 Visa

The fine is based on the number of card details that have been breached. If it is determined during the forensic investigation that the compromised entity was storing sensitive authentication data at the time of the compromise and that no remedial action plan was in place, an immediate fine of 50,000 euro will be applied, followed by 200,000 euro per 30 calendar days from initial notification until Visa Europe receives confirmation that sensitive authentication data is no longer stored, or a risk mitigation plan has been received and agreed by Visa Europe. In addition, the merchant would be liable for all card issuer reissue costs and related fraud losses, which are potentially unlimited.

Number of accounts     Fine (euro)
0 - 19,999             25,000
20,000 - 99,999        100,000
100,000 - 199,999      200,000
200,000 - 299,999      300,000
300,000 - 399,999      400,000
400,000 - 499,999      500,000
over 500,000           750,000