FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

MERCHANTS

Can Level 1 merchants currently use internal auditors to perform an onsite assessment?
Yes. However, after June 30, 2012, the MasterCard SDP Program mandate for PCI DSS compliance validation will require Level 1 merchants to successfully complete an annual onsite assessment conducted by a PCI SSC certified QSA or by an internal auditor who has attended and passed the PCI ISA training offered through the PCI SSC.

Will Level 2 merchants be permitted to continue to validate with a Self-Assessment Questionnaire indefinitely, provided they attend and pass the required PCI SSC ISA training?
Yes. Level 2 merchants will be permitted to continue to validate annually via a Self-Assessment Questionnaire (SAQ), provided that the merchant's internal auditors have attended and passed the PCI ISA training offered through the PCI SSC prior to June 30, 2012. After the June 30, 2012 effective date, the ISA must perform the assessment and complete the SAQ.

Does the merchant's staff simply need to be trained and certified by June 30, 2012? Or does the merchant also need to revalidate its SAQ or onsite assessment by June 30, 2012 using its certified ISA?
The deadline applies only to training and certification. Merchants should continue to validate compliance on an annual basis. There is no requirement to re-validate by June 30, 2012.

Rules language: Effective 30 June 2012, Level 2 merchants must ensure that staff engaged in the self-assessment attend the PCI SSC ISA Program and pass the associated accreditation examination annually to continue the option of self-assessment for compliance validation.

If a merchant has a corporate structure that involves franchisees or subsidiaries, does the merchant need to send individuals from each franchisee or subsidiary to PCI SSC training, or can one corporate individual be PCI SSC trained and certified?
The rule is intended to provide flexibility for merchants. If there is one corporate employee who is accountable for, and has appropriate oversight of, the applicable franchisees or subsidiaries, then that individual could perform assessments on behalf of the corporation.

Where can we find more information on the ISA Program?
Please visit https://www.pcisecuritystandards.org/training/isa_training.php for more information and registration details.

How does MasterCard define an ISA?
An ISA is a merchant employee who has attended the PCI SSC ISA Program training and passed any associated accreditation on an annual basis.

How does the ISA training requirement affect Level 3 merchants?
Level 3 merchant requirements remain unchanged. The initial PCI compliance validation date for Level 3 merchants was June 2005.

MasterCard Worldwide

How does MasterCard define a QSA?
A Qualified Security Assessor (QSA) is a firm with employees individually qualified as PCI Security Standards Council (SSC) QSAs. The firm must be listed at https://www.pcisecuritystandards.org/approved_companies_providers/index.php.

When does the new MasterCard PA-DSS mandate go into effect?
The Payment Application Data Security Standard (PA-DSS) Program mandate is effective July 1, 2012. PA-DSS requires vendors of third-party payment applications to ensure that proper security controls are in place to safeguard cardholder data. Many of the controls within PA-DSS are designed specifically to address common vulnerabilities identified as main causes of credit card data loss. The MasterCard PA-DSS mandate will help continue to drive global adoption of and compliance with the PCI DSS for all stakeholders within the payment channels.

Effective 1 July 2012, MasterCard requires all merchants and Service Providers that use third party-provided payment applications to use only those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable. The applicability of the PCI PA-DSS to third party-provided payment applications is defined in the PCI PA-DSS Program Guide found at www.pcisecuritystandards.org.

If a merchant has outsourced all of its cardholder data processes and is currently using SAQ A to attest that it is not storing, processing or transmitting data because it is using a PCI certified Third Party Processor (TPP), can it use SAQ A?
Because the merchant is attesting that it does not handle cardholder data, and the TPP it is using requires an onsite assessment by a QSA for validation, the merchant can use SAQ A to validate compliance. Please note that this does not apply to face-to-face merchants.

MasterCard's position on corporate cards and PCI compliance
According to MasterCard rules concerning corporate cards, there is no obligation for the corporate card client to provide validation that corporate card data is protected in accordance with PCI DSS. The corporate card client is not obligated to secure this data, as it is the client's own cardholder data and its own risk to assume and manage. As a result, while MasterCard does not require corporate card entities to validate PCI DSS compliance for its commercial cards, it highly recommends taking appropriate steps to secure those account numbers. Corporate cards are in scope of PCI for acceptance; that is, a merchant who accepts credit, debit or corporate cards must have all of those transactions within scope of PCI DSS. Entities should consider adequately segmenting their own commercial card data from other consumer or merchant data in order to reduce the risk of compromise and the scope of PCI DSS compliance efforts.

Single-use virtual card numbers (corporate cards)
Single-use virtual cards do not require PCI DSS to be applied, because these cards are inactive/disabled after use; the PANs therefore no longer pose a fraud risk to the payment system. Virtual card numbers that are MasterCard corporate cards place no obligation on the corporate card client to provide validation that corporate card data is protected in accordance with PCI DSS. The corporate card client is not obligated to secure this data, as it is the client's own cardholder data and its own risk to assume and manage. As a result, MasterCard does not require corporate card entities to validate PCI DSS compliance for its commercial cards, but highly recommends taking appropriate steps to secure those account numbers. Non-commercial virtual card numbers or remote transaction accounts that can be utilized for multiple transactions must be handled in accordance with the full PCI DSS requirements.

ACQUIRERS

What is "Initiated"?
"Initiated" means that a merchant has started implementing the PCI DSS and has reported initial steps to its acquirer. The first step for a merchant is usually implementing PCI DSS requirement 11.2 by completing a quarterly scan with an Approved Scanning Vendor (ASV) and addressing any issues identified during the scan. Customers reporting via the Prioritized Approach worksheet can report validation of the requirements met within each milestone; this type of reporting is also considered an initiated step for non-compliant merchants. After initiating, the merchant must continue to demonstrate progress toward full PCI DSS compliance. Activities such as reading the standard, sending an RFP to potential vendors, and creating a project plan are not considered "initiated", as the goal is to mitigate risks to cardholder data as soon as possible.

If a merchant validates PCI compliance annually in the middle of the year, will the effective date be based on the calendar year, or one year from the date of merchant notification?
The compliance renewal date is one year from the date the merchant validates PCI compliance with its acquirer. However, the merchant should confirm with its individual acquirers to determine its exact validation dates.

If a merchant transitions or is reclassified from one merchant level to another (for example, from Level 4 to Level 3) due to a transaction volume increase, how long does the merchant have to validate compliance?
The acquirer must ensure that each merchant that transitions from one PCI level to another achieves and validates PCI compliance as soon as practical, but not later than one year after the date of the event that results in the merchant reclassification.

How long does a newly acquired merchant affected by the SDP mandate have to validate PCI compliance?
Any newly boarded Level 1, 2 or 3 merchant should have already met the initial PCI compliance validation dates. As MasterCard's Prioritized Approach reporting is required for all non-compliant merchants, a merchant that is non-compliant upon boarding is required to provide current compliance progress and status via the Prioritized Approach. At the next quarterly SDP report submission, the merchant's non-compliance status should be reported via the Prioritized Approach reporting fields. The Prioritized Approach helps acquirers and MasterCard determine the level of PCI DSS compliance activity completed by the merchant and helps measure the level of risk associated with non-compliance.

What does MasterCard require from the acquirer as validation?
PCI compliance information is reported to MasterCard on a quarterly basis using the Acquirer Submission and Compliance Status Form. Please visit www.mastercard.com/sdp to download the Acquirer Submission and Compliance Status Form. Please note: MasterCard does not receive PCI validation documentation directly from merchants.

Does the Prioritized Approach replace the PCI DSS?
No. All businesses that touch payment card data are required to achieve and maintain compliance with the PCI DSS. The Prioritized Approach does not replace the standard.

Why is MasterCard requesting acquirers to report on merchant compliance using the Prioritized Approach?
The Prioritized Approach helps acquirers and MasterCard determine the level of PCI DSS compliance activity completed by the merchant and helps measure the level of risk associated with non-compliance.

As an acquirer, how will I communicate progress against the Prioritized Approach to MasterCard?
Acquirers can use the information provided in the Prioritized Approach tool. This tool allows merchants and service providers to measure and track their progress; acquirers use that information to populate the SDP Acquirer Submission and Compliance Status Form.

Is the Prioritized Approach a fast track to PCI compliance?
No. The Prioritized Approach will help organizations understand where they can act first on their compliance journey to have the most immediate impact on card data security. All requirements of the PCI DSS must be met and maintained in order to achieve compliance.

What entities do the six new Prioritized Approach reporting data fields in the MasterCard Acquirer Submission and Compliance Status Form pertain to?
These six new fields apply only to those merchants completing SAQ D or those merchants required to have onsite assessments. Entities that are reported as PCI compliant do not have to complete the Prioritized Approach fields.

How do acquiring banks fill out the PA-DSS compliance fields?
When completing the PA-DSS fields on the SDP Acquirer Submission and Compliance Status Form, use the drop-down menu to select from the following response options as to whether the merchant uses third party-provided payment applications that are PA-DSS compliant.

Response              Description
Yes                   The merchant has validated that it is using an applicable payment application listed on the PCI SSC Web site.
No                    The merchant is using a commercially available payment application not listed as PA-DSS compliant on the PCI SSC Web site.
Not Applicable (N/A)  The merchant is not using an applicable payment application. For example, the merchant is using a dumb terminal or custom application in conjunction with appropriate PCI DSS controls to protect cardholder data stored, processed, or transmitted by the terminal, payment application, or both.

Acquirers must complete the form in its entirety and submit it via e-mail message to sdp@mastercard.com.

SERVICE PROVIDERS

What does MasterCard require from the acquirer as validation for its Service Providers?
This depends on what category of Service Provider they fall under with MasterCard. Note that MasterCard requires all newly identified Service Providers to first register as an MSP (Member Service Provider) with the MSP registration team at MasterCard. The MSP team can be contacted via member_service_provider@mastercard.com. Please note that one or more member banks can enter a service provider into the system. If a Service Provider has a direct relationship with one or more of our member banks, the Service Provider should contact each one for separate registration. If the Service Provider does not have a direct relationship with one or more of our members, it would need to obtain sponsorship from its customer's bank to get set up (the customer may be either a merchant or another processor, such as a Third Party Processor, many of which have direct relationships with our banks).

Once a Service Provider is registered with MasterCard, it is required to validate PCI compliance. All TPPs (regardless of volume) and DSEs with more than 300,000 transactions annually are required to successfully complete an onsite assessment and quarterly network scans. Validation in the form of the Attestation of Compliance (or Certificate of Validation) is submitted only once annually to satisfy the SDP requirement. The AOC for onsite assessments must be completed by the QSA and should be submitted by the QSA to MasterCard at PCIReports@mastercard.com.

For those DSEs performing fewer than 300,000 transactions annually, MasterCard accepts the AOC for Self-Assessment Questionnaire D Service Provider Version 1.2 together with the most recent clean scan report.

How can a Service Provider be listed on the Compliant Service Provider List on the SDP website?
MasterCard lists only those Service Providers that have successfully completed an annual onsite assessment performed by a QSA and provided validation to MasterCard.

Where can a Service Provider find the latest version of the Service Provider PCI Action Plan?
Please go to www.mastercard.com/sdp or email sdp@mastercard.com to request the latest version.

Where can I find the Attestation of Compliance (AOC) form?
Please visit www.pcisecuritystandards.org to find the current AOC forms.