At Spectrum Merchant Services, we value our clients' business and are dedicated to providing the highest level of service possible. As part of our service, we constantly monitor the payments industry to ensure our customers are operating within Visa and MasterCard regulations.

The major card issuing companies (Visa, MasterCard, Discover Card, JCB and American Express) have introduced new regulations regarding how businesses handle cardholder data. Specifically, these new regulations require all businesses to have proper controls in place in order to minimize the potential for compromise of cardholder data. This new standard is called PCI DSS Compliance and applies to all businesses within the United States that accept credit cards as a form of payment.

With the introduction of the PCI DSS regulation and the many different methods and systems used by merchants to accept credit cards, many merchants require guidance in determining what to do to become compliant. Since PCI DSS compliance is a new requirement, we are proactively reaching our customer base with information, education and, most importantly, a solution for PCI DSS Compliance.

Spectrum Merchant Services has partnered with 403 Labs, a Visa/MasterCard third-party assessment firm, to assist our customers in making the compliance process as smooth and cost-effective as possible.

Most of our clients can become compliant simply by filling out our online Self-Assessment Questionnaire. Please review the PCI Compliance Overview below for details regarding PCI Compliance. Included in the overview is the step-by-step process you will follow to complete the compliance process.

Be assured both Spectrum Merchant Services and 403 Labs are available to assist you and answer any questions you may have along the way.

PCI Compliance Overview

The PCI Security Standards Council has introduced the Payment Card Industry Data Security Standard (PCI DSS) due to the steady increase in stolen cardholder account data. In 2005, nearly 6,000 new vulnerabilities were discovered; that averages over 16 new vulnerabilities every day. Visa, MasterCard, American Express, Discover and JCB International continually monitor cases of account data compromise. These compromises cover the full spectrum of organizations, from very small to very large merchants. These card companies established the PCI Security Standards Council for the purpose of setting rules, requirements and processes that reduce the number of cardholder data compromises.

The PCI standard mandates that all merchants, banks, point-of-sale providers, software companies and service providers implement the standard to ensure cardholder data is protected at all times. Today, there are several ways in which cardholder data can be compromised. Successful attacks often rely on weaknesses like these:

• Storage of prohibited data or card numbers in clear text
• Systems exposed directly to the Internet without a firewall
• Weak passwords or access controls for remote access
• Lack of security patches or anti-virus software
• Improper handling of paper documents containing cardholder data

Merchants must recognize that the compromise of sensitive cardholder data occurs regardless of the size of the business or the complexity of its internal computer networks. In fact, industry trends show that the highest occurrence of compromise is in businesses that process fewer than 1,000,000 transactions per year. Any merchant who experiences a compromise incurs significant expense in the form of:

• Possible Chargeback Reimbursement
• Chargeback fines
• Costs to replace actual Cardholder Credit cards
• Fines imposed by Visa and MasterCard for Non-PCI Compliance
• Possibility of Termination
• Potential Cost for Visa/MasterCard mandated Forensic Audit
• Potential Loss of Business due to total costs associated with Compromise
• Possible Litigation initiated by Cardholders
• Negative Media Exposure affecting future business


PCI Levels and Requirements

Given the wide array of merchant types, credit card transaction volumes and internal computing network complexities, the PCI Security Standards Council has established the following risk-prioritized merchant validation categories and requirements based on annual volume.

| LEVEL | MERCHANT CRITERIA | SELF ASSESSMENT QUESTIONNAIRE | NETWORK SECURITY SCAN | ON SITE AUDIT |
|---|---|---|---|---|
| 1 | All merchants including Retail and E-Commerce who process more than 6,000,000 transactions per year. Any merchant who has experienced a compromise/breach is considered Level 1 and is required to satisfy all requirements. | REQUIRED | REQUIRED | REQUIRED |
| 2 | All merchants including Retail and E-Commerce who process more than 1,000,000 transactions per year but less than 6,000,000 per year | REQUIRED | REQUIRED | NOT REQUIRED |
| 3 | All E-Commerce merchants who process more than 20,000 transactions per year but less than 1,000,000 per year | REQUIRED | REQUIRED | NOT REQUIRED |
| 4 | All other merchants who do not fall within Levels 1-3 based on volume | REQUIRED | REQUIRED if using POS systems with an IP connection, or using software residing on a computer network connected to the Internet. NOT REQUIRED if the merchant uses a stand-alone POS system, does not store cardholder data and does not have an Internet connection. | NOT REQUIRED |

*** SMS expects 90% of our merchant base to fall in the Level 4 category with NO scan required ***



Frequently Asked Questions


Who has created the PCI Rules?

The PCI standards have been established by the five main card issuers: Visa, MasterCard, American Express, Discover Card and JCB International. In order to establish a common standard, all five companies joined together to form the PCI Security Standards Council, which sets the rules and regulates the requirements for all merchants, banks and service providers involved in payment processing.


How much will I be charged for this requirement and how am I billed?

Self Assessment Questionnaire Only: No Charge
Monthly or Quarterly Scanning: $15.00 Per Month
On Site Audit: TBD by 403 Labs based on Work Involved


What if I am considered Level 4 based on my transaction volume, but my credit card equipment is not connected to a network at all and/or I do not have Internet access at all?

For those merchants who do not require a network scan because they have no payment applications connected to any network with public access, a Self Assessment Questionnaire is the only requirement. However, should a merchant's POS systems or infrastructure change, the merchant is required to go through a new Compliance process to avoid the fines and costs associated with a compromise due to Non-Compliance.


What exactly do I get for Compliance?

Assurance that your business is protected against compromise. Because a breach or compromise can produce significant expense, loss of reputation and potential litigation from cardholders, the benefit of Compliance far outweighs the potential losses involved. Further, the scanning of your internal computing network will provide recommendations on how to resolve any areas of your network that may be exposed to potential compromise. This will include newly identified ways in which hackers can penetrate networks.


Does 403 Labs provide a certificate for my business to post on our website indicating we are compliant?

Yes. Once you have registered via the Vulnerability Management Portal and become compliant, 403 Labs provides you with their Security Seal, which can be updated automatically with a "click to verify" option.


What if I choose not to participate in this requirement?

If you choose not to participate, as required by Visa and MasterCard, we will require you to provide us with a letter to this effect. This means that you will be liable for any and all costs in the event of a compromise.


How can I learn more and verify the information provided in this letter?

MASTERCARD: www.mastercard.com/us/merchant/security/datasecurityrules/index.html
VISA: http://usa.visa.com/merchants/risk_management/...
PCI SECURITY COUNCIL: www.pcisecuritystandards.org


What do I do in the event I am compromised?

In the event of a compromise, you must contact the Spectrum Merchant Services Risk Management Department immediately. In order to determine how the compromise took place, it is important to keep everything in the same state as when the compromise occurred.


What if I am not considered Compliant upon completion of the questionnaire and/or scan?

403 Labs and Spectrum are here to assist all our clients towards Compliance. Therefore, we will provide you, through the web portal, with the necessary steps required to reach Compliance.


Do I have to re-register for Compliance, and if so, how often?

Yes. The PCI Standard requires all merchants to re-register on an annual basis.


Why aren’t all processors requiring this Compliance?

Visa and MasterCard have mandated that all Processors and Service Providers implement PCI Compliance across their merchant base. Although other processors and service providers may not have announced their programs to date, they will shortly. Again, Visa and MasterCard require full Compliance, and those Processors and Service Providers that do not comply within the specified timeframes are subject to significant fines and penalties for Non-Compliance.



Compliance Process

  1. Log into https://scanner.403labs.com/partners/spectrum
  2. Choose the PCI DSS Compliance link
  3. Fill in your merchant information
  4. You will be asked general questions about how you accept and handle cardholder data. This will direct you to the appropriate questionnaire that needs to be filled out.
  5. You will then complete the questionnaire
  6. If you qualify as a merchant who requires a network scan, you will be asked to provide all of your public IP addresses. This will allow 403 Labs to implement the quarterly scanning process.
  7. At any time, if you require support, please contact the toll-free number posted on the site. Upon completion of the process, Spectrum Merchant Services will be notified of your completion of the process.
  8. Spectrum Merchant Services will provide the processor with evidence of Compliance, which will ensure you are not billed directly by the processor for Compliance fees.
  9. Spectrum Merchant Services will initiate the appropriate billing for the Compliance services as agreed.
  10. If you qualify as a scanning merchant, you will receive notification prior to each scan being performed. Upon completion of the scan, you will access your profile online for status.
  11. The online reporting will advise you of those aspects of your network that require attention. If there are critical weaknesses in your network, you will be required to implement the appropriate patches to resolve the concern. You will then contact 403 Labs to request another scan to verify that the issues have been resolved.
  12. For those merchants who only require a Self Assessment Questionnaire, you will receive a friendly reminder annually to re-certify.


©2001-2008 Spectrum Merchant Services. All rights reserved.
Spectrum Merchant Services is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA
and of BancorpSouth Bank, Tupelo, MS.
American Express requires separate approval.