Security Compliance


Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and service providers that store, process, or transmit cardholder data. No matter how you process payments, it is your responsibility to fulfill these requirements.
  • Understand your security obligations
  • Learn how to validate your compliance
  • Get answers to your questions


PCI DSS Requirements

Identity theft and data security have become worldwide concerns for both consumers and businesses. To protect cardholder data, the security programs of the card brands, including Visa, MasterCard, American Express and Discover Network, have been aligned under a single industry standard, referred to as the PCI DSS.

It is the merchant’s obligation to be aware of the following rules and to remain in compliance:

Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  • Protect stored data.
  • Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
  • Use and regularly update antivirus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  • Restrict access to data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy
  • Maintain a policy that addresses information security.

Validation requirements vary by business and depend on your merchant level. Some of the requirements above may not apply to every processing environment.


Compliance Validation

How you must validate compliance with PCI DSS depends on your transaction volume and on the risk and exposure your processing introduces into the payment system. BB&T may require proof of compliance from a merchant at its discretion.

To validate compliance, merchants must take the following steps:

  • Undergo an on-site audit and assessment by a Qualified Security Assessor (QSA), where required for your merchant level.
  • Complete the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) annually.
  • Engage an Approved Scanning Vendor (ASV) to perform the required external network/perimeter scans, if applicable.

Network Scans
Network security scans are automated, nonintrusive scans of your Internet-facing systems performed by an Approved Scanning Vendor (ASV). The scans evaluate your Web perimeter for known vulnerabilities. A current list of ASVs is published by the PCI Security Standards Council.


FAQ

PCI DSS is a set of policies and procedures that help every entity that processes, transmits or stores card data protect that information. Please review the following information to better understand your obligations.

The PCI DSS is a set of policies and procedures that help every entity that processes, transmits and/or stores card data protect that information. PCI DSS aligns the card brands' security programs, such as the Visa Cardholder Information Security Program (CISP), MasterCard Site Data Protection (SDP) and Discover Information Security and Compliance (DISC) programs.

The PCI DSS is maintained by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. It is a mandatory program developed to ensure the protection, safety and security of cardholder data.

Merchants are responsible for the security of cardholder data and must not store certain types of data, either on their own systems or on the systems of their third-party service providers. Merchants are also responsible for any damages or liability that result from a data security breach or from noncompliance with the PCI DSS.


  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

All merchants, no matter how they process credit card transactions, are required to be in compliance with the PCI DSS. Compliance requirements vary based on the following levels:

Level 1
  • Criteria: any merchant processing more than 6 million card brand transactions a year, or any merchant that has lost data due to a security breach, compromise or hack
  • Onsite review: required annually
  • Self-assessment: not required
  • Network security scan: required quarterly

Level 2*
  • Criteria: any merchant processing between 1 million and 6 million card transactions a year
  • Onsite review: not required
  • Self-assessment: required annually
  • Network security scan: required quarterly

Level 3*
  • Criteria: any e-commerce merchant processing between 20,000 and 1 million card brand transactions a year
  • Onsite review: not required
  • Self-assessment: required annually
  • Network security scan: required quarterly

Level 4
  • Criteria: any merchant not in level 1, 2 or 3
  • Onsite review: not required
  • Self-assessment: may be required annually
  • Network security scan: may be required quarterly

*E-commerce here includes the use of any type of Internet Protocol (IP) connectivity (broadband, DSL or frame relay). Even if you do not offer Web-based transactions, other services make your systems Internet-accessible: basic functions such as email and employee Internet access make a company's network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if they are not properly controlled.

The POS environment is one in which a transaction takes place at a merchant location (for example, a retail store, restaurant, hotel property, gas station or supermarket). An IP-based POS environment is one in which transactions are stored, processed or transmitted on IP-based systems, that is, systems communicating via the Internet Protocol Suite.


The number of transactions is determined from the gross number of Visa, MasterCard and Discover Network transactions processed by a merchant outlet or a chain of stores. Where a corporation owns several chains, each chain qualifies independently.


Your compliance requirements can change over time: as your transaction volume changes, and as card association rules (Visa, MasterCard and Discover, for example) change, the requirements that apply to you may change with them. It is your responsibility to be aware of the data security requirements that currently apply to you.


Cardholder data is personally identifiable data associated with a cardholder, such as an account number, expiration date, name, address or Social Security number. The account number is the critical component: PCI DSS applies whenever account numbers are stored, processed or transmitted, even if no other data is. All other personally identifiable information about the cardholder that is stored, processed or transmitted along with it is also treated as cardholder data.


It is never acceptable for acquirers, merchants or service providers to retain full magnetic stripe data after authorization, and the same applies to the card verification value or code (CVV2/CVC2). The Visa, MasterCard and Discover Network operating regulations prohibit storage of the contents of the magnetic stripe. The CVV2/CVC2 is a three-digit code printed on the back of a card, inside the signature panel area; it is not encoded on the stripe, and requesting it helps merchants confirm that the card is in the cardholder's possession, especially in card-not-present transactions.
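To make the "protect stored data" and "never retain track data or CVV2" rules checkable, here is an added example (not code from BB&T, Trustwave or the PCI Security Standards Council) that scans a text excerpt, such as an application log or a database dump, for the items described above: full track 1 and track 2 magnetic-stripe data and labelled CVV2/CVC2 values, which may never be retained, and Luhn-valid account numbers, which must be protected wherever they are kept. The log lines are constructed for the example and use published test card numbers; the regular expressions, the field labels and the "first six, last four" masking are assumptions of the example, not BB&T guidance.

```python
import re

# Added example: scan text for card data that PCI DSS forbids storing after
# authorization (full magnetic-stripe track data, CVV2/CVC2) and for bare
# primary account numbers (PANs) that must be protected wherever they are kept.
# Not BB&T, Trustwave or PCI SSC code; the patterns below are assumptions.

# Track 1 as encoded on the stripe: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<exp>\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}[^?]*\?")
# A labelled verification code (CVV2 / CVC2 / CID) next to a 3- or 4-digit value.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# A bare run of 13 to 19 digits with no digit on either side; confirmed by Luhn.
PAN_RE = re.compile(r"(?<!\d)(?P<pan>\d{13,19})(?!\d)")

NEVER_STORE = {"track1", "track2", "cvv2"}

# Constructed sample log. The card numbers are published test PANs, not real
# accounts; the last line carries a number that fails the Luhn check.
SAMPLE_LOG = """\
2009-03-01 12:00:01 INFO  order=1001 status=approved auth=123456
2009-03-01 12:00:02 DEBUG swipe=%B4111111111111111^DOE/JOHN^2512101000000000?
2009-03-01 12:00:03 DEBUG track2=;5500000000000004=25121010000000000000?
2009-03-01 12:00:04 INFO  order=1002 pan=4012888888881881 cvv2=123 status=approved
2009-03-01 12:00:05 INFO  order=1003 ref=4111111111111112 status=approved
"""


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by the card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return one finding per item, in line order, with the PAN already masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rest = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "pan": mask_pan(m.group("pan")),
                                 "expiry": m.group("exp")})
            rest = rx.sub(" ", rest)         # do not report the track's PAN twice
        if CVV_RE.search(rest):
            findings.append({"line": lineno, "kind": "cvv2", "pan": None, "expiry": None})
        for m in PAN_RE.finditer(rest):
            if luhn_ok(m.group("pan")):      # skips order numbers and other digit runs
                findings.append({"line": lineno, "kind": "pan",
                                 "pan": mask_pan(m.group("pan")), "expiry": None})
    return findings


def triage(findings: list) -> tuple:
    """Split findings into data that may never be stored and PANs that must be protected."""
    forbidden = [f for f in findings if f["kind"] in NEVER_STORE]
    protect = [f for f in findings if f["kind"] == "pan"]
    return forbidden, protect


if __name__ == "__main__":
    forbidden, protect = triage(scan_text(SAMPLE_LOG))
    for f in forbidden:
        print(f"line {f['line']}: {f['kind']} data present ({f['pan']}) - must be purged")
    for f in protect:
        print(f"line {f['line']}: PAN {f['pan']} stored in clear - must be protected")
```

Run against the constructed log, the script reports the swipe and track 2 lines and the CVV2 value as data that must be purged, and the bare account number on the fourth line as a PAN that must be encrypted or truncated; the digit run on the last line is ignored because it fails the Luhn check. The findings carry only masked PANs so that the scanner's own output does not become another copy of cardholder data.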


The penalties and fines for failing to comply with the requirements, or for failing to rectify a security issue, are severe. Fines range from $10,000 to $500,000 per incident depending on the severity of the situation and the magnitude of the compromise. In addition, should a security breach occur in your environment, you will be liable for the cost of any required forensic investigations, any fraudulent purchases and the cost of reissuing cards, and you may lose your credit card acceptance privileges.


A network security scan uses an automated tool to check a merchant's or service provider's systems for vulnerabilities. The tool performs a nonintrusive scan that remotely reviews networks and Web applications, starting from the external-facing IP addresses provided by the merchant or service provider.

The scan identifies vulnerabilities in operating systems, services and devices that attackers could use to target the company's network, whether private or public (for example, the Internet). The tool is operated by the approved scanning vendor and does not require the merchant or service provider to install any software on their systems. No denial-of-service attacks are performed.


There is a cost to using a QSA or ASV to validate compliance. The specific cost varies with your level, the number of IP addresses to be scanned, the frequency of the scans and the vendor you choose. To make this process as cost-effective as possible, BB&T has negotiated preferred pricing with Trustwave, an industry-leading QSA. Contact Trustwave by calling (800) 363-1621 or visit Trustwave online to register and complete the assessment questionnaire.


You must use an assessor approved by the PCI Security Standards Council: a Qualified Security Assessor (QSA) for on-site assessments and an Approved Scanning Vendor (ASV) for network scans.


A list of approved QSAs and ASVs is published on the PCI Security Standards Council website.


You may choose any approved QSA, but you will be required to provide BB&T with a copy of the compliance certificate issued by the QSA and/or a copy of your remediation plan or status. Submit this information to:

BB&T Merchant Services
Attn: PCI Data Security Manager
2713 Forest Hills Rd
Wilson, NC 27893


Any third-party software provider or Internet payment gateway that processes, transmits or stores cardholder data on your behalf must itself be compliant. Check with your provider to confirm its compliance status; some companies are doing business out of compliance. If you use a provider that is not compliant, discontinue use of that provider and notify BB&T Merchant Services of the provider.



In the event of a security incident, immediately contact BB&T Merchant Services at 1-877-672-4228. For step-by-step guidelines on handling a security incident, review Visa's What To Do If Compromised guide.


For help, please contact BB&T Merchant Services at 1-877-672-4228 and request to speak with the PCI Data Security Manager.




Resources

Understand security requirements and your compliance obligations:
» Security Compliance

Learn how to identify fraud, reduce charge-backs and ensure compliance:
» Merchant Services Reference Kit [3.48 MB PDF]

Contact Us

Speak to a Merchant Consultant: 1-866-238-2420

Register for Merchant Connection online access: 1-877-672-4228


Copyright © 2009, Branch Banking and Trust Company. All Rights Reserved.
Branch Banking and Trust Company is a Member FDIC.
BB&T Credit Cards and Merchant Services are issued by BB&T Financial, FSB, a subsidiary of BB&T Corporation, Member FDIC.
BB&T Merchant Services are subject to business type and credit approval and are offered by BB&T Financial, FSB, a subsidiary of BB&T Corporation. Member FDIC.