The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security in order to reduce credit card data theft and fraud. It applies to all merchants that take credit and debit cards, regardless of size or transaction volume, as well as any business involved in the storage, processing, or transmission of cardholder data. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council (American Express®, Discover Financial Services®, JCB International, MasterCard Worldwide® and Visa Incorporated®) to help facilitate the global adoption of consistent data security measures. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other measures to proactively protect customer account data. PCI DSS compliance does not guarantee that a security breach will never occur, but it does greatly minimize the chance of a successful breach. If your business is validated as compliant at the time of a breach, the payment networks may give you safe harbor from fines.
The full PCI DSS is managed by the PCI Security Standards Council and can be downloaded from the Council's website.
The card brands each have their own programs that help businesses enforce compliance with the PCI DSS. The PCI Security Standards Council was founded in 2006 to oversee the standard itself, but each card brand issues fines, fees and schedule deadlines through their own enforcement programs.
All merchants, no matter how they process credit card transactions, are required to be in compliance with the PCI DSS. Compliance requirements vary based on the following levels:
Level 1: Any merchant processing in excess of six million card brand transactions a year, and any merchant that has lost data due to a security breach, compromise or hack
Level 2: Any merchant processing between one and six million card transactions a year
Level 3: Any e-commerce* merchant processing between 20,000 and one million card brand transactions a year
Level 4: Any merchant not in level 1, 2 or 3
Network Security Scan: depending on your level, validation may be required annually or quarterly.
*E-commerce includes the use of any type of Internet Protocol (IP) connectivity (broadband, DSL or frame relay). Even if you do not offer Web-based transactions, other services make your systems Internet accessible: basic functions such as email and employee Internet access result in a company's network being reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.
In order to become compliant, you may be required to upgrade your equipment or software to a PA-DSS validated version. You may also need to address vulnerabilities within your networks. You will need to contact your equipment and/or software vendors to discuss the options available and the costs associated with an upgrade. The costs associated with any equipment and/or software upgrade are the merchant's responsibility and are not covered by BB&T.
The POS environment is one in which a transaction takes place at a merchant location (for example, a retail store, restaurant, hotel property, gas station or supermarket). An IP-based POS environment is one in which transactions are stored, processed or transmitted on IP-based systems, or systems communicating via Internet Protocol Suite.
The number of transactions will be determined based on the gross number of Visa, MasterCard and Discover Network transactions processed by a merchant outlet or a chain of stores. In those cases where a corporation owns several chains, each chain will qualify independently.
Yes, as your transaction volume changes, and as card association (such as Visa, MasterCard and Discover) rules change, your compliance requirements may change. It is your responsibility to be aware of the data security requirements that currently apply to you.
Yes. Changes to your payment processes or environment may increase your vulnerability to a security breach and may require recertification. Please contact BB&T as soon as possible to discuss the changes and next steps.
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address or Social Security number. The account number is the critical component that makes the PCI DSS applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. However, PCI DSS applies even if the only data stored, processed or transmitted is account numbers.
It is never acceptable for acquirers, merchants or service providers to retain magnetic stripe data, including the card verification value or code (CVV2/CVC). The Visa, MasterCard and Discover Network operating regulations prohibit storage of the contents of the magnetic stripe data. The CVV2/CVC is a three-digit code located on the back of a card, inside the signature panel area. The three-digit code helps merchants ensure that the card is in the owner's possession.
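As an added illustration that is not part of the original BB&T page, the checks below show how a payment application can enforce the rule just described in code: sensitive authentication data (CVV2/CVC and magnetic stripe track data) is dropped before an authorization record is stored, the account number is masked, and free text such as application logs is scanned for card data that should not be there. The field names, log lines and test card number are constructed; the first-six/last-four masking format is the usual PCI DSS display convention and is an assumption here, as is the set of field names treated as sensitive.

```python
import re

# Constructed sample of what a payment application may hold in memory right after
# an authorization (hypothetical field names). Only part of this may be stored.
SAMPLE_AUTH = {
    "pan": "4111111111111111",       # test card number, passes the Luhn check
    "expiry": "12/29",
    "cardholder_name": "JANE DOE",
    "cvv2": "123",                   # must never be stored after authorization
    "track2": "4111111111111111=29121011234567890",  # magnetic stripe data, never stored
    "auth_code": "A1B2C3",
    "amount": "42.50",
}

# Field names treated as sensitive authentication data (assumed naming convention).
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "cvc", "cvc2", "track1", "track2", "pin_block"})

# Constructed log lines: an order id that merely looks like a card number, a debug
# line that leaked a PAN and CVV, and a swipe line that leaked track 2 data.
CONSTRUCTED_LOG_LINES = [
    "2024-01-01T10:00:00Z INFO order=20240101000123 status=approved",
    "2024-01-01T10:00:01Z DEBUG auth request pan=4111 1111 1111 1111 cvv=123",
    "2024-01-01T10:00:02Z DEBUG swipe track2=4111111111111111=29121011234567890",
]


def luhn_valid(digits):
    """Luhn (mod 10) check that card brand account numbers satisfy."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits (assumed display masking rule)."""
    if not luhn_valid(pan):
        raise ValueError("not a valid account number")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record):
    """Return the subset of an authorization record that may be persisted:
    sensitive authentication data removed and the PAN masked."""
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: PAN, '=' separator, then expiry date and service code.
TRACK2_PATTERN = re.compile(r"(?<!\d)\d{13,19}=\d{4}")


def find_card_data(text):
    """Kinds of card data found in a piece of free text (a log line, a config file).
    The Luhn filter discards most order numbers and timestamps that look like PANs."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            findings.append("pan")
            break  # one PAN finding per line is enough to raise an alert
    if TRACK2_PATTERN.search(text):
        findings.append("track2")
    return findings


def scan_lines(lines):
    """Map line index -> findings for every line that contains card data."""
    result = {}
    for i, line in enumerate(lines):
        found = find_card_data(line)
        if found:
            result[i] = found
    return result


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH))
    for idx, kinds in scan_lines(CONSTRUCTED_LOG_LINES).items():
        print(f"line {idx}: {', '.join(kinds)}")
```

Running the scanner over exported logs, backups or database dumps is a cheap way to find the accidental storage of track data or full PANs that an assessment or a breach investigation would otherwise surface first; the Luhn filter keeps order numbers and timestamps from flooding the results.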
According to the Payment Networks, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to over $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, as well as covering the costs of fraudulent purchases, and the costs of re-issuing the stolen cards.
Beyond the direct fines, your business may also lose your credit card acceptance privileges, at least for a period of time. Furthermore, you may also experience a loss of customer confidence as customers discover your business is not doing as much as others to protect their private information.
A network security scan involves an automated tool that checks a merchant or service provider's system for vulnerabilities. The tool will conduct a nonintrusive scan to remotely review networks and web applications based on the external-facing IP addresses provided by the merchant or service provider.
The scan will identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's network, whether private or public (for example, the Internet). The tool, as provided by the qualified scan vendor, does not require the merchant or service provider to install any software on their systems. No denial-of-service attacks will be performed.
Yes, there is a cost to using a QSA or ASV to ensure compliance. The specific cost will vary depending on your level, the number of IP addresses to be scanned, the frequency of the scans and the chosen scan vendor.
A list of approved QSAs and ASVs can be found on the PCI SSC website.
The use of a terminal/payment application/gateway that is Payment Application-Data Security Standard (PA-DSS) certified by the PCI Security Standards Council is only one of many components that are evaluated in the PCI DSS compliance assessment.
How you utilize the validated Service Provider determines the PCI DSS requirements and SAQ that you must complete. However, if you utilize a validated Service Provider and process card transactions from your merchant environment, you are required to complete the SAQ and quarterly scan of your external-facing IP network environment.
In the event of a security incident, immediately contact BB&T Merchant Services at 877-672-4228. For step-by-step guidelines on addressing a security incident, visit Visa's website to review its guide, "What To Do If Compromised."
Please contact the BB&T PCI Support Center at 877-672-4228.