Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and service providers that store, process, or transmit cardholder data. No matter how you process payments, it is your responsibility to fulfill these requirements.
Identity theft and data security have become worldwide concerns for both consumers and businesses. The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express®, Discover Financial Services®, JCB International, MasterCard Worldwide® and Visa Incorporated® to facilitate the broad adoption of consistent data security measures on a global basis.
All merchants, whether small or large, that process, store or transmit cardholder data must adhere to the following requirements for PCI DSS compliance:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test
Maintain an Information Security Policy
Some of the standards above may not be applicable to all processing environments.
PCI DSS compliance does not guarantee that a security breach will never occur, but it does greatly minimize the chance of a successful breach occurring. If your business is validated as compliant at the time of a breach, the payment networks may give you safe harbor from fines.
BB&T requires all merchants to validate their PCI DSS compliance. We recommend that you engage a Qualified Security Assessor (QSA) to assist you through this process.
To validate compliance, merchants must take the following steps:
Additional certification requirements may apply based on your processing environment and the number of transactions you process annually.
The PCI DSS requires that all merchants with external-facing IP addresses perform quarterly external network scans to achieve compliance. Scans identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's private network. A current list of qualified scanning vendors can be found on the PCI SSC website.
The card brands each have their own programs that help businesses enforce compliance with the PCI DSS. The PCI Security Standards Council was founded in 2006 to oversee the standard itself, but each card brand issues fines, fees and schedule deadlines through their own enforcement programs.
| Merchant Definition | Criteria | Onsite Review | Self Assessment | Network Security Scan |
| --- | --- | --- | --- | --- |
| Level 1 | Any merchant processing in excess of six million card brand transactions a year; any merchant that has lost data due to a security breach, compromise or hack | Required annually | Not required | Required quarterly |
| Level 2* | Any merchant processing between one and six million card transactions a year | Not required | Required annually | Required quarterly |
| Level 3* | Any e-commerce merchant processing between 20,000 and one million card brand transactions a year | Not required | Required annually | Required quarterly |
| Level 4 | Any merchant not level 1, 2 or 3 | Not required | May be required annually | May be required quarterly |

*E-commerce includes the use of any type of Internet Protocol (IP) connectivity (broadband, DSL or frame relay). Even if you do not offer Web-based transactions, other services can make your systems Internet accessible. Basic functions such as email and employee Internet access make a company's network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.
The POS environment is one in which a transaction takes place at a merchant location (for example, a retail store, restaurant, hotel property, gas station or supermarket). An IP-based POS environment is one in which transactions are stored, processed or transmitted on IP-based systems, or systems communicating via Internet Protocol Suite.
The number of transactions will be determined based on the gross number of Visa, MasterCard and Discover Network transactions processed by a merchant outlet or a chain of stores. In those cases where a corporation owns several chains, each chain will qualify independently.
Yes, as your transaction volume changes, and as card association (such as Visa, MasterCard and Discover) rules change, your compliance requirements may change. It is your responsibility to be aware of the data security requirements that currently apply to you.
Yes. Changes to your payment processes or environment may increase your vulnerability to a security breach and may require recertification. Please contact BB&T as soon as possible to discuss the changes and next steps.
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address or Social Security number. The account number is the critical component that makes the PCI DSS applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. However, PCI DSS applies even if the only data stored, processed or transmitted is account numbers.
It is never acceptable for acquirers, merchants or service providers to retain magnetic stripe data, including the card verification value or code (CVV2/CVC). The Visa, MasterCard and Discover Network operating regulations prohibit storage of the contents of the magnetic stripe data. The CVV2/CVC is a three-digit code located on the back of a card, inside the signature panel area. The three-digit code helps merchants ensure that the card is in the owner's possession.
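As an added illustration (not part of the original page or of any BB&T or PCI SSC material), the following check is the kind of thing a merchant can run over application logs or database exports to find out whether prohibited data is being retained: it flags Luhn-valid account numbers, magnetic stripe track 2 records and labelled CVV values. The sample lines are constructed, the regular expressions and the Luhn check are this example's own assumptions, and findings are masked so the report itself does not reproduce a full account number.

```python
import re

# Constructed sample lines, not taken from any real system, mimicking what a
# careless application log or database export might contain.
SAMPLE_LINES = [
    "2024-01-05 10:00:01 order=1001 status=approved amount=42.00",
    "2024-01-05 10:00:02 debug card=4111111111111111 exp=1226 cvv=123",
    "2024-01-05 10:00:03 track2=;5500000000000004=2705101123?",
    "2024-01-05 10:00:04 order=1002 ref=1234567890123456 status=declined",
]

# Candidate PANs: runs of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout (ISO/IEC 7813): ';' PAN '=' expiry YYMM, service code, discretionary data, '?'
TRACK2 = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")
# A labelled card verification value such as "cvv=123" or "CVC2: 1234"
CVV_FIELD = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the finding does not leak the PAN again."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (finding_type, evidence) pairs for one line; empty list if clean."""
    findings = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops most order ids, references and timestamps
            findings.append(("PAN", mask_pan(digits)))
    if TRACK2.search(line):
        findings.append(("TRACK2", "magnetic stripe track 2 data present"))
    if CVV_FIELD.search(line):
        findings.append(("CVV", "card verification value present"))
    return findings


def scan_lines(lines) -> dict:
    """Map 1-based line number to its findings, for lines that have any."""
    report = {}
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    for n, findings in scan_lines(SAMPLE_LINES).items():
        for kind, evidence in findings:
            print(f"line {n}: {kind}: {evidence}")
```

Run against the constructed sample, lines 2 and 3 are reported (an account number with a CVV, and an account number inside a track 2 record) while line 4 is not, because its sixteen-digit order reference fails the Luhn check. In practice the same scan is pointed at log directories, database dumps and backups, and any hit is treated as data that must be removed, not merely masked in the report.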
According to the Payment Networks, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to over $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, as well as covering the costs of fraudulent purchases, and the costs of re-issuing the stolen cards.
Beyond the direct fines, your business may also lose your credit card acceptance privileges, at least for a period of time. Furthermore, you may also experience a loss of customer confidence as customers discover your business is not doing as much as others to protect their private information.
A network security scan involves an automated tool that checks a merchant or service provider's system for vulnerabilities. The tool will conduct a nonintrusive scan to remotely review networks and web applications based on the external-facing IP addresses provided by the merchant or service provider.
The scan will identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's network—private or public (for example, the Internet). As provided by the qualified scan vendor, the tool will not require the merchant or service provider to install any software on their systems. No denial-of-service attacks will be performed.
Yes, there is a cost to using a QSA or ASV to ensure compliance. The specific cost will vary depending on your level, the number of IP addresses to be scanned, the frequency of the scans and the chosen scan vendor.
A list of approved QSAs and ASVs can be found on the PCI SSC website.
The use of a terminal/payment application/gateway that is Payment Application-Data Security Standard (PA-DSS) certified by the PCI Security Standards Council is only one of many components that are evaluated in the PCI DSS compliance assessment.
How you utilize the validated Service Provider determines the PCI DSS requirements and SAQ that you must complete. However, if you utilize a validated Service Provider and process card transactions from your merchant environment, you are required to complete the SAQ and quarterly scan of your external-facing IP network environment.
In the event of a security incident, immediately contact BB&T Merchant Services at 877-672-4228. For step-by-step guidelines to address a security incident, visit Visa to review the guide, "What To Do If Compromised."
Please contact the BB&T PCI Support Center at 877-672-4228.
Merchants may find information on the following sites useful:
Watch this webinar to learn more about achieving PCI DSS Compliance and the challenges in securing payment card data: