PCI DSS Security Compliance

""

Request a Quote

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and service providers that store, process or transmit cardholder data. No matter how you process payments, EMV or otherwise, it is your responsibility to fulfill these requirements.

  • Understand your security obligations
  • Learn how to validate your compliance
  • Get answers to your questions

BB&T requires all merchants to validate their PCI DSS compliance. We recommend that you engage a Qualified Security Assessor (QSA) to assist you through this process.

To validate compliance, merchants must take the following steps:

  • Complete and pass an annual PCI DSS Self-Assessment Questionnaire (SAQ) appropriate for your merchant processing environment
  • If you are storing or processing cardholder data on or through an Internet-facing environment, you must also pass quarterly vulnerability scans of your network.

Additional certification requirements may apply based on your processing environment and the number of transactions you process annually.

Network Scans

The PCI DSS requires that all merchants with external-facing IP addresses perform quarterly external network scans to achieve compliance. Scans identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. A current list of qualified scanning vendors can be found at PCI SSC.

Identity theft and data security have become worldwide concerns for both consumers and businesses. The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including Visa® Inc., MasterCard® Worldwide, American Express®, Discover® Financial Services and JCB International to facilitate the broad adoption of consistent data security measures on a global basis.

All merchants, whether small or large, that process, store or transmit cardholder data must adhere to the following requirements for PCI DSS compliance:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect data.
  • Avoid using vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Protect stored data.
  • Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

  • Use and regularly update antivirus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security.

Some of the standards above may not be applicable to all processing environments.

PCI DSS compliance does not guarantee that a security breach will never occur, but it does greatly minimize the chance of a successful breach occurring. If your business is validated as compliant at the time of a breach, the payment networks may give you safe harbor from fines.

What is the PCI DSS? Who defines this standard?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security to reduce credit card data theft and fraud. It applies to all merchants that take credit and debit cards, regardless of size or transaction volume, as well as any business involved in the storage, processing or transmission of cardholder data. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council (American Express®, Discover® Financial Services, JCB International, MasterCard® Worldwide and Visa® Inc.) to help facilitate the global adoption of consistent data security measures. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other measures to proactively protect customer account data. PCI DSS compliance does not guarantee that a security breach will never occur, but it does greatly minimize the chance of a successful breach. If your business is validated as compliant at the time of a breach, the payment networks may give you safe harbor from fines.

Where can I get more information on the actual published PCI DSS, or on the individual credit card brands' security programs?

The full PCI DSS is managed by the PCI Security Standards Council and can be found at the PCI Security Standards Council website.

The card brands each have their own programs that help businesses enforce compliance with the PCI DSS. The PCI Security Standards Council was founded in 2006 to oversee the standard itself, but each card brand issues fines, fees and schedule deadlines through their own enforcement programs.

Who is required to comply, and what are the validation requirements?

All merchants, no matter how they process credit card transactions, are required to be in compliance with the PCI DSS. Compliance requirements vary based on the following levels:

Level 1
  Criteria: Any merchant processing in excess of six million card brand transactions a year; any merchant that has lost data due to a security breach, compromise or hack
  Onsite Review: Required annually
  Self Assessment: Not required
  Network Security Scan: Required quarterly

Level 2
  Criteria: Any merchant processing between one and six million card transactions a year
  Onsite Review: Not required
  Self Assessment: Required annually
  Network Security Scan: Required quarterly

Level 3
  Criteria: Any e-commerce merchant processing between 20,000 and one million card brand transactions a year
  Onsite Review: Not required
  Self Assessment: Required annually
  Network Security Scan: Required quarterly

Level 4
  Criteria: Any merchant not level 1, 2 or 3
  Onsite Review: Not required
  Self Assessment: May be required annually
  Network Security Scan: May be required quarterly

Will I need to upgrade my equipment, software or networks to become PCI DSS compliant?

To become compliant, you may be required to upgrade your equipment or software to a PA-DSS validated version. You may also need to address vulnerabilities within your networks. You will need to contact your equipment and/or software vendors to discuss the options available and the costs associated with an upgrade. The costs associated with any equipment and/or software upgrade are the merchant's responsibility and are not covered by BB&T.

How is an IP-based point-of-sale (POS) environment defined?

The POS environment is one in which a transaction takes place at a merchant location (for example, a retail store, restaurant, hotel property, gas station or supermarket). An IP-based POS environment is one in which transactions are stored, processed or transmitted on IP-based systems, or systems communicating via Internet Protocol Suite.

How is the transaction volume that determines a merchant's compliance level measured?

The number of transactions will be determined based on the gross number of Visa, MasterCard and Discover Network transactions processed by a merchant outlet or a chain of stores. In those cases where a corporation owns several chains, each chain will qualify independently.

Can my compliance requirements change?

Yes, as your transaction volume changes, and as card association (such as Visa, MasterCard and Discover) rules change, your compliance requirements may change. It is your responsibility to be aware of the data security requirements that currently apply to you.

If I change the way I process transactions, including the storage or transmission of cardholder data, do I have to recertify my compliance?

Yes. Changes to your payment processes or environment may increase your vulnerability to a security breach and may require recertification. Please contact BB&T merchant services at 877-672-4228 to discuss the changes and next steps.

How is cardholder data defined?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address or Social Security number. The account number is the critical component that makes the PCI DSS applicable. All personally identifiable information associated with the cardholder that is stored, processed or transmitted is also considered cardholder data. However, PCI DSS applies even if the only data stored, processed or transmitted is account numbers.

When is it acceptable to store magnetic stripe data?

It is never acceptable for acquirers, merchants or service providers to retain magnetic stripe data, including the card verification value or code (CVV2/CVC). The Visa, MasterCard and Discover operating regulations prohibit storage of the contents of the magnetic stripe data. The CVV2/CVC is a three-digit code located on the back of a card, inside the signature panel area. The three-digit code helps merchants ensure that the card is in the owner's possession.

What if my business does not comply with PCI DSS?

PCI DSS is mandatory. Fees have been implemented to encourage compliance validation. The penalties and fines for failure to comply with requirements or to rectify a security issue can be severe.

  • According to the payment networks, fines range from $10,000 to over $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, as well as the costs of fraudulent purchases and of re-issuing the stolen cards.
  • If PCI DSS compliance certification isn't received by BB&T Merchant Services, a non-compliance fee could be assessed monthly until you provide proper validation of your compliance. The non-compliance fee can be avoided by certifying and maintaining ongoing PCI DSS compliance.
  • Beyond the direct fines, your business may also lose your credit card acceptance privileges, at least for a period of time. Furthermore, you may also experience a loss of customer confidence as customers discover your business is not doing as much as others to protect their private information.

What is a network security scan?

A network security scan involves an automated tool that checks a merchant or service provider's system for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing IP addresses provided by the merchant or service provider.

The scan will identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's network—private or public (for example, the Internet). As provided by the qualified scan vendor, the tool will not require the merchant or service provider to install any software on their systems. No denial-of-service attacks will be performed.

Is there a cost to use a qualified security assessor (QSA) or approved scanning vendor (ASV)?

Yes, there is a cost to using a QSA or ASV to ensure compliance. The specific cost will vary depending on your level, the number of IP addresses to be scanned, the frequency of the scans and the chosen scan vendor.

How can I find a list of approved security assessors and scanning vendors?

A list of approved QSAs and ASVs can be found on the PCI SSC website.

I use a PCI DSS compliant terminal/gateway. Why do I need to certify I am PCI DSS compliant?

The use of a terminal/payment application/gateway that is Payment Application-Data Security Standard (PA-DSS) certified by the PCI Security Standards Council is only one of many components that are evaluated in the PCI DSS compliance assessment.

I currently use a PCI-compliant (and validated) Service Provider. Why do I need to certify I am PCI DSS compliant?

How you utilize the validated Service Provider determines the PCI DSS requirements and SAQ that you must complete. However, if you utilize a validated Service Provider and process card transactions from your merchant environment, you are required to complete the SAQ and quarterly scan of your external-facing IP network environment.

What should I do if I suspect a breach has occurred and cardholder data may have been compromised?

In the event of a security incident, immediately contact BB&T Merchant Services at 877-672-4228.

Who can I speak to at BB&T if I have questions?

Please contact the BB&T PCI Support Center at 877-672-4228.
