A Little History

In 2005, Visa established the Payment Application Best Practices (PAPB), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”.  In 2008, the Security Standards Council (PCI SSC) adopted Visa’s PAPB and released it as the Payment Application Data Security Standard (PA-DSS).  The PA-DSS relates to vendors who develop secure payment applications and its goal is to ensure that the applications are PCI compliant and do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.  The standard requires vendor software applications to be validated for compliance on an annual basis.  

On January 1, 2008, Visa implemented a series of mandates that requires its acquirers to ensure that its merchants and agents only use third-party payment software that is compliant with the PA-DSS. The mandates, in line with Visa’s Cardholder Information Security Program (CISP), intent is to eliminate “vulnerable payment applications from the Visa payment system”.  Failure to do so could result in financial penalties for acquirers.  Since the mandates were established over two years ago, and there have been 4 prior checkpoints, acquirers have had plenty of time to get their merchants geared up for this final mandate and July 1 deadline. 

Visa’s global merchants have until July 1, 2012.  MasterCard has also set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, under their Site Data Protection (SDP) program.  According to their SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirement for Level 1, 2, and 3 merchants and Level 1 and 2 Service Providers.

However, Visa is not completely rigid on the July 1 date.  According to an article in ISO & Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline.  The exception to this assistance will be for merchants who are purposely avoiding compliance.  (Visa welcomes information regarding merchants who are not in compliance.) 

What Merchants Need To Do

Merchants need to be proactive from the gate.  To avoid non-compliance, and subsequent data security risks, they should not wait to hear the news of new policies from their processors.  They need to stay ahead of the pack by checking the PCI SSC site, as well as staying abreast of any pertinent news from the card companies.  Most importantly, they should always ensure they are using vendors who are PCI compliant.  How can they do that?  For starters, and for the purpose of Visa’s security mandates, they should only use vendors who are on the list of PCI SSC validated payment applications, which have been assessed for compliance with the PA-DSS.  Merchants should also only use vendors who use Payment Application Qualified Security Assessors (PA-QSAs), who are certified by the PCI SSC.  Even if a vendor states their payment application is PA-DSS qualified or have been evaluated by a PA-QSA, merchants should check the PCI SSC site for its validation.  Vendors are on the list for one year for only the software version which has been evaluated.  If a vendor has released a new version, a merchant should only consider using the compliant version and never use a beta version.  The PA-DSS never validates beta versions. 

If a merchant discovers that their vendor is non-compliant with the PA-DSS, it should either switch to a compliant vendor (which many not be as easy as it sounds) or assist the vendor in gaining compliance.  That’s not to mean that the merchant should assist them financially, but guide them if they can.  By working together, they can build a stronger relationship, resulting in secure data protection for their customers and cardholders. 

So, what happens if a merchant uses non-compliant vendor?  Aside from the risk of compromising cardholder data, if a breach occurs, the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free.  Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can be otherwise avoided. 

References:

Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at http://www.pcisecuritystandards.org  

Visa CISP – http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html

MasterCard SDP – http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf

In order to be PCI compliant, all acquirers, merchants and third parties using a card association’s payment system must not only abide by the PCI DSS requirements but also that association’s guidelines.  For example, any organization using Visa’s payment system (i.e. any organization which receives, processes or passes Visa branded cardholder information) must abide by Visa’s International Operating Guidelines.  Failure to comply can result in monetary fines and possible disqualification or merchant account termination.

Association compliance for merchants is based on levels of validation for each card association.  Visa, MasterCard, and Discover each have four levels of validation for merchants.  American Express has three levels and JCB has two levels.  Each level is based on annual transaction volume with Level 1 being the highest.  It is the responsibility of the merchant to check the criteria for each card brand it accepts and adhere to the validation requirements for the appropriate level in which it falls.

NOTE: MasterCard made some changes to their security program recently, whereby a merchant falls into a certain level based on its level with Visa.  So, if a merchant processes over 6 million Visa transactions (Level 1), but only 2 milllion with MasterCard (Level 2), it would be a Level 1 merchant with both associations.

Non-Compliant Activities

So, what type of activity can result in a fine or merchant termination?  Basically, two words – non-compliance.  Credit card compliance covers PCI DSS and card association guidelines.  Any activity violating those can result in fines, being put on MATCH or account termination.

Using Visa as an example again, per their operating guidelines, if Visa determines that a member, its agent, or a merchant has been deficient or negligent in securely maintaining the account or transaction information or reporting or investigating the loss of this information as specified in this section, Visa may fine the member, as specified in Section 1.6.D, or require the member to take immediate corrective action.  Visa members are financial institutions who issue and maintain account information (i.e. acquirers).

“Repetitive violations can incur heavier fines, possible listing on MATCH or account termination.”

Visa’s operating guidelines define the reason for terminating a merchant account (aka, Revocation of Privileges):

Visa may permanently prohibit a Merchant, IPSP, or any other entity, or one of its principals, from participating in the Visa or Visa Electron Program for any reasons it deems appropriate, such as:

• Fraudulent activity
• Presenting Transaction Receipts that do not result from an act between the Cardholder and the Merchant (laundering)
• Activity that causes the Acquirer to repeatedly violate the Visa International Operating Regulations
• Activity that has resulted in a Regional Office prohibiting the Merchant from participating in the Visa or Visa Electron Program
• Any other activity that may result in undue economic hardship or damage to the goodwill of the Visa system

Similarly, MasterCard’s rules state that failure by a Merchant or Acquirer or both to comply with any Standard may result in chargebacks, an assessment to the Acquirer, and/or other disciplinary action.

Repetitive violations can incur heavier fines, possible listing on MATCH or account termination.  Associations will also continue to levy fines if the merchant does not correct the action deemed as non-compliant.  Any fines from the card associations related to merchant activities will be passed down to the merchants.  If a merchant does not take correction action or neglects to pay the acquirer, the merchant account is at threat of being terminated and listed on MATCH.

Be Careful Using Third-Party Service Providers

Using third party vendors can certainly streamline your business operations and credit card sales.  However, they can also hurt your business if they are not compliant with industry guidelines.  Aside from any possible data breach, simply using a non-compliant vendor can result in fines from the associations as well.  Third party service providers include payment gateway, web hosting, or backup storage services.

There are many reasons to use a PCI compliant vendor – aside from following PCI compliance guidelines, using a compliant vendor helps to protect your customer records, which should be the number one priority.

According to PCI guidelines, merchants are required to verify service provider compliance.  The PCI DSS requirement 12.8 (outlined below) requires a merchant to “manage” any service providers:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

To assist with compliance on this level, the PCI SSC adopted the Payment Application Data Security Standard (PA-DSS), formerly managed by Visa as the Payment Application Best Practices (PABP), for software vendors or other companies who develop secure payment applications.  A list of validated payment applications is available on the PCI SSC web site.  Each payment application on the list is valid for one year, so application vendors and developers need to go through similar annual reviews and due diligence as required by the PCI DSS for organizations.

Additionally, card companies have put requirements into place regarding service provider compliance.  Visa, for example, stipulates that issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa issuers and acquirers are responsible for any liability that may occur as a result of non-compliance.

Service providers must register with Visa in order to be included on their list of PCI DSS-compliant service providers.  Visa defines two levels (based on volume) of compliance for service providers.  Visa defines service providers as TPAs (Third Party Agents), which are entities that provide payment-related services, directly or indirectly, to a Visa client and / or stores, processes or transmits Visa account numbers. TPAs include Independent Sales Organizations (ISOs), Third Party Servicers (TPSs), Encryption and Support Organizations (ESOs) and Merchant Servicers (MSs).  TPAs must be registered in Visa’s Agent Registration Program, mandated by Visa to “ensure that Visa clients are in compliance with Visa Inc. Operating Regulations (“Visa rules”) and policies regarding their use of TPAs.”  Only Visa clients (i.e. acquirers) can register TPAs and are thus responsible and liable for their TPAs.  POS software providers that provide the payment application only and do not store, process and / or transmit Visa account numbers also need to adhere to the PA-DSS.  Fines from Visa include $10,000 for using an unregistered TPA.

Under its SDP program, MasterCard also requires third party service providers to follow compliance guidelines.  It defines service providers as a collective term for Third Party Processors (TPPs) and Data Storage Entities (DSEs).  It also defines two service provider levels for compliance.

PCI compliance for service providers includes onsite assessments, self-assessment questionnaires, and network security scanning.  Summed up by MasterCard, the compliance process for its service providers is a 3 step process:

1. Review the relevant PCI documentation, validation tools and procedures
2. Engage an approved vendor, as appropriate, and follow the validation procedures
3. Once compliant, work with a qualified security assessor to send a Certificate of Validation to MasterCard

In all cases with service provider compliance, PCI SSC Qualified Security Assessors and Approved Scanning Vendors must be used.  For a merchant to ensure complete compliance across the board, it is necessary for its service provider(s) to be on all relevant compliance lists.

View Visa’s current list (as of March 6) of PCI DSS Validated Service Providers here.

View MasterCard’s list of compliant service providers here.

Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility.  The merchant is still responsible for data security and abiding by PCI compliance rules and the operating guidelines of the card brands.  Issuers and acquirers are also responsible for any liability that may occur as a result of non-compliance.

How Merchants Can Avoid Fines and Account Termination

Before account termination or being put on MATCH, a merchant may be warned and fined for non-compliance for risky activities, such as excessive chargeback ratios or not following PCI DSS.  That is a warning which should not be taken lightly by any merchant.  Corrections for any non-compliance should be fixed immediately.  If a data breach has occurred, it is the merchant’s responsibility to report it as soon as it is discovered.

Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility.  The merchant is still responsible for data security and abiding by PCI compliance rules and the operating guidelines of the card brands.  Merchants are responsible for reading and understanding the card association guidelines in their entirety for each card type they accept.  Merchants should also use a payment processor who explains compliance and helps avoid fines by keeping an eye on chargeback ratios and understanding their third-party vendors.  Of all the parties (with the exception of the customer) involved the payment transaction process, the merchant is the one who loses out the most if data security is compromised or the merchant account is terminated.  Merchants can prioritize compliance by assigning a security officer – or other responsible party – to ensure that all necessary compliance requirements are being met.  This includes making sure service providers are consistently compliant as well.

Reference documents

Card association operating guidelines

MasterCard

Visa

American Express

Guidelines for Discover and JCB are not available online.  Merchants can obtain them from the card associations directly.

Card association requirements for merchant compliance

Visa Cardholder Information Security Program for Merchants

MasterCard Merchant Requirements

Discover Information & Security Compliance

American Express

JCB Data Security Program

The Importance of PCI Compliance

According to Privacy Rights Clearinghouse.org, more than 346 million records with sensitive information have been breached since January 2005.  According to the Ponemon Institute’s annual study, the cost of a data breach was $204 per compromised customer record for 2009.  The data, obtained from 45 companies that publicly acknowledged – and were willing to discuss – a breach of sensitive customer information.  The study also revealed that the average total cost of a data breach was $6.75 million in 2009.

Most laws involving credit card fraud and data security breaches target the criminals who conduct the breaches and obtain the card data.  Although, state attorney offices have investigated and filed suits against companies who were found to be non-compliant during a data breach.  In an effort to stay ahead of the curve, the only way the card associations are able to enforce the security standards is to penalize those who do not comply and/or jeopardize data protection.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization or merchant that accepts, transmits or stores any cardholder data.  The PCI DSS was created in 2004 by the PCI Security Standards Council (SSC), which include the major card brands – otherwise known as associations – American Express, Discover, JCB, MasterCard, and Visa.  Each card association stipulates that the PCI DSS, in addition to the individual association guidelines, must be followed in order to be fully compliant.  Achieving PCI compliance means that you have met the technical requirements of the PCI DSS.

Consequences of Non-Compliance

Non-compliance can result in fines or other actions by the card associations.  Even though the PCI SSC managed the PCI DSS, any fines levied for non-compliance are done so by the card associations, not by the security council.  The card associations usually fine the acquirer under which the non-compliant merchant processes transactions.  The acquirer then passes the fine onto the merchant, ISO or third-party.  However, a merchant can be fined or terminated directly by the card association.

“T.J. Maxx agreed to pay as much as $40.9 million in a settlement with Visa.”

The amount of the fines and fees are dependent upon the type of activity.  A breach of data would cost a merchant a lot more than if they were discovered to be non-compliant with no data breach.  For example, in the largest data breach thus far, T.J. Maxx (TJX) agreed in November, 2007, to pay as much as $40.9 million in a settlement with Visa and the bank that processes the company’s credit card payments, as a result of a massive data breach, discovered in 2006, of TJX’s customer records.  (TJX admitted to 45.7 million compromised records, but court filings by the banks suing TJX estimate that about 100 million cards were affected.)  The settlement funds were reported to be used to help the U.S. credit card issuers (i.e. banks) recover costs related to the breach.  Last year, they agreed to pay $9.75 million to settle investigations by 41 state attorney generals.  That settlement was the sixth one that TJX announced regarding the breach.  Visa originally fined Fifth Third, TJX’s acquiring bank, close to $900,000 for non-compliance.  $500,000 was assessed “due to the seriousness of this security incident and the impact on the Visa system,” according to a Boston Globe report. $380,000 was assessed for “TJX’s failure to cease storing prohibited data.”

Visa announced, following the TJX breach, that it began fining level one merchants (6M + transactions annually) $25,000 per month if they fail to comply with the PCI DSS.  Although this information is relative to the largest data breach in U.S. history, merchants of every level should take these actions very seriously to avoid risking loss of data, not to mention customer confidence.

How Does Account Termination Affect A Merchant?

So, your processor terminated your account.  You may ask, “What’s the big deal?  I will just get a new merchant account elsewhere.”  Well, it’s not as easy as it sounds.  A merchant who has been terminated is put on MATCH, more or less known as a blacklist in the credit card processing industry.  Formerly known as the TMF (Terminated Match File), the MATCH (Member Alert to Control High-Risk) list is a file of merchants who have been terminated for “cause”.  Reasons include activities such as fraud or excessive chargebacks.  (See a previous blog on this subject here.)  The list is used primarily by acquirers to assess the risk of a business when it applies for a merchant account.  It is tied to MasterCard and Visa, so all acquirers check the MATCH file against any new merchants who apply for an account.  (It’s rare, with the exception of Costco for instance, for a merchant to accept other cards but not MasterCard and Visa.)  A MATCH listing includes the company name and principal names of the company, but a company’s inclusion on the list does not mean it, or its principals, would be prohibited from obtaining a merchant account again.  Acquirers use the MATCH file as an informational tool and will usually base a merchant application approval or denial on a complete investigation.  Once a merchant is on the MATCH list, it is almost impossible for them to removed, but it can be done.

Stay tuned for Part II, which will discuss who is really responsible for PCI compliance, working with third party service providers and how to avoid fines, MATCH and account termination.

There are two notable changes, one requires that off-site data storage locations be visited and validated as compliant with PCI DSS. The other imposes a sunset date on wired equivalency privacy (WEP) use. For those of us who don’t speak techie, WEP is a software application intended to protect data as it travels across wireless networks. In previous posts, I have talked about WEP having to be upgraded by June 30^th, 2010 to Wi-Fi protected access (WPA).

Here are the 12 core requirements as outlined by the card associations:

1. Install and maintain a firewall configuration to protect card holder data
2. Change all default passwords on all systems
3. Protect stored card holder data
4. Encrypt transmission of cardholder data across open public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data on a need to know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to card holder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses security information

Many acquirers and large ISO’s have begun charging PCI compliance fees to their merchants to offset the costs they have had to incur in becoming compliant. As a merchant, I would want to know why they were not compliant to begin with and why I am being charged an additional amount for something they should already be doing. Online merchants can take matters into their own hands and ensure that their networks are following current PCI DSS guidelines and dispute compliance fees that are charged to them directly by their processor.

This decision to extend is said to be largely due to complaints from creditors that they were unaware of the existence of the new regulation and some say they only found out after the deadline had passed. This deadline according to the official press release only applies to organizations that are not under the jurisdiction of any of the other regulatory agencies other than the Federal Trade Commission. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that should help detect identity theft, hopefully before any damage is done. If identity theft is not detected, the regulation calls for the financial institution or the creditor to reduce the risk to the consumer and the organization.

Many creditors have complained that there is not a clear cut way of indicating how they will be audited, and it has not been indicated how penalties will be assessed. The FTC Enforcement Policy now clearly defines all the parameters for creditors to follow. Going forward there will be no question that if you fit into the category of “creditor” you will be required to comply with Red Flag Rules. Still many organizations feel they are flying under the radar or won’t be caught. What does a company have to gain by allowing identity theft to occur?

Rules to be followed range from watching for suspicious social security numbers that may be on the Security Administration’s Death Master File to suspicious, or repeated, address or phone number tracking. Plain and simple, following Red Flag Rules will reduce identity theft and every business should want to participate in keeping our personal information safe.

PCI Compliance is a key element in protecting card holder data. So how can your business stay compliant without breaking the bank?

1.     Although a firewall provides a first line of defense, by itself it can still leave a website vulnerable. You or your service provider should perform manual reviews of all application source code. There are tools available that auto scan source code for vulnerability and security risks.

2.     In addition to a standard Network Firewall, it is recommended to put in place a web application firewall between your web server and end-point devices.

3.     As of September 30^th, 2009, all Level 1 and Level 2 merchants who are classified as large merchants (processing one to over six million visa transactions) will no longer be allowed to retain any data that is currently encoded on a magnetic stripe. If you are a merchant that falls into this category, you will be required to do annual on site PCI Assessment and a quarterly network scan. By September 30^th, 2010, acquiring banks must prove that all Level 1 Merchants have demonstrated compliance with the PCI DSS. For more information you can refer to Visa’s website and download compliance policies and procedures.

Compliance regulations get added each year, so my recommendation is to stay ahead of pack. A small amount of money invested in security now can save you a lot of money in fines and lost data later.

Some online merchants think if they select a PCI Compliant gateway and shopping cart that they are automatically PCI Compliant. It is important that online merchants remember that physical location security and written policy is part of the process as well. Merchants are required to submit a SAQ (Self Assessment Questionnaire) to their acquirer once a year, but just submitting the SAQ may not be enough. It is also important that employees undergo training on security policies. Businesses must have ongoing assessment and remedies.

Merchants may think that PCI Compliance is for large businesses and may be too expensive for the average small retailer; however fines from noncompliance are much greater. Businesses will not only lose out on audit fees but also will have to consider a loss of reputation. Even if you are a smaller business, you are still required to be PCI Compliant regardless of the volume your business does.

Some businesses think if they install a firewall they are able to effectively and safely store card holder data. Although the storing of card holder data is strongly discouraged, if you have to store data a firewall will not be enough. Firewalls don’t ensure your devices, such as laptops, will not be stolen or sent out for repair. Make sure that all laptops are properly wiped before being transported.

The majority of small business owners don’t really have an IT person, or any idea of where to start. There are many websites that can support small business owners in ensuring their compliance. The PCI Security Standards Council website is a helpful resource.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

• Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks as of March 31^st, 2009.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Converting to WPA should be a fairly easy process. Most technical websites show that all wireless equipment manufactured since late 2003 comes standard with WPA (Wireless Application Protocol), which is an open standard for application layer network communications in a wireless environment. It is mainly used to enable mobile phones.

Many retailers will have to replace their existing obsolete hardware, and the upgrade may force retailers to spend a lot of money on new systems. PCI DSS also states that “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission.”

Most large retailers have IT professionals correctly put in place authentication methods. There are also additional requirements for companies that run on enterprise networks. It is important to get more than one opinion when trying to get compliant because some options are definitely more costly than others.  PCI DSS is still new and has many different rules and regulations.  You don’t want to put your company at risk and have to pay fines later.

According to the bank card associations, in October 2008 any merchant that applies for a new merchant ID from any credit card processing company must be PCI DSS compliant. In some cases this may mean the merchant will have to download a new application into their terminal. By October of 2009, all merchants must be PCI DSS compliant.

If you are using a POS terminal at a retail location, you are still passing data through the system. The application running on your terminal must be an up-to-date version. Most card processors call you to do a download or an upgrade similar to when truncation laws were put into effect. If you have not received a call yet, be proactive and call your card processor to get compliant.

So why is it important for a merchant to be PCI DSS compliant? Well for one thing the members of PCI Security Standards Council (American Express, Discover, JCB International, MasterCard, and Visa) continually monitor cases of account data compromise. A security breach and subsequent compromise of payment card data affects many different entities from card holders to business owners.

If you are a merchant, below are some suggestions from the PCI Data Security Standards website:

1. Make sure that sensitive data is never stored. This includes any magnetic stripe information or PIN numbers.
2. Find out what type of security is in place from your POS vender. Find out if you need to install a firewall.
3. Are complex and unique password required to access your POS system?
4. Does your POS Vender have access to your system remotely?  If so, who has access?

These things will get you started but make sure to consult PCI DSS Compliance guidelines to make sure you do not end up getting fined.