Interfirst Merchant Services

Apply Now - Fast, secure and effective payment solutions from InterFirst Merchant Services

PCI Compliance

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global standard established by the major card associations to ensure the protection of cardholder data. Based on twelve guidelines, the PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. As a merchant accepting credit cards as a form of payment, you are required by the card associations to adhere to the PCI DSS. The PCI DSS encompasses the security programs from Visa and MasterCard, Cardholder Information Security Program (CISP) and Site Data Protection (SDP), respectively.

The PCI DSS sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates, such as the need to implement formal and documented security policies and vulnerability-management programs. They were developed to ensure that cardholder data is protected throughout the transaction process. Compliance with the standard applies to all types of merchants, retail, MO/TO, and Internet. All merchants need to follow best practices for storage and destruction of all paper or electronic records containing account numbers or cardholder data. Additionally, merchant service providers processing credit cards need to be PCI compliant. To verify that InterFirst Merchant Service is compliant, click here.

Back to top

Importance of PCI Data Security Standard Compliance and/or Certification:

It is clear that ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line. Additional benefits include:

Back to top

PCI Assessment Requirements

The more credit card transactions a merchant processes, the more stringent the compliance procedure. For most merchants, compliance consists of passing quarterly or annual network scans and completing an annual self-assessment questionnaire. If you process more than 20,000 e-commerce or 6 million total V/MC transactions per DBA annually, you will need to provide evidence of certification from a V/MC certified vendor.

Level Level Description    

1

Any merchant- regardless of acceptance channel- processing over 6,000,000 V/MC transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
Any merchant that V/MC determines should meet the Level 1 merchant requirements to minimize risk to their systems.
Any merchant identified by any payment card brand as Level 1

Comply with DSS

Required
On-Site Security Audit Required Annually
Self-Assessment Questionnaire  
Network Scans Required Quarterly
Validated By Qualified Data Security Company and Independent Scan Vendor

2

Any merchant processing 1,000,000 to 6,000,000 V/MC e-commerce transactions per year.

Comply with DSS

Required
On-Site Security Audit  
Self-Assessment Questionnaire Required Annually
Network Scans Required Quarterly
Validated By Merchant and Independent Scan Vendor

3

Any merchant processing 20,000 to 1,000,000 V/MC e-commerce transactions per year.

Comply with DSS

Required
On-Site Security Audit  
Self-Assessment Questionnaire Required Annually
Network Scans Required Quarterly
Validated By Merchant and Independent Scan Vendor

4

Any merchant processing fewer than 20,000 V/MC e-commerce transactions per year, and all other merchants processing up to 1,000,000 Visa transactions per year.

Comply with DSS

Required
On-Site Security Audit N/A
Self-Assessment Questionnaire Recommended Annually
Network Scans Quarterly Network Scan completed by Approved Scanning Vendor (if applicable)
Validated By Requirement set by Interfirst Merchant Services

 

Back to top

The PCI Data Security Standard

All merchants that accept credit cards are required to comply with the PCI DSS including retail stores (card present transactions) and Internet or mail order/telephone order businesses (card-not-present transactions). 

Link to PCI Data Standards (below)

MasterCard’s PCI Data Security Standard Manual

Back to top

On-Site Security Audit

The audit must be completed by Level 1 merchants. A V/MC approved, Qualified Data Security Company should be engaged to complete the Report on Compliance.

PCI Security Audit Procedures & Reporting

Back to top

Self-Assessment Questionnaire

This must be completed and submitted by Level 2 and 3 merchants. It should address any system(s) or system component(s) involved in processing, storing, or transmitting cardholder data. It is recommended that Level 4 merchants complete the assessment to ensure their own compliance to the standard.

Back to top

Network Scans

Network scans check systems for vulnerabilities. The non-intrusive scan is conducted remotely to review networks and Web applications based in the externally facing Internet Protocol (IP) address provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor.

Back to top

Validation

Level 1, 2 and 3 merchants are required to conduct quarterly network scans and either annual self-assessments or audits with V/MC approved vendors. InterFirst Merchant Services has partnered with Trustwave, the leading information security firm certified by the major card associations, to offer our merchants a simple solution to validate PCI compliance.

Level 4 merchants are advised to conduct quarterly network scans and annual self-assessments, but they're not required to, so long as they comply with the 12 other requirements of the PCI standard. Merchants that process fewer than 20,000 V/MC transactions online are considered level 4 merchants.

Back to top

Next Steps

It is important that merchants become PCI compliant as quickly as possible to respond to the growing concern among credit cardholders about data security. Below is a list of steps to get started:

  1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each compliance area.
  2. Determine your merchant level.
  3. Complete the PCI Data Security Standard Self-Assessment questionnaire.
  4. Make sure that your organization has an Information Security Policy and that it is being enforced.
  5. Engage a qualified vendor to perform the required Network/Perimeter Scans, if appropriate.
  6. Immediately address any significant deficiencies discovered during the assessment or scan.
  7. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.

Back to top

Fines and Penalties

Penalties for failure to comply with the PCI requirements, failure to rectify a security issue, or failure to report a compromise are severe:

Back to top

What to do if compromised: 

In the event of a security incident, merchants must take immediate action to:

  1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise
  2. Alert all necessary parties. Be sure to notify:
  1. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
  2. Within four business days of the reported compromise, provide Visa with an incident report.

The CISP What To Do If Compromised guide from Visa contains step-by-step guidelines.

Back to top

Payment Card Industry (PCI) Data Security Standard

12 Requirements

Build and Maintain a Secure Network

1: Install and maintain a firewall configuration to protect data

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3: Protect stored data

4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5: Use and regularly update anti-virus software

6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7: Restrict access to data by business need-to-know

8: Assign a unique ID to each person with computer access

9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10: Track and monitor all access to network resources and cardholder data

11: Regularly test security systems and processes.

Maintain an Information Security Policy

12: Maintain a policy that addresses information security

Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all “system components” which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

Back to top

No Surcharging Rule

Back to top