Preliminary Questions for PCI DSS Compliance by UT ...



Payment Card Industry Data Security Standard Compliance Q&A

1. What is Payment Card Industry (PCI) Data Security Standard (DSS)?

The Payment Card Industry (PCI) Security Standards Council was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The PCI Security Standards Council is an independent body formed to develop, enhance, disseminate and assist with implementation of security standards for payment account security. The PCI Security Standards Council will maintain and evolve the PCI Data Security Standard (DSS), which focuses on the following six security issues:

• Build and maintain a secure network

• Protect cardholder data

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

PCI DSS Version 1 was replaced with Version 1.1 effective September 7, 2006. There was a phase out period for Version 1, which became obsolete effective January 1, 2007.

While working to promote broad industry adoption of the standard, the PCI Security Standards Council also provides the tools needed for compliance with it. These tools include critical documents such as audit guidelines, scanning vendor requirements, and a self-assessment questionnaire. The PCI DSS requirements and tools can be found at .

2. Why should merchants within UT System comply with PCI DSS?

PCI DSS states that its requirements apply wherever a payment card number is stored, processed, or transmitted. All UT merchants are therefore required to comply with PCI DSS.

If one of the following adverse events occurs, UT System’s acquirer, Global Payments, Inc. (see the answer to question #4 for the definition of an acquirer), has discretion to impose Level 1 PCI validation actions on a merchant. These validation actions are costly and must be performed by security professionals approved by the PCI Security Standards Council.

• A merchant suffers a hack or attack that results in an account data compromise.

• A merchant is identified by any other payment card brand as Level 1.

• A merchant uses payment applications with security flaws that may pose a security risk to the Visa system.

Merchants may also be subject to fines by both Visa and MasterCard if deemed non-compliant. See Appendix B for the Visa and MasterCard fine schedules. Ultimately, merchants may lose the ability to process payment cards.

3. How is the merchant level determined?

Merchant level is determined by the acquirer (see the answer to question #4 for the definition of an acquirer) based on the total number of transactions per payment card type (Visa or MasterCard). A spreadsheet showing merchant-level transaction activity for UT institutions for 2006 is posted at

In the spreadsheet, each UT institution is identified by a unique Hierarchy Number, and each merchant within a UT institution is identified by a unique Merchant Number. The annual transaction total for a specific merchant is given in the column “# Trans”. For PCI level determination purposes, the total number of transactions of each merchant needs to be separated into Visa and MasterCard subtotals. In general, a merchant, whether receiving payments through stand-alone terminals or websites, is treated as an individual merchant. However, merchants receiving web payments may be grouped as one if their transactions are routed through the same server (for example, an application or database server) in the institution’s network.

Level 1 is the most stringent level and is assigned to a merchant whose total Visa transactions exceed 6 million annually, or whose total MasterCard transactions exceed 6 million annually, or to any merchant that has experienced a security breach that resulted in an account compromise. A Level 1 merchant is required to have an on-site PCI security audit performed annually, while the other three levels do not require such an audit.

Levels 2 and 3 are, for all practical purposes, the same: a merchant whose total Visa e-commerce transactions exceed 20,000 annually, or whose total MasterCard e-commerce transactions exceed 20,000 annually. Level 2 and 3 merchants are required to complete an annual self-assessment questionnaire and to perform a network vulnerability scan at least quarterly (of outward-facing IP addresses).

A Level 4 merchant is a merchant with either fewer than 20,000 Visa e-commerce transactions or fewer than 20,000 MasterCard e-commerce transactions annually. Completing the annual self-assessment questionnaire and conducting a quarterly network vulnerability scan (the same actions required of Level 2 and 3 merchants) are recommended by Visa and MasterCard, but may be required by the merchant’s acquirer (Global Payments).

See Appendix A for the PCI level criteria published by Global Payments. These criteria incorporate Visa USA’s revisions of July 2006. When using the Level 1 and 2 criteria, please note that the total number of transactions includes all transactions processed annually regardless of processing method (web payments, payment applications, stand-alone terminals, etc.).

4. What is an acquirer? Who is the acquirer for UT System?

An acquirer is a bankcard association member that initiates and maintains relationships with merchants that accept payment cards. Global Payments, Inc. is the acquirer for UT System. For information about Global Payments, please visit their website at .

5. What validation actions are required by UT System’s acquirer for merchants at different levels?

Level 1 - Annual onsite security audit and quarterly scans are required.

Level 2 - Annual self-assessment questionnaire and quarterly scans are required.

Level 3 - Annual self-assessment questionnaire and quarterly scans are required.

Level 4 - Global Payments Inc. recommends the completion of an annual self-assessment questionnaire and quarterly scans for merchants at this level, but does not require these validation actions. However, all merchants with internal systems that store, process, or transmit cardholder data are required to be compliant with PCI security standards.

6. What are the best practices for UT institutions to ensure compliance with PCI security standards?

The following best practices are recommended based on merchants’ payment card acceptance channels.

• Merchants accepting web payments should consider the following applicable best practices:

o Establish management buy-in

o Assess current campus environment

o Segment your network

o Ensure third-party compliance

o Provide training, development and education

Please visit the website of the Treasury Institute of Higher Education at for details of recommended best practices.

• Merchants using payment processing software should consider the following Payment Application Best Practices developed by Visa’s Cardholder Information Security Program (CISP):

o Do not retain full magnetic stripe, card validation code or value, or PIN block data

o Protect stored cardholder data

o Provide secure password features

o Log application activity

o Develop secure applications

o Protect wireless networks transmitting cardholder data

o Test applications to address vulnerabilities

o Facilitate secure network implementation

o Cardholder data must never be stored on a server connected to the internet

o Facilitate secure remote software updates

o Facilitate secure remote access to application

o Encrypt sensitive traffic over public networks

o Encrypt all non-console administrative access

o Maintain instructional documentation and training programs for customers, resellers, and integrators

Please visit the Visa CISP website at for details.

• Merchants using a stand-alone terminal should continue to follow best practices regarding storage and destruction of all physical records containing account numbers or cardholder data, as detailed in Global Payments’ CARD ACCEPTANCE GUIDE. The Guide is published at .

7. What is a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV)? How can they be contacted?

QSAs and ASVs are information security professionals certified through the PCI Security Standards Council to perform required PCI annual onsite audits and quarterly scans, respectively. See a list of approved QSAs at and a list of approved ASVs at .

8. How can UT institutions’ internal auditors assist with compliance with PCI security standards?

Internal auditors may contribute to their school’s PCI DSS compliance by taking the following actions:

• Get familiar with PCI compliance issues

• Understand the institution’s payment card processing environment and practices

• Get involved with the institution’s compliance efforts

• Assist in developing guidelines for approving a qualifying merchant

• Assist in developing standardized IT infrastructure for accepting payment cards

• Perform audits on merchants who achieved compliance

• Assist in developing monitoring procedures at institution and merchant levels

• Assist in preparing PCI security related policies and procedures including, but not limited to, the following:

o Merchant Handbook

o Web Hosting Requirements

• Perform on-going PCI security-related audits

• Provide on-going PCI security-related training

9. What are the PCI security standards compliance requirements for merchants using stand-alone terminals without payment applications?

Most UT System merchants process fewer than 1 million Visa transactions per year using stand-alone terminals, with or without payment applications, and are Level 4 merchants under the PCI level criteria. For these merchants, payment card information is transmitted to Global Payments and from there to the issuing banks. Depending on the payment applications used, payment card information may or may not be stored. Global Payments recommends (but does not require) that Level 4 merchants perform the self-assessments and quarterly scans, since merchants at all levels are required to be compliant with PCI security standards.

Merchants may store physical records of payment card information and should continue to follow best practices regarding storage and destruction of these records.

10. Why and how should merchants with web payments be grouped as a single merchant?

Merchants who route web payments (e-commerce) through a shared server within a UT institution’s network will be grouped as one for PCI level determination purposes because vulnerabilities within the shared segment of network infrastructure put all transmitted, stored, and/or processed digital payment card information at risk of being compromised.
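As an added example (not from this Q&A, UT System, or Global Payments), the grouping rule of questions #3 and #10 and the level thresholds as stated in question #3 are worked into a small classifier; the `server` field, merchant numbers and transaction counts are constructed assumptions, and the acquirer's criteria in Appendix A govern in practice.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Merchant:
    number: str             # Merchant Number from the activity spreadsheet
    channel: str            # "web" (e-commerce) or "terminal"
    visa: int               # annual Visa transactions, all processing methods
    mastercard: int         # annual MasterCard transactions
    server: str = ""        # shared server for web merchants (hypothetical field)
    breached: bool = False  # an account data compromise forces Level 1

def group_merchants(merchants):
    """Web merchants routed through one shared server count as a single merchant."""
    groups = defaultdict(list)
    for m in merchants:
        key = ("server", m.server) if m.channel == "web" and m.server else ("merchant", m.number)
        groups[key].append(m)
    return dict(groups)

def determine_level(group):
    """Level 1 counts every channel; the Level 2/3 threshold counts e-commerce only."""
    total_visa = sum(m.visa for m in group)
    total_mc = sum(m.mastercard for m in group)
    if any(m.breached for m in group) or total_visa > 6_000_000 or total_mc > 6_000_000:
        return "1"
    web = [m for m in group if m.channel == "web"]
    if sum(m.visa for m in web) > 20_000 or sum(m.mastercard for m in web) > 20_000:
        return "2/3"  # treated alike in the Q&A; Appendix A distinguishes them
    return "4"

ACTIONS = {  # validation actions by level, as listed in question #5
    "1": "annual on-site security audit and quarterly scans (required)",
    "2/3": "annual self-assessment questionnaire and quarterly scans (required)",
    "4": "annual self-assessment questionnaire and quarterly scans (recommended)",
}
def classify(merchants):
    """Map each grouped merchant to (level, validation action)."""
    result = {}
    for key, grp in group_merchants(merchants).items():
        level = determine_level(grp)
        result[key] = (level, ACTIONS[level])
    return result

SAMPLE = [  # constructed sample rows, not UT data
    Merchant("M-1001", "web", 15_000, 8_000, server="app-srv-1"),
    Merchant("M-1002", "web", 7_000, 1_000, server="app-srv-1"),  # grouped with M-1001
    Merchant("M-2001", "terminal", 500_000, 300_000),
    Merchant("M-3001", "terminal", 2_000, 500, breached=True),
]
```

Note that the two web merchants individually fall below 20,000 Visa e-commerce transactions but exceed it once grouped by their shared server.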

11. Where are major PCI compliance resources located?

• The PCI security standards are located at the following website .

• PCI Self-Assessment Questionnaire

• PCI DSS Security Audit Procedures

• PCI DSS Security Scanning Procedures

• Global Payments PCI Requirements

• Visa CISP compliant service provider (copy and paste the following link into a browser)

• Payment Application Best Practice by Visa CISP (copy and paste the following link into a browser)

• PCI DSS Forum at

Appendix A

PCI Level Criteria and Validation Requirements

|Merchant Level |

|First Violation |Up to $50,000 USD for rolling 12-month period |
|Second Violation |Up to $100,000 USD for rolling 12-month period |
|Third Violation |At Management's discretion for more than two violations in a rolling 12-month period |

MasterCard Assessment Schedule

|Failure to comply with the SDP Program mandate… |Will result in an assessment of… |
|Level 1 |Up to $25,000 USD per merchant |
|Level 2 |Up to $5,000 USD per merchant |
|Level 3 |Up to $5,000 USD per merchant |
