Are you PCI Compliant?
Self-Assessment Questionnaire
The "SAQ" is a validation tool for merchants and service providers who are not required to
do on-site assessments for PCI DSS compliance. Please refer to the following SAQs and
information for more details.
SAQ Validation Type | Self-Assessment Questionnaire - Description | SAQ ID
4 | Merchants with POS systems connected to the internet, no electronic cardholder data storage. [Word Document] | C
5 | All other merchants (not included in Type 4) and all service providers defined by a payment card brand as eligible to complete a SAQ. [Word Document] | D
Getting Started with PCI Data Security Standard
For merchants and payment card processors, PCI security is the natural result of applying
the information security best practices codified in the Payment Card Industry Data Security
Standard (PCI DSS). The standard comprises 12 requirements for any business that stores,
processes or transmits payment cardholder data.
Payment Card Industry (PCI) Data Security Standard [PDF]
Frequently Asked Questions [PDF]
Cardholder Data Security is your Responsibility
Ensuring the safety of your customers' cardholder information helps your business create
and maintain a positive image, enhances customer confidence and can even improve your
bottom line.
As part of NSI's ongoing provision of credit and debit card processing services,
we want to provide you with some critical information regarding the Payment Card
Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance
Programs.
It is important to note that all Merchants and Service Providers that store, process,
or transmit cardholder data must comply with PCI DSS and the Card Association Compliance
Programs. However, certification requirements vary by business and are contingent
upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI
DSS and the Card Association Compliance Programs may result in a Merchant being
subject to fines, fees or assessments and/or termination of processing services.
The PCI DSS is enforced by the Card Associations (American Express, Discover Financial
Services, JCB, MasterCard Worldwide and Visa International). NSI has taken steps to
provide our valued clients with the necessary information and associated links to
help you assess the actions your business should take to ensure that you are
compliant.
- About PCI DSS
- Twelve Principal Requirements of PCI DSS
- Card Association Compliance Programs
- Importance of PCI DSS Compliance and/or Certification
- Merchant Levels and Validation Requirements
- Third Party Service Providers
- Third Party Payment Applications
- PCI Security Standards Council
- Helpful/Related Links
About PCI DSS
PCI DSS is a global data security standard that was established by VISA International
and MasterCard Worldwide in December 2004. PCI DSS resulted from aligning the data
security standards of the VISA International and MasterCard Worldwide data security
programs. It was subsequently endorsed by American Express, Discover Financial Services,
and JCB. In September 2006 the five major credit card payment networks announced the
formation of an independent body, the PCI Security Standards Council, to develop and
maintain PCI DSS as it evolves.
PCI DSS was created to ensure the protection of cardholder data. After several high
profile security breaches it became apparent that a single global set of data security
standards was needed to help merchants and service providers protect that data. Based
on twelve principal requirements, PCI DSS requires merchants to secure their physical
and virtual environments so that cardholder data is protected. All merchants that accept
credit cards as a form of payment, and all service providers involved in the processing
of credit card transactions, are required to be compliant with PCI DSS.
Twelve Principal Requirements of PCI DSS
PCI DSS is a multi-faceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other
critical protective measures. This comprehensive standard is intended to help organizations
proactively protect customer account data.
Below are the twelve principal requirements of PCI DSS:
- Build and Maintain a Secure Network
- 1) Install and maintain a firewall configuration to protect cardholder data
- 2) Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
- 3) Protect stored cardholder data
- 4) Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
- 5) Use and regularly update anti-virus software
- 6) Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- 7) Restrict access to cardholder data by business need-to-know
- 8) Assign a unique ID to each person with computer access
- 9) Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- 10) Track and monitor all access to network resources and cardholder data
- 11) Regularly test security systems and processes
- Maintain an Information Security Policy
- 12) Maintain a policy that addresses information security
The PCI DSS and supporting documentation can be found at
https://www.pcisecuritystandards.org.
Card Association Compliance Programs
The Card Associations have each developed their own compliance program to ensure that
merchants and service providers are compliant with PCI DSS. Each program has specific
validation requirements that must be followed for the Card Association to recognize
certification to PCI DSS. Key differences between the programs include validation
levels, validation requirements and approved third party assessors.
Below is a list of the Card Association compliance programs:
- Visa USA Cardholder Information Security Program (CISP)
- Visa Canada Account Information Security (AIS) Program
- MasterCard International Site Data Protection (SDP) Program
- American Express Data Security Operating Policy (DSOP) Program
- Discover Card Information Security and Compliance (DISC) Program
- JCB PCI DSS
Importance of PCI DSS Compliance and/or Certification
NSI strongly endorses the need for more stringent standards regarding the handling
of cardholder data. In addition, we are taking proactive measures to ensure that
all merchants adopt these standards and maintain compliance on an on-going basis.
Compliance with the PCI DSS is mandatory. If you and your service providers are
not compliant with PCI DSS, the Card Associations could levy fees and fines against
you and your credit card processing services could be terminated. Your obligation
to comply with the Card Associations' rules and regulations (including those related
to security standards) is detailed in your agreement with NSI.
Compliance means that all requirements of the PCI DSS have been met. To become certified,
an entity must engage the services of a QSA to validate its compliance with PCI DSS.
The QSA identifies areas of non-compliance, and the merchant must remedy each one.
Once all areas of non-compliance have been addressed, the QSA re-evaluates and issues
confirmation of compliance. Certification to PCI DSS is at the merchant's expense.
Merchant Levels and Validation Requirements
It is important to note that all merchants that store, process, or transmit cardholder
data must comply with the PCI DSS regardless of the volume of transactions processed
or the method by which they are processed. However, certification requirements vary
by business and are contingent upon your "Merchant Level".
Merchant Level Description & Validation Requirements

Level | Level Description | Validation Requirements | Validated By | Validation Due Date
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions annually of one card plan; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that the card associations, at their sole discretion, determine should meet the Level 1 merchant requirements. | Annual On-site PCI Data Security Assessment | Qualified Security Assessor (QSA) | June 30, 2005
1 | | Quarterly Network Scan | Approved Scanning Vendor (ASV) |
2 | Any merchant processing between 150,000 and 6,000,000 e-commerce transactions annually of one card plan. | Annual PCI Self Assessment Questionnaire | Qualified Security Assessor (QSA) | June 30, 2004
2 | | Quarterly Network Scan | Approved Scanning Vendor (ASV) |
3 | Any merchant processing between 20,000 and 150,000 e-commerce transactions annually of one card plan. | Annual PCI Self Assessment Questionnaire | Qualified Security Assessor (QSA) | June 30, 2004
3 | | Quarterly Network Scan | Approved Scanning Vendor (ASV) |
4A | Any merchant processing between 1,000,000 and 6,000,000 transactions annually of one card plan. | Annual PCI Self Assessment Questionnaire | Qualified Security Assessor (QSA) | December 31, 2005
4A | | Quarterly Network Scan | Approved Scanning Vendor (ASV) |
4B | Any merchant processing fewer than 1,000,000 transactions of one card plan per year; any e-commerce merchant processing fewer than 20,000 transactions annually of one card plan. | Annual PCI Self Assessment Questionnaire | Qualified Security Assessor (QSA) | Acquirer's discretion
4B | | Quarterly Network Scan | Approved Scanning Vendor (ASV) |
Third Party Service Providers
All third party service providers that store, process, or transmit cardholder information
on behalf of a merchant are required to comply with PCI DSS. In addition all service
providers are required to validate their compliance to PCI DSS through the services
of a QSA.
Third Party Payment Applications
Many merchants deploy third party payment applications that are tailored to their
business needs to assist them in accepting credit card payments. For a merchant
to be compliant with PCI DSS, the payment application(s) they deploy must meet the
data security requirements within PCI DSS that apply to such applications.
VISA has developed the Payment Application Best Practices (PABP) to assist software
vendors in creating secure payment applications that help ensure merchants comply
with PCI DSS. A list of payment applications that have validated their compliance
to PABP can be found on the VISA CISP website.
NSI strongly recommends that merchants discuss PCI DSS and PABP with their vendors
and refer to the list of validated payment applications when selecting a payment
application.
PCI Security Standards Council
The five major credit card networks (American Express, Discover Financial Services,
JCB, MasterCard Worldwide and Visa International) announced the formation of an
independent body to manage the ongoing evolution of the PCI DSS.
The PCI Security Standards Council will:
- Develop and manage the PCI DSS, including maintenance, clarification and revisions
of the standard
- Establish and maintain industry-level approval processes for qualified security
assessors and network scanning vendors, and routinely evaluate and approve qualified
assessors and vendors
- Publish and distribute the PCI DSS, and all related documents associated with Qualified
Security Assessor (QSA) and Approved Scanning Vendors (ASV) policies and procedures
- Provide an open forum where all key stakeholders can provide input into the ongoing
development of other payment security standards and business practices
Each payment card network will still be responsible for enforcing compliance
with PCI DSS through its individual compliance program.
More information on the PCI Security Standards Council can be found at
https://www.pcisecuritystandards.org.
Helpful/Related Links
For more information on PCI DSS and the card association compliance programs please
review the following websites: