X-Payments:PCI FAQs - Revision history

Dohtur: Undo revision 1131 by Dohtur (talk)

2017-12-05T14:03:44Z

Undo revision 1131 by Dohtur (talk)

Dohtur at 13:54, 5 December 2017

2017-12-05T13:54:16Z

Dohtur at 12:31, 31 May 2016

2016-05-31T12:31:17Z

Dohtur at 12:27, 31 May 2016

2016-05-31T12:27:19Z

Dohtur at 12:20, 31 May 2016

2016-05-31T12:20:47Z

Dohtur: /* Am I PCI compliant if I have an SSL certificate? */

2016-02-04T07:30:03Z

‎Am I PCI compliant if I have an SSL certificate?

Dohtur: /* What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements? */

2015-08-17T13:04:39Z

‎What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

Dohtur: /* See also */

2015-08-17T13:00:54Z

‎See also

Dohtur: /* See also */

2015-08-17T13:00:40Z

‎See also

Dohtur: /* What is PCI? */

2015-08-17T12:46:59Z

‎What is PCI?

@@ Line 169: / Line 169: @@
 * [https://help.x-cart.com/index.php?title=X-Cart:PCI_DSS PCI DSS]
 * [[X-Payments:PCI DSS implementation guide | PCI DSS implementation guide]]
-* [https://www.x-payments.com/help/File:Braintree_PCI_DSS_compliance_Quick_Guide.pdf Braintree PCI DSS compliance Quick Guide]
+* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]
 [[Category:PCI DSS]]
 [[Category:X-Payments Developer Guide]]

@@ Line 169: / Line 169: @@
 * [https://help.x-cart.com/index.php?title=X-Cart:PCI_DSS PCI DSS]
 * [[X-Payments:PCI DSS implementation guide | PCI DSS implementation guide]]
-* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]
+* [https://www.x-payments.com/help/File:Braintree_PCI_DSS_compliance_Quick_Guide.pdf Braintree PCI DSS compliance Quick Guide]
 [[Category:PCI DSS]]
 [[Category:X-Payments Developer Guide]]

@@ Line 155: / Line 155: @@
 ==What should I do if I am compromised?==
-We recommend following the procedures outlined in Visa’s "What to Do If Compromised Visa Fraud Control and Investigations Procedures" document. Link below. [http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf]
+We recommend following the procedures outlined in Visa's "What to Do If Compromised Visa Fraud Control and Investigations Procedures" document. Link below. [http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf]
 ==Do states have laws that requiring data breach notifications to the affected parties?==

@@ Line 117: / Line 117: @@
 ==What is PA-DSS (formerly PABP)?==
-PA-DSS refers to Payment Application Data Security Standard maintained by the PCI Security Standards Council. PABP is Visa’s Payment Application Best Practices, which is now referred to as PA-DSS. Visa started the program and it has bees transitioned to the PCI Security Standards Council (PCI SSC). To address the critical issue of payment application security, PA-DSS requirements have been developed to ensure vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) will maintain the PA-DSS and administer a program to validate payment applications' compliance against this standard. The PCI SSC now publishes and maintains a list of PA-DSS validated applications. See [https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml] for more information.
+PA-DSS refers to Payment Application Data Security Standard maintained by the PCI Security Standards Council. PABP is Visa's Payment Application Best Practices, which is now referred to as PA-DSS. Visa started the program and it has bees transitioned to the PCI Security Standards Council (PCI SSC). To address the critical issue of payment application security, PA-DSS requirements have been developed to ensure vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) will maintain the PA-DSS and administer a program to validate payment applications' compliance against this standard. The PCI SSC now publishes and maintains a list of PA-DSS validated applications. See [https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml] for more information.
 '''VISA MANDATE PHASE DEADLINE'''
-* New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data. January 1, 2008
+* New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions - those that store prohibited cardholder data. January 1, 2008
 * New PCI Level 4 merchants using third-party payment software must be either PCI DSS compliant or use PA-DSS validated compliant payment applications. October 1, 2008
 * ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010
@@ Line 127: / Line 127: @@
 ==Can the full credit card number be printed on the consumer's copy of the receipt?==
-PCI DSS requirement 3.3 states "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).” While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3 “Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN, nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale (POS) receipts).” Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security.
+PCI DSS requirement 3.3 states "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)." While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3 "Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN, nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale (POS) receipts)." Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security.
 ''Source: PCI SSC''
@@ Line 137: / Line 137: @@
 ==What is a network security scan?==
-A network security scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by an Approved Scanning Vendors (ASV’s) the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
+A network security scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by an Approved Scanning Vendors (ASV's) the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
 Note, typically only merchants with external facing IP address are required to have passing quarterly scans to validate PCI compliance. This is usually merchants completing the SAQ C or D version.
@@ Line 155: / Line 155: @@
 ==What should I do if I am compromised?==
-We recommend following the procedures outlined in Visa’s” What to Do If Compromised Visa Fraud Control and Investigations Procedures” document. Link below. [http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf]
+We recommend following the procedures outlined in Visa’s "What to Do If Compromised Visa Fraud Control and Investigations Procedures" document. Link below. [http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf]
 ==Do states have laws that requiring data breach notifications to the affected parties?==

@@ Line 13: / Line 13: @@
 ==What are the PCI compliance deadlines?==
-All merchant that stores, processes or transmits cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank. You may also find more information on Visa’s Website: [http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf].
+All merchant that stores, processes or transmits cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank. You may also find more information on Visa's Website: [http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf].
 ==What are the PCI compliance levels and how are they determined?==
-All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
+All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.
 '''Merchant levels as defined by Visa:'''
@@ Line 46: / Line 46: @@
 To satisfy the requirements of PCI, a merchant must complete the following steps:
-'''1.''' Identify your Validation Type as defined by PCI DSS – see below . This is used to determine which Self Assessment Questionnaire is appropriate for your business.
+'''1.''' Identify your Validation Type as defined by PCI DSS - see below . This is used to determine which Self Assessment Questionnaire is appropriate for your business.
 : [[File:Pci_faqs_saq.gif|border]]
@@ Line 52: / Line 52: @@
 '''2.''' Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines.
-'''3.''' Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note: scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
+'''3.''' Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note: scanning does not apply to all merchants. It is required for Validation Type 4 and 5 - those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
 '''4.''' Complete the relevant Attestation of Compliance in its entirety.
@@ Line 58: / Line 58: @@
 '''5.''' Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
-==I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?==
+==I am a small merchant with very few card transactions; do I need to be compliant with PCI DSS?==
 All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
@@ Line 89: / Line 89: @@
 The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
-==What is defined as ‘cardholder data’?==
+==What is defined as 'cardholder data'?==
 Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
-==What is the definition of ‘merchant’?==
+==What is the definition of 'merchant'?==
 For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers
@@ Line 125: / Line 125: @@
 * ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010
-==Can the full credit card number be printed on the consumer’s copy of the receipt?==
+==Can the full credit card number be printed on the consumer's copy of the receipt?==
 PCI DSS requirement 3.3 states "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).” While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3 “Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN, nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale (POS) receipts).” Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security.
@@ Line 149: / Line 149: @@
 PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, American Express, and JCB. At their acquirers/service providers discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.
-==If I’m running a business from my home, am I a serious target for hackers?==
+==If I am running a business from my home, am I a serious target for hackers?==
 Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero-in on home users - often exploiting their 'always on' broadband connections and typical home use programs such as chat, Internet games and P2P files sharing applications. Security scanning services allow home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.
-==What should I do if I’m compromised?==
+==What should I do if I am compromised?==
 We recommend following the procedures outlined in Visa’s” What to Do If Compromised Visa Fraud Control and Investigations Procedures” document. Link below. [http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf]

@@ Line 80: / Line 80: @@
 ==Am I PCI compliant if I have an SSL certificate?==
-No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance. See Question [http://lu53.crtdev.local/%7Emixon/google-cache-w.php?q=/index.php?title=PCI_FAQs#What_does_a_small-to-medium_sized_business_.28Level_4_merchant.29_have_to_do_in_order_to_satisfy_the_PCI_requirements.3F #What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?]
+No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance.
 * A secure connection between the customer's browser and the web server

@@ Line 1: / Line 1: @@
 ==   What is PCI?  ==
-The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available [https://help.x-cart.com/index.php?title=X-Cart:PCI_DSS here].
+The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available [http://help.x-cart.com/index.php?title=X-Cart:PCI_DSS here].
 ==To whom does PCI apply?==