The mandatory guide for storing, processing or transmitting cardholder information

PCI DSS stands for Payment Card Industry Data Security Standard . This is a compliance requirement that aims to ensure cardholder information is always stored, processed and transmitted securely. Sensitive cardholder data is a tempting target which requires the need for adequate security and increased vigilance to prevent and deter the threat of a data theft.
This is an issue which has been given increasingly more publicity over the last few years where big household named merchants have been the unfortunate targets of intelligently orchestrated data hacks. This is not industry scaremongering, but in fact a very real threat to today’s businesses engaged in taking payments.
In light of this threat to the protection of customer details, the Card Schemes (MasterCard and
Visa) need to ensure merchants, Issuers, Acquirers and Payment Service Providers (PSP’s) have sufficient protection in place to alert, prevent and continually defend against hackers and criminals. Cardholder data is proving an ever increasing target for fraudsters, which has been evidenced by a series of recent high-profile breaches around the world.
If you accept payments by Credit or Debit card you are affected. Any business that stores, processes or transmits any cardholder data must take responsibility for PCI and achieve compliance.
The Card Schemes have divided businesses in to 4 levels depending on the volume and type of transaction processed. See the table below to find out which level your business is, and what you need to do to comply. IMPORTANT: Please remember that if progress towards PCI compliance is not started your business could be fined for non-compliance. There are also fines associated with the storage of Sensitive Authentication Data (SAD) post authorisation. Worst case scenario is that your business is subject to an Account Data Compromise (ADC) for which there will be fines associated plus of course the potential loss of business and reputation.
As your Acquirer it is our responsibility to report your progress towards PCI compliance to the
Card Schemes. These updates can ultimately help reduce the threat of fines which can occur if non-compliance is not managed correctly. WorldPay (UK) Ltd will pass on fines it receives for your non-compliance as outlined in your Terms & Conditions.
PCI Level 1-3 merchants, and the updates they provide, are supported by our dedicated Payment
Security team. If your business is currently Level 4 , please continue to read through this guide plus visit www.worldpay.com/saferbusiness in order to understand what steps you need to take to ensure your business complies.
Regardless of level – please start your journey at www.worldpay.com/saferbusiness
The PCI Levels, as prescribed by the Card Schemes, are as follows:
Please Note : Effective 30 June 2011 All Level 1 and 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA). This is a key change to the existing requirement for level 2 merchants. MasterCard strongly encourages that all impacted merchants engage a QSA as soon as possible.

Level Criteria Validation Requirement
1
Any merchant processing in excess of 6 Million
MasterCard OR Visa transactions a year, regardless of acceptance channel.
ƒ
Annual Report on Compliance (ROC) (by either a
Qualified Security Assessor, or qualified internal security resource)
Any merchant that has lost data due to a security breech or hacking with the last 12 months.
ƒ Compliant quarterly network scan by Approved
Scan Vendor (ASV)
ƒ Attestation of Compliance Form
2
Any merchant processing between 1 and 6
Million MasterCard OR Visa transactions a year, regardless of acceptance channel
ƒ Annual Report on Compliance (ROC) (by either a
Qualified Security Assessor, or qualified internal security resource)
ƒ
Compliant quarterly network scan by ASV
ƒ Attestation of Compliance Form
3
Any e-commerce merchant processing between
20,000 and 1 Million MasterCard OR Visa transactions a year
ƒ Annual Self-Assessment Questionnaire (SAQ)
ƒ
Compliant quarterly network scan by ASV
ƒ Attestation of Compliance Form
4
Merchants processing fewer than 20,000 Visa or
MasterCard eCommerce transactions annually and all other merchants processing up to one million Visa or MasterCard transactions annually.
ƒ
Level 4 merchants register compliance through our merchant portal www.worldpay.com/saferbusiness
Merchants currently in scope of deadlines are those who process fewer than 1 million Visa eCommerce transactions per year
A Qualified Security Assessor (QSA) conducts an onsite audit or review of your systems that store, process or transmit cardholder data.
The PCI Self-Assessment Questionnaire (SAQ) is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance to the PCI DSS.
The PCI Security Standards Council’s official website has links to these SAQ’s and also some very useful Instructions and Guidelines document which includes on page 15 a simple flowchart that will help you decide which SAQ your business needs to complete. https://www.pcisecuritystandards.org/saq/index.shtml
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf
There is also plenty of useful information on our own dedicated PCI website: www.worldpay.com/saferbusiness
These are external scans of your internet facing IP addresses that check for unknown vulnerabilities in your network.

MasterCard and Visa have become increasingly concerned with the level of security protecting businesses account and transaction information. They need to ensure that the level of protection a merchant employs is sufficient to deter hackers and criminals. Cardholder data is a tempting target for fraudsters with a series of recent high-profile security breaches worldwide, highlighting the problem.
In January 2005, MasterCard and Visa combined their individual security standards for cardholder data to create a joint program, which is also endorsed by American Express, JCB and
Diners (collectively known as the Card Schemes).
PCI DSS requires everyone who stores, processes or transmits card data to comply with 12 requirements, covering both IT security and operational practices.
Build and maintain a secure computer network
1 Install and maintain a security protection programme (known as a firewall configuration) to protect the card data you may hold
2 Do not use computer passwords that have been provided by external suppliers or businesses. Ensure you issue your own unique passwords and security measures
Protect cardholder data
3 Protect stored data but do not store card and transaction data unnecessarily. Such as:
•
The full card number
•
The contents of any information within the magnetic strip. Data stored within the magnetic strip is known as Track data. See Appendix 1
•
The card security code on the signature strip (CVV2)
•
The PIN (Personal Identification Number), if you operate an ATM machine.
4 If you are sending out card data or sensitive information by email or on disc through the post, you must always ensure that you encrypt it (electronically secure it so it cannot be hacked or read by anyone other than the authorised person) before you send it. If you are using the postage system, you should ensure it is at least by recorded delivery which requires signed receipt upon delivery and preferably by a method that can be tracked.
Maintain a vulnerability management program / Minimise IT vulnerability
5 Use and regularly update anti-virus software
6 Develop and maintain secure computer systems and applications
Implement robust control measures / Control access to card data
7 Only access card data when there is a business requirement 8 Assign a unique ID to each member of your staff who has computer access 9 Restrict physical access to the storage area where the cardholder data is kept.
Regularly monitor and test your computer networks
10 Regularly check to see who accesses your computers and cardholder data that you hold.
11 Regularly test your security systems and processes.
Make information security a priority
12 Create and maintain your own security policy to ensure you remain compliant with PCI
DSS guidance.

A few simple steps you can take now to begin making sure your business is compliant:
•
View and bookmark our dedicated PCI website - www.worldpay.com/saferbusiness
•
View and bookmark the PCI SSC website at https://www.pcisecuritystandards.org/
•
Establish your PCI level and validation requirements; assess your organisation to confirm where card data is stored, processed and transmitted.
•
Take time to look at Prioritised Approach which is detailed at www.worldpay.com/saferbusiness . This risk based approach which is now being formally requested by the Card Schemes for PCI level 1-3 merchants.
•
If confirming compliance using a Self Assessment Questionnaire (SAQ), download the appropriate version from either https://www.pcisecuritystandards.org/saq/index.shtml
or www.worldpay.com/saferbusiness
•
Assign (QSA) if appropriate
•
Approved Scan Vendor (ASV) should be contacted if external vulnerability scans are required. The ASV will be able to discuss your requirements with the programme.
•
Level 4 merchants should visit the following for guidance specific to them: www.worldpay.com/saferbusiness
If you use a Payment Service Provider (PSP) that stores, processes or transmits cardholder data on your behalf, then your PSP is responsible for complying with the PCI DSS. However you still need to complete a Self Assessment Questionnaire (SAQ) to ensure your business is compliant.
If you use a computer programme that enables you to capture the card details on your systems, then your business will need to comply with the PCI DSS standard.
If you have any doubt about what is required for your business, please contact your PSP who will be able to advise you of this and your level of responsibility.
The first place to go is our dedicated PCI website at www.worldpay.com/saferbusiness as this provides plenty of useful information that will help give your business a head start. It includes:
•
A useful PCI Overview
•
Compliance Management Programme just launched for Level 4 merchants
•
PCI update newsletters
•
Frequently Asked Questions
•
Contact details for the PCI team
•
Links to other sources of useful PCI information including Visa, MasterCard and the PCI
Security Standards Council

The Card Schemes have instructed us to highlight to our merchants the regulations about ‘track data’. Track data is the information that is held on the magnetic strip and the chip of a credit or debit card. The detail includes the Primary Account Number across the card, expiry data, the security code on the signature strip and service code (used to control your card machine responses). It can also be called full track, track, track 1, track2, and magnetic stripe data.
Some track data can be stored but it must not be stored in full even if it is protected. If you accept card payments by Mail Order or Telephone Order you may have some of the details written down.
Therefore you must have the necessary arrangements to ensure that these written details are securely protected or destroyed once they have been processed.
This table is an extract from the Security Standards Council PCI DSS requirements document and highlights what can and cannot be stored.
Data Type
Storage
Permitted?
Protection
Required?
Primary Account Number
(PAN)
YES YES
Cardholder Name YES YES
Cardholder
Data
Expiry Date YES YES
Service Code YES YES
Full Magnetic Stripe NO N/A
Sensitive
Authenticati on Data
3 or 4 digit Security Code
(CVC2/CVV2/CID)
NO N/A
PIN / PIN Block NO N/A
PLEASE NOTE:
Sensitive Authentication Data MUST NEVER be stored subsequent to authorisation (even if encrypted). As a minimum the Primary Account Number should be unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) You should use some method to protect any data kept, see https://www.pcisecuritystandards.org/ for advice.
Some merchants may not be aware that they are storing track data, because it can be done automatically by application software. If you have bought software that stores, processes or transmits card information, you should speak to your supplier to ask where track data may be stored.

ASV - Approved Scan Vendor
A provider approved by the PCI Security Standard Council to carry out a vulnerability scan of your systems.
A list is available from https://www.pcisecuritystandards.org/index.htm
Cardholder
Customer to whom a card is issued or individual authorised to use the card
Cardholder data
Cardholder data is defined as the primary account number (PAN) or credit card number) and other data obtained as part of a paying transaction, including the following data elements:
ƒ PAN
ƒ name
ƒ Expiry
ƒ
Service
ƒ Sensitive Authentication Data
Card Schemes
Visa, MasterCard, American Express, Diners, JCB (Japan Credit Bureau)
These independent organisations have set up systems for issuing and accepting card payments worldwide, some using local financial institutions as agents.
Card Validation Value or Code (CVV, CVC)
The code on the signature strip, normally 3 digits printed to the right of the card number. For American
Express the code is 4 digit un-embossed number printed above the card number on the face of all payment cards. The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic
Compromise
Intrusion into computer systems where unauthorised disclosure, modification or destruction of cardholder data is suspected
Default passwords
Password set by manufacturer that is freely available. All passwords should be reset and changed often to prevent compromise.
Encryption
A way of converting information into an unintelligible format that allows storage or transmission without compromise.
Firewall
Hardware, software, or both that protects data on one network or computer from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider internet must have a firewall to prevent outsiders from accessing internal private data resources.
Forensic Investigation
Investigation carried out under scientific procedures with or without police involvement. This can involve removal of computer equipment and data storage from your premises.
Magnetic Stripe Data (Track Data)
Data encoded in the magnetic stripe used for authorisation during transactions when the card is presented.
If chip and PIN is used to read the card then an equivalent is used by the terminal to authorise and this should not be kept either.
Merchant
Any business that takes card payments for goods and services

Network
A network exists if two or more computers are connected.
PAN
Primary Account Number is the card number that normally runs across the card. It identifies the organisation that issued the card, the Card Scheme and the card.
Password
A mixture of characters that can be used to authenticate a user allowing them access to a system, computer or network
Payment Service Provider (PSP)
Offers merchants online services for accepting electronic payments by a variety of payment methods including cards.
PCI SSC
The Payment Card Industry Security Standards Council which was formed by the main Card Schemes –
Amex, Visa, MasterCard, Diners and JCB.
PIN
Personal Identification Number used in Chip and PIN and Cash Machines to validate the cardholder. This should never be stored or kept during transactions or given or asked of the cardholder.
PIN block
When a card holder enters their PIN, the information is first encoded into a plain text ‘PIN block’, derived from the PIN length, the PIN digits, and a portion of the PAN (primary account number). The plain text ‘PIN block’ is then encrypted using a standard algorithm and it is this that is used to verify the card.
Prioritised Approach
Now a mandatory risk based process that should be followed by all PCI level 1-3 merchants. The
Prioritised Approach provides guidance on how to focus PCI DSS compliance work in a way that ensures prioritising the highest security risks.
QSA – Qualified Security Assessor
The PCI Security Standards Council maintains a list of all persons qualified to assess your systems and processes. For a list see https://www.pcisecuritystandards.org/
SAQ – Self Assessment Questionnaires
Validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Sensitive Authentication Data (SAD)
This is defined as full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN’s/PIN blocks. None of this should be stored post authorisation.
Service Code
Messages contained within a card’s magnetic strip or Chip that tells a terminal the process to follow when processing a transaction.
Service Provider
Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission and switching or transaction data and cardholder information or both.
Track Data
Information about the card and cardholder that is kept in the magnetic strip or Chip
Transaction Data
Information that identifies the purchases a cardholder makes with their card.
Vulnerability Scan
These are external facing scans of your internet facing IP addresses that check for unknown vulnerabilities in your network .