Electronic transactions are becoming more popular with retailers. Many consumers have switched to debit cards and credit cards as their preferred method of payment. To ensure retailers adhere to security standards, the Payment Card Industry Data Security Standard was created (PCI-DSS).
According to AIG Cyberedge, a pizzeria was found to be the common place of purchase for cardholders who had been involved in fraudulent credit-card transactions. After investigation, it was found that the pizzeria wasn’t in compliance with PCI DSS. It was required to verify compliance. The insurer also provided a forensic audit to aid the credit card processor assess and confirm the merchant’s compliance. The processor was paid for the audit by the credit card companies and any fines imposed by the insurer.
This is one example of an insurance company that steps in to help cover costs. In many cases, a PCI DSS assessment is required after a breach occurs. Credit card companies may also be subject to “fines or penalties.” In the case above, it is not clear if the insurer paid any assessment costs that were subsequently incurred. Some insurance carriers will pay for all or part of such assessment costs. Some insurance carriers will not cover or limit coverage for assessment expenses.
This scenario shows the danger merchants face when they are required to conform with the PCI DSS. This is understandable as legitimate merchants do not want to be associated with fraudulent activity.
It is important to understand how payments card transactions work. Usually, the customer presents their card to the merchant. Point of sale systems send the information to a processor, who then gets authorization from the card brand as well as the bank that issued the card (the “issuing banks”). The funds are then collected by the payment processor and sent to merchant’s bank (“acquiring bank”).
Let’s assume you are the merchant. You may then have been notified by your acquiring bank that you must submit Payment Card Industry compliance validation. Not providing the validation by a specified date could result in you being subject to penalties, including fees and possible termination of your card acceptance agreement.
First, you must understand the credit card brand’s classification for your business. Each credit card brand has its own compliance program that focuses only on the number transactions per credit card.
Different credit card companies have different levels and submission requirements for compliance validation. According to Visa’s criteria Level 4 merchants are those organizations that have more than 1 million Visa transactions per year. MasterCard classifies organizations that have more than 1 million MasterCard transactions per year as Level 3 merchants. American Express does not have a Level 4. Each level has its specific compliance validation requirements.
Visa may classify your business as a Level 4, but American Express might consider it a Level 2, merchant. A Level 3 American Express merchant must provide quarterly scans to validate compliance. An Level 4 Visa merchant will only need to do this at the discretion of their bank.
Check out the following pages to find out what level you are according to credit card brand.
• Visa
• MasterCard
• Discover
• American Express
If you’re not sure, gather the transactions by credit card brand and contact your acquirer bank to confirm. The ultimate authority to decide on merchants’ levels is held by acquirer banks. Your bank should confirm your assumptions. Your level could be raised if you are the victim of a breach. You should check with your acquiring bank in the event of a breach.
Once you have determined your level, you can determine the information you must provide to the bank in order to prove compliance. Once you have met the brand level 4 requirements, the next steps are to identify which SAQ to submit and – if required – to choose an Authorized Scanning vendor (ASV).
Anytime the requirements of an acquiring bank may be changed, it is up to them. It is important that you confirm your expectations before beginning work.
Qualified and pre-approved by PCI Council, Authorized Scanning Vendors conduct quarterly external scans on merchants. All companies that submit quarterly network scans must use an ASV-certified company.
Clean scans are required. This means that there have not been any failing vulnerabilities discovered and the scans have been verified by you and your ASV. Many organizations choose to run their first scans before the quarter ends in order to fix any issues or vulnerabilities that were found.
By Keith Daniels
After explaining the process of PCI DSS compliance, my next article will focus on the coverage issues raised by cyber liability policies regarding the cost of PCI DSS assessments. There are still ambiguities that can be confusing for insurance buyers, as shown by several cases.