PCI Data Security Standards

This is a reminder that as of December 31st, 2014, all merchants must validate using PCI DSS V.3. We recommend that all our merchants comply with the PCI Standards V.3 moving forward. For more information, please visit: https://www.pcisecuritystandards.org/index.php

Cardholder Data Security

Cardholder Data Security is your Responsibility

Ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line.

As part of Moneris' ongoing provision of credit and debit card processing services, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs

It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. However, certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.

To help our clients protect their customers' cardholder data and maintain PCI-DSS compliance, Moneris has established the Moneris PCI Program with our partner, Trustwave, a leading provider of PCI DSS compliance services for merchants. In joining forces with Trustwave, the Moneris PCI Program provides you with all the tools you need to successfully complete the steps necessary to help your business validate compliance to PCI DSS and protect your business for the long-term through data security best practices. TO BEGIN YOUR COMPLIANCE VALIDATION TODAY, please visit https://pci.trustwave.com/moneris If you need assistance or require more information, please call Moneris Customer Service at 800-471-9511.

The PCI DSS is enforced by the Card Associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Moneris has taken the steps to provide our valued clients with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.

About PA DSS
Twelve Principle Requirements of PCI DSS
Card Association Compliance Programs
Importance of PCI DSS Compliance and/or Certification
Merchant Levels and Validation Requirements
Third Party Service Providers
Payment Application Data Security Standard
PCI Security Standards Council
Helpful/Related Links

PCI DSS is a global data security standard that was established by VISA International and MasterCard Worldwide in December 2004. PCI DSS was the result of the alignment of the data security standards included in the VISA International and MasterCard Worldwide data security programs. PCI DSS proceeded to be endorsed by American Express, Discover Financial Services, and JCB. In September 2006 the five major credit card payment networks announced the formation of an independent body, PCI Security Standards Council, to develop and maintain the evolution of PCI DSS.

PCI DSS was created to ensure the protection of cardholder data. Due to some high profile security breaches it became apparent that a global set of data security standards was required to assist merchants and service providers in meeting the requirements. Based on twelve principle requirements, PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions are required to be compliant with PCI DSS.

Twelve Principle Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Below are the twelve principle requirements of PCI DSS:

Build and Maintain a Secure Network
1.) Install and maintain a firewall configuration to protect cardholder data
2.) Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3.) Protect stored cardholder data
4.) Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5.) Use and regularly update anti-virus software
6.) Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7.) Restrict access to cardholder data by business need-to-know
8.) Assign a unique ID to each person with computer access
9.) Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10.) Track and monitor all access to network resources and cardholder data
11.) Regularly test security systems and processes

Maintain an Information Security Policy
12.) Maintain a policy that addresses information security

The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.

Card Association Compliance Programs
The Card Associations have each developed their own compliance program to ensure merchants and service providers are compliant with PCI DSS. Each program has specific validation requirements which must be followed for the Card Associations to recognize certification to PCI DSS. Some key differences in the programs include; validation levels, validation requirements, approved third party assessors.

Below is a list of the Card Association compliance programs:

Visa USA Cardholder Information Security Program (CISP) 

MasterCard International Site Data Protection (SDP) Program 

American Express Data Security Operating Policy (DSOP) Program 

Discover Card Information Security and Compliance (DISC) Program 


Importance of PCI DSS Compliance and/or Certification
Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.

Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you and your credit card processing services could be terminated. Your obligation to comply with the Card Associations' rules and regulations (including those related to security standards) is detailed in your agreement with Moneris.

Compliance means all requirements of the PCI DSS have been met. To become certified, an entity must engage the services of QSA to validate an entity’s compliance to PCI DSS. The QSA will work on identifying areas of non-compliance. The merchant must remedy each area of non-compliance. Once all areas of non-compliance have been addressed the QSA will re-evaluate and issue confirmation of compliance. Certification to PCI DSS is at the merchant's expense.

Merchant Levels and Validation Requirements
It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your "Merchant Level".

Third Party Service Providers
All third party service providers that store, process, or transmit cardholder information on behalf of a merchant are required to comply with PCI DSS. In addition all service providers are required to validate their compliance to PCI DSS through the services of a QSA.

PCI Security Standards Council
The five major credit card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) announced the formation of an independent body to manage the ongoing evolution of the PCI DSS.

The PCI Security Standard Council will:

• Develop and manage the PCI DSS, including maintenance, clarification and revisions of the standard;

• Establish and maintain industry-level approval processes for qualified security assessors and network scanning vendors, and routinely evaluate and approve qualified assessors and vendors;

• Publish and distribute the PCI DSS, and all related documents associated with Qualified Security Assessor (QSA) and Approved Scanning Vendors (ASV) policies and procedures;

• Provide an open forum where all key stakeholders can provide input into the ongoing development of other payment security standards and business practices.

Each payment credit card network will still be responsible for enforcing compliance to PCI DSS through their individual compliance programs.

More information on the PCI Security Standards Council can be found at https://www.pcisecuritystandards.org.

Helpful/Related Links
For more information on PCI DSS and the card association compliance programs please review the following websites:

The information contained herein is for informational purposes only and Moneris Solutions does not warrant the accuracy or completeness of the information. Although we believe the information to be reliable, we cannot guarantee that it will not be subsequently amended as a result of intervening factors such as rules changes from the Card Associations. The information contained herein is subject to change without notice and we encourage you to visit frequently to look for updates. Moneris Solutions does not endorse any external sites linked herein.