Saturday, 02 June 2018

A MALE FRIEND TEXTED ME TO BRING FOOD TO HIS HOUSE AND KEEP HIM COMPANY FOR A MEAL. I NEVER EXPECTED THAT HE HAD ACTUALLY PLANNED…
Retailers are relying more and more on electronic transactions with their customers at the point of sale. Debit cards and credit cards have taken the place of cash in many consumers' wallets. The Payment Card Industry Data Security Standard (PCI-DSS) has been created to ensure that retailers comply with security standards.

In a not unusual case, according to AIG Cyberedge, one pizzeria was discovered to be the common point of purchase for cardholders who had experienced fraudulent credit-card activity. Upon investigation, it was determined that the pizzeria was not in compliance with PCI-DSS. It was mandated to validate compliance, and the insurer provided a forensic auditor to help the credit card processor confirm and assess the merchant's compliance. The insurer reimbursed the processor for the audit and for the fines assessed by the credit card companies. This is an example of an insurer stepping in to cover costs. However, as will be discussed in a subsequent article, once a breach has occurred, in many cases a PCI-DSS assessment will be required in addition to paying "fines and penalties" to the credit card companies. In the example cited above, it is unclear whether the insurer covered any assessment costs subsequently incurred by the pizzeria, if any. Some insurance carriers will cover some or all such assessment costs; others will exclude or limit coverage for them. Nevertheless, this scenario illustrates the peril now faced by merchants who are being required to comply with the PCI-DSS. That makes sense, as no legitimate merchant wants to be known as the source of fraudulent activity.

An understanding of how payment card transactions work is helpful. Typically, the customer presents his or her card to the merchant. The merchant's point of sale system sends the information to a payment processor, which then obtains authorization from the card brand and the bank that issued the customer's card (the "issuing bank"). The funds are then collected and sent to the merchant's bank (the "acquiring bank").

Now, let's say you are the merchant. You may have received notification from your acquiring bank that you are required to submit Payment Card Industry (PCI) compliance validation. You will also be informed that there are penalties for not providing this validation by a certain date: most likely fees, but also possible termination of the card acceptance agreement or other repercussions.

Initially, you need to understand which level your business falls under for each credit card brand. Each credit card brand has its own umbrella compliance program, which focuses on the number of transactions for that brand's cards alone. Credit card companies differ in their level definitions and in their compliance validation submission requirements. Level 4 merchants, according to Visa's criteria, are organizations with up to 1 million Visa transactions annually. MasterCard categorizes organizations with up to 1 million MasterCard transactions annually as Level 3 merchants, and American Express doesn't even have a Level 4 category. Each level has its own specific compliance validation requirements. Your business may be a Level 4 merchant according to Visa's classifications, but a Level 2 merchant according to American Express. The compliance validation requirement for a Level 3 American Express merchant is to provide quarterly scans; a Level 4 Visa merchant is only required to do so at the discretion of its acquiring bank.

Visit the following pages to determine which level you are by credit card brand:

• Visa
• MasterCard
• Discover
• American Express

If you aren't sure, assemble the number of transactions separated by credit card brand, contact your acquiring bank and ask. Acquiring banks have the ultimate decision authority over their merchants' levels, so you should verify your assumptions with your bank. If you suffer a breach at any time, your level may be increased; check with your acquiring bank if this occurs.

Once you know what level you are, you can determine what you are responsible for providing to the acquiring bank to show valid compliance. If you meet the requirements of the brand's Level 4, then the remaining steps to perform before beginning your compliance validation are to determine which Self-Assessment Questionnaire (SAQ) is the appropriate one to submit and, if you are required to submit quarterly external scans, to select an Authorized Scanning Vendor (ASV). The acquiring bank can change its requirements at any time, so it is prudent to verify expectations before beginning work.

Authorized Scanning Vendors perform the quarterly external scans for merchants and must be qualified and pre-approved by the PCI Council. All companies submitting quarterly network scans are required to use a company that has achieved ASV status. You will be required to submit "clean" scans, meaning that no failing vulnerabilities were found and the scans have been attested to by both you and your ASV. Organizations frequently choose to perform their first few scans a little earlier than the end of the quarter so that any failing vulnerabilities or issues found can be remediated and a rescan performed in time.

In my next article, now that the process of PCI-DSS compliance has been explained, I will discuss in more detail the coverage issues that have been raised under cyber liability policies for the costs of PCI-DSS assessments. As several cases indicate, there remain ambiguities which can surprise an insurance buyer.

By Keith Daniels