PCI DSS: An Acquirer's Guide to PCI Compliance Best Practices
As the deadline dates for PCI compliance loom for Level 1 and 2 merchants, the number of questions about guidelines and methods for achieving that compliance keeps growing. Though the broad outline of the compliance areas is clearly defined, not only on the credit card association side but by acquirers as well, the intricate steps-within-steps inside those areas are proving bothersome for some.
When visiting most acquirer and Independent Sales Organization (ISO) Web sites, a whole page is dedicated to PCI compliance steps, but from the standpoint of merchants working with a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), once the drilldown into the 12 requirements begins, the security issues become painstakingly specific. For many, this is what makes PCI DSS a more thorough protection standard than its cousins HIPAA and FISMA, but for others it proves to be a no-win situation for gaining compliance.
Recently, at a PCI compliance seminar hosted by Visa, the most common security holes leading merchants to flunk their audits were identified as follows:
- Unpatched systems
- Poor password policies and enforcement
- Insecure services on servers
- Insecure default settings, such as unencrypted wireless connections
- Poorly coded, web-facing applications that allow SQL injection
- Storage and location of prohibited data such as account numbers, CVV2 and PINs
"First, 'Poorly coded web-facing applications resulting in SQL injections and other vulnerabilities.' PCI mandates pen testing, yet try to find any pen tester who can confidently say, 'Yep, my test or pen testing tool was 100% thorough.' Pen testing will always fail to miss issues. So when a PCI auditor comes around and finds a flaw then, poof, you're on the PCI black list," he wrote.
He continued, "Second: 'finding and the storage of prohibited data (such as account numbers, CVV2, PINs).' Sniffing out all of the potential places, such as log files, is not easy in complex environments. Yet PCI only requires manual code audits to sift through the code… I don't mean to knock PCI. On the contrary, it's a good idea and I'm always in favor of industry self-regulation. PCI has several components that help stop cyber fraud. But PCI technology prescriptions should be designed to help merchants pass their audits."
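As an added illustration of the last two audit failures listed above, the following Python scanner (written for this article, not code from the original piece or from any vendor named in it) searches constructed sample log lines for candidate primary account numbers, validates them with the Luhn check so that unrelated numeric identifiers are not flagged, and reports them masked alongside CVV2 and PIN fields that should never be written to a log at all. The log lines, field names and regular expressions are assumptions made for the example.

```python
import re

# Constructed sample log lines (not taken from any real system) showing
# prohibited cardholder data that has leaked into an application log.
SAMPLE_LOG = """\
2007-08-01 10:01:02 INFO  order=1001 pan=4111111111111111 cvv2=123 amount=19.99
2007-08-01 10:01:03 INFO  order=1002 pan=4111 1111 1111 1112 amount=5.00
2007-08-01 10:01:04 DEBUG request-id=98765432109876 status=ok
2007-08-01 10:01:05 INFO  order=1003 card=5500-0000-0000-0004 pin=1234
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit or dash.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Sensitive authentication data fields (assumed names) that must never be stored.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str) -> list:
    """Return one finding per PAN or sensitive-authentication-data field per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filtering keeps request ids and similar numbers out of the report.
            if luhn_valid(digits):
                findings.append({"line": lineno, "type": "PAN", "value": mask_pan(digits)})
        for m in SAD_RE.finditer(line):
            # Never echo the secret itself, not even masked.
            findings.append({"line": lineno, "type": m.group(1).upper(), "value": "<redacted>"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

Run against real logs, the same logic can feed a periodic job whose findings go to the people responsible for remediation rather than into yet another log file.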
Which side of the PCI fence you sit on (acquirer, auditor, card association or merchant) will determine how the following statistics are interpreted.
According to Visa, as of July 2007:
- 40 percent of Level 1 merchants were PCI compliant.
- 33 percent of Level 2 merchants were PCI compliant.
- 52 percent of Level 3 merchants were PCI compliant.
Even with Visa's Compliance Acceleration Program (CAP), introduced in December 2006, which offers discounted credit card transaction fees to reward merchants who clear the PCI compliance hurdles by the original September 30 date, the numbers as of August 2007 were obviously not what had been hoped for.
This may be good news for merchants and acquirers alike, as Visa is toning down some of the talk of high fines and total non-compliance status for merchants who have not met the standard by September 30.
Instead of non-compliant merchants not being eligible for reduced Visa transaction fee programs, now Visa says the following concerning interchange rates for non-compliant merchants:
"Effective October 1, 2007, acquirers whose Level 1 or 2 merchants are not compliant with the PCI Data Security Standard ("DSS") will no longer receive the best available interchange rate, being downgraded one tier. Additionally, acquirers of non-compliant Level 1 merchants will be fined monthly starting in October, and Level 2 merchants in January 2008. Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data," said Rosetta Jones, vice president, Visa USA.
Since the PCI DSS policies and procedures were introduced, an early and obvious compliance emphasis was placed on documentation for merchants and ISOs.
Implicitly, Level 1 and 2 merchants have had the spotlight shining brightly on them because of the mammoth breaches that garner the media's attention, but they do not represent the majority of merchants and ISOs, either in the US or globally.
Based on transaction volume alone, Level 4 merchants far outweigh Level 1 and 2 merchants, but the rules for attaining compliance for Level 1 and Level 2 merchants are clearly defined, though the number of merchants actually complying varies, depending on who is providing the research.
For Level 4 merchants (brick and mortar or e-commerce sites with fewer than 20,000 Visa/MasterCard e-commerce transactions annually, and all merchants across channels with up to 1,000,000 Visa transactions annually), understanding and following the rules of PCI compliance has been a murky journey at best.
Despite the copious documentation available at the PCI Security Standards Web site, for many merchants, especially Level 4 merchants, knowing how to introduce and maintain a PCI compliance program is proving to be a puzzling endeavor.
It's critical that acquirers maintain active and open communication of all policies and procedures with merchants, member banks and the card associations.
Acquirers are the new gatekeepers for PCI compliance information for merchants, but they also serve as information convergence points for card issuers and for third party vendors like ASVs.
It's up to the acquirers, according to the PCI Security Standards Council, Visa and MasterCard, to ensure that their merchants follow the procedures for compliance.
For acquirers who are not vigilant about merchant compliance, the fines for non-compliance will be steep. Acquirers whose Level 1 and 2 merchants are not compliant will be fined between $5,000 and $25,000 a month.
Whether they wish to take on the gatekeeper role or not, acquirers must step up to the plate and answer and clarify the questions merchants have about the PCI process, or face the consequences.
According to some merchants, and those working for merchants, how much involvement an acquirer has with the merchant, or the information that is given to the merchant by that acquirer, depends on the acquirer. The acquirer's information is directly linked to the particular credit card brand's rules, as well as PCI DSS guidelines. If there is little or no communication between the merchant, acquirer and the card brand, problems begin to accrue.
"The fact that the five major brands have agreed on a single standard is good. Unfortunately, due to federal laws, they do not have full freedom to agree on implementation standards," said Ron Greenberg, COO of merchant acquirer PowerPay, LLC.
Based in Portland, ME, PowerPay works with merchants across the US, from retailers and restaurants to convenience stores, all through its 'member bank' HSBC, and its business partners include companies like Time Warner Cable and The California ISP Association.
According to Greenberg, the different credit card brands introduce a whole new level of confusion for merchants and acquirers alike, when it comes to PCI compliance.
"For instance, Visa has defined four levels of compliance for merchants along with a set of fines and penalties," he explained.
"MasterCard has a different set of rules as well as reporting requirements. Multiply this by five and it creates a mess of rules and compliance issues we need to track."
When asked, bluntly, whether he felt PCI DSS was going to help or hinder acquirers, his answer was just as blunt.
"They [PCI guidelines] are a necessary evil. Any time you add more procedures it is a headache. Will it help? In the long run it should. But everyone must realize it will not solve the problem."
Some merchants and employees of merchants, who are charged with facilitating the merchant acquirer relationship, seem to add credence to Greenberg's assertions.
"I have the feeling, although I cannot substantiate it to any degree, that the requirements a merchant is under (particularly absolute compliance dates) vary depending on which Acquirer you are going through," Information Security Manager Andrew Mason recently posted on a PCI compliance Web forum.
Mason, who works for a merchant company in Spain, is paired with an acquirer based in the United Kingdom, an acquirer that isn't offering the kind of support he thinks is needed. Likewise, the answers he has received from the card brands themselves have been nebulous at best.
"Visa seems happy as long as you can prove 'progress' in your PCI Compliance project," commented Mason. "MasterCard appears to be less clear on the various aspects of compliance, particularly the dates."
He continued, "I asked a question in a webinar recently which was jointly hosted by MasterCard. The question was directed to the MasterCard rep, who was VP of something or other to do with PCI / Compliance. The question was, 'When is the absolute deadline date for compliance?'
"The answer? Any guesses? 'Speak to your Acquirer.'"
It's a basic question, yet for merchants new to PCI compliance in general, the name 'acquirer' may mean several different things.
For some, it means the 'acquiring bank,' which is also known as the 'member bank.' The member or acquiring bank is the bank that underwrites and issues the credit card from the card associations to acquirers and ISOs. The member bank is just that: a member of the card association, the card association that gives its approval and permission for that bank to issue cards with the Visa, MasterCard, Discover or American Express logo.
But an 'acquirer' usually refers to the entity (usually a credit card processor) that provides credit card processing services for Visa, MasterCard, AmEx and Discover receipts collected by merchants, directly or through an affiliated ISO.
Moreover, another layer of merchant confusion arises because there are times when an ISO is considered an acquirer as well, or, in the case of a company like North American Bancard, a Super ISO: an entity that takes on the liability that the acquirer would usually bear for the ISO.
The member bank/acquiring bank receives funds from a cardholder when a credit card transaction is completed and deposits the payment amount, minus any fees, into the merchant's Merchant Account and from there into the merchant's business checking account. From a merchant perspective, identifying the acquirer may be a confusing question to even ponder, but it falls to the acquirer to make sure merchants, no matter their level, become compliant. With these new directives in place, it's incumbent upon acquirers to take their own steps to ensure that they understand what their merchants, ISOs and, in some cases, third party vendors need, and to make their merchants understand the PCI compliance process completely.
ISOs and the acquirer
According to an article entitled "PCI Demands the Attention of Acquirers Now More than Ever: Dramatic Non-Compliance Puts ISOs and Acquirers at Risk," in the May 2007 online edition of "The Exchange" newsletter from The Strawhecker Group (a management consulting company focused exclusively on the merchant acquiring sector of the payments industry), the relationship between ISOs and acquirers is very important.
"The liability for non-compliance, when a merchant is breached and/or compromises sensitive data, lies on the acquiring institution; typically, this is passed on to the ISO providing Merchant Services and by that ISO onto the merchant themselves," wrote Cliff Gray, a PCI expert and associate with The Strawhecker Group.
"Considering that the vast majority of Tier 4 merchants are signed by ISOs, it's imperative that these ISOs take a stronger stance at ensuring their merchants comply."
To strengthen the alliance between the ISO and acquirer, Gray offered the following step for moving toward PCI compliance.
"ISOs should carefully review their contract(s) with their sponsor acquirer, to understand exactly what liability they bear upon the event of a merchant breach."
Greenberg and Joan Herbig, chief executive officer of ControlScan (a leading PCI compliance provider focused exclusively on Level 4 merchants, which works with ISOs and acquirers on PCI compliance for their small merchants), weighed in on the steps acquirers should take to facilitate PCI DSS compliance for their merchants.
Before an acquirer starts a PCI compliance program setting out guidelines for merchants, everyone on the management team must be on board with the PCI compliance solution; it must be a company decision.
"No matter whether an acquirer has a large or small merchant base, the acquirer has to make sure that PCI compliance is important at all levels of the acquirer management team," said Herbig.
"It's your job to communicate the need for all merchants in your book of business to meet the PCI DSS standards; you need to raise the awareness of PCI at all levels of your organization."
According to Herbig, acquirers are in the best position, contractually, to help a merchant, and acquirers have ample incentives to get their portfolio of merchants on board with PCI compliance, including making them aware of the tools of PCI compliance.
"It's a large decision to step towards a PCI compliance program but it may be one of the wisest ones you will ever make," she added.
Adding to the swirl of confusion, as of July 31, 2007, Visa Inc. is making all acquirers submit a summary of their small merchant (Level 4) compliance plans, as well as requiring acquirers to provide data-security education to their small-business customers.
In addition, Visa is partnering with the National Federation of Independent Business (NFIB) to offer a new Web site with free information, including webinars, educational materials and tools to help educate small-business owners.
Whether these tools work or not remains to be seen as compliance dates loom. However, internally, for Greenberg and PowerPay, statement messages and direct contact have worked for all levels of merchants. According to him, all of PowerPay's Level 1, 2 and 3 merchants are fully PCI compliant, and Level 4 merchants are not far behind.
"Currently we only send statement messages and contract verbiage for level 4 merchants, plus direct contact for level 1, 2 & 3 merchants," he stated.
"Once our level 4 plans have been solidified, we will have a very direct approach with our remaining merchants that will include statement messages, e-mail, direct mail and phone contact."
For liability reasons, an acquirer should not directly advocate any one ASV or QSA to its merchants; however, it is acceptable for the acquirer to tell merchants which third-party companies it has strategic partnerships with.
"Try to seek a partner who you can rely on to assist with your PCI Compliance program. ControlScan offers a number of solutions for merchants, ISOs and acquirers and currently partners with one of the largest acquirers in the United States," said Herbig.
The PCI Security Standards Council also maintains a list of approved ASVs and QSAs. Visa and MasterCard offer their own lists on their respective Web sites.
"Acquirers and ISOs should establish a relationship with a trusted, association-approved PCI assessor, and develop a program for all their merchants to establish compliance, and ensure periodic testing so that compliance remains intact moving forward," wrote Gray.
A model relationship
Third Party ASV
Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) compliance and security solutions designed exclusively for small- to medium-sized e-commerce and retail merchants. ControlScan provides easy-to-use Web-based security solutions and a personal level of service that make it easy and cost-effective for these businesses to analyze, remediate and validate compliance. Acquirers and other merchant service providers rely on ControlScan to manage PCI compliance programs for their entire merchant portfolios to ensure maximum compliance rates.
Not only do acquirers and/or their ISOs need to promote and advocate for PCI compliance within their own companies; getting the word out to all merchants is an ongoing key component of any successful implementation program.
"Use whatever media outlet you can utilize," says Herbig. "This may include websites, statement insert programs, e-mails and call center personnel," she continued.
According to Herbig, ControlScan builds a customized PCI gateway for all ISO and acquirer partners, which can be used as the centerpiece of the PCI compliance solution. The PCI gateway provides a one-stop place for everything needed to meet and pass the PCI DSS standards. It also gives ISOs and acquirers a place to track and monitor their merchants' compliance status.
It is up to the acquirer to make sure that all of the tools needed for the merchant to obtain PCI certification and validation are available to the merchant.
This includes offering suggestions on partner service providers who can advise and consult with merchants in the areas of forensic investigation, network scans (ASVs) and security assessments.
Third party providers, such as ControlScan in the model above, offer a complete checklist and procedure package for the partnering acquirer or ISO.
Communication is crucial between the acquiring bank, ISO, merchants and the third party ASVs and QSAs. It's imperative that the acquiring bank track and report all of its progress with the merchants and third-party providers.
As discussed in the introduction to this article, Visa is implementing a program for Level 4 merchants and acquirers. Acquirers are now responsible for obtaining a project plan from all of their Level 4 merchants, which outlines what steps the merchant is taking to become PCI compliant.
"Track your efforts as an acquiring bank," Herbig explained. "Make sure that your communication strategy has been effective."
David Press, president of Integrity Bankcard Consultants, Inc. (a consulting firm specializing in acquirer back office solutions, including underwriting, risk, merchant operations and compliance with Visa and MasterCard rules and regulations), believes the first 30 to 40 days after an acquirer issues a merchant ID are the most important for monitoring the merchant.
"It's the first 30-40 days when I like to watch the processes," he said. "That's when you research and find out whether the organization is a bricks and mortar or an e-commerce business."
With over 25 years of experience in financial crime and insurance fraud investigations, he has worked with and trained the Secret Service and local law enforcement agencies to understand, recognize and prosecute credit card fraud.
Add to that, he has worked on the acquirer side as a manager with Peach Tree Bancard, Harbridge Merchant Services and First Interstate Bank in the areas of underwriting, compliance, chargebacks, collections, security and investigations.
Press knows a lot about the relationship between the acquirer, ISO and merchant.
"It's [the relationship] like dating," he continued. "The first 30 to 40 days is when the merchant lays the foundation…if they are doing things that need scrutiny now, you can correct them and make a good relationship."
With his years of consulting with ISOs, numerous acquiring banks, and third-party processors, he offered the following tips and guidelines for acquirers, ISOs and third party vendors, concerning PCI compliance.
Acquiring banks can do a lot, in the beginning of the relationship with the merchant, to make sure that merchant is well on its way to compliance, by underwriting the merchant application, according to Press.
"You really need to dot all Is and cross all Ts," said Press. "Make sure the information on the merchant application is correct. Verify who the principals are, and their credit worthiness. Ask yourself, 'If the person has no assets, how do you collect if they file for bankruptcy?'"
As it relates to the merchant, Press explained that all aspects of the merchant's business come into play.
"Does the merchant answer the phone properly?" says Press. "Do they have terms and conditions with Trade Commission?"
He emphasized making sure that the merchant is not putting the acquirer or ISO at risk through its own rules and regulations.
If the merchant is an e-commerce organization, it's important to establish whether the organization owns its own Web site, according to Press.
"Do they own their website, or are they fronting for another company? Do they own their own domain?" These are some of the questions Press said should be asked by the acquirer or a third party service provider.
Checking the MATCH File
According to Press, acquirers and ISOs often have issues concerning merchant MATCH files. "An acquirer may approve a merchant on a Monday, but the merchant is not on the MATCH file until Wednesday, so you must check the MATCH file immediately," he said.
An acquiring bank cannot approve a merchant whose name is on the MATCH (Member Alert to Control High-risk Merchants) list.
"The acquirer must check the MATCH file as soon as possible, and if there is no record of that merchant on the MATCH file, then print the screen and put it in their folder," Press explained. "Failure to do that can cause the merchant to be terminated, because the acquirer didn't make an inquiry into the MATCH file until days after the initial approval."
A chargeback fee is charged to a merchant when a customer claims that their card has been charged but the merchant has not delivered the product or performed the service.
For the first 45 days that an acquirer or ISO is working with a new merchant, it's important to note whether the merchant is getting chargebacks right away, according to Press.
"Immediate chargebacks tell you what this merchant is doing…it could be something as simple as a different company name on a bill, or it could be that when someone entered the phone number they transposed the numbers," he said.
One of the biggest areas that acquirers need to assess is risk.
It's up to the acquirer or ISO to make sure the merchant's information is always kept up to date.
"A merchant may change ownership, but they don't get in touch with the acquirer or the credit card company," said Press. "What happens is that on the merchant's credit card terminal there is the old merchant name, but he's changed the name of the business…the merchant gets charged leasing fees for the terminal."
If the business changes ownership, or if there is a name change, the new owners have to fill out a new merchant application.
Of all the areas outlined above, Press says that acquirers signing up fraudulent merchants is the biggest risk issue as it relates to laying the groundwork for PCI compliance.
"Card issuers are likely to file compliance cases to transfer their losses due to acquirers signing up fraudulent merchants," he said. "For PCI Compliance to be successful, first there has to be a smooth working relationship with the ISO, acquirers, and card issuers."