some basic information required
shahid123456
07-27-2007, 02:38 AM
I have gone through the website https://www.pcisecuritystandards.org/ and want to ask the eminent members of this forum for some information about the PCI Data Security Standard (PCI DSS). My queries are:
1. As far as my understanding is concerned, I think that these standards are only applicable to e-commerce merchants (i.e. merchants who sell goods or services over the internet through a website). Please correct me if I am wrong.
2. If my perception is incorrect, then please let me know to which entities these standards are applicable.
3. In our country, normal card transactions take place on POS machines, i.e. the merchant swipes the card (usually a debit/credit card with a magnetic stripe). Do these merchants need to comply with PCI DSS?
4. In our country, GPRS-enabled POS machines (wireless machines) are also in use for accepting debit/credit cards for payment, so do merchants offering this type of service need to comply with PCI DSS?
5. What are the roles and responsibilities of the acquiring bank (the bank offering merchant accounts) and the issuing bank (the bank issuing debit/credit cards)? To what extent do they need to comply with PCI DSS?
All the above questions are about merchants processing more than 20,000 transactions per year. What about merchants processing fewer than 20,000 transactions per year?
I would appreciate receiving your valuable response as soon as possible.
jbhall56
07-27-2007, 12:36 PM
1. As far as my understanding is concerned, I think that these standards are only applicable to e-commerce merchants (i.e. merchants who sell goods or services over the internet through a website). Please correct me if I am wrong.
Sorry, but it is any merchant, service provider, processor, etc. that transmits, processes or stores cardholder data (CHD). CHD includes the primary account number (PAN), expiration date, cardholder name and card track data.
Since you are not in the US, the PCI process applies BUT only to the extent that your regional card organizations subscribe to it. So, you will have to consult with them as to how much of the PCI DSS process they are enforcing.
As such, the answers I have provided here may not apply in your region of the world.
2. If my perception is incorrect, then please let me know to which entities these standards are applicable.
As stated earlier, ANY organization that processes, stores or transmits CHD must comply with the PCI DSS.
3. In our country, normal card transactions take place on POS machines, i.e. the merchant swipes the card (usually a debit/credit card with a magnetic stripe). Do these merchants need to comply with PCI DSS?
Possibly.
If the merchant is using a device that is connected to a separate network that does not include the merchant's POS or any other system operated by the merchant, such as the solution operated by VeriFone in the US, then the merchant does not have to comply with the PCI DSS because they are not processing, storing or transmitting CHD.
If the merchant is using an integrated POS system which processes, transmits or stores CHD, then they must comply with the PCI DSS.
4. In our country, GPRS-enabled POS machines (wireless machines) are also in use for accepting debit/credit cards for payment, so do merchants offering this type of service need to comply with PCI DSS?
Possibly. It depends on how the wireless is configured and whether it's the merchant's network or another organization's network. If it's their network, then they are responsible and they need to comply with the PCI DSS. Or if the wireless transmits data to the merchant's POS, they must comply with the PCI DSS.
5. What are the roles and responsibilities of the acquiring bank (the bank offering merchant accounts) and the issuing bank (the bank issuing debit/credit cards)? To what extent do they need to comply with PCI DSS?
They must also comply with the PCI DSS. The good news in the US anyway is that the US regulatory bodies already enforce a lot of the PCI DSS, so security in the banks is already strong around their core processing systems. They still have issues with data on notebooks and the usual remote processing security issues.
All the above questions are about merchants processing more than 20,000 transactions per year. What about merchants processing fewer than 20,000 transactions per year?
Any merchant, processor, service provider, etc. must comply with the PCI DSS.
The number of transactions processed dictates whether a merchant must go through the Report On Compliance (ROC) process or whether they can just do the self-assessment.
For processors, they are considered Level 1 regardless of transaction volume.
For service providers, they are treated like merchants but have different transactions volumes.
I hope this helps.
cmark
07-27-2007, 02:51 PM
Jeff is right on. I would only add that the term 'processor' is often used incorrectly. A true processor is a Level 1, as it will be registered as a VisaNet Processor or MasterCard Third Party Processor (TPP). "Processor" is often used (incorrectly) to describe what are technically gateways, etc.
shahid123456
07-27-2007, 10:39 PM
Jeff and Mark, thanks for the reply; your answers are very helpful to me. I still have some queries, which I would be thankful if you or any other eminent member of this forum could answer:
I am from Pakistan, so please tell me to what extent my regional card organizations subscribe to these standards. In Pakistan we have the presence of VISA, MasterCard and American Express.
In our country only one bank provides a payment gateway service to web merchants, for acceptance of VISA and MasterCard only. So in that case web merchants ask the cardholder to provide details such as name, card number and CVV2 code on their websites. Web merchants verify these details with the card organizations through the payment gateway service offered by the bank. On the back end, all processing is taken care of by the bank, and the bank processes the complete transaction. In the above scenario, which entity needs to comply with the PCI DSS?
In point 3, i.e. about POS machines, the scenario is that the merchant swipes the card on the POS machine (in Pakistan, Verifone and Hypercom POS machines are used, and these machines are provided to the merchants by banks called acquiring banks). After the card is swiped, the normal transaction takes place as follows: a call is dialled over the phone line and routed to the network access controller (NAC) of the acquiring bank, which then passes it on to the network of the international card associations. After completion of the transaction, a receipt is printed by the POS machine on which card details such as the cardholder's name, card number and card expiry date are printed; one copy is provided to the customer and the merchant retains the other copy. In that scenario, when the merchant has retained a receipt which carries the card number, cardholder name and card expiry date, is this also a way of storing the PAN? In that case, to which entity do these standards apply? (The above scenario is about merchants with normal shops, i.e. in the local markets, not in the cyber world.)
cmark
07-28-2007, 05:45 AM
I think I understand the challenges. In the US that model of eCommerce is relatively rare and somewhat new. The 'hosted payment' page model you describe is very common in the UK and other countries. There are two things to consider.
1) the merchant is always responsible for compliance TO THE EXTENT IT APPLIES
2) The requirements may be reduced through the use of outsourced providers.
If, in the case you describe, the consumer is being redirected to the bank's hosted payment page and the merchant does not actually store, transmit or process data, then the merchant's only real responsibility would be to ensure that the service provider they are using (in this case the bank) is compliant with the PCI DSS and that the merchant has (under 12.8 of the standard) appropriate contractual language.
The bank, as they are a processor, would need to validate compliance with the PCI DSS according to the regional rules. MasterCard would consider that bank a TPP but would not require validation unless the processing was being handled by a third party. Visa EMEA may have different rules. If you need to speak with the local Visa rep, the person's name is Mani. Send me a private message and I will forward his email address to you.
Please let me know if I can provide any more information.
cmark
07-28-2007, 05:49 AM
Regarding point 3. Again, this is more common internationally than in the US. The acquiring bank is responsible for providing compliant terminals. Based upon your description, it sounds as if the only real PCI DSS requirements that would apply are those related to physical security of the receipts and POS terminal (requirement 9). You would want to ensure that you can protect the hard-copy receipts and the POS terminals. In the US there is a growing trend of criminals stealing the actual terminals, as many batch the data using flash memory.
Since you do not own the terminal or have the ability to manage or modify it, your responsibilities are likely limited to only the physical protection of the receipts and terminal.
Please let me know if I can provide any more info.
lyalc
07-28-2007, 02:18 PM
I would like to expand a couple of minor points based on what I'm seeing in Asia Pacific.
In terms of point 3:
PCI applies to any payment card, regardless of type (debit, credit, pre-paid debit, stored value debit etc) from the major card brands, and other payment brands and some domestic industry bodies are adopting PCI-DSS in some form.
In terms of point 3:
Even some POS terminals that are not integrated with the merchant's systems may impose some PCI compliance actions on the merchant. For example, some terminals provide an end-of-day function that prints a list of all transactions including the PAN, e.g. for reconciling the day's transactions. Consequently, Section 9 media storage may apply, as well as destruction policies and processes.
If in doubt, consult your friendly Card Scheme representative.
Lyal
jbhall56
07-29-2007, 06:45 AM
Just to clarify.
From a PCI DSS compliance versus some other standard standpoint, Visa is the only card company where this is an issue. This is because Visa is a group of organizations around the world that are associated with one another. Versus the corporate structure of American Express, MasterCard, Discover and JCB where there is an overall holding company that dictates how their respective international subsidiaries operate.
As a result, Visa USA has no authority to force the other Visa organizations to comply with or obey the PCI DSS. It is up to these other Visa organizations to agree to accept the PCI DSS or to go with their own program. That is why you will hear about the AIS program in certain parts of the world.
However, this situation is changing. Last year, Visa Canada agreed to start accepting PCI Reports On Compliance for companies with Canadian operations. We have also seen Visa Europe change their stance as well. Over time, it is my belief that, the rest of the Visa organizations will come around and accept the PCI DSS as the standard. However, until that occurs, you will have to abide by the rules of your particular Visa organization.