PCI Scope for Issuer Banks
gangarit
02-09-2009, 03:52 AM
What are the details and variables to take into account to define the PCI DSS scope in an issuer bank institution?
jbhall56
02-09-2009, 05:40 AM
Issuers are allowed to keep not only the cardholder name, primary account number (PAN) and expiration date, but they can also retain everything contained on a credit card's magnetic stripe (i.e., track data). That said, all of this data must be encrypted and access to it severely restricted to only those personnel that absolutely need access to perform their jobs.
In the US, banks typically outsource the issuing of their credit and debit cards to a company like First Data, Chase Paymentech or similar organization and thus the banks are only the logical issuers of the cards. As a result, it is First Data and the like that are the physical issuers and have the track data.
For credit cards, most US banks will have no access to the cardholder data (CHD) since they are not involved in any aspect of the credit card and typically use the physical issuer's systems in any dealings with customers. So credit card information is typically not in the bank's systems.
In the case of debit cards, all banks will have to have at least the PAN of the debit card so that they can link the debit card to the appropriate customer account. Those PANs need to be encrypted and access restricted.
gangarit
05-21-2009, 12:44 PM
Because the banks in the scenario you describe are only the logical issuers of the cards, they generate and save the track data to send it to the physical issuers. Could this data be out of the scope of the PCI evaluation?
lyalc
05-21-2009, 02:14 PM
That said, all of this data must be encrypted and access to it severely restricted to only those personnel that absolutely need access to perform their jobs.
Yeah, riiiiiiiight
/sarcasm off
lyalc
jonassono
05-22-2009, 05:29 AM
Can someone please show the rest of us where exactly in the PCI-DSS documentation there is a reference to "Issuing Banks" as being subject to the PCI standard?
Please cite the reference point(s) from the PCI-DSS Version 1.2 documentation dated October 2008 (either the SAQ D or the QSA's Requirements and Security Assessment Procedures).
Could I please respectfully remind all respondents, this blog is about PCI-DSS compliance for merchants, acquirers, and the collection of other validated service providers as published by Visa on their web site: (http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf).
I spent 4 years with a major Canadian Bank here in Canada in Retail Markets Technology which included the Visa division, and while we were subject to laws, regulations, standards, guidelines published variously by the Basel II Accord, the Canadian Depository Insurance Corporation, Finance Canada, plus a plethora of contractual commitments with Visa Inc, SWIFT, Interac and a host of others, as an Issuing Bank, we had absolutely no compliance or reporting requirements with the PCI Security Standards Council.
In contrast, our merchant acquirer, Global Payments Canada, was required to validate their compliance as a PCI-DSS Tier 1 Service Provider in accordance with the Council's PCI-DSS Version 1.2 dated October, 2008.
In a similar way, we had extensive communication with Global Payments concerning problematic merchants and the status of the merchant's PCI-DSS validation of compliance, as merchant compliance with PCI-DSS was their responsibility to enforce.
jbhall56
05-22-2009, 05:37 AM
OJ:
See this FAQ. http://selfservice.talisma.com/display/2n/index.aspx?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&cat=&catURL=&r=0.691250562667847
It is up to each card brand to determine what and how an issuer complies with in regards to the PCI DSS.
Hope that clarifies things.
jonassono
05-22-2009, 06:01 AM
OJ:
See this FAQ. http://selfservice.talisma.com/display/2n/index.aspx?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&cat=&catURL=&r=0.691250562667847
It is up to each card brand to determine what and how an issuer complies with in regards to the PCI DSS.
Hope that clarifies things.
Jeff: Can you please repost the link as it doesn't seem to work.
gangarit
05-22-2009, 12:22 PM
Jeff: Could you please confirm the link as it doesn't seem to work
jbhall56
05-23-2009, 06:27 AM
Apparently, the links for the PCI SSC FAQ area do not work when copied and pasted.
Go to the PCI SSC Web site (https://www.pcisecuritystandards.org) and click on the FAQ button on the left hand side (second button down) to go to their FAQ area. Search for either "issuer" or article #5391. Select article 5391 and you will have what the PCI SSC and the card brands have issued as guidance for issuers' compliance with the PCI DSS.
Bottom line. Issuers must contact each card brand to determine what they need to do to comply with the PCI DSS.
jonassono
05-23-2009, 09:22 AM
That's not exactly what it says as follows:
PCI DSS applies to any entity that stores, processes, or transmits cardholder data and any such entity is expected to comply with PCI DSS. However, each payment card brand manages their own PCI DSS compliance programs that may include, for example, who must validate compliance, merchant and service provider levels, and due dates. At their discretion, payment card brands may require issuers to validate PCI DSS compliance. For more specific information on PCI DSS compliance validation requirements, please contact the individual payment card brands at the following email addresses:
american.express.data.security@aexp.com
askdatasecurity@discoverfinancial.com
riskmanagement@jcbati.com
sdp@mastercard.com
cisp@visa.com
While they don't refer to them as 'Issuing Banks' but rather 'issuers', perhaps there are issuers that are not banks - more confusion and ambiguity.
I would be interested to know how many 'issuers' the various readers of this thread have conducted, or know of someone who has conducted, a PCI-DSS compliance validation for, such as an issuing bank like Bank of America, Wells Fargo, TD Bank or JPMorgan Chase.
cmark
05-23-2009, 01:36 PM
Many issuing banks do, in fact, have their data even if they outsource many aspects of their card issuing services. Issuers will often have huge amounts of sensitive authentication data for many different reasons. Keep in mind that issuing banks are banks at their core and as such support ATM, debit etc.
I was on the PCI SSC while working for MasterCard when we were talking about including specific language for issuing banks. It was intentionally left out of the standard because issuing banks are not required to validate compliance with the PCI DSS unless they provide a service that puts them into a validation category. You could imagine if a statement said: "issuers are allowed to retain mag stripe data" we would have 6 million+ level 4 merchants asking if they were issuers. Many issuing banks will provide other services that put them into such a category.
The term issuer is used by the card brands to refer to banks. It has become synonymous with any entity that issues payment cards. Prepaid issuers, etc. are really agents of banks. If they do not own the BIN then they are likely required to validate compliance.
PCIJeff
05-25-2009, 04:53 AM
I would be interested to know how many 'issuers' the various readers of this thread have conducted, or know of someone who has conducted, a PCI-DSS compliance validation for, such as an issuing bank like Bank of America, Wells Fargo, TD Bank or JPMorgan Chase.
It might be interesting to know this information, but hopefully, since we are security professionals, we will not release this information. :cool:
jbhall56
05-26-2009, 04:14 AM
While they don't refer to them as 'Issuing Banks' but rather 'issuers', perhaps there are issuers that are not banks - more confusion and ambiguity.
Don't get hung up on the semantics. There is no ambiguity, just a need to clarify how the world works in the area of issuers.
Ultimately, a bank must be behind any credit card issued. But in the US most banks do not physically issue credit cards. That process is contracted out to an organization that specializes in issuing cards such as First Data. To make matters more confusing, most banks also do not do any processing related to the credit cards they issue as that is also contracted out to a third party. The only relationship banks have with their credit cards is their brand being placed on the credit card. For debit cards, the banks have a more active role as the bank needs to link the debit card accounts to physical bank accounts which brings them under the PCI DSS for storing debit card PANs.
Then there are companies like American Express, GMAC and Discover Financial Services that are also not banks, although American Express and GMAC did convert to banks for federal bailout money last fall.
Just for a historical background, AT&T became the first corporate issuer of a credit card when it bought a small bank (about $100M in total assets) in Georgia back in the 1980s. The bank was purchased merely for its federal bank charter so that AT&T could issue an AT&T credit card to its customers. GM followed suit a couple of years later to issue their own GM credit card. Today a corporation goes to a bank such as Capital One, BofA or Chase and partners with one of them to create a co-branded credit card. The AT&T and GM cards are now co-branded credit cards.
In the cases of Wells Fargo, Bank of America and JPMorgan Chase, they have wholly owned subsidiaries that are the issuers, but the banks themselves are technically not issuing the cards; it's their subsidiaries.