Security Regulations for Credit Card Processing

By ShawnTe Pierce

  • Overview

    There are security measures to which every merchant who accepts any of the four major associations must adhere. These measures or regulations are administered to help protect you, the cardholder. In addition, these security regulations help decrease the amount of fraud claims merchants and the associations process daily.
  • The Four Major Associations

    A credit card association is similar in nature to a brand. Not to be confused with a credit card issuer or acquirer, which are banks and other FDIC insured financial institutions, an association is the brand of credit card. These branded credit cards can either be issued by the association itself or by a financial institution. The four major associations are American Express, Discover, MasterCard and Visa. American Express and Discover are also financial institutions and therefore act as credit card issuers as well as using select banks for their brand. On the other hand, MasterCard and Visa rely on their brand being issued by banks and financial institutions that are under agreement with them to offer and accept their brand, a process that American Express is venturing into as well.
  • PCI DSS is the Security Standard for Credit Card Processing

    Payment Card Industry Data Security Standard (PCI DSS) is a standard of the PCI Security Standards Council, chartered in the state of Delaware. The council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. All five brands share equally in the governance of the council and in its responsibilities. PCI DSS is a 12-requirement standard with which the four major credit card associations mandate their merchants and acquirers to comply. The six principles of PCI DSS and their accompanying requirements are as follows (courtesy of www.pcisecuritystandards.org):

    Build and Maintain a Secure Network
      Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
      Requirement 3: Protect stored cardholder data
      Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
      Requirement 5: Use and regularly update anti-virus software
      Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
      Requirement 7: Restrict access to cardholder data by business need-to-know
      Requirement 8: Assign a unique ID to each person with computer access
      Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
      Requirement 10: Track and monitor all access to network resources and cardholder data
      Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy
      Requirement 12: Maintain a policy that addresses information security
  • Security Regulations for American Express Credit Card Processing

    American Express requires that merchants and their third-party processing partners store cardholder information only to facilitate card transactions, as set out in the card acceptance agreement. The merchant may retain charge and credit records for up to 24 months after submitting the record to American Express. American Express states in the agreement that cardholder information is the property of the association and is not to be shared with outside parties not listed in the agreement. The merchant is not to compile a list or database of cardholder personal and transactional information. The merchant must also keep cardholder information secure and destroy it once the 24-month retention period has elapsed.
  • Discover's Security Regulations for Credit Card Processing

    Discover Information Security and Compliance (DISC) makes sure that merchants perform due diligence in maintaining the security of cardholder information. DISC is a "checks and balances" system that ensures that the different levels of merchants in the network are adhering to the industry standards for credit card processing security. Discover uses DISC to obtain the compliance records submitted to the PCI Security Standards Council, an industry organization. If Discover finds that a merchant is not in full compliance with PCI standards, Discover will require the merchant to complete an attestation of compliance. The association also supports and strongly urges merchants to use payment applications that have been validated as compliant with the Payment Application Data Security Standard (PA-DSS). For more information on Discover's security measures, please visit their Fraud & Security site.
  • Credit Card Processing Security Regulations for MasterCard

    MasterCard has a 134-page manual for merchants on its security rules and procedures. Section 10 specifically provides details on transaction or card processing security measures. All transaction data that contains MasterCard cardholder information must be stored in a secured area with access limited to select personnel. Any data containing cardholder information must be destroyed in a manner that renders the information unreadable. Access to cardholder data stored on computers must be limited to select personnel and protected by passwords. MasterCard regulations state that a merchant terminal cannot display, copy or store any card-read information except the account number, expiration date, service code and cardholder name. This same information can only be recorded on paper, microfiche or an online authorization file in a secured environment. MasterCard, at its discretion, can impose up to $100,000 for each individual violation of its standards, with a maximum assessment of $500,000 for additional or continued violations in a rolling 12-month period. For additional security measures, visit MasterCard's Security site.
  • Visa's Credit Card Security Regulation Standard: CISP

    Visa's Cardholder Information Security Program (CISP) is the security standard to which the association holds merchants in order to protect cardholder information during processing. Established in June 2001, CISP is intended to protect Visa cardholder information wherever it resides by ensuring that members, merchants and service providers maintain the highest standard of information security. Visa, along with MasterCard and the other associations, is a founding member of the PCI Security Standards Council that publishes PCI DSS, and Visa still manages its own compliance enforcement and validation initiatives. Visa holds its acquirers responsible for making sure merchants comply with PCI DSS, and these banks must do so by including it in their contract with the merchant. Merchants must report their compliance to their acquirer according to their PCI-defined merchant level. Visa will levy compliance fines and impose restrictions on any merchant or service provider that does not comply with the security requirements or fails to correct a security issue.
  • Considerations

    Maintaining cardholder security is an important matter to the credit card associations. This is evident from their development of the PCI Security Standards Council, which sets standards globally. Merchants have to stay on their "P's and Q's" in complying with the standards each brand includes in its agreements with them. Rest assured, if a merchant is not doing its part to secure your cardholder information, your credit card brand wants to hear from you about it so it can address the issue with the merchant and protect your information.
© High Speed Ventures 2011