Legal
© 2009 William Davidson Institute
All rights reserved
No part of this site or the publications found here may be reproduced, used in
a presentation, or transmitted in any form, electronic or physical, without
the permission of The William Davidson Institute. To obtain permission, please
email permissions@globalens.com.
To learn more about permissions, go to www.GlobaLens.com/permissions.
Compliance Policy for Payment Card Industry Data Security Standards
1. Purpose
Departments and business units throughout the William Davidson Institute (WDI) have entered into
merchant contracts with the Payment Card Industry (PCI) as part of their
business transaction service sets. Because of rapidly evolving financial crimes
and cyber-related security challenges, the payment industry, including American
Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa
International, has published specific "PCI Data Security Standards"
in an effort to better secure payment account data in a globally consistent
manner. All merchant contract holders are required to adopt and implement
tools, practices, and policies to comply with these standards. Failure to
comply may result in financial penalties or security breaches.
This policy helps ensure PCI compliance requirements are met throughout all William Davidson Institute (WDI)
business units and departments. It also provides WDI procedures for use,
reporting requirements of contracted payment card services, and the process for
obtaining and maintaining merchant contracts.
2. Definitions
Merchant: Any office, unit, department, or organization at
the William Davidson Institute (WDI) that accepts credit cards as a form of
payment for goods and/or services.
Merchant Level: PCI security standards define four different
levels of compliance activities that must be completed annually. These levels
(merchant levels 1–4) are based on the transaction volume of a merchant.
Essentially, merchants with the most transactions have the most compliance work
to perform to stay in compliance. The specific compliance requirements for each
merchant level can be found below:
Merchant Levels and Compliance Validation Requirements Defined
All merchants will fall into one of the four merchant levels based on transaction
volume over a 12-month period. Transaction volume is based on the aggregate
number of transactions. In cases where a merchant has more than one Merchant
ID, the aggregate volume of all transactions stored, processed or transmitted
by the merchant is used to determine the validation level.
In addition to adhering to the PCI DSS, compliance validation is required for
Level 1, Level 2, and Level 3 merchants, and may be required for Level 4
merchants. The PCI DSS requires that all merchants with externally facing IP
addresses perform quarterly external network scans to achieve compliance.
Acquirers may require submission of the quarterly scan reports and/or
questionnaires by Level 4 merchants. Any merchant that has suffered a breach
that resulted in an account data compromise may be escalated to a higher
validation level.
| Level / Tier | Criteria | Compliance Validation Requirements |
| 1 | 6 million+ annual transactions | Annual Report on Compliance by Qualified Security Assessor; Quarterly network scan by Approved Scan Vendor; Attestation of Compliance Form |
| 2 | 1 million to 6 million annual transactions | Annual Self-Assessment Questionnaire; Quarterly network scan by ASV; Attestation of Compliance Form |
| 3 | 20,000 to 1 million annual transactions | Annual Self-Assessment Questionnaire; Quarterly network scan by ASV; Attestation of Compliance Form |
| 4 | 1 to 20,000 annual transactions | Annual Self-Assessment Questionnaire; Attestation of Compliance Form |
Information provided by VISA (http://usa.visa.com/merchants/risk_management/cisp_merchants.html).
Online Privacy Policy: All Web sites that
host payment transaction applications must have an online privacy policy that
is easily located by the potential customer who visits the website. This
privacy policy must clearly state the limitations of use, retention, and
protection measures related to data that customers submit. It should also state
what, if any, electronic monitoring and HTTP cookie use the UW intends to
perform with a visitor's electronic connection. The site must also provide
contact information for customers to ask questions about the privacy policy.
OWASP Standards: Open Web Application Security Project (OWASP)
secure coding standards are referenced in the PCI security standards for Web
application developers to use to avoid common coding vulnerabilities in the
software development process.
PCI Security Standards: The information
security standards, published by the PCI, that all merchant contract holders (MCHs) are required to adopt
and implement. Failure to comply may result in serious fines, penalties, and/or
restrictions on merchant account activity.
Transaction Service Provider: The third party who
provides a secured processing connection with the MCH's transaction processing
bank.
3. Policy
- All WDI MCHs, both terminal and Web application-based, are
required to comply with and support PCI security standards. All WDI MCHs
are required once a year to submit to WDI Fiscal Services completed PCI
compliance surveys that will be sent to the MCH by WDI Fiscal Services.
- All WDI merchant contractual agreements must be obtained through
WDI Fiscal Services.
- All MCHs are required to use a WDI-preferred transaction service
provider.
- All MCHs that offer Internet-facing payment services must certify
that the security of their Web forms or applications meets OWASP standards
through secure code reviews and/or penetration testing.
- WDI internally hosted transaction service technology deployments
must comply with all relevant WDI security policies and standards in
addition to PCI security standards.
- An online privacy policy statement is required for Web sites that
host PCI-related transactions and should include the WDI's uniform content
language provided by WDI Fiscal Services.
- If any existing or future WDI MCH has specific needs or operational requirements that are
exceptions to this policy, they must request a formal "exception"
from WDI Fiscal Services in writing. WDI Fiscal Services will review the
request and notify the requesting party whether the exception is allowable and
whether there are any specific conditions that must be honored as part of the
exception.
4. Applicability
All current and future WDI MCHs, including temporary transaction service setups that accept credit card transactions for
a specific activity or event, are required to comply with this policy.
5. Enforcement
Failure to comply with this
policy may result in restrictions on use or closure of merchant account-related
services, and disciplinary action.
6. Additional Information
For additional information, contact:
Attn: Marc Robinson
William Davidson Institute
724 East University Avenue
Wyly Hall, First Floor
Ann Arbor, Michigan 48109-1234
U.S.A.