Payment Card Industry Data Security Standard (PCI DSS) offers enhanced security on transactions.

At checkouts and shop counters across Malta, customers instinctively bring out their debit or credit card of choice when it’s time to pay. But little do they realise that the whole payment system is backed up by an extraordinarily high level of security.

All merchants who accept card payments must achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a globally adopted industry standard that sets out the procedures to ensure the safe handling, storage, processing and transmission of payment card data. It outlines the security measures that each merchant must have in place to protect cardholders’ data wherever they store it – electronically or physically.

PCI DSS compliance is divided into four levels, identified by transaction type and/or volume as follows:

• Level 1 merchants deal with more than 6,000,000 MasterCard or Visa transactions a year.

• Level 2 merchants accept more than 1,000,000 MasterCard or Visa transactions a year.

• Level 3 merchants deal with more than 20,000 MasterCard or Visa ecommerce transactions a year.

• Level 4 comprises all other merchants.

Global Payments Ltd encourages merchants in Malta to maintain a list of the third-party service providers they use (for example, payment service providers and web hosting companies), and keep written agreements with service providers confirming that they’re responsible for the security of all cardholder data.

Merchants should also establish a process of proper due diligence prior to engaging with service providers, as well as monitoring their PCI DSS compliance on an annual basis.


By visiting the PCI Security Standards Council website www.pcisecuritystandards.org/index.php, merchants in Malta can make sure that they are offering their customers not just a product or a service but also peace of mind that their information is safe with them.

Data Dos

Do understand where your card data flows for the entire transaction process, from when you accept the card to receiving payment for the transaction.

Do ensure that all cardholder data you store (if you have a legitimate business need to keep it) is securely protected.

Do verify that your card terminals comply with the PIN Entry Device (PED) security requirements. All terminals supplied by Global Payments meet these requirements.

Do verify that the third-party payment applications you use comply with the Payment Application Data Security Standard (PA-DSS).

Do use strong cryptography to make any cardholder data that you store unreadable, and use other layered security technologies to minimise the risk of it being exploited by criminals.

Do ensure that all third parties who process your customers’ card data or who can impact the security of the payment transaction comply with PCI DSS, PED and/or PA-DSS as applicable.

Do have clear access and password protection policies for your card processing equipment.

Data Don’ts

Don’t use PED devices that print out personally identifiable payment card data; all receipts must be truncated or masked.

Don’t store cardholder data unless it’s absolutely necessary.

Don’t store any payment card data in payment card terminals or other unprotected devices, such as PCs, laptops or smartphones.

Don’t locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room.

Don’t permit any unauthorised people to access stored cardholder data.

Don’t store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed three- or four-digit card validation code on the front or back of the payment card, after authorisation.
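As an added illustration of the masking and storage rules above (example code written for this page, not software from Global Payments or the PCI Security Standards Council): a small Python routine that masks card numbers in receipt text down to the last four digits, plus a check that scans stored receipt or log lines for any full card number that slipped through unmasked. The Luhn checksum is used to reduce false positives from order references and other long digit strings. The receipt lines are constructed samples that use well-known industry test card numbers, not real accounts.

```python
import re

# Constructed sample receipt lines (assumption: this is what a terminal or
# till prints). The card numbers are publicly known test numbers that pass
# the Luhn check; they are not real accounts.
SAMPLE_RECEIPT_LINES = [
    "VISA 4111111111111111 EXP 12/27 AUTH 123456",
    "MC 5555 5555 5555 4444 EXP 05/26",
    "AMOUNT EUR 42.50",
    "REF 00012345678",  # 11 digits: too short to be a card number
]

# A card number (PAN) is 13 to 19 digits, possibly split by spaces or dashes.
# Lookarounds stop the match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def strip_separators(text: str) -> str:
    """Remove the spaces/dashes a receipt may print between digit groups."""
    return re.sub(r"[ -]", "", text)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list[str]:
    """Return every digit run in the text that looks like a full card number
    (right length and valid Luhn checksum). Used to audit stored receipts,
    logs or exports that should never contain a full PAN."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = strip_separators(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group())
    return hits


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last four digits with asterisks, which is the
    form a customer receipt should carry."""
    digits = strip_separators(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_receipt_line(line: str) -> str:
    """Mask every Luhn-valid card number in a receipt line; leave other
    digit runs (references, amounts, dates) untouched."""
    def _replace(m: re.Match) -> str:
        digits = strip_separators(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_replace, line)


def audit_receipt(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, offending text) for every unmasked card number,
    so an empty list means the receipt is safe to store or print."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for hit in find_unmasked_pans(line):
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    print("Before masking:", audit_receipt(SAMPLE_RECEIPT_LINES))
    masked = [mask_receipt_line(line) for line in SAMPLE_RECEIPT_LINES]
    for line in masked:
        print(line)
    print("After masking:", audit_receipt(masked))
```

The audit function is the half a merchant would actually run on a schedule: point it at exported receipts, terminal logs or a till database dump, and any non-empty result is card data being stored somewhere it should not be. Masking to the last four digits is the conservative choice; PCI DSS permits at most the first six and last four to be shown, but a receipt rarely needs the first six.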

This article was prepared by Global Payments Ltd.
