2.1 Merchants

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

PCI DSS: Payment Card Industry Data Security Standard

Course

Time

3 hours 37 minutes

Difficulty

Beginner

CEU/CPE

Video Transcription

00:00

welcome to the cyber ery demystifying P. C. I. D. S s complaints Course,

00:06

this module is about the different categories that merchants fall into and the requirements associated with

00:14

what are the different merchant types? How do you know which one you are?

00:19

The objective of this video is to discuss what is required of you by the P. C I s s see relative to your merchant category

00:28

now, therefore, merchant levels

00:31

levels one through four.

00:33

Each payment brand considers to be a level one versus a level two and so on. Convey very slightly.

00:39

These levels dictate what you must do in order to be considered. PC I compliant

00:45

Visa, MasterCard and Discover considers a level one merchant to be an entity. That process is over six million transactions a year.

00:53

American Express says that 2.5 million Amex transactions warrant the level one,

00:59

while J. C. B says it takes one million of their cards to be processed in order to be a level one

01:06

for Level two. American Express states that a merchant must possess process 5 50,000 to 2.5 million cards annually.

01:15

MasterCard, Visa and Discover says anything between one million and six million transactions makes you a level two

01:22

as J. C P only has two levels. Anything under one million transactions makes it the Merchant a Level two

01:30

merchants at Level three for MasterCard Visa and discover our organizations that process anywhere between 20,000 to 1 million transactions.

01:38

American Express says that a Level three is anything less than 50,000 transactions.

01:45

American Express only has three levels.

01:49

Level fours apply to all other merchants for Visa, MasterCard and discover.

01:53

It should be noted that all payment card brands may require a merchant to report as a level one of circumstances required.

02:00

A payment car brand may see that you are a level one. If there has been instances of security breaches in the past,

02:07

being a level one requires that your security practices be more heavily scrutinized.

02:13

So how do you know which level you fall into

02:15

this? Information should be provided to you by your acquiring bank.

02:21

Now,

02:22

why are these level designations important?

02:24

These levels dr What you must do in order to be able to continue to process transactions for the payment brands

02:30

you're level determines if you're allowed to conduct assessments internally or if you're required to have another certified company coming and evaluate your environment

02:38

to attest to the fact that you are doing the things that you need to do in order to be compliant.

02:46

Level one merchants are required to have a rock which stands for a report on compliance completed by a Q S. A qualified security assessor.

02:57

Quarterly network scans by an approved scanning vendor vendor or A S V,

03:02

an attestation of a compliance form

03:06

also completed by the que Essa

03:09

level to merchants can choose to complete an annual self assessment questionnaire,

03:15

but they must ensure that the staff engaged in the self assessment Attend a P C I s S e internal Security assessor or I s a training

03:24

to pass the Associated Accreditation program

03:28

in order to continue the option of self assessment for compliance validation

03:34

alternatively level to merchants may complete an annual onsite assessment conduct conducted by a P. C I s S C approved qualified security assessor

03:45

rather than complete annual self assessment questionnaire.

03:49

Level three and level four merchants must do an annual assessment that can be done by an outside vendor or by internal staff without any special training.

03:58

All merchants are required to have quarterly a SP scans.

04:05

So if you require says that you're a level 23 or four,

04:10

then what?

04:12

The p. C I s S c has provided a list of scenarios that guide you to which self assessment questionnaire you must fill out.

04:19

The self assessment questionnaire includes a series of yes, no questions for each applicability PC I data security Standard requirement.

04:29

If an answer is no, your organization is required to state the future remediation date and the associative actions.

04:35

If you go to this link listed here PC, I outlines which s a Q documents applies to which merchants

04:46

So s a Q or sack A

04:49

is for card, not present transactions.

04:54

Card, not presence means that the merchant doesn't ever physically come into contact with a credit card

05:00

card, not president. Merchants used e commerce or mail or telephone order

05:04

that they have fully outsourced all cardholder data functions to a P C. I. D. S s compliant third party service provider.

05:13

No electronic storage, processing or transmission of any cardholder data on the merchant systems or premise all into a sack. A.

05:24

So your company fully relies on 1/3 party to handle all of these functions

05:31

for a sec. E p.

05:33

Your company accepts on Li e commerce transactions.

05:38

All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a P C i. D. S s validated third party payment processor.

05:48

So your e commerce website does not receive any cardholder data but controls how the consumers or their cardholder data is redirected to a P C i. D. S s validate 1/3 party payment processor.

06:02

So a sack a e p company does not electronically store process or transmit any cardholder data on your system the premises, but relies entirely on third parties to handle these functions.

06:15

Any cardholder data your company retains is on paper, for example, printed reports or receipts, and these documents are not transmitted. Elektronik Lee

06:28

a sack B company uses only imprint machine and or use a standalone dial out terminals and these air connected via a phone line to your payment processor.

06:39

The stand alone dial out terminals are not connected to any other systems within your environment.

06:45

They're not connected to the Internet, and they don't transmit any cardholder data over a network which includes internal network or the Internet.

06:54

Any cardholder data your company retained is on paper, so again printed reports of receipts and these documents are not stored or transmitted electronically.

07:04

A sexy V T company,

07:09

Onley processes payments using a virtual payment terminal

07:13

access by Internet connected Web browser. So these virtual payment terminal solutions air provided by a P. C i. D. S s validated third party service provider

07:24

your company accesses the P. C. I. D. S s compliant virtual payment terminal solution via computer that has isolated on a single location

07:32

so it cannot be connected to other locations or systems within your environment.

07:38

That computer does not have software installed that cars is cardholder data to be stored in any way

07:44

sack CVT Companies do not otherwise receive or transmit cardholder data electronically through any channels.

07:53

Sac D is for merchants that our sack eligible merchants that don't meet any of the other criteria for Zach types.

08:03

Examples of merchant environments that would use sect e may include, but are not limited to, e commerce merchants who accept cardholder data on their website

08:11

merchants with electronic storage of cardholder data

08:16

merchants that don't store cardholders Elektronik Lee, but do not meet the criteria of other sack types.

08:24

Merchants with environments might meet the criteria other sack types, but have additional P. C. I. D. S s requirements applicable to their environment.

08:31

Zack de for service providers applies to all service providers divined by a payment brand as being sacked Eligible

08:41

Zach P to p E dash h w.

08:45

That's for merchants where all payment processing is conducted via validated P c i p to p e solution that has been approved Enlisted by the P C i s s e

08:56

The only systems in the merchant environment that store process transmit

09:01

account data are the point of interaction devices which are approved for use

09:05

for P to P E dash H w Your company does not otherwise receive or transmit cardholder data electronically.

09:16

So those were the reports needed for self assessments

09:20

for level one assessments The reports that the P C I S S C requires are the report on compliance or the rock and attestation of compliance or the AOC.

09:31

The attestation of compliance is a four page document that must be completed by the qualified security assessor

09:37

or merchant that the merchant performs an internal audit.

09:41

It serves as a declaration of merchants compliance status with the payment card industries. Data Security Standard.

09:48

It is a quick doc that asserts that the company is or isn't in compliance and provides the steps that are going to be taken if the company is moving towards complaints.

09:58

The report on Compliance is a much more detailed document that outlines all the steps taken to test each control mandated by the P. C I. For Level one merchants,

10:09

The Rock could be hundreds of pages long and explains all of the assessors findings.

10:13

The findings of the rock drive What's documented in the AOC.

10:18

These documents work together

10:20

and acquire a mayor may not require the rock be delivered with the sea.

10:26

So in this video we talked about how the merchant levels are defined,

10:31

the sacks