In the last issue of the TLQ, we commented on the absence of explicit statutory restrictions on credit card data that may be included on customer and merchant sales receipts in Canada. The main deterrent to businesses creating receipts that include complete credit card numbers has been the best practice policies of the provincial and federal Privacy Commissioners.
While there continues to be a dearth of statutory restrictions geared towards protecting Canadian consumers from credit card fraud and identity theft, Visa Inc. recently announced global deadlines for merchants, service providers and their agents to comply with the PCI DSS.
PCI DSS was developed by Visa and the four other founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International and MasterCard Worldwide. The standard was created to establish a comprehensive set of international security principles and requirements for enhancing payment account data security. The core principles identified in PCI DSS are:
- Build and Maintain a Secure Network;
- Protect Cardholder Data;
- Maintain a Vulnerability Management Program;
- Implement Strong Access Control Measures;
- Regularly Monitor and Test Networks; and
- Maintain an Information Security Policy.
These standards will be the compliance model for the industry.
With its recent announcement, Visa has created deadlines and validation requirements for merchants and other organizations that process credit card transactions. The requirements established in Visa’s global compliance mandate vary depending on factors such as transaction volume. Visa has identified four merchant levels and two service provider levels, and has established corresponding validation requirements for each level.
Merchant Validation Requirements
The first level or tier of merchants, those subject to the strictest validation requirements, encompasses all merchants processing more than six million Visa transactions annually or any global merchant that has been identified as a Level 1 merchant in another Visa country or region. In addition to the validation requirements facing Level 2, 3 and 4 merchants, Level 1 merchants must submit an Annual Report on Compliance by a Qualified Security Assessor. By contrast Level 2, 3 and 4 merchants must submit an Annual Self-Assessment Questionnaire.
Acquirers, that is, bankcard association members that initiate and maintain relationships with merchants that accept payment cards, are responsible for their merchant customers’ compliance. Visa requires acquirers to provide them with regular compliance status reports on their Level 1, 2 and 3 merchants at least twice a year.
Visa will also require acquirers to provide confirmation by September 30, 2009 that their Level 1 and 2 merchants do not retain sensitive payment card data after transaction authorization. Sensitive payment card data includes data such as the full magnetic stripe of a credit card, security codes and PIN data.
Finally, by September 30, 2010, acquirers must provide Visa with an Attestation of Compliance for each of their Level 1 merchants, confirming that they have validated full PCI DSS compliance.
Service Provider Validation Requirements
For the purposes of Visa’s PCI DSS validation requirements, service providers are those that store, process or transmit Visa cardholder data on behalf of acquirers, issuers and merchants. Visa has identified different levels of service providers and set out validation requirements that each level must comply with. Level 1 service providers are VisaNet processors or those that store, process and/or transmit over 300,000 transactions per year. Level 1 service providers that meet the validation requirements are included on Visa’s list of compliant service providers, whereas Level 2 service providers, those that store, process and/or transmit less than 300,000 transactions per year, are not included on the list unless they choose to comply with the Level 1 validation requirements.
McCarthy Tétrault Notes:
While PCI DSS principally targets the retail community, compliance is not restricted to retailers. PCI DSS applies to any entity that stores, processes and/or transmits cardholder data. Hospitals, educational institutions, government offices and any other organization that accepts or processes payment cards must comply with PCI DSS. Organizations that process Visa payment cards will be subject to Visa’s recently released compliance requirements, and should inform themselves of the scope of their obligation to validate compliance with PCI DSS and do so based on the level of merchant or service provider they fall under.