Payment Card Data Security

Safeguarding your customers' payment card account data from loss, theft or inappropriate access is critical to the success of your business. Successful information security practices build trust with your customers and support your business' success in today's digital economy.

The Payment Card Industry Data Security Standard (PCI DSS) is central to protecting your customers' payment card account data and complying with payment card acceptance requirements. For more information about the PCI DSS, its compliance requirements, and best practices, see the sections below.

More information

  • Risks from malware, email phishing, weak passwords, and lack of training are leading causes of payment card account data compromises. The PCI DSS is a mandatory information security standard designed with the controls and safeguards needed to protect payment card account data. Merchants of all sizes who accept, transact, process, store or have access to payment card account data must safeguard this data in accordance with the PCI DSS.

    The success of the PCI DSS is based on a collaborative approach amongst payment industry players to meet the challenges that the evolving threat landscape poses to payment card account data. These players include the Payment Card Industry Security Standards Council (PCI SSC), the Payment Card Networks (American Express, Discover, JCB, Mastercard, UnionPay, Visa), payment processors such as Moneris, and merchants like you.

  • The PCI DSS is organized around six guiding principles, comprising twelve security requirements. These twelve requirements outline the controls and practices required to safeguard payment card account data and comply with the PCI DSS. Complying with the PCI DSS means that your business has implemented all applicable controls and practices outlined within the twelve security requirements.

    The PCI DSS and its security requirements can be found here: https://www.pcisecuritystandards.org/document_library/

    Build and Maintain a Secure Network
    Requirement 1 Install and Maintain Network Security Controls.
    Requirement 2 Apply Secure Configurations to All System Components.

    Protect Cardholder Data
    Requirement 3 Protect Stored Account Data.
    Requirement 4 Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

    Maintain a Vulnerability Management Program
    Requirement 5 Protect All Systems and Networks from Malicious Software.
    Requirement 6 Develop and Maintain Secure Systems and Software.

    Implement Strong Access Control Measures
    Requirement 7 Restrict Access to System Components and Cardholder Data by Business Need to Know.
    Requirement 8 Identify Users and Authenticate Access to System Components.
    Requirement 9 Restrict Physical Access to Cardholder Data.

    Regularly Monitor and Test Networks
    Requirement 10 Log and Monitor All Access to System Components and Cardholder Data.
    Requirement 11 Test Security of Systems and Networks Regularly.

    Maintain an Information Security Policy
    Requirement 12 Support Information Security with Organizational Policies and Programs.

  • Once your business has implemented the applicable controls and practices, the next step is to validate your business’ compliance with the PCI DSS using approved validation documents.

    Compliance validation requirements will vary by business size and merchant level. Moneris assists its merchants with confirming their merchant level, the associated validation requirements, and support throughout their compliance journey. Completed PCI DSS validation documents are then submitted to Moneris for review.

    Below is a general overview of the merchant levels, their criteria and validation requirements. These criteria and validation requirements may vary by Payment Card Network.

    Merchant Level 1
    Criteria: Merchants processing over six million transactions annually, on one card type.
    Minimum validation requirements:
    • Annual Report on Compliance (ROC), validated with a Qualified Security Assessor (QSA).
    • Annual Attestation of Compliance (AOC).
    • Quarterly Network Vulnerability Scans by an Approved Scanning Vendor (ASV).

    Merchant Level 2
    Criteria: Merchants processing over one million and under six million transactions annually, on one card type.
    Minimum validation requirements:
    • Annual Self-Assessment Questionnaire (SAQ), validated with an Internal Security Assessor (ISA) or Qualified Security Assessor (QSA).
    • Annual Attestation of Compliance (AOC).
    • Quarterly Network Vulnerability Scans by an Approved Scanning Vendor (ASV).

    Merchant Level 3
    Criteria: Merchants processing over twenty thousand and under one million ecommerce transactions annually, on one card type.
    Minimum validation requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Annual Attestation of Compliance (AOC).
    • Quarterly Network Vulnerability Scans by an Approved Scanning Vendor (ASV).

    Merchant Level 4
    Criteria: Merchants processing under twenty thousand ecommerce and under one million other transactions annually, on one card type.
    Minimum validation requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Annual Attestation of Compliance (AOC).
    • Quarterly Network Vulnerability Scans by an Approved Scanning Vendor (ASV).

    PCI DSS Compliance Validation Documents and References

    Approved PCI DSS compliance validation documents and references can be found below:

  • Understand and document how your business transacts, collects, processes, stores and interacts with payment card account data. This is also referred to as scoping.
    • If you do not need payment card account data, do not store it.
    • Limit access to payment card account data and systems on a need-to-know basis.
    • Limit the number of people, processes and technologies needed to complete payment card acceptance functions.
    • Use and maintain strong passwords when accessing systems.
    • Complete the applicable PCI DSS validation documents to demonstrate your business' compliance.
    • Physically inspect and secure payment terminals from unauthorized alterations or tampering.
    • Ensure software is up to date with the latest patches and versions.
    • Work with PCI DSS compliant Third-Party Service Providers, Approved Scanning Vendors and Qualified Security Assessors.
    • Continuously educate employees on security best practices.

Frequently Asked Questions

  • Payment Card Account Data consists of the information available on a payment card. It comprises cardholder data and sensitive authentication data.

    Account Data

    Cardholder Data (CHD)

    • Primary Account Number (PAN), generally 16 digits
    • Cardholder name
    • Payment card expiration date
    • Payment card service code

    Sensitive Authentication Data (SAD)

    • Full track data (magnetic-stripe data or equivalent on a chip)
    • Card verification code
    • PINs/PIN blocks

    Cardholder Data are the main identifiers of the payment card used to complete payments. Sensitive Authentication Data (SAD) are the data elements used by the payment card’s issuing bank to authenticate the customer.

    The PCI DSS and its controls and practices apply to payment card Account Data, and the businesses that transact, process, store or have access to payment card account data. This includes the requirement to not retain or store Sensitive Authentication Data after authorization, even if encrypted.
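    To make the Cardholder Data / Sensitive Authentication Data distinction concrete, here is an added example in Python (not Moneris' or the PCI SSC's code): a log scrubber that finds Luhn-valid PANs of 13 to 19 digits in free-text log lines and masks them, and drops any line carrying magnetic-stripe track data outright, because SAD may not be retained after authorization even when encrypted. The log format, the sample lines and the test card numbers are constructed for the example; the only assumption is a free-text log.

```python
"""Detect and redact payment card account data in application log lines.

Added example for this page, not Moneris' or the PCI SSC's code.  The sample
log lines and test card numbers below are constructed; a free-text log
format is assumed.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits (ISO/IEC 7812 length range), optionally
# separated by single spaces or hyphens, and not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track-1-style stripe data: start sentinel '%', format code 'B', the PAN,
# then '^' before the cardholder name (ISO/IEC 7813 layout).
TRACK1 = re.compile(r"%B\d{13,19}\^")
# Track-2-style stripe data: start sentinel ';', the PAN, '=' then expiry.
TRACK2 = re.compile(r";\d{13,19}=\d")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Every second digit from the right is doubled (9 subtracted if > 9);
    the total must be a multiple of 10.  This weeds out order IDs and
    timestamps that merely have the right number of digits.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest.

    PCI DSS allows at most the BIN and the last four digits to be shown;
    first six / last four is the conventional display format.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (separators removed) found in text."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


@dataclass
class ScanResult:
    redacted: str        # the line as it may be written to storage
    pans_found: int = 0  # number of PANs masked in this line
    sad_found: bool = False  # True if the line carried track data


def scan_log_line(line: str) -> ScanResult:
    """Mask PANs in a log line; drop the whole line if it carries SAD."""
    if TRACK1.search(line) or TRACK2.search(line):
        # Track data is sensitive authentication data: it must not be
        # retained after authorization, so there is nothing safe to keep.
        return ScanResult("[LINE DROPPED: track data must not be stored]", 0, True)

    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group()  # digit run that is not a PAN: leave untouched

    return ScanResult(PAN_CANDIDATE.sub(repl, line), count, False)


def scan_log(lines: list[str]) -> list[ScanResult]:
    """Scan every line and return the per-line results."""
    return [scan_log_line(line) for line in lines]


# Constructed sample lines; 4111... and 5555... are well-known test PANs.
SAMPLE_LOG = [
    "2024-05-01 10:22:33 INFO order=1234567890123456 auth ok card=4111 1111 1111 1111 amount=42.10",
    "2024-05-01 10:22:34 DEBUG raw swipe: %B5555555555554444^DOE/JANE^2512101?",
    "2024-05-01 10:22:35 INFO customer phone 416-555-0199 updated",
]

if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(f"pans={result.pans_found} sad={result.sad_found} :: {result.redacted}")
```

    The order number on the first line has sixteen digits but fails the Luhn check, so it is left alone while the card number beside it is masked; the second line is dropped entirely rather than masked because track data is SAD. Running a scrubber like this over log output before it reaches storage is one way to act on "if you do not need payment card account data, do not store it".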

  • Scoping is the process for determining and validating the people, processes and technologies which transact, process, store, access or may impact the security of payment card account data. Minimizing the number of people, processes and technologies needed to complete payment card acceptance functions is an effective way of minimizing risks to payment card account data.

  • Yes. Moneris maintains its PCI DSS compliant Level 1 service provider status and our compliance is reported to all major Payment Card Networks on an annual basis.

    Moneris is a leading provider of payment processor solutions, offering a comprehensive suite of payment products and solutions. Our commitment to maintaining the highest level of security is demonstrated through our adherence to the PCI DSS requirements for both our products and underlying infrastructure.

    Additional information about Moneris' approach to PCI DSS security for its payment products and solutions, including a Responsibility Matrix, can be found here: https://www.moneris.com/en/support/compliance-and-security/pci-responsibility-matrix

  • Additional information on PCI DSS compliant Third-Party Service Providers can be found through the Payment Card Networks listings below:

    Mastercard: Merchants need to know (mastercard.ca)

    Visa: Visa Global Registry of Service Providers - Search Results

  • In the event of a suspected compromise of payment card account data, we advise you to contact Moneris as soon as possible, by phone at 1-866-319-7450 or by contacting the Moneris PCI DSS Compliance team using the online form through the link below.

  • Additional information on PCI DSS can be found with the PCI SSC and the Payment Card Networks through the following links:

    Additionally, if you have more questions on PCI DSS, you can reach out to Moneris' merchant PCI DSS compliance team through the link below.