PCI data security support


As a part of Chase, you have a team of data security experts ready to advise you, keep you informed of data security requirements and offer suggestions on how our payment solutions can help you meet them.

Why is payment card industry (PCI) data security important?

Providing customers with secure payment options not only gives them more incentive to patronize your business; more importantly, it is your responsibility. Failing to protect cardholder data could cost your company thousands of dollars in fines in addition to loss of business.

What are payment card industry data security standards (PCI DSS)?


As a merchant that accepts electronic payment cards, you are required to follow payment brand rules to protect cardholder data, using a set of common requirements adopted by all and collectively referred to as PCI DSS.

These requirements range from removing sensitive card data from your payment terminals and processing systems to implementing data security policies for your employees. Together, the PCI DSS requirements give merchants a unified approach to cardholder data security.


How do I ensure I maintain validation and reporting compliance?


Merchant responsibilities for maintaining security standards and validating/reporting compliance are based on transaction volume level and vary not only with volume but also with payment brand.

As required by the payment brands, Chase assigns you a merchant level that reflects the number of transactions you process in a one-year period within a single payment brand. Depending on that level, you may be required to validate and report your PCI DSS compliance to your acquirer.


The payment brands set their own levels for these requirements. While Visa® and Mastercard® levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements. Each payment brand also establishes its own criteria to determine merchant validation deadlines.


Could my data be compromised?

Data compromise is a constant threat that requires constant vigilance. Unfortunately, despite the most sophisticated system safeguards, data compromise events do happen. Exploiting system vulnerabilities is an obvious path for attackers, but many attacks can be attributed to credential theft, phishing or botnets (malware).

A successful attack may go unnoticed for days, weeks or even months before detection. It is imperative that merchants have policies and procedures in place to discover possible system breaches, take the necessary steps to stop further damage, and close the entry points the attacker used.

  • Stay on top of validating and reporting compliance
  • Identify, contain and limit exposure
  • Report & notify Chase and legal entities

Data compromise and common point of purchase FAQs


Explore these FAQs to understand more about data compromise, common point of purchase and the reporting process.


Cardholder data compromise occurs when a merchant’s payment system is breached and cardholder account information is stolen. When data compromise occurs, it is critical to contain the damage quickly to protect customer data and immediately identify the root cause of the event. Merchants must produce an accurate record of events for authorities.

Any suspicion of potential cardholder data compromise is reported to the payment brands (Visa® and Mastercard®) by law enforcement, issuing banks and/or you, the merchant. Security breaches can appear in different forms. Staying alert for the following suspicious activities can help identify potential risks:

  • Unexpected outgoing Internet traffic
  • Unexpected network traffic and IP addresses
  • Unknown files, software and devices installed on your systems
  • Antivirus programs malfunctioning or becoming disabled
  • Unknown applications configured to launch automatically upon your system reboot
  • Suspicious after-hours system activity
  • Presence of .zip, .rar, .tar and other types of unidentified compressed files containing cardholder data
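As an added example (not part of the Chase page), a small Python scanner for the last indicator above: it opens a zip archive and counts, per file, the digit strings that look like card numbers and pass the Luhn check, so a review of unexpected compressed files can be triaged quickly. The sample archive and the test card numbers inside it are constructed here.

```python
import io
import re
import zipfile

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, which every real card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_zip(data: bytes) -> dict[str, int]:
    """Map each file inside a zip archive to its count of Luhn-valid PANs."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                text = zf.read(info).decode("utf-8", errors="ignore")
                report[info.filename] = len(find_pans(text))
    return report


def build_sample_archive() -> bytes:
    """Constructed sample (not real data): a benign file and one holding test PANs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "Order 1234567890123 shipped; ref 4111-1111-1111-1112.\n")
        zf.writestr("dump.txt", "4111 1111 1111 1111|12/26\n5555555555554444|01/27\n378282246310005\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, count in scan_zip(build_sample_archive()).items():
        print(f"{'ALERT' if count else 'ok':5} {name}: {count} Luhn-valid PAN(s)")
```

The Luhn filter removes most order numbers and invoice references that merely have the right length; any file reported with a non-zero count warrants the containment steps that follow.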

  1. Contain and limit the exposure – It is very important to preserve evidence and assist with the investigation to minimize risk. You should adhere to the following:
    • Do not access or alter a compromised system
    • Do not turn the compromised system off, but isolate it from the network
    • Preserve logs and continue to log all actions taken
    • If using a wireless network, change the access point
    • Monitor all traffic on systems containing cardholder data
  2. Provide notification – You should contact your Incident Response Team (internal management and legal personnel) and provide an incident report to Chase Payment Solutions within 24 hours. Chase Payment Solutions will advise you of next steps and provide applicable notification to the payment brands (Visa and Mastercard). An incident report must contain the following information:
    • Brief description of the business and merchant identification number
    • Details of the data breach, including who, what, when and where
    • Type of stored cardholder data, such as account number, secure code (CVV2, CVC2, etc.) and/or full content of magnetic stripes
    • Steps taken to contain the incident
    • Law enforcement notifications, if applicable
  3. Follow your legal requirements – In addition to your contractual obligations with Chase Payment Solutions, you should consult with your legal department to adhere to applicable federal, state and local law notification requirements.

  • Forensic investigation: Upon review of an incident report, Visa or Mastercard may request that the merchant bring in a Qualified Incident Response Assessor (QIRA) to perform a forensic investigation within a specific time frame. Conducting a forensic investigation helps determine if there is evidence or risk of a compromise, and the time period of the compromise.
  • Findings report: When the investigation is complete, the QIRA will provide a forensic report to the merchant and the report will be shared with Chase Payment Solutions, Visa and Mastercard. Chase Payment Solutions will coordinate a review of the findings and the required follow-up actions identified in the report.
  • Accounts at risk: The QIRA and Chase Payment Solutions will provide Visa and Mastercard with the cardholder accounts that were processed during the at-risk time period. Visa and Mastercard will then notify the corresponding Issuers. Issuers are given a deadline to report any related fraud to the payment card brands.
  • Validation of compliance with the Payment Card Industry Data Security Standard: Any entity that has suffered a hack or attack is required to validate PCI DSS compliance. The forensic investigation will not close until the merchant has provided a Report of Compliance or Self-Assessment Questionnaire, in addition to Quarterly Network Scans.
  • Expenses, fines and liabilities: The merchant is responsible for bringing in the QIRA, if required. Visa and Mastercard will assess separate fines for any lack of compliance that led to the breach. In some cases, there are also assessments for incremental fraud and for monitoring or re-issuing cardholder accounts.
