PCI data security

As a Chase merchant you have a team of data security experts ready to advise you, keep you informed of data security requirements and offer suggestions on how our payment solutions can help you meet them.

Overview

Offering customers secure payment options not only gives them more incentive to patronize your business – it is also your responsibility. Failure to protect cardholder data can cost your company thousands of dollars in fines, on top of the loss of business.

Payment card industry data security standards (PCI DSS)

All merchants that accept electronic payment cards are required to follow the payment brands' rules for protecting cardholder data: a common set of requirements adopted by all the brands and collectively referred to as the PCI DSS.

These requirements range from removing sensitive card data from your payment terminals and processing systems to implementing data security policies for your employees. Together, the PCI DSS requirements give merchants a unified approach to cardholder data security.

Compliance validation & reporting

Merchant responsibilities for maintaining security standards and for validating and reporting compliance are based on transaction volume, and they vary not only with volume but also by payment brand.

As is required by the payment brands, Chase annually assigns merchant level rankings that reflect the number of transactions each merchant processes in a one-year period within a single payment brand. Depending on that level, you may be required to validate and report your PCI DSS compliance to your acquirer.

Additional requirements may apply. For example, merchants with higher volumes are required to work with qualified security assessors (QSAs), internal security assessors (ISAs) and approved scan vendors (ASVs).

The payment brands set their own levels for these requirements. While Visa® and Mastercard® levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements. Each payment brand also establishes its own criteria to determine merchant validation deadlines.

The four merchant levels below provide a snapshot of each reporting level for Visa and Mastercard. Full details can be found on their respective websites.

Merchant level 1

Criteria:

Over 6 million Visa or Mastercard transactions in a 12-month period

Requirements:

  • Onsite Assessment and Report on Compliance (ROC) performed by QSA or ISA
  • Quarterly network scans by ASV

Merchant level 2

Criteria:

Between 1 and 6 million Visa or Mastercard transactions in a 12-month period

Requirements:

  • Onsite Assessment and either a ROC or Self-Assessment Questionnaire (SAQ) completed by QSA or ISA
  • Quarterly network scans by ASV

Merchant level 3

Criteria:

Between 20,000 and 1 million Visa or Mastercard ecommerce transactions in a 12-month period

Requirements:

  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans

Merchant level 4

Criteria:

Less than 20,000 ecommerce or less than 1 million transactions with one card brand in a 12-month period

Requirements:

  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans
  • Submission to acquirer not mandatory

Data compromise

A constant threat requires constant vigilance.

Unfortunately, despite the most sophisticated system safeguards, data compromise events do happen. Exploiting system vulnerabilities is an obvious path for attackers, but many attacks can be attributed to credential theft, phishing or botnets (malware).

A successful attack may go unnoticed for days, weeks or even months before detection. It is imperative that merchants have policies and procedures in place to discover possible system breaches, take the necessary steps to stop further damage, and close the entry points the attacker used.

Data compromise FAQs

Cardholder data compromise occurs when a merchant’s payment system is breached and cardholder account information is stolen. When data compromise occurs, it is critical to contain the damage quickly to protect customer data and immediately identify the root cause of the event. Merchants must produce an accurate record of events for authorities.

Any suspicion of potential cardholder data compromise is reported to the payment brands (Visa® and Mastercard®) by law enforcement, issuing banks and/or you, the merchant.

Security breaches can appear in different forms. Staying alert for the following suspicious activities can help identify potential risks:

  • Unexpected outgoing Internet traffic
  • Unexpected network traffic and IP addresses
  • Unknown files, software and devices installed on your systems
  • Antivirus programs malfunctioning or becoming disabled
  • Unknown applications configured to launch automatically upon your system reboot
  • Suspicious after-hours system activity
  • Presence of .zip, .rar, .tar and other types of unidentified compressed files containing cardholder data
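The last indicator above can be checked mechanically. The following is an added example (not Chase's or the page's own tooling): a defender-side scanner that opens a zip archive, looks for Luhn-valid PAN candidates in each member, and reports them masked so the finding itself does not become stored cardholder data. The archive and its contents are constructed inline as sample input.

```python
import io
import re
import zipfile

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PAN candidates found in text, deduplicated in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and mask(digits) not in found:
            found.append(mask(digits))
    return found


def scan_zip(data: bytes) -> dict:
    """Scan every member of a zip archive; map member name -> masked PANs found."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="ignore")
            pans = find_pans(text)
            if pans:
                hits[name] = pans
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: one member holds a well-known test PAN, one a Luhn-invalid number."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dump.txt", "cust=42 pan=4111 1111 1111 1111 exp=12/29\n")
        zf.writestr("notes.txt", "ticket 1234567890123456 is not a card\n")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags only `dump.txt`; the Luhn check keeps ordinary 16-digit identifiers out of the report.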

  1. Contain and limit the exposure – It is very important to preserve evidence and assist with the investigation to minimize risk. You should adhere to the following:
    • Do not access or alter a compromised system
    • Do not turn the compromised system off, but isolate it from the network
    • Preserve logs and continue to log all actions taken
    • If using a wireless network, change the access point
    • Monitor all traffic on systems containing cardholder data
  2. Provide notification – Merchants should contact their Incident Response Team (internal management and legal personnel) and provide an incident report to Chase Payment Solutions within 24 hours. Chase Payment Solutions will advise a merchant of next steps and provide applicable notification to the payment brands (Visa and Mastercard). An incident report must contain the following information:
    • Brief description of the business and merchant identification number
    • Details of the data breach, including who, what, when and where
    • Type of stored cardholder data, such as account number, secure code (CVV2, CVC2, etc.) and/or full content of magnetic stripes
    • Steps taken to contain the incident
    • Law enforcement notifications, if applicable
  3. Follow your legal requirements – In addition to your contractual obligations with Chase Payment Solutions, you should consult with your legal department to adhere to applicable federal, state and local notification requirements.

  1. Forensic investigation – Upon review of an incident report, Visa or Mastercard may request that the merchant bring in a Qualified Incident Response Assessor (QIRA) to perform a forensic investigation within a specific time frame. Conducting a forensic investigation helps determine if there is evidence or risk of a compromise, and the time period of the compromise.
  2. Findings report – When the investigation is complete, the QIRA will provide a forensic report to the merchant and the report will be shared with Chase Payment Solutions, Visa and Mastercard. Chase Payment Solutions will coordinate a review of the findings and the required follow-up actions identified in the report.
  3. Accounts at risk – The QIRA and Chase Payment Solutions will provide Visa and Mastercard with the cardholder accounts that were processed during the at-risk time period. Visa and Mastercard will then notify the corresponding Issuers. Issuers are given a deadline to report any related fraud to the payment card brands.
  4. Validation of compliance with the Payment Card Industry Data Security Standard – Any entity that has suffered a hack or attack is required to validate PCI DSS compliance. The forensic investigation will not close until the merchant has provided a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ), in addition to quarterly network scans.
  5. Expenses, fines and liabilities – The merchant is responsible for bringing in the QIRA, if required. Visa and Mastercard will assess separate fines for any lack of compliance that led to the breach. In some cases, there are also assessments for incremental fraud and for monitoring or re-issuing cardholder accounts.

Common Point of Purchase (CPP)

Not all data compromise incidents are due to network intrusion. Some may be localized or “skimming” events, where cardholder data is stolen and then used for fraudulent purchases at other merchant locations. When multiple fraudulent transactions are determined to have originated from a common location, that location becomes the CPP and an investigation is initiated.

CPP locations are reported to the payment brands (Visa and Mastercard) by law enforcement and issuing banks. Once reported, the appropriate payment brand examines the claim to determine if a CPP or forensic investigation is necessary.

If your business is reported as a CPP location, Chase Payment Solutions will contact you. The payment brand involved will provide a questionnaire for you to complete and will include reported details to assist you with your own internal investigation. You will be given a deadline for submitting the questionnaire to Chase Payment Solutions.

Chase Payment Solutions will submit the completed questionnaire to the involved payment brand, which will then determine if a skimming event or potential network intrusion may have occurred.

Additional help

If you have a question or need general support for your existing processing account, you can email us at merchant.support@chase.com or call client services at 1-888-886-8869.
