Morrill & Janes Bank

PCI DATA SECURITY STANDARD

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other protective measures. The PCI Security Standards Council (PCI SSC) is a forum made up of members from each of the card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. The PCI DSS is intended to help organizations proactively protect customer account data and to provide a common standard to which the payment industry must adhere.

Morrill & Janes Bank would like to remind our customers that they must meet the requirements of PCI DSS by properly safeguarding cardholder data. It is critical that your business adheres to these security requirements to ensure the highest standard of care and to help keep sensitive cardholder data away from hackers and fraudsters. The following highlights the 12 main requirements of PCI DSS (please refer to the PCI SSC website for the complete requirements):

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI Level Classification

All businesses will fall into one of four levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa, MasterCard and Discover transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA). In cases where a corporation has more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity will be used to determine the validation level. Other restrictions and conditions may apply. Merchant levels are defined as:

Level 1
Description: Any business, regardless of acceptance channel, processing over 6,000,000 Visa or MasterCard transactions per year, or any business designated Level 1 at the discretion of the card associations.
Compliance requirements:
  • Annual onsite assessment by a QSA, documented in a ROC
  • Quarterly scans by an ASV
  • CORA

Level 2
Description: Any business, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
Compliance requirements:
  • Annual onsite assessment by a QSA, documented in a ROC
  • Quarterly scans by an ASV
  • CORA

Level 3
Description: Any business processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year.
Compliance requirements:
  • Annual SAQ
  • Quarterly scans by an ASV

Level 4
Description: Any business processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other businesses, regardless of acceptance channel, processing up to 1,000,000 Visa or MasterCard transactions per year.
Compliance requirements:
  • Annual SAQ
  • Quarterly scans by an ASV

*Levels and requirements are subject to change at any time by the card associations or the PCI SSC.
**Any business involved in an account-data compromise may be escalated to a higher validation level.

Compliance Requirements Defined

QSA - Qualified Security Assessor. QSAs are certified by the PCI SSC. A QSA serves as an advisor to businesses seeking or maintaining compliance with the PCI DSS. Approved QSAs are listed on the PCI SSC web site.

ASV - Approved Scanning Vendor. ASVs are certified by the PCI SSC. ASVs perform the required quarterly network scans and serve as advisors on achieving compliance. Morrill & Janes Bank's PCI compliance program provides unlimited scanning by an ASV for up to 5 IP addresses, when required.

ROC - Report on Compliance. Level 1 businesses must submit a ROC completed by a QSA annually.

SAQ - Self-Assessment Questionnaire. Annual SAQs must be submitted by businesses not required to submit a ROC.

Quarterly Vulnerability Scans - External network scans must be performed quarterly by an ASV.

CORA - Confirmation of Report Accuracy. Required annually for Level 1, 2 and 3 businesses.

Compliance Validation

Once a business has met the compliance requirements, compliance must be validated. Morrill & Janes Bank is required to provide (upon request) compliance status updates on our customers to the card associations. All Morrill & Janes Bank merchants should validate and maintain compliance through our PCI compliance program.

PCI DSS Requirements for Software & Hardware

Businesses that use a vendor-supplied payment application, or third-party software and/or hardware, are required to use only compliant payment applications. Each card association and the PCI SSC provide educational programs, including brochures and webinars, on their web sites, along with lists of compliant service providers.

Additional information is available at:

(When you click on these links you will be leaving the Morrill & Janes Bank website. These sites are not controlled by Morrill & Janes Bank, and we are not responsible for the content of, or the products and services provided by, these third parties, nor do we guarantee the system availability or accuracy of the information contained on their sites. Please note that a third-party site may have privacy and information security policies that differ from those of Morrill & Janes Bank.)

What to do if compromised

In the event of a security incident, please contact Morrill & Janes Bank immediately. Members, businesses and service providers must take immediate action to investigate the incident, limit the exposure of cardholder data, and notify the card associations to report the investigation's findings. Guides to assist in the event of a breach are available at the web sites listed above.

Disclaimer: This document contains a compilation of information received from various sources. This information is presented solely for the convenience of the reader and should not be used as a substitute for your own research and reference to actual regulations and/or other official documents, or as a substitute for consulting your legal advisor. Morrill & Janes Bank and its parents and affiliates are not responsible for inaccurate, outdated, or incomplete information. All information contained herein is subject to change.