Tuesday, August 11, 2009

Handling Account, Cardholder, Transaction, and Merchant Information

Sale or Exchange of Account and Cardholder Information Prohibited

A merchant must not sell, purchase, provide, exchange, or in any manner disclose card account number information to anyone other than its acquiring bank, to the Credit Card Association, or in response to a government request. This prohibition applies to card imprints, transaction receipts, carbon copies, mailing lists, tapes, or other media obtained as a result of a card transaction.

Fraudulent or Unauthorized Use of Account Information Prohibited

A merchant must not request or use card account number information for any purpose that it knows or should have known to be fraudulent or in violation of the card Association's standards, or for any purpose that the cardholder did not authorize.

Account, Cardholder and Transaction Data Must Be Kept Secure

Merchants must keep all systems and media containing card account, cardholder, or transaction information (whether physical or electronic) secure so as to prevent access by, or disclosure to, any unauthorized party. Merchants must destroy all media that they are not required to retain, in a manner that renders the data unreadable.

If an account compromise occurs, the following will apply:
  • The merchant must notify its acquiring bank immediately.
  • The acquiring bank must provide the affected Credit Card Association with complete information about the account compromise.
  • If the account compromise results from the merchant's failure to comply with this rule, the acquiring bank must promptly engage a data security firm to assess the vulnerability of the merchant's systems and must promptly provide the results of that audit (or a forensic examination, if required) to the affected Credit Card Association.
  • If the acquiring bank fails to promptly engage a data security firm, or fails to promptly provide the findings of the audit or any forensic examination, the Credit Card Association may assess a fine against the acquiring bank.
  • The acquiring bank must cooperate, and ensure that its merchant cooperates, with the investigation and resolution of the account compromise, including any forensic audit or other measure that the Credit Card Association deems necessary.

Account Information Must Not Be Recorded on a Mailer

A merchant must not ask a cardholder to record a card account number or other account information on the exterior of any order form or other similar device designed to be mailed.

Merchant Identification

A merchant must prominently and unequivocally inform the cardholder of the identity of the merchant at all points of sale so that the cardholder can distinguish the merchant from any other party such as a supplier of goods or services to the merchant.

Data Storage Entity (DSE) Identification

The merchant must inform the acquiring bank promptly of the identity of any DSE that engages, or proposes to engage, in the processing, storage, or both of card account data for the merchant, whether directly or indirectly, regardless of the manner or duration of such activities.

Storage of Account, Cardholder, and Transaction Data

A merchant and any DSE must not store, in any system or in any manner, discretionary card-read data, CVC2/CVV2 data, PIN data, Address Verification Service (AVS) data, or any other prohibited information set forth in the Credit Card Associations' standards, except during the authorization process for a transaction, that is, from the time the authorization request message is transmitted up to the time the authorization response message is received. Only the card account number, expiration date, cardholder name, and service code may be stored, and only in a secure environment to which access is limited, only to the extent that this data is required for bona fide purposes, and only for as long as it is required for those purposes.
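The storage rule above splits card data into two classes: four fields that may be retained after authorization, and sensitive authentication data that may exist only while the authorization request is in flight. The following is an added illustration, written for this page rather than taken from the post or from any card association, of how a payment application can enforce that split at the storage boundary. The field names (`pan`, `cvv2`, `track2`, `avs`, and so on), the `RetentionError` type, and the sample record are all assumptions constructed for the example.

```python
"""Post-authorization scrubber: keep only storable card fields, drop the rest.

Added example, not code from the original post. Field names are constructed
for illustration; a real integration would map them from its processor's
message format.
"""

from typing import Dict

# The four fields the rule permits to be retained after authorization
# (names are an assumption of this example).
STORABLE_FIELDS = frozenset({"pan", "expiry", "cardholder_name", "service_code"})

# Sensitive authentication data that must not persist beyond the
# authorization request/response exchange (names are an assumption).
PROHIBITED_FIELDS = frozenset(
    {"track1", "track2", "discretionary_data", "cvv2", "cvc2", "pin", "pin_block", "avs"}
)


class RetentionError(ValueError):
    """Raised when a record is not eligible to be written to persistent storage."""


def scrub_for_storage(auth_record: Dict[str, str], response_received: bool) -> Dict[str, str]:
    """Return the subset of `auth_record` that may be written to persistent storage.

    `response_received` is True once the authorization response message has
    arrived. Before that point the record may hold prohibited fields in memory
    for the authorization itself, but nothing may be persisted at all.
    """
    if not response_received:
        raise RetentionError("authorization still in progress; nothing may be persisted")

    # Fail closed: a field we have not classified could be track data under
    # another name, so refuse to store rather than guess.
    unknown = set(auth_record) - STORABLE_FIELDS - PROHIBITED_FIELDS
    if unknown:
        raise RetentionError(f"unclassified fields present, refusing to store: {sorted(unknown)}")

    # Drop the key entirely; a blank value would still leak the field's presence
    # and tempts later code to fill it in.
    return {name: value for name, value in auth_record.items() if name in STORABLE_FIELDS}


def verify_stored_record(record: Dict[str, str]) -> bool:
    """Audit check for data already at rest: True only if no prohibited key is present."""
    return not (set(record) & PROHIBITED_FIELDS)


# Constructed sample authorization record; the PAN is a well-known test number.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "expiry": "1225",
    "cardholder_name": "A SAMPLE CARDHOLDER",
    "service_code": "201",
    "cvv2": "123",
    "track2": "4111111111111111=25121011000012345678",
    "avs": "Y",
}


if __name__ == "__main__":
    stored = scrub_for_storage(SAMPLE_AUTH_RECORD, response_received=True)
    print("persisted fields:", sorted(stored))
    print("stored record passes audit:", verify_stored_record(stored))
```

The two functions serve different moments: `scrub_for_storage` is the gate every write path goes through once the response arrives, and `verify_stored_record` is the check an auditor (or a scheduled job) runs over what is already on disk, which is how a compromise assessment would confirm that no prohibited data was ever retained.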
