Article originally published in McCarthy Tétrault Co-Counsel: Technology Law Quarterly on February 12, 2009
In the last issue of the TLQ, we commented on the absence of explicit
statutory restrictions on credit card data that may be included on
customer and merchant sales receipts in Canada. The main deterrent
to businesses creating receipts that include complete credit card
numbers has been the best practice policies of the provincial and
federal Privacy Commissioners.
While there continues to be a dearth of statutory restrictions
geared towards protecting Canadian consumers from credit card fraud
and identity theft, Visa Inc. recently announced global deadlines
for merchants, service providers and their agents to comply with
the PCI DSS.
PCI DSS was developed by Visa and the four other founding
payment brands of the PCI Security Standards Council, including
American Express, Discover Financial Services, JCB International
and MasterCard Worldwide. The standard was created to establish a
comprehensive set of international security principles and
requirements for enhancing payment account data security. The core
principles identified in PCI DSS are:
Build and Maintain a Secure Network;
Protect Cardholder Data;
Maintain a Vulnerability Management Program;
Implement Strong Access Control Measures;
Regularly Monitor and Test Networks; and
Maintain an Information Security Policy.
These standards will be the compliance model for the
With its recent announcement, Visa has created deadlines and
validation requirements for merchants and other organizations that
process credit card transactions. The requirements established in
Visa's global compliance mandate vary depending on factors such
as transaction volume. Visa has identified four merchant levels and
two service provider levels, and has established corresponding
validation requirements for each level.
Merchant Validation Requirements
The first level or tier of merchants, those subject to the
strictest validation requirements, encompasses all merchants
processing more than six million Visa transactions annually or any
global merchant that has been identified as a Level 1 merchant in
another Visa country or region. In addition to the validation
requirements facing Level 2, 3 and 4 merchants, Level 1 merchants
must submit an Annual Report on Compliance by a Qualified Security
Assessor. By contrast, Level 2, 3 and 4 merchants must submit an
Annual Self-Assessment Questionnaire.
Acquirers, that is, bankcard association members that initiate
and maintain relationships with merchants that accept payment
cards, are responsible for their merchant customers'
compliance. Visa requires acquirers to provide it with regular
compliance status reports on their Level 1, 2 and 3 merchants at
least twice a year.
Visa will also require acquirers to provide confirmation by
September 30, 2009 that their Level 1 and 2 merchants do not retain
sensitive payment card data after transaction authorization.
Sensitive payment card data includes data such as the full magnetic
stripe of a credit card, security codes and PIN data.
Finally, by September 30, 2010, acquirers must provide Visa with
an Attestation of Compliance for each of their Level 1 merchants,
confirming that they have validated full PCI DSS compliance.
Service Provider Validation Requirements
For the purposes of Visa's PCI DSS validation requirements,
service providers are those that store, process or transmit Visa
cardholder data on behalf of acquirers, issuers and merchants. Visa
has identified different levels of service providers and set out
validation requirements that each level must comply with. Level 1
service providers are VisaNet processors or those that store,
process and/or transmit over 300,000 transactions per year. Level 1
service providers that meet the validation requirements are
included on Visa's list of compliant service providers, whereas
Level 2 service providers, those that store, process and/or
transmit fewer than 300,000 transactions per year, are not included
on the list unless they choose to comply with the Level 1
McCarthy Tétrault Notes:
While PCI DSS principally targets the retail community,
compliance is not restricted to retailers. PCI DSS applies to any
entity that stores, processes and/or transmits cardholder data.
Hospitals, educational institutions, government offices and any
other organization that accepts or processes payment cards must
comply with PCI DSS. Organizations that process Visa payment cards
will be subject to Visa's recently released compliance
requirements, and should inform themselves of the scope of their
obligation to validate compliance with PCI DSS and do so based on
the level of merchant or service provider they fall under.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.