At checkouts and shop counters across Malta, customers instinctively take out their debit or credit card of choice when it is time to pay. Few of them realise that the whole payment system is backed by an extraordinarily high level of security. This begins as soon as the customer presents the merchant with their card, because all merchants in Malta who accept card payments are mandated to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is a globally adopted industry standard that sets out the procedures that must be followed to ensure the safe handling, storage, processing and transmission of payment card data. It outlines the security measures that each merchant must have in place to protect cardholder data wherever it is stored, electronically or physically.
PCI DSS compliance is divided into four merchant levels, identified by transaction type and/or volume, as follows:
Level 1: merchants who process more than 6,000,000 MasterCard or Visa transactions a year.
Level 2: merchants who process more than 1,000,000 MasterCard or Visa transactions a year.
Level 3: merchants who process more than 20,000 MasterCard or Visa ecommerce transactions a year.
Level 4: all other merchants.
Given merchants’ obligation to comply with PCI DSS, Global Payments Ltd. Malta encourages merchants in Malta to maintain a list of the third-party service providers they use (for example, payment service providers and web-hosting companies) and to keep written agreements in which each service provider acknowledges its responsibility for the security of the cardholder data it handles. Merchants should also establish a process for carrying out proper due diligence on service providers before engaging them, and for monitoring those providers’ PCI DSS compliance annually.
By visiting the PCI Security Standards Council website (http://www.pcisecuritystandards.org/index.php), merchants in Malta can make sure that they are offering their customers not just a product or a service but also the peace of mind that their information is safe.
Examples of “Dos” and “Don’ts” for the safe storage of data include:
Do understand where your card data flows for the entire transaction process, from when you accept the card to receiving payment for the transaction.
Do ensure that all cardholder data you store (if you have a legitimate business need to keep it) is securely protected.
Do verify that your card terminals comply with the PIN Entry Device (PED) security requirements. All terminals supplied by Global Payments meet these requirements.
Do verify that the third party payment applications you use comply with the Payment Application Data Security Standard (PA-DSS).
Do use strong cryptography to make any cardholder data that you store unreadable, and use other layered security technologies to minimise the risk of it being exploited by criminals.
Do ensure that all third parties who process your customers’ card data or who can impact the security of the payment transaction comply with PCI DSS, PED and/or PA-DSS as applicable.
Do have clear access and password protection policies for your card processing equipment.
Don’t use PED devices that print out personally identifiable payment card data; the card number on every receipt must be truncated or masked.
Don’t store cardholder data unless it’s absolutely necessary.
Don’t store any payment card data in payment card terminals or other unprotected devices, such as PCs, laptops or smartphones.
Don’t locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room.
Don’t permit any unauthorised people to access stored cardholder data.
Don’t store, after authorisation, the sensitive authentication data contained in the payment card’s chip or full magnetic stripe, or the printed 3-4 digit card validation code on the front or back of the card.
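As an added illustration of the masking and storage rules above (not code from the original article or from Global Payments), the following Python check masks a card number for a printed receipt and flags stored records that still hold a full PAN, track-2 data or a card validation code. The regular expressions and the sample records are assumptions constructed for this example.

```python
import re

# Constructed patterns (assumptions, not from the article).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")          # 13-19 digit run
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")            # "PAN=YYMM..." track-2 shape
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)

# Constructed sample records: one correctly masked, two that breach the Don'ts.
SAMPLE_RECORDS = [
    "order=1001 card=************1111 amount=45.00",
    "order=1002 card=4111111111111111 cvv=123 amount=12.50",
    "order=1003 track=;4111111111111111=2512201? amount=9.99",
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used on card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan_for_receipt(pan: str) -> str:
    """Mask a PAN for printing: only the last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_prohibited_data(record: str) -> list[str]:
    """List unmasked PANs and sensitive authentication data found in a record."""
    findings = []
    for m in PAN_RE.finditer(record):
        if luhn_valid(m.group()):
            findings.append("unmasked PAN ending " + m.group()[-4:])
    if TRACK2_RE.search(record):
        findings.append("track-2 data")
    if CVV_FIELD_RE.search(record):
        findings.append("card validation code")
    return findings


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index to findings for every record that breaches the rules."""
    return {i: f for i, r in enumerate(records) if (f := find_prohibited_data(r))}
```

Run over real storage (databases, log files, terminal exports) this kind of scan is a quick way to confirm that the "Don'ts" on storing full PANs and authentication data are actually being followed.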