
Frequently asked questions about SDP and AIS

From merchants

Why were new security standards such as SDP and AIS necessary in the first place?
There have been cases in recent years in which unauthorized persons have hacked into large IT systems. Millions of card data records thereby fell into the wrong hands and were then, to some extent, misused for card fraud. This resulted in considerable losses for cardholders, merchants, card issuers and acquirers.

With the programs Account Information Security (AIS) from VISA and Site Data Protection (SDP) from MasterCard, this rapidly growing threat is countered on two levels:

  • Cardholder data is better protected.
  • Card-accepting merchants and their service providers who transmit, process and store card data are obligated to implement effective precautionary measures in regard to data security.

What do the programs SDP and AIS contain?
The programs SDP and AIS contain rules from the two leading card organizations, MasterCard and VISA, for securing the transmission, processing and storage of card data. The rules are based on the PCI DSS security standard (Payment Card Industry Data Security Standard).

Who must comply with SDP and AIS?
All merchants and third parties authorized by them who transmit, process or store card data are obligated to comply with the SDP and AIS rules.

What is an authorized third party?
Authorized third parties (DSE, Data Storage Entities) include, among others, payment service providers, web shop operators and outsourcing partners that operate IT systems on the merchant's behalf.

Must all merchants and authorized third parties also be certified?
In the interest of efficient compliance with the rules and a stronger focus on the greater risks, a special certification as proof of compliance is required only from merchants who process more than 20,000 e-commerce transactions in a card system.

Merchants are in every case responsible for authorizing only third parties that are also SDP and AIS certified.

Service providers are generally obligated to be certified if they transmit, process or store card data on behalf of the merchant.

SIX Multipay or the security company can provide the details.

What does a merchant certification entail?
To be certified, merchants must prove that they comply with the security rules according to SDP and AIS. To do so, they must complete a security questionnaire and allow an accredited security company to carry out a security scan quarterly.

If a merchant does not store, process or transmit any card data, then this must be confirmed in writing to SIX Multipay. The merchant is then considered to be in compliance with SDP/AIS.

The requirements for the individual merchant categories are listed in the table below:

Merchant category:
< 20,000 transactions in e-commerce and < 6 million transactions in all channels annually in a card system (VISA or MasterCard/Maestro)

Type of certification (recommended):

  • Completion of a security questionnaire
  • 1 security scan each year

Merchant category:
between 20,000 and 6 million transactions in e-commerce annually in a card system (VISA or MasterCard/Maestro)

Type of certification:

  • Completion of a security questionnaire
  • Quarterly security scans by a security company

Merchant category:
> 6 million transactions annually in all sales channels including e-commerce in a card system (VISA or MasterCard/Maestro), or upon request by VISA or MasterCard

Type of certification:

  • On-site security audit by a security firm, or by means of an internal audit that is signed by one of the company’s authorized signatories
  • Quarterly security scans by a security company

Please note that, if you are required to undergo certification, you are considered SDP-compliant only once your acquirer has registered you with MasterCard as SDP-compliant. The fee is USD 200 per year.
hanges required in the IT systems.

Who pays the certification costs?
The certification costs are covered by the merchant.

What happens if a merchant or authorized third party is not certified?
Failure to certify, or the authorization of a non-certified third party, is a serious infraction of the merchant obligations under the GBC and SBC contained in the contracts with SIX Multipay and is grounds for immediate contract termination. In addition, SIX Multipay reserves the right to hold such merchants liable for all fines levied by the card organizations and for loss claims made by the card issuer.

As a merchant where can I have certification carried out?
Basically, at a security company of your choice. You can find a directory of accredited security firms here.

How does the self-assessment questionnaire affect the security measures?
Merchants who wish to be certified must complete a comprehensive SDP/AIS security questionnaire. Completing the questionnaire takes at least an hour. For certification, the answers in the questionnaire must be assessed by a security company.

What is a security scan?
A security scan is an authorized, non-destructive simulated attack carried out by the accredited security company against the systems that hold the stored card data. Depending on turnover, the number of transactions per year and the card brand, the scans must be carried out annually or quarterly. The date of the security scan is agreed upon with the merchant.

What is an on-site security audit?
For very large merchants (those with more than six million transactions per year and card brand in the presence and distance business), for security-critical merchants and for authorized third parties (service providers), an on-site inspection is carried out by a security company or by means of an internal audit.

What happens if problems are identified during the certification?
The problems must be solved by the merchant. Subsequent checks will be made by the security company and charged to the merchant.

Who can view the certification data?
Only the security company and the merchant have access to all information during the certification.

SIX Multipay only receives an overall assessment of the merchant from the security company.

The card organization only receives a statistical evaluation.

Which Payment Service Providers does SIX Multipay recommend?

Where can further information about AIS and SDP be obtained?
Further information about SDP and AIS can be obtained at www.secure-ecommerce.ch or on the website of the accredited security company.

Copyright SIX Group. All rights reserved.
SIX Multipay AG, Hardturmstrasse 201, CH-8021 Zürich