
Acquirers, Payment Service Providers, Data Storage Entities

The Visa Member Letter EU 06/05 - Account Information Security Programme Update and MasterCard Global Security Bulletin No. 12, 15th December 2004 and No. 1, 14th January 2005, set out the credit card organizations’ certification requirements and deadlines for service providers:

 

Level 1:

 

Criteria:

All payment gateways and Internet payment service providers – regardless of transaction volume.

All third-party processors and data storage entities that store credit card data on behalf of Level 1 and Level 2 merchants (i.e. merchants with over 150,000 transactions per year).

 

Requirements:

Annual security assessment (Security Audit) and quarterly network inspection (Security Scan)

 

Deadline:

Certification by 30th June 2005

 

Level 2:

 

Criteria:

All service providers that are not Level 1 providers and process, forward or store over 1,000,000 transactions per year.

All data entities that store credit card data on behalf of Level 3 merchants (i.e. merchants with 20,000 – 50,000 transactions per year).

 

Requirements:

Annual security assessment (Security Audit) and quarterly network inspection (Security Scan)

 

Deadline:

Certification by 30th June 2005

 

Level 3:

 

Criteria:

All service providers that are not Level 1 service providers and process, forward or store fewer than 1,000,000 transactions per year.

All other data storage entities that are not covered by Level 1 or Level 2.

 

Requirements:

Annual PCI self-assessment questionnaire and quarterly network inspection (Security Scan)

 

Deadline:

Visa: certification by 30th June 2005 mandatory

MasterCard recommends certification

 

Service providers who have already been certified in accordance with Visa’s Account Information Security [AIS] and MasterCard’s Site Data Protection [SDP] security standards will receive their statuses by 1st January 2006. Every service provider is required to observe the Payment Card Industry [PCI] Data Security Standard thereafter.

 

Service providers who are not currently certified should instigate the necessary measures as soon as possible to attain the necessary certifications before the above-mentioned deadlines. Against this background, Pago recommends collaboration with SRC Security Research & Consulting GmbH as security vendor/qualified security assessor.

 

 

 




Pago eTransaction Services GmbH is a
Deutsche Bank AG and Beisheim Holding Schweiz AG company
Copyright © 2005 Pago eTransaction Services GmbH