Certified data security
Pago Security Support includes professional security certification by MasterCard and Visa which is designed to curb theft and abuse of credit card data.
At the start of 2005, the leading card organizations also succeeded in agreeing on joint security requirements, the so-called Payment Card Industry [PCI] Data Security Standard. This sets out the card organizations’ common test processes, as well as the necessary documentation and security requirements. In this way, PCI enables the future adoption of uniform procedures for implementing obligatory security requirements of all credit card organizations. It is undeniable that security testing cannot be seen as a one-time undertaking but as an ongoing process. Depending on the size of the business concerned, regular follow-up certifications are therefore needed to verify that the once-attained security standard is maintained and adapted to reflect the latest technological developments.
Further information is given in the FAQs below and is also available for download as a PDF file under "documents".
1. General Questions
1.1 What is the Payment Card Industry [PCI] Data Security Standard? The credit card organizations have developed a uniform, global testing standard for both payment systems called the “Payment Card Industry (PCI) Data Security Standard”. While MasterCard’s SDP and Visa’s AIS programs will remain effective, the new PCI standard incorporates the testing requirements of both these programs.
1.2 What will change as a result of the new PCI testing standard? PCI improves the efficiency of the certification process by standardizing the two leading credit card organizations’ security requirements for merchants and service providers.
1.3 What is the purpose of Visa’s AIS and MasterCard’s SDP programs? The reputations of many merchants and e-commerce merchants have been severely damaged over the past years as it became known that cardholder data had been intercepted and in some cases used subsequently for fraudulent transactions. The AIS [Account Information Security] and SDP [Site Data Protection] programs help merchants and payment service providers who save, process, or forward card data on their own systems to identify potential security loopholes in their own systems and avoid possible ensuing damage.
1.4 Will all acquirers have their merchants and service providers certified for compliance with the credit card organizations’ Rules & Regulations? Not only merchants, but also the credit card organizations themselves, and in particular the cardholders, pay the price for the potentially immense consequences of intercepted and fraudulently used credit card data. The credit card organizations have therefore meanwhile declared the certification of all acquirers, their merchants and service providers as mandatory. Acquirers must register all merchants and service providers with MasterCard and Visa, together with their certification statuses.
1.5 Are merchants/service providers obliged to engage a security auditor selected by Pago for the certification? In principle, merchants/service providers can engage for the certification any security auditor which has been approved by both credit card organizations.
> MasterCard accredited security vendors
> Qualified Security Assessors approved by Visa
Our partner, SRC Security Research & Consulting GmbH in Bonn, has been approved by both organizations to perform the necessary certification.
1.6 Why should I, as a merchant or service provider, be certified? Merchants and service providers are liable for any damage ensuing from the theft of confidential card data in their sphere of responsibility. Successful certification demonstrates that the merchant’s or service provider’s security standards comply with those of the card organizations. In this case, any ensuing damage will be borne by the card organizations.
1.7 Why am I, as a merchant or service provider, obliged to participate in the certification? Merchants and service providers who handle credit card data negligently can not only cause damage to themselves, but also to the participating card-issuing banks, credit card companies and their customers, the cardholders. The credit card organizations declared participation in the security program as a mandatory regulation for the sake of protecting all involved parties. For the same reasons, the credit card acceptance agreement with Pago was also amended to include mandatory participation in the security programs.
1.8 What happens if merchants or service providers cannot, or refuse to, perform the certification? Failure to comply with the certification requirement is a severe infringement of the terms of the merchant contract and can result in extraordinary termination.
1.9 What happens if the certification requirements are not fulfilled during the assessment? The goal of the assessment is initially to identify possible shortfalls. After that, suitable measures are proposed, together with a binding deadline, for rectifying any identified deficiencies. If minor deficiencies are identified, the merchant or service provider is responsible for remedying them. Should serious deficiencies be detected, a reassessment will be carried out after the deficiency has been rectified.
2. Information about the Security Certificate
2.1 In which form is the certificate issued? Which certificates are available? The certificate is issued in writing by the engaged MasterCard security vendor or Visa qualified security assessor.
2.2 How long is the issued certificate valid? Data security is an ongoing process. It is therefore expedient for merchants and service providers to have their organizational processes, access and logging systems, communication and data infrastructure and development and security management assessed regularly for compliance with the necessary requirements. The scope and frequency of the measures for attaining the certificate are classified depending on the type and scope of the merchant’s or service provider’s business operation.
2.3 How is Pago informed about the issuance of a certificate? Pago has chosen SRC in Bonn as its partner for certification issues. Regardless of your preferred MasterCard security vendor or Visa qualified security assessor, registration with SRC – including the provision of SRC with the pertinent details of the engaged certification authority – is always necessary. SRC then informs Pago about the successful conclusion of the certification.
2.4 How is a merchant or service provider informed about the status of the certification? SRC monitors the certification status of all registered merchants and service providers and informs these in good time about pending measures for obtaining or extending a certificate.
2.5 Where can merchants and service providers obtain further information from the credit card organizations about certifications? Visa Europe and MasterCard International publish extensive information about their security programs on their websites:
> Documents
> MasterCard International
2.6 Which companies are authorized to perform certifications?
3. Certification Process Information
3.1 How can I have my company certified? As a merchant or payment service provider, it is simplest to register online with SRC. All the subsequent, necessary steps ensue from this registration.
3.2 What is the purpose of registration? To ensure that the certification effort remains reasonable in relation to the risk, all merchants and service providers are classified on the basis of the registration information, in accordance with their value-creation depth and the risk potential derived therefrom. Based on the registration information, the next assessment steps are determined in accordance with the Payment Card Industry Data Security Standard.
3.3 How complex is the registration? The registration consists of answering a short questionnaire and lasts about 15 minutes.
3.4 I do not store or process any confidential card data in my system. Do I still need to be certified? If the card data are stored and processed exclusively by a service provider, the merchant generally does not have to proceed any further with the registration of the certification process.
3.5 The merchant uses one or more service providers to operate his platform. Does each service provider have to be registered separately? A chain is only as strong as its weakest link. With each new party involved, the risk of damage by a third party due to the negligent handling of confidential data increases, also for the merchant/service provider. Consequently, third party providers are generally responsible for their own registration and certification. You, as a merchant or service provider (PSP), should therefore always additionally obligate third parties contractually to comply with the prescribed security standards.
3.6 How does the certification process proceed for the merchant/service partner? The certification process is modular and can – depending on the merchant’s value-creation depth and risk profile – require up to four part-assessments to check the system security.
a) Registration
b) Completion of online questionnaire for self-assessment (PCI Self-Assessment Questionnaire)
c) Monitored assessment of the merchant’s Internet connection using a special tool via the Web (Security Scan)
d) Performance of an on-site review of the merchant’s premises (Security Audit)
3.7 How long does a certification last? The time needed for a certification depends on the circumstances, technical infrastructure and size of the merchant. The registration lasts around 15 minutes, completing the data security questionnaire about an hour.
3.8 How exact is the certification process and how is the merchant informed about the results of the individual steps of the assessment? Companies certified by SRC can call up the current status online. SRC proactively informs the merchant/service partner about the conclusion of an assessment phase and the next steps.
3.9 Which certification measures are prescribed by the credit card organizations? By when does the certification have to be concluded? Visa and MasterCard have different requirements for merchants and service providers and, within these groups, distinguish between the type and size of the business.
> Further information for acquirers, payment service providers and data storage entities
> Further information for online merchants
3.10 How is my system checked over the Internet? The MasterCard security vendor or Visa qualified security assessor inspects the architecture and configuration of your Internet connection for weaknesses which an attacker could use to infiltrate your system. In doing so, your system is accessed over the Internet both manually and by security scanners, and is analyzed for weaknesses.
3.11 Can the timing of the scan be agreed? Yes. The scan schedule and plan of action can generally be agreed with the MasterCard security vendor or Visa qualified security assessor.
3.12 Does the scan involve an attempt to break into my system? The scan technique used by SRC, rather than breaking into your system, simply attempts to obtain information which could be used to infiltrate the target system (Network Scan).
3.13 By when must weaknesses be resolved? Insofar as testing identifies security deficits in a system, merchants should – above all in their own interests – implement the improvements immediately.
4. Certification Fees and Solicitation of Services
4.1 What will the overall total cost be? Costs arise from the registration of the certification status with MasterCard and the actual security assessment services. Pago will register with Visa and MasterCard after successful certification. MasterCard has a certification fee of US$ 200.00 for all merchants who save and/or process confidential credit card data in their own systems. Registration with Visa is cost-free.
4.2 How is the certification fee settled? After the certification status has been registered with MasterCard, Pago will debit the certification fee in the framework of its merchant billing & settlement procedures.
4.3 When are the security assessment fees due and how are they settled? The settlement of services in the SRC certification process is handled by Pago eTransaction Services GmbH on behalf of, and on the account of, SRC, Bonn. The costs will be debited in the Pago transaction invoice in the month in which a part-service is concluded. If an alternative MasterCard security vendor or Visa qualified security assessors is engaged, the security auditor will bill the merchant or service provider directly in accordance with its own terms of business.
4.4 Who commissions the security auditor to perform the certification? The merchant is entirely free to engage a security auditor of his choice. The SRC registration process generates, among other things, an order form which can then be used to requisition the necessary certification modules from SRC.
4.5 How should the SRC service packages described by Pago be interpreted? The packages correspond to the certification modules, as prescribed by the credit card organizations. The merchant applies for the audits by means of an order form, possibly also individually.
4.6 Which costs will arise as a result of the certification? Offers can vary from one provider to another. SRC will be offering the following service packages and conditions (all prices excluding VAT) for certifications on or after 01.05.2005:
Level 4 Merchant package: EUR 1,025.00
Level 2/3 Merchant package / Level 3 Service Provider package: EUR 2,600.00
Level 1 Merchant package / Level 1/2 Service Provider package: EUR 9,625.00 for 1 year (EUR 22,875.00 for 3 years)
The calculation of the prices for a period of three years assumes that no major changes are made to the audited infrastructure. This must be clarified between the merchant and SRC on a case-by-case basis. The quoted prices are valid for security scans of up to 8 IP addresses. The scan price for a further 12 IP addresses is EUR 525.00. The service includes one hour of consulting and the support of the merchant on standard workdays between 09.00h – 17.00h CET. SRC’s experts are available for further consulting services at an hourly rate of EUR 151.00 plus traveling expenses and out-of-pocket expenses (traveling time is billed at a rate of EUR 98.50 per hour).
4.7 How are the services of a single package settled? In the framework of the certification process, each rendered service will be settled individually after it has been called up.