Canada
US
You are now leaving our website and entering a third-party website over which we have no control.
TD Merchant Solutions data security
Ensure the safety of your cardholder data to help prevent theft
Staying current with industry standards
-
What is PCI DSS?
-
12 principle
requirements -
Why data
security matters -
Tips for protecting
your data -
For Merchants
Payment Card Industry Data Security Standard (PCI DSS)
The efforts of PCI DSS are designed to help you prevent the theft of confidential consumer cardholder data by assessing whether that data is secure within your organization and, if necessary, improving your level of security to meet or exceed industry standards.
We have included vital information below to help ensure you are informed about data security and provide direction on your role in maintaining cardholder data security.
Upholding the standard
PCI DSS requires any organization that collects, processes, transmits or stores cardholder data, to uphold and maintain the data security standards that are set by the payment industry worldwide, and which are managed by the PCI Security Standards Council (PCI SSC).
All merchants who handle cardholder data must comply with PCI DSS and the Payment Card Networks’ Compliance Programs. Merchants that don't comply may be subject to fines, fees or assessments and/or termination of their processing services.
Visa compliance program
Visa Canada’s Payment Application Compliance Program provides clear direction to acquirers in terms of timelines for ensuring their merchants (both new and existing) who use payment application software to process transactions, only use software that's been validated against PCI DSS requirements.
Learn more about Visa Canada’s Payment Application Compliance Program
More data security information
12 principles of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The result is a comprehensive standard intended to help organizations protect consumer cardholder data.
Below are the twelve principle requirements of PCI DSS.
Build and maintain a secure network
-
Install and maintain a firewall configuration to protect cardholder data
-
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
-
Protect stored cardholder data
-
Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
-
Use and regularly update anti-virus software
-
Develop and maintain secure systems and applications
Implement strong access control measures
-
Restrict access to cardholder data by business need-to-know
-
Assign a unique ID to each person with computer access
-
Restrict physical access to cardholder data
Regularly monitor and test networks
-
Track and monitor all access to network resources and cardholder data
-
Regularly test security systems and processes
Maintain an information security policy
-
Maintain a policy that addresses information security
To find out more about PCI DSS and view related documentation, visit the PCI Security Standards Council website.
Why data security matters
The more frequently credit and debit cards are used by consumers the more cardholder account information is being processed and potentially kept on file.
The result is the increased potential for fraudulent use of this data if organizations do not take the necessary steps to proactively collect and store this data in a secure manner. The PCI DSS program provides these organizations consistent standards to follow to maintain the integrity of the consumer cardholder data being collected and stored.
Consider the following key benefits to your business that protecting cardholder data can provide.
1. Builds consumer trust
Many customers not only seek out merchants they feel they can trust, but are also likely to return to those businesses and tell others. In a 2006 Visa-sponsored survey that spanned 12 countries, consumers ranked the security of personal and financial information as their number one concern. These consumers also indicated that merchant data security practices can influence their desire to purchase products and services.
Complying with industry standards helps demonstrate your commitment to protect your customers’ confidential payment information. This security is essential to build and maintain consumer trust.
2. Strengthens security
The main goal of PCI DSS is to protect confidential data at all points in the payment system. Complying with the program improves awareness of data security and helps you strengthen security measures to minimize the possibility of data security attacks
3. Avoids unnecessary costs
Implementing a strong data security policy will help you prevent a security breach that could cost your business by damaging your reputation and your bottom line.
Data breaches resulting from weak security practices could make your business vulnerable to costly forensic review, litigation, penalties and an overall drain on your business operations.
By implementing effective data security standards, you can avoid these expenses and protect your business’s good name.
4. Maintains a positive image
Being compliant with PCI DSS goes a long way toward protecting your reputation in the eyes of your customers and the press, given growing public concerns about safeguarding personal data.
5. Gains a competitive edge
A strong data security policy can help you build a reputation for trustworthiness and reliability. When your customers are confident their confidential account information is safe with you, their repeat business will boost your bottom line and give you an advantage over the competition.
Keeping your customer data safe from hackers
Follow these helpful security tips to protect your cardholder's information, as well as your business:
-
Storage
Keep cardholder information storage to a minimum and never store the information contained in a credit or debit card’s magnetic stripe. -
Accounts
When you no longer need the account information, destroy it in a secure fashion. Never store the CVV, CVV2 or PIN. -
Network
Ensure that your payment card acceptance environment is properly separated from public networks such as the Internet, and test your company’s security systems on a regular basis.
-
Passwords
Change system passwords and security codes from those supplied originally by software manufacturers. -
Encryption
Encrypt all payment card information stored on the processor’s computers, as well as any card data transmitted over the Internet or other open public network. -
Access
Only provide employees with access to customer data on a need-to-know basis, and ensure they each receive a unique ID. You should also have an information security policy that spells out rules for employees who handle customer data.
Making compliance a priority in your business
- Software
Review software and update preferences (especially your anti-virus and operating system) to ensure account information is not being stored without your knowledge. Check to see if your software is PA-DSS compliant.
- Compliance
Comply with security audits according to the PCI requirements found at the PCI Security Standards Council website,which includes all third-party suppliers with access to cardholder data.
Compliance with the PCI DSS
All merchants that store, process, or transmit cardholder data must comply with PCI DSS and validate their compliance using the appropriate method.
Below are the descriptions of the merchant levels and the validation requirements for each level, as determined by Visa Canada.
Merchant levels and validation requirements
Below you'll find the descriptions and validation requirements for each merchant level, as determined by Visa Canada.
|
Description |
Validation Requirements |
Validated By |
|
|---|---|---|---|
|
Merchant Level 1 |
Any merchant processing over 6,000,000 Visa transactions annually |
|
|
|
Merchant Level 2 |
Any merchant processing between 1,000,000 and 6,000,000 Visa transactions annually |
|
|
|
Merchant Level 3 |
Any merchant processing between 20,000 and 1,000,000 Visa e-commerce transactions annually |
|
|
|
Merchant Level 4 |
Any merchant processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1,000,000 Visa transactions annually. |
|
To help you meet your PCI compliance requirements, the PCI Security Standards Council offers resources for small Merchants.
For more information, please visit PCI Security Standards Council website. |
Ensure your information is secure and you're PCI-compliant
Service provider compliance
A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of a merchant or other service providers. All service providers are required to comply with PCI DSS, including validating their compliance to PCI DSS through the services of a Qualified Security Assessor (QSA).
For more information regarding the compliance requirements for service providers and to see a list of service providers that have validated their compliance to PCI DSS please see:
Payment Application Data Security Standard
The Payment Application Data Security Standard (PA-DSS) is managed by the PCI SSC, and is intended to help software vendors develop secure third-party payment applications that support the PCI DSS standard.
All payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. Whereas applications that aren't intended for third parties are not subject to the PA-DSS – but they must still be secured in accordance with the PCI DSS.
Lastly, standalone point-of-sale terminals, database software and web server software are not applicable to the PA-DSS.
For more information on PA-DSS including a list of compliant payment applications, visit the PCI Security Standards Council website.