CyberSource PCI Program

With the constant threat of security breaches looming over your business, it is more critical now than ever to secure your payment processes and protect your customer account data. Starting is easy: the Payment Card Industry (PCI) Security Council developed a set of 12 comprehensive requirements called the PCI Data Security Standard, or PCI DSS. All merchants must meet the PCI DSS requirements to be in full compliance with their CyberSource Merchant Services Agreement.

All of our merchants must be PCI DSS compliant by July 30th, 2010. Non-compliant merchants shall be charged a fee of $25 per month effective July 30th, 2010. This fee will be applied monthly until you validate your compliance with the PCI DSS. In addition, CyberSource reserves the right to terminate your agreement if you fail to comply with PCI DSS.

Choose one of the following ways to validate your compliance with the PCI DSS:

  1. Engage the services of our partner Trustwave, who will provide you with tools to help you validate your PCI DSS compliance and industry best practices so that you can continue to protect your business in the long term. To get started, visit the secure portal at https://pci.trustwave.com/cybersource where you will be asked a series of questions about how you process payments, so that they may guide you down the compliance path best suited to your business. A monthly fee will be applied to your account if you choose to take advantage of the Trustkeeper® compliance portal service. If your business requires network scans to achieve compliance then a monthly fee of $9.99 will be applied to your account. If your business does not require network scans to achieve compliance then a monthly fee of only $3.99 will be applied to your account. All CyberSource merchants that sign up for the Trustwave services will receive a free Organization Validation (OV) SSL certificate.

  2. If you already completed your compliance process with a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor) recognized by the PCI Security Council, you must upload your compliance documentation to the secure portal (https://pci.trustwave.com/cybersource). You are required to keep your compliance documentation current and will not be charged any fees for the upload.

  3. Perform a self-assessment: visit the PCI Security Council website (http://www.pcisecuritystandards.org) to find the appropriate Self-Assessment Questionnaire, then upload your compliance documentation to the secure portal (https://pci.trustwave.com/cybersource). You are required to keep the documentation current and will not be charged any fees for the upload. If you have difficulty with the self-assessment, we highly recommend that you engage Trustwave as described in option #1 above.

PCI 101 Webinar

To learn more about PCI DSS and how it affects you, please watch our PCI DSS 101 webinar.

The PCI Data Security Standard (PCI DSS)

For your convenience, here is the set of 12 requirements developed by the PCI Data Security Council that all merchants must meet in order to be compliant with the PCI DSS. For more information about these requirements, please visit the PCI Security Council website at http://www.pcisecuritystandards.org.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Trustwave is a leading provider of on-demand information security and compliance management solutions for merchants large and small. Trustwave is both a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) for the card associations. CyberSource has partnered with Trustwave to help our merchants become PCI DSS compliant. All CyberSource merchants that sign up for Trustwave services will receive a free Organization Validation (OV) SSL Certificate. For more information about Trustwave and how they can help you become PCI DSS compliant, please visit https://pci.trustwave.com/cybersource.