Thursday, February 20, 2014

PCI DSS and PA-DSS Now in Nine Languages

WAKEFIELD, Mass., 20 February, 2014 — Today, the PCI Security Standards Council (PCI SSC), an open global forum for the development of payment card security standards, announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages. Organizations worldwide can now benefit from increased understanding of PCI Standards in their native language.

PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council's global constituents and in response to market needs. More than 50% of this feedback came from outside of the U.S., emphasizing the Council's active international membership base. Version 3.0 helps organizations worldwide make payment security part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.

The PCI SSC website supports translated pages and PCI materials, including the new PCI DSS v3.0 and PA-DSS v3.0, in the following languages: Chinese, French, German, Italian, Japanese, Portuguese, Russian and Spanish.

See the full news release here:

https://www.pcisecuritystandards.org/pdfs/14_02_20_PCI_DSS_IN_9_LANGUAGES.pdf

Wednesday, February 19, 2014

Accepting Unsigned Payment Cards

I received this question from one of our departments today regarding card acceptance procedures. I did some research to see if things had changed since I last looked, and thought some of you might find the following useful.

"Would you confirm whether or not PCI or the credit card industry requires a signature on the back of cards? Our current procedure requires that the card be signed and/or another form of ID is presented. While updating our procedures we thought we should confirm this."
 
All payment cards have words like "Not valid unless signed" adjacent to the signature panel on the back of the cards. It means exactly that, regardless of what a customer may have seen somewhere on the Internet or on TeeVee. The signature needs to be on the card even if the customer has written "See ID" on the back of their card. A payment card must be used according to the terms of the issuing bank (who actually owns the card) and the card brands. Those terms tell the customer they must sign the card or it is not valid for purchases.

The merchant is responsible for comparing the signature on the back of the card with the signature on the sales draft. This is a security check required by Visa, MasterCard and the other card brands. If the signatures don't match, call for authorization.

If the card is unsigned then you can ask the customer for government-issued photo ID and have them sign the card in your (the merchant's) presence. Then the purchase may be processed. If the customer refuses to sign the card it may not be accepted. Ask them for another form of payment.

This is addressed in each of the individual card brands' operating procedures. Here are some excerpts from the MasterCard and Visa programs.

MasterCard Rules

See http://www.mastercard.com/us/company/en/whatwedo/merchant_rules.html for MasterCard's merchant documents.

Transaction Processing Rules
See Merchant Acceptance Procedures on pages 3-1 to 3-3.

Unsigned Cards

If a MasterCard Card is presented to a Merchant representative and the Card is not signed, the Merchant representative must:

  1. Obtain an authorization from the Issuer;
  2. Ask the Cardholder to provide identification (but not record the Cardholder identification information); and
  3. Require the Cardholder to sign the Card.

The Merchant must not complete the Transaction if the Cardholder refuses to sign the Card.

Visa

See http://usa.visa.com/merchants/merchant-support/resources/library.jsp for a collection of documents for merchants.

Card Acceptance Guidelines for Visa Merchants
See Cardholder Verification and Identification, pp. 32-33.

Unsigned Cards

While checking card security features, you should also make sure that the card is signed. An unsigned card is considered invalid and should not be accepted. If a customer gives you an unsigned card, the following steps must be taken:

  • Check the cardholder's ID. Ask the cardholder for some form of official government identification, such as a driver's license or passport. Where permissible by law, the ID serial number and expiration date should be written on the sales receipt before you complete the transaction.
  • Ask the customer to sign the card. The card should be signed within your full view, and the signature checked against the customer’s signature on the ID. A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed Visa card.
  • Compare the signature on the card to the signature on the ID.

Please note: According to Visa, requiring a customer to provide a photo ID cannot be used as a condition for accepting payment cards, EXCEPT in the case where the card does not have a signature. Interestingly, this is different for MasterCard.

I strongly recommend reading the documents mentioned above. There are many requirements and guidelines besides PCI DSS that merchants must follow. Don't rely on just the short snippets I provided here when updating your payment card handling procedures.