The security of payment card data is not the same as it was 10 or 15 years ago. The massification of EMV chips and contactless transactions, the use of tokenization, the implementation of P2PE controls and the deployment of payment terminals aligned with the PCI PTS POI standard make the security of the process optimized and the risk on the trade side declines. In that sense, payment brands have established certain rules so as not to have to submit PCI DSS compliance reports annually. Below, we list the exemption programs currently in place by major payment card brands.

Note:

The following exemption programs are for merchants (merchants). Does not apply to service providers.
These programs exempt from PCI DSS compliance reporting, but not from the implementation of controls.
Programmes may be limited to specific geographical areas. Check the detail.
Before applying for any exemption, it is important to contact the acquirer and/or payment brands for more information.

Mastercard Cybersecurity Incentive Program (CSIP)

Mastercard has implemented the Mastercard's Cybersecurity Incentive Program (Cybersecurity Incentive Program – CSIP), which provides for a number of exemptions from the reporting of compliance with PCI DSS for traders who meet specific requirements (use of EMV technologies, PCI SSC-listed solutions or use of a suite of risk management and security tools), in order to incentivise the use of security technologies. CISP is part of Mastercard's data protection program (Site Data Protection – SDP) and includes three categories: Risk-based Approach, Validation Exemption Program (VEP) y Compliance and Validation Exemption Program (C-VEP).

Risk-based approach (Risk-based Approach)

A Tier 1 or 2 trader who meets the requirements and is located outside the U.S. region can use the risk-based approach, reducing the trader’s compliance requirements to the validation of compliance with the first two of the six total milestones set out in the priority approach to achieving compliance with the PCI DSS standard (The Prioritized Approach to Pursue PCI DSS Compliance), as follows:

  • A Tier 1 trader must validate compliance through a PCI DSS assessment that results in the completion of an ROC performed by a PCI SSC-approved QSA or a PCI SSC-certified ISA;
  • A Tier 2 trader must validate compliance using a SAQ. Tier 2 traders completing SAQ A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation; y
  • Each Tier 1 and Tier 2 trader should annually revalidate the fulfilment of milestones one and two using a SAQ.

To comply with the risk-based approach, a trader must satisfy all of the following requirements:

  • The trader must certify that it does not store confidential authentication data (Sensitive Authentication Data – SAD).
  • On an ongoing basis, the merchant must keep the "no card present" transaction environment completely separate (card-not-present – CNP) of the ‘face-to-face’ transaction environment (card present – CP). A face-to-face transaction requires the card, cardholder and merchant to be present together at the time and place of the transaction.
  • For a trader located in the Europe region, at least 95 % of the total annual Mastercard and Master Merchant present card transactions must be carried out on hybrid POS terminals.
  • For a trader located in the Asia/Pacific region, the Canada region, Latin America and the Caribbean Region, or the Middle East/Africa Region, at least 75 % The total annual count of the Mastercard and Maestro merchant transactions with card present must be performed on hybrid POS terminals.
  • The trader must not have experienced an event Account Data Compromise (ADC) or a potential ADC event in the last 3 years, including, but not limited to, pending liabilities or actions preventing the complete closure of the ADC event. At Mastercard's discretion, this and other criteria may be waived if the merchant validated full compliance with PCI DSS at the time of the ADC event or potential ADC event.
  • The merchant must annually establish and test an incident response plan in accordance with PCI DSS requirements.

Validation Waiver Program (Validation Exemption Program – VEP)

All traders (merchants) categorised as Level 1, 2, 3 and 4 that meet the requirements and use secure technologies, such as EMV chip technology, a PCI-listed point-to-point encryption solution (P2PE), a mobile POS acceptance solution (MPOS EMV) such as SPoC, CPoC or Mpocc, or EMV payment tokenisation, may participate in the Validation Waiver Program (VEP), exempting the trader from validating its compliance with PCI DSS on an annual basis, unless the trader’s involvement conflicts with the applicable law or regulation requiring such validation.
To participate in the VEP, a duly authorised and empowered official of the trader must certify in writing to the acquirer of the trader that the latter has complied with all of the following requirements:

  1. The merchant does not store confidential authentication data. The acquirer must notify Mastercard, by means of a compliance validation report, of the status of the merchant's storage of confidential authentication data.
  2. Mastercard must not have identified the merchant as being affected by an ADC incident or a potential ADC incident during the previous three years, including, but not limited to, outstanding liabilities or actions preventing the complete closure of the ADC incident;
  3. The trader has established and annually tests an incident response plan in accordance with the requirements of PCI DSS; y
  4. The trader has fulfilled one of the following requirements:
    a. At least 75 % of the total annual Mastercard and Maestro transactions acquired by the merchant is processed through hybrid POS terminals, as determined based on the merchant's transactions processed during the previous twelve (12) months through the Global Clearing Management System (GCMS) and/or the Single Message System. Transactions that have not been processed by Mastercard may be included in the annual count
    of transactions acquired if the data is readily available to Mastercard;
    b. The trader has implemented a P2PE solution listed on the PCI SSC website;
    c. The merchant has implemented an MPOS EMV acceptance solution, such as SPoC, CPoC or Mpocc, listed on the PCI SSC website; O
    d. At least 75 % the total annual count of Mastercard and Maestro transactions acquired by the merchant is processed using tokens TSP Mastercard compliant with the PCI Token Service Provider (PCI TSP) standard.

As a recommended practice, eligible traders are recommended to validate compliance with the PCI DSS standard in the twelve (12) months prior to joining the VEP.

The acquirer must retain all merchant eligibility certifications for VEP for a minimum of five (5) years. Upon Mastercard's request, the acquirer must provide a merchant's certification of eligibility for the VEP and any documentation and/or other information applicable to such certification. The acquirer is responsible for ensuring that each VEP certification is truthful and accurate.

A merchant who does not meet the VEP eligibility criteria, including any merchant whose transaction volume comes primarily from e-commerce that does not use EMV payment acceptance channels or mail/telephone (MO/TO) order acceptance channels, should continue to validate its compliance with the PCI DSS standard.

All merchants must maintain continuous compliance with the PCI DSS standard, regardless of whether annual validation of compliance is a requirement or not.

Compliance Exemption and Validation Programme (Compliance and Validation Exemption Program – C-VEP)

A trader that meets the level 3 or level 4 requirements and that integrates a cybersecurity and risk management toolkit may participate in the Compliance Waiver and Validation Program (C-VEP), which exempts the trader from complying with the PCI DSS and validating its compliance with Mastercard annually, unless the trader’s involvement conflicts with the applicable law or regulation requiring such compliance and validation.

In order to participate or continue to participate in the C-VEP, the acquirer and the trader must meet all of the following requirements:

  1. The merchant does not store confidential authentication data.
  2. The merchant has not been identified by Mastercard as being affected by an ADC event or potential ADC event (as defined in section 10.1 of this manual) during the previous three years, including, but not limited to, outstanding liabilities or actions preventing the complete closure of the ADC event;
  3. An incident response plan has been established and tested annually by the trader;
  4. The acquirer provides the trader with a set of cybersecurity and risk management tools that, at a minimum, includes each of the following elements:
    a. Continuous risk assessment and scoring;
    b. Web malware monitoring;
    c. Protection against identity theft, including:
    i. Dark web monitoring;
    ii. Monitoring of online social networks;
    iii. Credit supervision; y
    iv. Person-based identity theft repair service and security awareness education.
  5. The continuous assessment and scoring of the trader’s risk by the acquirer should identify the risks addressed by each of the following elements (together, the ‘correction tools’):
    a. Protection of terminals, including:
    i. Antivirus.
    ii. Monitoring the integrity of files.
    iii. Policy scan.
    iv. Detection of threats in terminals.
    b. Inventory and monitoring of website scripts;
    c. Authenticated vulnerability management enabling the detection of external and internal vulnerabilities with credential-based authentication for network assets;
    d. Detection and protection against network threats, including:
    i. Domain name system (DNS) security;
    ii. Protection against bots; y
    iii. Web application firewalls;
    e. Information management and security events (SIEM); y
    f. Data encryption management;
  6. The acquirer shall use a correction tool if the continuous risk assessment and scoring of the acquirer detects any vulnerability in a trader; y
  7. The acquirer shall perform continuous risk assessments and risk scores for the correction tools at least once a quarter, and without delay after the implementation of a correction tool for a trader.

The acquirer shall retain all merchant eligibility certifications for the C-VEP for a minimum of five (5) years. Upon Mastercard's request, the acquirer shall provide a merchant's certification of eligibility for the C-VEP and any documentation and/or other information applicable to such certification. The acquirer is responsible for ensuring that each C-VEP certification is truthful and accurate.

A merchant who does not meet the C-VEP eligibility criteria must continue to validate its compliance with the PCI DSS standard annually.

VISA Technology Innovation Program (TIP)

For its part, Visa has established the program Technology Innovation Program (TIP) to benefit those merchants in the United States have taken steps to help prevent counterfeit fraud by investing in secure technology. This program rewards eligible merchants by eliminating the requirement to verify compliance with the PCI DSS standard when at least 75 % of the annual transactions originate through EMV chip terminals, a validated point-to-point encryption solution or an industry-standard integrated tokenization solution that meets the EMVCo tokenization specification.

For be able to participate in the programme and benefit from its benefits, US traders must meet all of the following criteria:

  1. Confirm that confidential authentication data (i.e. full magnetic stripe content, card 2 verification value (CVV2) and PIN data) is not stored after transaction authorization as defined in the Payment Card Industry Data Security Standard (PCI DSS).
  2. Make sure that at least 75 % of all transactions originate through one of the following secure acceptance channels:
    – Chip-readable and operational terminals (US traders must meet volume criteria with contact/non-contact dual interface terminals). Chip-enabled terminals must have a valid and up-to-date EMV approval and pass the test requirements of the Acquirer Device Validation Toolkit (ADVT), the Contactless Assessment Toolkit (CDET) and the Visa payWave Test Tool (VpTT), as applicable.
    – Validated point-to-point encryption service: The point-to-point encryption solution must be included in the PCI Security Standards Council list of validated solutions or independently validated by a qualified PCI Security Standards Council point-to-point encryption company.
  3. Not be involved in the data breach of cardholders. A trader who has suffered a breach is eligible for TIP if he has subsequently validated compliance with the PCI DSS standard.

Merchants who do not meet the program's terminalization requirements, including merchants whose transaction volume comes primarily from e-commerce acceptance channels and mail/telephone (MO/TO) orders, remain required to validate compliance with the PCI DSS standard annually, in accordance with Visa's compliance programs.

American Express Security Technology Enhancement Program (STEP)

The Safety Technology Improvement Program (STEP) is a way for American Express to recognize merchants who implement additional security technologies to improve the security of cardholder data and sensitive authentication data.

In order to qualify for the Security Technology Improvement Program (STEP), there are several requirements that must be met:

  1. Current compliance with the PCI DSS standard.
  2. Absence of data-related incidents in the last 12 months.
  3. At least 75 % of transactions with your American Express card are made:
    o Through EMV-compatible terminals; or
    o Using a point-to-point encryption (P2PE) solution included in the List of PCI Security Standards Council, or
    o Using a peer-to-peer encryption solution approved by a qualified security evaluator (QSA).

In this case, only sending is required the STEP Annual Validation Form and annual PCI DSS compliance or ASV scans will not be required.

QSA recommendations

Although the exemption programs mentioned above were defined by payment brands as an incentive to use technologies that minimize risk in the management of payment card data, it is very important to establish the clear differences between Compliance and Security. In this case, the objective of these programs is to minimize the reporting of PCI DSS compliance, but not to exonerate merchants from the implementation of controls. PCI DSS controls must continue to be implemented, which changes is the need to submit compliance reports annually as part of the compliance chain.

In that sense, my recommendation as a QSA is that, if the entity meets the requirements required by the exemption programs, contact your acquirer and/or the payment brands and proceed. But again, this does not mean that PCI DSS standard controls are not implemented or no longer monitored. Simply, as there is a secure technology in the environment (transactions with EMV chips, P2PE solutions or tokenization), the risk exposure is lower and, therefore, there is more flexibility and confidence in the trader, which is an added value when using these technologies.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply