Security Rules and Procedures—Merchant Edition
27 February 2020 (SPME)
©1991–2020 Mastercard. Proprietary. All rights reserved.

Contents

Chapter 1: Customer Obligations .......... 8
  1.1 Compliance with the Standards .......... 9
  1.2 Conflict with Law .......... 9
  1.3 The Security Contact .......... 9
  1.4 Connecting to Mastercard—Physical and Logical Security Requirements .......... 9
    1.4.1 Minimum Security Requirements .......... 10
    1.4.2 Additional Recommended Security Requirements .......... 11
    1.4.3 Ownership of Service Delivery Point Equipment .......... 11
    1.4.4 Component Authentication .......... 11

Chapter 2: Cybersecurity Standards and Programs .......... 12
  2.1 Cybersecurity Standards .......... 13
    Cybersecurity Minimum Requirement .......... 13
    Cybersecurity Best Practice .......... 13
    2.1.1 Payment Card Industry (PCI) Security Standards .......... 14
  2.2 Mastercard Site Data Protection (SDP) Program .......... 16
    2.2.1 Customer Compliance Requirements .......... 17
    2.2.2 Merchant Compliance Requirements .......... 17
      Level 1 Merchants .......... 18
      Level 2 Merchants .......... 18
      Level 3 Merchants .......... 19
      Level 4 Merchants .......... 19
    2.2.3 Service Provider Compliance Requirements .......... 19
      Level 1 Service Providers .......... 20
      Level 2 Service Providers .......... 20
    2.2.4 Mastercard Cybersecurity Incentive Program (CSIP) .......... 20
      Mastercard PCI DSS Risk-based Approach .......... 20
      Mastercard PCI DSS Compliance Validation Exemption Program .......... 21
    2.2.5 SDP Program Noncompliance Assessments .......... 23
    2.2.6 Mandatory Compliance Requirements for Compromised Entities .......... 24
  2.4 PIN Security Standards .......... 24
    2.4.1 PIN Entry Devices (PEDs) and Encrypting PIN Pads (EPPs) .......... 25
      Secure Deployment and Management of PEDs and EPPs .......... 25
    2.4.2 Software-based PIN Entry using PIN CVM Applications .......... 26
      Secure Deployment and Management of PIN CVM Applications .......... 26

Chapter 3: Card and Access Device Design Standards .......... 28
  3.11 Consumer Device Cardholder Verification Methods .......... 29
    3.11.1 Mastercard Qualification of Consumer Device CVMs .......... 29
    3.11.2 CDCVM Functionality .......... 29
    3.11.3 Persistent Authentication .......... 31
    3.11.4 Prolonged Authentication .......... 31
    3.11.5 Maintaining Mastercard-qualified CVM Status .......... 31
    3.11.7 Use of a Vendor .......... 32
    3.12.4 Acquirer Requirements for CVC 2 .......... 32
  3.13 Service Codes .......... 32
    3.13.2 Acquirer Information .......... 33
    3.13.3 Valid Service Codes .......... 33
    3.13.4 Additional Service Code Information .......... 34

Chapter 4: Terminal and PIN Security Standards .......... 35
  4.1 Personal Identification Numbers (PINs) .......... 36
  4.3 PIN Verification .......... 36
  4.5 PIN Encipherment .......... 36
  4.6 PIN Key Management .......... 37
    4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System .......... 37
    4.6.2 On-behalf Key Management .......... 38
  4.7 Terminal Security Standards .......... 39
  4.8 Hybrid Terminal Security Standards .......... 39
  4.9 Triple DES Standards .......... 40

Chapter 5: Card Recovery and Return Standards .......... 41
  5.1 Card Recovery and Return .......... 42
    5.1.1 Card Retention by Merchants .......... 42
      5.1.1.1 Returning Recovered Cards .......... 42
      5.1.1.2 Returning Counterfeit Cards .......... 42
      5.1.1.3 Liability for Loss, Costs, and Damages .......... 43

Chapter 6: Fraud Loss Control Standards .......... 44
  6.2 Mastercard Fraud Loss Control Program Standards .......... 45
    6.2.2 Acquirer Fraud Loss Control Programs .......... 45
      6.2.2.1 Acquirer Authorization Monitoring Requirements .......... 45
        6.2.2.1.1 Additional Acquirer Authorization Monitoring Requirements for High-Risk Negative Option Billing Merchants .......... 45
      6.2.2.2 Acquirer Merchant Deposit Monitoring Requirements .......... 46
      6.2.2.3 Acquirer Channel Management Requirements .......... 47
      6.2.2.4 Recommended Additional Acquirer Monitoring .......... 47
      6.2.2.5 Recommended Fraud Detection Tool Implementation .......... 47
      6.2.2.6 Ongoing Merchant Monitoring .......... 48
  6.3 Mastercard Counterfeit Card Fraud Loss Control Standards .......... 48
    6.3.1 Counterfeit Card Notification .......... 48
      6.3.1.2 Notification by Acquirer .......... 48
      6.3.1.3 Failure to Give Notice .......... 49
    6.3.2 Responsibility for Counterfeit Loss .......... 49
      6.3.2.1 Loss from Internal Fraud .......... 49
      6.3.2.3 Transactions Arising from Unidentified Counterfeit Cards .......... 49
    6.3.3 Acquirer Counterfeit Liability Program .......... 49
      6.3.3.1 Acquirer Counterfeit Liability .......... 50
      6.3.3.2 Acquirer Liability Period .......... 50

File: PDF, 181 pages, English
