If you’re here, it’s because you have just found out that your business has been placed on The MATCH List. It can be confusing to understand how you got there, because it is difficult to actually find out why. One of the most common reasons that businesses get placed on The MATCH List is PCI Data Security Standard Noncompliance. Keep reading to learn more about PCI Data Security Standard Noncompliance, The MATCH List, and how you can get off the list early and successfully.
MATCH stands for Member Alert to Control High-Risk Merchants. The list is a powerful national database that contains information about merchants and their principals whose credit card processing privileges have been terminated for cause. MasterCard Worldwide created and maintains the MATCH list, which is also commonly referred to as the Terminated Merchant File (TMF).
It exists because it serves as an industry blacklist that identifies merchants whose payment processing services have previously been terminated for certain enumerated reasons. Acquirers consult this list when evaluating whether to take on a merchant’s business. For acquirers, Mastercard Alert To Control High-risk Merchants (MATCH) lets an acquiring partner look up whether another acquiring partner has terminated a merchant in the past and the reason for said termination, to help with an onboarding decision.
While it works well to protect banks and credit card processors, it can be devastating for businesses. This is especially true because the reason you’re on The MATCH List is often no fault of your own, and no warning is given to you when you are placed on it.
The 13 reason codes for getting placed on the MATCH List, according to Mastercard, include:
As mentioned, one of the most common reasons that businesses are placed on The MATCH List is due to PCI Data Security Standard Noncompliance. It means that
According to Tokenex, the PCI DSS consists of 12 requirements, or demands, each made up of several more specific, related controls for a grand total of more than 300 security checks. For example, PCI Requirement 1 covers the construction and maintenance of a secure network infrastructure. Meeting this overall requirement entails confirming the presence of properly secured firewalls, routers, and other applications to prevent unauthorized access to the cardholder data environment.
Also according to Tokenex, the 12 requirements fall under six overarching categories. These six categories provide an overview of the security controls required for PCI compliance. The categories include:
1. Build and Maintain a Secure Network and Systems. This outlines requirements for network security. Specifically, it requires organizations to install and maintain firewalls and routers, and not to use vendor-supplied defaults. All of the controls in this category are about securing your network and implementing proper network security mechanisms.
2. Protect Cardholder Data. This is a data security category. It’s concerned with the protection of the data elements themselves, regardless of their form. That could be data in storage, in transit, in processing, or even in physical form, such as paper records like invoices or receipts. All of that data would be in scope, making tokenization and encryption appropriate measures for obfuscation.
3. Maintain a Vulnerability Management Program. This category is concerned with application security, so it details how an organization should protect its systems against malware, viruses, coding exploitations, and other items that affect application security. Potential solutions here could include antivirus software and security filters.
4. Implement Strong Access Control Measures. The first two requirements here address identity and access control measures. Identity refers to how to authenticate a user, and access control determines the user’s permission or access level to certain resources within your environment, specifically to cardholder data. The third aspect covers controls for physical access, such as requiring locks, cameras, etc., to prevent unauthorized physical access to a server room or data center.
5. Regularly Monitor and Test Networks. This requirement is not so much concerned with implementing new security mechanisms as with maintaining your existing ones and ensuring they are sufficient. You need to be able to monitor your own network and detect security incidents if and when they occur. You also need to test your security systems and code to ensure they are secure and functional, update and patch applications, and keep up with threat management for malware and viruses.
6. Maintain an Information Security Policy. This is essentially a policy that sets the tone for your entire organization’s information security strategy. It needs to address all of your employees and reflect your attitude toward PCI compliance and overall data security. This includes training programs and continuing education to ensure proper practices.
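Two of the categories above translate directly into code that a payment application can run: category 2 (protect cardholder data through tokenization and masking) and category 5 (monitor your own systems and detect when cardholder data leaks somewhere it should not be, such as application logs). The following Python example is added here for illustration and is not code from this page, from Tokenex, or from TFM Law. It assumes an in-memory dictionary as a stand-in for a real tokenization vault (a production system would use a hardened, access-controlled vault or HSM-backed service), and it uses the industry-standard test card numbers 4111111111111111 and 5555555555554444 as constructed sample input, not real cards. The masking keeps the first six and last four digits, the most that PCI DSS masking rules allow to be shown.

```python
import re
import secrets

# Constructed sample input: standard test card numbers, not real cards.
TEST_PAN_VISA = "4111111111111111"
TEST_PAN_MC = "5555555555554444"
# Constructed sample log line in which a developer logged a full PAN by mistake.
SAMPLE_LOG_LINE = "INFO checkout order=8812 card=4111 1111 1111 1111 amount=19.99"


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 13-19 digits and passes the Luhn check digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits, rest replaced."""
    if len(pan) < 11:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in tokenization service (assumption: a real deployment would use
    an HSM-backed vault with strict access control and audit logging).

    Tokens are random, carry no cardholder data except the last four digits
    for customer-facing display, and map back to the PAN only inside the vault.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:          # one token per PAN, idempotent
            return self._token_by_pan[pan]
        while True:
            token = "tok_" + secrets.token_hex(12) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text such as a log line.

    Luhn filtering removes most random digit runs, but long numeric ids can
    still pass by chance, so treat hits as alerts to review, not proof.
    """
    return [
        _digits_only(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN_VISA)
    print("store this instead of the PAN:", token)
    print("display this to the customer:", mask_pan(TEST_PAN_VISA))
    print("leaked PANs in log line:", find_unmasked_pans(SAMPLE_LOG_LINE))
    print("redacted log line:", redact_pans(SAMPLE_LOG_LINE))
```

Running the file prints a fresh random token, the masked number 411111******1111, the leaked PAN detected in the constructed log line, and the same line with the card number redacted. Wiring `redact_pans` into a logging filter keeps full PANs out of log storage, and running `find_unmasked_pans` over existing logs is a cheap check that a monitoring program under category 5 can schedule.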
If you are seeking early removal from The Match List and want to avoid ever being placed on it again in the future due to PCI Data Security Standard Noncompliance, you can follow this handy checklist.
If you have been placed on The MATCH List, you will have to wait five years to age out of the list. This means you cannot process credit cards for five years unless you find an expensive high-risk processor.
Luckily, you can seek early removal with the help of TFM Law.
If you have found yourself on The MATCH List, we can help you. The Law Offices of Theodore Monroe focuses on litigation and counseling in the areas of payments, credit card processing, e-commerce, direct response marketing, and Federal Trade Commission enforcement. Last year the firm got 100% of the people who came to us off The MATCH List.
Theodore F. Monroe, Founder of TFM Law, has successfully:
Before opening his firm, Mr. Monroe practiced law with Crosby, Heafey, Roach & May (now Reed Smith LLP) and Lewis, D’Amato, Brisbois & Bisgaard (now Lewis, Brisbois, Bisgaard & Smith), where he defended numerous accounting and law firms in professional liability actions, and insurance carriers in bad faith actions.
Before becoming a lawyer, Mr. Monroe worked as a forensic accountant at Coopers & Lybrand, which provided him a background in forensic accounting and financial analysis that is unique among litigators in Los Angeles. Mr. Monroe studied at Duke University Law School, achieved a BS with Honors, Accounting, University of Kentucky, and is a member of the California State Bar and the Kentucky State Bar.