What Is PCI Data Security Standard Noncompliance?
If you’re here, it’s because you have just found out that your business has been placed on The MATCH List. It can be confusing to understand how you got here because it is actually difficult to find out why. One of the most common reasons that businesses get placed on The MATCH List is PCI Data Security Standard Noncompliance. Keep reading to learn more about PCI Data Security Standard Noncompliance, The MATCH List, and how you can get off the list early and successfully.
Understanding The MATCH List
MATCH stands for Member Alert to Control High-Risk Merchants. The list is a powerful national database that contains information about merchants and their principals whose credit card processing privileges have been terminated for cause. MasterCard Worldwide created and maintains the MATCH list, which is also commonly referred to as the Terminated Merchant File (TMF).
It serves as an industry blacklist that identifies merchants whose payment processing services have previously been terminated for certain enumerated reasons. Acquirers consult this list when evaluating whether to take on a merchant’s business. For acquirers, Mastercard Alert To Control High-risk Merchants (MATCH) lets an acquiring partner look up whether another acquiring partner has terminated a merchant in the past, and the reason for that termination, to help with an onboarding decision.
While it works great to help protect banks and credit card processors, it can be devastating for businesses. This is especially true because, often, the reason you’re on The MATCH List is due to no fault of your own, and there is no warning given to you when you are placed on The MATCH List.
All The Reasons You Can Be Put On The MATCH List
The 13 reason codes for getting placed on the MATCH List, according to Mastercard, include:
- Account Data Compromise: An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of Account data.
- Common Point of Purchase (CPP): Account data is stolen at the Merchant and then used for fraudulent purchases at other Merchant locations.
- Laundering: The Merchant was engaged in laundering activity. Laundering means that a Merchant presented to its Acquirer Transaction records that were not valid Transactions for sales of goods or services between that Merchant and a bona fide Cardholder.
- Excessive Chargebacks: With respect to a Merchant reported by a Mastercard Acquirer, the number of Mastercard chargebacks in any single month exceeded 1% of the number of Mastercard sales Transactions in that month, and those chargebacks totaled USD 5,000 or more. With respect to a merchant reported by an American Express acquirer (ICA numbers 102 through 125), the merchant exceeded the chargeback thresholds of American Express, as determined by American Express.
- Excessive Fraud: The Merchant effected fraudulent Transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting Standard: the Merchant’s fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the Merchant effected 10 or more fraudulent Transactions totaling USD 5,000 or more in that calendar month.
- Fraud Conviction: There was a criminal fraud conviction of a principal owner or partner of the Merchant.
- Mastercard Questionable Merchant Audit Program: The Merchant was determined to be a Questionable Merchant as per the criteria set forth in the Mastercard Questionable Merchant Audit Program (section 8.4 of the Mastercard manual these reason codes are taken from).
- Bankruptcy/Liquidation/Insolvency: The Merchant was unable or is likely to become unable to discharge its financial obligations.
- Violation of Standards: With respect to a Merchant reported by a Mastercard Acquirer, the Merchant was in violation of one or more Standards that describe procedures to be employed by the Merchant in Transactions in which Cards are used, including, by way of example and not limitation, minimum/maximum Transaction amount restrictions and prohibited Transactions set forth in Chapter 5 of the Mastercard Rules manual. With respect to a merchant reported by an American Express acquirer (ICA numbers 102 through 125), the merchant was in violation of one or more American Express bylaws, rules, operating regulations, and policies that set forth procedures to be employed by the merchant in transactions in which American Express cards are used.
- Merchant Collusion: The Merchant participated in fraudulent collusive activity.
- PCI Data Security Standard Noncompliance: The Merchant failed to comply with Payment Card Industry (PCI) Data Security Standard requirements.
- Illegal Transactions: The Merchant was engaged in illegal Transactions.
- Identity Theft: The Acquirer has reason to believe that the identity of the listed Merchant or its principal owner(s) was unlawfully assumed for the purpose of unlawfully entering into a Merchant Agreement.
Reason Code 11: PCI Data Security Standard Noncompliance
As mentioned, one of the most common reasons that businesses are placed on The MATCH List is due to PCI Data Security Standard Noncompliance. It means that the Merchant failed to comply with Payment Card Industry (PCI) Data Security Standard requirements. But, what are the requirements?
According to Tokenex, the PCI DSS consists of 12 requirements, or demands, each made up of several more specific, related controls for a grand total of more than 300 security checks. For example, PCI Requirement 1 covers the construction and maintenance of a secure network infrastructure. Meeting this overall requirement entails confirming the presence of properly secured firewalls, routers, and other applications to prevent unauthorized access to the cardholder data environment.
PCI Security Checklist
Also according to Tokenex, the 12 requirements fall under six overarching categories. These six categories provide an overview of the security controls required for PCI compliance. The categories include:
1. Build and Maintain a Secure Network and Systems. This outlines requirements for network security. Specifically, it requires organizations to install and maintain firewalls and routers, and not to use vendor-supplied defaults. All of the controls in this category are about securing your network and implementing proper network security mechanisms.
2. Protect Cardholder Data. This is a data security category. It’s concerned with the protection of the data elements themselves, regardless of their form. That could be data in storage, in transit, in processing, or even in physical form, such as paper records like invoices or receipts. All of that data would be in scope, making tokenization and encryption appropriate measures for obfuscation.
3. Maintain a Vulnerability Management Program. This category is concerned with application security, so it details how an organization should protect its systems against malware, viruses, coding exploitations, and other items that affect application security. Potential solutions here could include antivirus software and security filters.
4. Implement Strong Access Control Measures. The first two requirements here address identity and access control measures. Identity refers to how to authenticate a user, and access control determines the user’s permission or access level to certain resources within your environment, specifically to cardholder data. The third aspect covers controls for physical access, such as requiring locks, cameras, etc., to prevent unauthorized physical access to a server room or data center.
5. Regularly Monitor and Test Networks. This requirement is not so much concerned with implementing new security mechanisms as with maintaining your existing ones and ensuring they are sufficient. You need to be able to monitor your own network and detect security incidents if and when they occur. You also need to test your security systems and code to ensure they are secure and functional, update and patch applications, and keep up with threat management for malware and viruses.
6. Maintain an Information Security Policy. This is essentially a policy that sets the tone for your entire organization’s information security strategy. It needs to address all of your employees and reflect your attitude toward PCI compliance and overall data security. This includes training programs and continuing education to ensure proper practices.
How to Avoid The MATCH List In The Future
If you are seeking early removal from The MATCH List and want to avoid ever being placed on it again due to PCI Data Security Standard Noncompliance, you can follow this handy checklist.
- Do you have a firewall or similar security measure in place to safeguard the system(s) in which you store, process, or transmit cardholder data?
- Is that firewall regularly updated and maintained?
- Have you replaced default passwords and vendor-supplied security parameters with unique and sufficiently strong alternatives?
- Are those passwords protected and safely stored to minimize their risk of exposure?
- Do you have sufficient security controls in place to protect cardholder data stored within your internal systems?
- Are you securing cardholder data when it is in transit?
- Are you at least using an approved method of encryption to protect it?
- Is it being protected when traveling across open networks?
- Does your organization have antivirus software or other virus-prevention programs?
- Is that software or program up to date?
- Do you have regularly scheduled reviews of that software to ensure that you always have the most recent version?
- Is your organization using the most recent version?
- Does your organization have secure systems and applications?
- Are those systems and applications being maintained?
- If not, do you plan to develop secure systems and applications in compliance with the PCI DSS?
- Is access to cardholder data restricted within your internal systems?
- Is this restricted access based on an individual’s need to know or need to handle that data to complete everyday tasks?
- Does the need to complete those tasks outweigh the risk of giving the individual(s) in question access to that data?
- Does every person within your organization have a unique user ID for computer access?
- Are those unique IDs enabled with permissions/access-control measures managed by a system administrator?
- Are those permissions/access-controls consistent with business-need-to-know (e.g., marketing interns aren’t allowed to view the cardholder data of customers)?
- Does your organization restrict physical access to computers, servers, or other systems where cardholder data can be processed, stored, or transmitted?
- Do you have a system in place to log and monitor all visitors to facilities where cardholder data can be accessed?
- Is all media physically secured, safely stored, and not inappropriately distributed or accessible?
- Do you have a process for regularly reviewing your organization’s networks to prevent exploitation?
- Are these processes logged?
- Are these logs stored and secured to provide reliable audit trails?
- Are your systems frequently tested to discover any vulnerabilities?
- If vulnerabilities are discovered, are they being addressed and maintained over time?
- Do these tests occur any time new software is introduced or configurations are changed?
- Do these tests include internal and external network vulnerability scans and penetration testing at the required intervals?
- Are you monitoring critical system files to ensure they’re not illicitly accessed or modified?
- Does your company have an internal information security policy?
- Does this policy cover the requirements of the PCI DSS?
- Are those requirements being sufficiently addressed?
- Is your policy reviewed annually and/or whenever changes to your internal systems occur?
- Does this policy include measures for identifying and monitoring the PCI compliance responsibilities of service providers?
- Do you have an incident response plan that can be executed immediately in the instance of a breach?
Early Removal from The MATCH List with TFM Law
If you have been placed on The MATCH List, you will have to wait five years to age out of the list. This means you cannot process credit cards for five years unless you find an expensive high-risk processor.
Luckily, you can seek early removal with the help of TFM Law.
If you have found yourself on The MATCH List, we can help you. The Law Offices of Theodore Monroe focuses on litigation and counseling in the areas of payments, credit card processing, e-commerce, direct response marketing, and Federal Trade Commission enforcement. Last year the firm got 100% of the people who came to us off the MATCH list.
Theodore F. Monroe, Founder of TFM Law, has successfully:
- Represented merchants recovering funds from processors
- Structured processing relationships to comply with Card Brand requirements
- Drafted and negotiated contracts involving payment facilitators and ISOs
- Represented continuity merchants in compliance and litigation issues
- Fought for numerous companies in suits brought by the Federal Trade Commission and obtained excellent results for firms in the digital products, loan modification, government grant, and nutraceuticals industries
Before opening his firm, Mr. Monroe practiced law with Crosby, Heafey, Roach & May (now Reed Smith LLP) and Lewis, D’Amato, Brisbois & Bisgaard (now Lewis, Brisbois, Bisgaard & Smith), where he defended numerous accounting and law firms in professional liability actions, and insurance carriers in bad faith actions.
Before becoming a lawyer, Mr. Monroe worked as a forensic accountant at Coopers & Lybrand, which gave him a background in forensic accounting and financial analysis that is unique among litigators in Los Angeles. Mr. Monroe studied at Duke University Law School, earned a BS with Honors in Accounting from the University of Kentucky, and is a member of the California State Bar and the Kentucky State Bar.