Security Rules And Procedures—Merchant Edition SPME Entire Manual Public

2015-01-12

• Security Rules and Procedures—Merchant Edition
• Notices
• Table of Contents
• Chapter 1 Customer Obligations
  • 1.1 Compliance with the Standards
  • 1.2 Conflict with Law
  • 1.3 The Security Contact
• Chapter 2 Omitted
• Chapter 3 Card and TID Design Standards
  • 3.9 Card Validation Code (CVC)
    • 3.9.4 Acquirer Requirements for CVC 2
  • 3.10 Service Codes
    • 3.10.2 Acquirer Information
    • 3.10.3 Valid Service Codes
    • 3.10.4 Additional Service Code Information
  • 3.11 Transaction Information Documents (TIDs)
    • 3.11.1 Formset Contents
    • 3.11.2 POS Terminal Receipt Contents
    • 3.11.3 Standard Wording
    • 3.11.4 Primary Account Number Truncation and Expiration Date Omission
• Chapter 4 POI Terminal and PIN Security Standards
  • 4.1 Personal Identification Numbers (PINs)
  • 4.3 PIN Verification
  • 4.5 PIN Encipherment
  • 4.6 PIN Key Management
    • 4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System
    • 4.6.2 On-behalf Key Management
  • 4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions
  • 4.8 POI Terminal Security Standards
  • 4.9 Hybrid POI Terminal Security Standards
  • 4.10 PIN Entry Device Standards
  • 4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security Standards
  • 4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT)
  • 4.13 Component Authentication
  • 4.14 Triple DES Migration Standards
• Chapter 5 Card Recovery and Return Standards
  • 5.1 Card Recovery and Return
    • 5.1.1 Card Retention by Merchants
      • 5.1.1.1 Returning Recovered Cards
      • 5.1.1.2 Returning Counterfeit Cards
      • 5.1.1.3 Liability for Loss, Costs, and Damages
• Chapter 6 Fraud Loss Control Standards
  • 6.2 MasterCard Fraud Loss Control Program Standards
    • 6.2.2 Acquirer Fraud Loss Control Programs
      • 6.2.2.1 Acquirer Authorization Monitoring Requirements
      • 6.2.2.2 Acquirer Merchant Deposit Monitoring Requirements
      • 6.2.2.3 Recommended Additional Acquirer Monitoring
  • 6.3 MasterCard Counterfeit Card Fraud Loss Control Standards
    • 6.3.1 Counterfeit Card Notification
      • 6.3.1.2 Notification by Acquirer
      • 6.3.1.3 Failure to Give Notice
    • 6.3.2 Responsibility for Counterfeit Loss
      • 6.3.2.1 Loss from Internal Fraud
      • 6.3.2.3 Transactions Arising from Unidentified Counterfeit Cards
    • 6.3.3 Acquirer Counterfeit Liability Program
      • 6.3.3.1 Acquirer Counterfeit Liability
      • 6.3.3.2 Acquirer Liability Period
      • 6.3.3.3 Relief from Liability
      • 6.3.3.4 Application for Relief
• Chapter 7 Merchant, Sub-merchant, and ATM Owner Screening and Monitoring Standards
  • 7.1 Screening New Merchants, Sub-merchants, and ATM Owners
    • 7.1.1 Screening Procedures
    • 7.1.2 Evidence of Compliance with Screening Procedures
    • 7.1.3 Retention of Investigative Records
    • 7.1.4 Assessments for Noncompliance with Screening Procedures
  • 7.2 Ongoing Monitoring
  • 7.3 Additional Requirements for Certain Merchant and Sub-merchant Categories
    • 7.3.1 Merchant Education
• Chapter 8 MasterCard Fraud Control Programs
  • 8.1 Presenting Valid Transactions
    • 8.1.1 Notifying MasterCard—Acquirer Responsibilities
    • 8.1.3 MasterCard Audit
      • 8.1.3.1 Initiation of MasterCard Audit
      • 8.1.3.2 Information Required by MasterCard
      • 8.1.3.3 Notification to Customers of Chargeback Period
  • 8.2 Global Merchant Audit Program
    • 8.2.1 Acquirer Responsibilities
    • 8.2.2 Tier 3 Special Merchant Audit
    • 8.2.3 Chargeback Responsibility
    • 8.2.4 Exclusion from the Global Merchant Audit Program
      • 8.2.4.1 Systematic Exclusions
      • 8.2.4.2 Exclusion after GMAP Identification
    • 8.2.5 Notification of Merchant Identification
      • 8.2.5.1 Distribution of Reports
    • 8.2.6 Merchant Online Status Tracking (MOST) System
      • 8.2.6.1 MOST Mandate
      • 8.2.6.2 MOST Registration
  • 8.3 Excessive Chargeback Program
    • 8.3.1 ECP Definitions
    • 8.3.2 Reporting Requirements
      • 8.3.2.1 Chargeback-Monitored Merchant Reporting Requirements
        • 8.3.2.1.1 CMM Report Contents
        • 8.3.2.1.2 Late CMM Report Submission Assessment
      • 8.3.2.2 Excessive Chargeback Merchant Reporting Requirements
        • 8.3.2.2.1 ECM Report Contents
        • 8.3.2.2.2 Late ECM Report Submission Assessment
    • 8.3.3 Assessments
      • 8.3.3.1 ECP Assessment Calculation
    • 8.3.5 Additional Tier 2 ECM Requirements
  • 8.4 Questionable Merchant Audit Program (QMAP)
    • 8.4.1 QMAP Definitions
    • 8.4.2 MasterCard Commencement of an Investigation
    • 8.4.4 MasterCard Notification to Acquirers
    • 8.4.5 Merchant Termination
    • 8.4.6 MasterCard Determination
    • 8.4.7 Chargeback Responsibility
    • 8.4.8 Fraud Recovery
    • 8.4.9 QMAP Fees
• Chapter 9 MasterCard Registration Program
  • 9.1 MasterCard Registration Program Overview
  • 9.2 General Registration Requirements
    • 9.2.1 Merchant Registration Fees and Noncompliance Assessments
  • 9.3 General Monitoring Requirements
  • 9.4 Additional Requirements for Specific Merchant Categories
    • 9.4.1 Telecom Merchants and Transactions
    • 9.4.2 Non-face-to-face Adult Content and Services Merchants
    • 9.4.3 Non–face-to-face Gambling Merchants
    • 9.4.4 Pharmaceutical and Tobacco Product Merchants
    • 9.4.5 State Lottery Merchants (U.S. Region Only)
    • 9.4.6 Skill Games Merchants (U.S. Region Only)
• Chapter 10 Account Data Protection Standards and Programs
  • 10.1 Account Data Protection Standards
  • 10.2 Account Data Compromise Events
    • 10.2.1 Policy Concerning Account Data Compromise Events and Potential Account Data Compromise Events
    • 10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events
      • 10.2.2.1 Time-Specific Procedures for ADC Events and Potential ADC Events
      • 10.2.2.2 Ongoing Procedures for ADC Events and Potential ADC Events
    • 10.2.3 Forensic Report
    • 10.2.4 Alternative Standards Applicable to Certain Merchants
    • 10.2.5 MasterCard Determination of ADC Event or Potential ADC Event
      • 10.2.5.1 Assessments for PCI Violations in Connection with ADC Events
      • 10.2.5.2 Potential Reduction of Financial Responsibility
      • 10.2.5.3 ADC Operational Reimbursement and ADC Fraud Recovery—MasterCard Only
      • 10.2.5.4 Operational Reimbursement (OR) Calculation—MasterCard Only
      • 10.2.5.5 Fraud Recovery (FR) Calculation—MasterCard Only
      • 10.2.5.6 Investigation and Other Costs
    • 10.2.6 Assessments and/or Disqualification for Noncompliance
    • 10.2.7 Final Financial Responsibility Determination
  • 10.3 MasterCard Site Data Protection (SDP) Program
    • 10.3.1 Payment Card Industry Data Security Standards
    • 10.3.2 Compliance Validation Tools
    • 10.3.3 Acquirer Compliance Requirements
    • 10.3.4 Implementation Schedule
      • 10.3.4.1 MasterCard PCI DSS Risk-based Approach
      • 10.3.4.2 MasterCard PCI DSS Compliance Validation Exemption Program
      • 10.3.4.3 Mandatory Compliance Requirements for Compromised Entities
  • 10.4 Connecting to MasterCard—Physical and Logical Security Requirements
    • 10.4.1 Minimum Security Requirements
    • 10.4.2 Additional Recommended Security Requirements
    • 10.4.3 Ownership of Service Delivery Point Equipment
• Chapter 11 MATCH System
  • 11.1 MATCH Overview
    • 11.1.1 System Features
    • 11.1.2 How does MATCH Search when Conducting an Inquiry?
      • 11.1.2.1 Retroactive Possible Matches
      • 11.1.2.2 Exact Possible Matches
      • 11.1.2.3 Phonetic Possible Matches
  • 11.2 MATCH Standards
    • 11.2.1 Certification
    • 11.2.2 When to Add a Merchant to MATCH
    • 11.2.3 Inquiring about a Merchant
    • 11.2.6 MATCH Record Retention
  • 11.4 Merchant Removal from MATCH
  • 11.5 MATCH Reason Codes
    • 11.5.1 Reason Codes for Merchants Listed by the Acquirer
• Chapter 12 Omitted
• Chapter 13 Fraud Management Program (FMP)
  • 13.1 About FMP
    • 13.1.2 FMP Level 2 Non-Customer Reviews
• Appendix A Omitted
• Appendix B Formset Specifications
  • B.1 MasterCard Formset Specifications
    • B.1.1 Formset Physical Dimensions
    • B.1.2 Number of Copies and Retention Requirements
    • B.1.3 Paper Stock Characteristics
    • B.1.4 Color of Interchange Copy
    • B.1.5 Carbon
    • B.1.6 Registration Mark
      • B.1.6.1 Registration Mark Location
    • B.1.7 Formset Numbering
      • B.1.7.1 Formset Number Location
    • B.1.8 Information Slip Specifications
  • B.2 Formset Printing Standards
    • B.2.1 Financial Transaction Formsets
    • B.2.2 Information Slip Formsets
    • B.2.3 Imprinters
• Appendix C Omitted
• Appendix D Best Practices Guides
  • D.1 Acquirers’ Best Practices Guide
• Appendix E Omitted
• Definitions
  • Access Device
  • Account
  • Acquirer
  • Activity(ies)
  • Affiliate Customer, Affiliate
  • Association Customer, Association
  • Automated Teller Machine (ATM)
  • ATM Owner Agreement
  • ATM Terminal
  • ATM Transaction
  • Card
  • Cardholder
  • Chip Card (Smart Card, Integrated Circuit Card, IC Card, or ICC)
  • Chip Transaction
  • Cirrus Access Device
  • Cirrus Account
  • Cirrus Card
  • Cirrus Customer
  • Cirrus Payment Application
  • Contact Chip Transaction
  • Contactless Chip Transaction, Contactless Transaction
  • Contactless Payment Device
  • Corporation
  • Cross-border Transaction
  • Customer
  • Data Storage Entity (DSE)
  • Digital Wallet Operator (DWO)
  • Digital Wallet Operator Mark, DWO Mark
  • Domestic Transaction
  • Dual Interface Hybrid POS Terminal
  • Hybrid ATM Terminal
  • Hybrid MPOS Terminal
  • Hybrid PIN-based In-Branch Terminal
  • Hybrid POI Terminal
  • Independent Sales Organization (ISO)
  • Interchange System
  • Interregional Transaction
  • Intracountry Transaction
  • Intraregional Transaction
  • Issuer
  • License, Licensed
  • Maestro
  • Maestro Access Device
  • Maestro Account
  • Maestro Card
  • Maestro Customer
  • Maestro Payment Application
  • Maestro Transaction
  • Manual Cash Disbursement Transaction
  • Marks
  • MasterCard
  • MasterCard Access Device
  • MasterCard Account
  • MasterCard-branded Application Identifier (AID)
  • MasterCard Card
  • MasterCard Customer
  • MasterCard Europe
  • MasterCard Incorporated
  • MasterCard Payment Application
  • MasterCard PayPass Magnetic Stripe Profile Transaction
  • MasterCard PayPass-M/Chip Transaction
  • MasterCard Transaction
  • Member, Membership
  • Merchant
  • Merchant Agreement
  • Mobile Payment Device
  • Mobile POS (MPOS) Terminal
  • Participation
  • Pass-through Digital Wallet
  • Pass-through Digital Wallet Operator (DWO)
  • Payment Application
  • Payment Facilitator
  • PIN-based In-Branch Terminal
  • PIN-based In-Branch Terminal Transaction
  • Point of Interaction (POI)
  • POI Terminal
  • Portfolio
  • Point-of-Sale (POS) Terminal
  • POS Transaction
  • Principal Customer, Principal
  • Program
  • Program Services
  • Region
  • Rules
  • Service Provider
  • Service Provider Registration Facilitator
  • Settlement
  • Settlement Date
  • Sponsor, Sponsorship
  • Staged Digital Wallet
  • Staged Digital Wallet Operator (DWO)
  • Standards
  • Stand-In Parameters
  • Stand-In Processing Service
  • Sub-merchant
  • Terminal
  • Third Party Processor (TPP)
  • Transaction
  • Volume