
Security Rules and Procedures—Merchant Edition



Transcription of Security Rules and Procedures—Merchant Edition

Security Rules and Procedures Merchant Edition 14 February 2019 SPME

Contents

Chapter 1: Customer Compliance with the Conflict with The Security 2: 3: Card and Access Device Design Consumer Device Cardholder Verification Mastercard Qualification of Consumer Device CDCVM Persistent Prolonged Maintaining Mastercard-qualified CVM Use of a Acquirer Requirements for CVC Service Acquirer Valid Service Additional Service Code 4: Terminal and PIN Security Personal Identification Numbers (PINs) PIN PIN PIN Key PIN Transmission Between Customer Host Systems and the On-behalf Key PIN at the Point of Interaction (POI) for Mastercard Magnetic Stripe Terminal Security Hybrid Terminal Security PIN Entry Device Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security POS Terminals Using Electronic Signature Capture Technology (ESCT).

Component Triple DES Migration

1991 2019 Mastercard. Proprietary. All rights Rules and Procedures Merchant Edition 14 February 2019

Chapter 5: Card Recovery and Return Card Recovery and Card Retention by Returning Recovered Returning Counterfeit Liability for Loss, Costs, and 6: Fraud Loss Control Mastercard Fraud Loss Control Program Acquirer Fraud Loss Control Acquirer Authorization Monitoring Acquirer Merchant Deposit Monitoring Acquirer Channel Management Recommended Additional Acquirer Recommended Fraud Detection Tool Ongoing Merchant Mastercard Counterfeit Card Fraud Loss Control Counterfeit Card Notification by Failure to Give Responsibility for Counterfeit Loss from Internal Transactions Arising from Unidentified Counterfeit Acquirer Counterfeit Liability Acquirer Counterfeit Acquirer Liability Relief from Application for 7.

Merchant, Submerchant, and ATM Owner Screening and Monitoring Screening New Merchants, Submerchants, and ATM Required Screening Retention of Investigative Assessments for Noncompliance with Screening Ongoing Merchant Additional Requirements for Certain Merchant and Submerchant

Chapter 8: Mastercard Fraud Control Notifying Acquirer Global Merchant Audit Acquirer Tier 3 Special Merchant Chargeback Exclusion from the Global Merchant Audit Systematic Exclusion After GMAP Notification of Merchant Distribution of Merchant Online Status Tracking (MOST) MOST MOST Excessive Chargeback ECP Reporting Chargeback-Monitored Merchant Reporting Excessive Chargeback Merchant Reporting ECP Assessment Additional Tier 2 ECM Questionable Merchant Audit Program (QMAP).

QMAP Mastercard Commencement of an Mastercard Notification to Merchant Mastercard Chargeback Fraud QMAP 9: Mastercard Registration Mastercard Registration Program General Registration Merchant Registration Fees and Noncompliance General Monitoring Additional Requirements for Specific Merchant Non-face-to-face Adult Content and Services Non face-to-face Gambling Pharmaceutical and Tobacco Product Government-owned Lottery Government-owned Lottery Merchants ( Region Only) Government-owned Lottery Merchants (Specific Countries) Skill Games High-Risk Cyberlocker Recreational Cannabis Merchants (Canada Region Only) High-Risk Securities Cryptocurrency 10: Account Data Protection Standards and Account Data Protection Account Data Compromise Policy Concerning Account Data Compromise Events and Potential Account Data Compromise Responsibilities in Connection with ADC Events and Potential ADC Time-Specific Procedures for ADC Events and Potential ADC Ongoing Procedures for ADC Events and Potential ADC Forensic Alternative Standards Applicable to Certain Merchants or Other Mastercard Determination of ADC Event or Potential ADC Assessments for PCI Violations in Connection with ADC Potential Reduction of Financial ADC Operational Reimbursement and ADC Fraud Recovery Mastercard Determination of Operational Reimbursement (OR).

Determination of Fraud Recovery (FR) Assessments and/or Disqualification for Final Financial Responsibility Mastercard Site Data Protection (SDP) Payment Card Industry Security Compliance Validation Acquirer Compliance Implementation Mastercard PCI DSS Risk-based Mastercard PCI DSS Compliance Validation Exemption Mandatory Compliance Requirements for Compromised Connecting to Mastercard Physical and Logical Security Minimum Security Additional Recommended Security Ownership of Service Delivery Point

Chapter 11: MATCH MATCH System How does MATCH Search when Conducting an Inquiry? Retroactive Possible Exact Possible Phonetic Possible MATCH When to Add a Merchant to Inquiring about a MATCH Record Merchant Removal from MATCH Reason Reason Codes for Merchants Listed by the Privacy and Data 12: 13: Global Risk Management About the Global Risk Management Service Provider Risk Management

Appendix A: B: C: D: MATCH Privacy and Data Protection Acknowledgment of Mastercard and Customer Data Data Security Confidentiality of Personal Personal Data Breach Notification Personal Data Breach Cooperation and Documentation Data Protection and Security Applicable Law and Termination of MATCH Invalidity and E:

Chapter 1 Customer Obligations

This chapter describes general Customer compliance and Program obligations relating to Mastercard Card issuing and Merchant acquiring Program

Compliance with the Conflict with The Security

Compliance with the Standards

This manual contains Standards. Each Customer must comply fully with these of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the Mastercard Rules manual (the compliance framework), unless otherwise specified in the table below.

The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Corporation may deviate from the schedule at any

Number Section Security with Card Registration of

Conflict with Law

A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these

The Security Contact

Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Company Contact Management application on Mastercard Connect.

Chapter 2 Omitted

Omitted

Chapter 3 Card and Access Device Design Standards

This chapter may be of particular interest to Issuers and vendors certified by Mastercard responsible for the design, creation, and control of Cards. It provides specifications for all Mastercard, Maestro, and Cirrus Card Programs

Consumer Device Cardholder Verification Mastercard Qualification of Consumer Device CDCVM Persistent Prolonged Maintaining Mastercard-qualified CVM Use of a Acquirer Requirements for CVC Service Acquirer Valid Service Additional Service Code

Consumer Device Cardholder Verification Methods

Consumer authentication technologies used on consumer devices, such as personal computers, tablets, mobile phones, and watches, are designed to verify a person as an authorized device user based on one or more of the following:

- Something I know: Information selected by and intended to be known only to that person, such as a passcode or pattern
- Something I am: A physical feature that can be translated into biometric information for the purpose of uniquely identifying a person, such as a face, fingerprint, or heartbeat
- Something I have: Information intended to uniquely identify a particular consumer device

Any such consumer authentication technology must be approved by Mastercard as a Mastercard-qualified CVM before it may be used as a Consumer Device Cardholder Verification Method (CDCVM) to process a

Mastercard Qualification of Consumer Device CVMs

Before a Customer (such as an Issuer or Wallet Token Requestor) may use, as a CDCVM, a consumer authentication technology in connection with the payment functionality of a particular Access Device type (of a specific manufacturer and model), the technology must be submitted to Mastercard by the Customer for certification and and testing of a proposed CDCVM is performed by or on behalf of Mastercard, in accordance with Mastercard requirements and at the expense of the Customer or third party, as applicable. Certification requires both successful security and functional the completion of certification and testing, Mastercard, in its discretion, may approve a proposed consumer authentication technology as a Mastercard-qualified CVM. Summary report information about such certification and testing results and the successful completion of certification testing may be disclosed to Customers by Mastercard or a third party that conducts certification and testing on Mastercard's behalf.

