Maestro Global Rules (PDF) - MasterCard

More documents

Recommendations

Info

Security 8.9 Account Data Compromise Events that could result in the alteration or loss of any such files, forensic data sources, including firewall and event log files, or other information. 3. Respond fully and promptly, in a manner prescribed by the Corporation, to any questions or other requests (including follow-up requests) from the Corporation with regard to the ADC Event or Potential ADC Event and the steps being taken to investigate and remediate same. 4. Authorize and require the QIRA to respond fully, directly, and promptly to any written or oral questions or other requests from the Corporation, and to so respond in the manner prescribed by the Corporation, with regard to the ADC Event or Potential ADC Event, including the steps being taken to investigate and remediate same. 5. Consent to, and cooperate with, any effort by the Corporation to engage and direct a QIRA to perform an investigation and prepare a forensic report concerning the ADC Event or Potential ADC Event, in the event that the Customer fails to satisfy any of the foregoing responsibilities. 6. Ensure that the compromised entity develops a remediation action plan, including implementation and milestone dates related to findings, corrective measures and recommendations identified by the QIRA and set forth in the final forensic report. 7. Monitor and validate that the compromised entity has fully implemented the remediation action plan, recommendations and corrective measures. 8.9.3 Forensic Report The responsible Customer (or its Agent) must ensure that the QIRA retain and safeguard all draft forensic report(s) pertaining to the ADC Event or Potential ADC Event and, upon request of the Corporation, immediately provide to the Corporation any such draft. The final forensic report required under Rule 8.9.2.1 must include the following, unless otherwise directed in writing by the Corporation: 1. A statement of the scope of the forensic investigation, including sources of evidence and information used by the QIRA. 2. A network diagram, including all systems and network components within the scope of the forensic investigation. As part of this analysis, all system hardware and software versions, including POS applications and versions of applications, and hardware used by the compromised entity within the past twelve months, must be identified. 3. A payment card transaction flow depicting all points of interaction associated with the transmission, processing and storage of Account data and network diagrams. 4. A written analysis explaining the method(s) used to breach the subject entity’s network or environment as well as method(s) used to access and exfiltrate Account data. ©1993–2012 MasterCard. Proprietary. All rights reserved. Maestro Global Rules • 9 November 2012 8-13
Security 8.9 Account Data Compromise Events 5. A written analysis explaining how the security breach was contained and the steps (and relevant dates of the steps) taken to ensure that Account data is no longer at risk of compromise. 6. An explanation of investigative methodology as well as identification of forensic data sources used to determine final report findings. 7. A determination and characterization of Account data at risk of compromise, including number of Accounts and at risk data elements (magnetic stripe data—track 1 and track 2, Cardholder name, PAN, expiration date, CVC 2, PIN and PIN block). 8. The location and number of Accounts where restricted Account data (magnetic stripe, track 1 and track 2, Cardholder name, PAN, expiration date, CVC 2, PIN, or PIN block), whether encrypted or unencrypted, was or may have been stored by the entity that was the subject of the forensic investigation. This includes restricted Account data that was or may have been stored in unallocated disk space, backup media and malicious software output files. 9. A time frame for Transactions involving Accounts determined to be at risk of compromise. If Transaction date/time is not able to be determined, file-creation timestamps must be supplied. 10. A determination of whether a security breach that exposed payment card data to compromise occurred. 11. On a requirement-by-requirement basis, a conclusion as to whether, at the time the ADC Event or Potential ADC Event occurred, each applicable PCI Security Standards Council requirement was complied with. For the avoidance of doubt, as of the date of the publication of these Standards, the PCI Security Standards include Payment Card Industry Data Security Standards (PCI DSS), PIN Entry Device Security Requirements (PCI PED), and Payment Application Data Security Standards (PA-DSS). The Corporation may require the Customer to cause a QIRA to conduct a PCI GAP analysis and include the result of that analysis in the final forensic report. The Customer must direct the QIRA to submit a copy of the preliminary and final forensic reports to MasterCard via Secure Upload. ©1993–2012 MasterCard. Proprietary. All rights reserved. 8-14 9 November 2012 • Maestro Global Rules
Page 1 and 2:
Maestro Global Rules 9 November 201
Page 3 and 4:
Summary of Changes This document re
Page 5 and 6:
Table of Contents Definitions .....
Page 7 and 8:
Table of Contents 3.12 Contact Info
Page 9 and 10:
Table of Contents 6.2.4 Mobile Paym
Page 11 and 12:
Table of Contents 7.8 Eligible POI
Page 13 and 14:
Table of Contents 8.6.1 Account Pro
Page 15 and 16:
Table of Contents 9.9.3 Noncomplian
Page 17 and 18:
Table of Contents 14.1 Service Prov
Page 19 and 20:
Table of Contents 7.23 ATM Access F
Page 21 and 22:
Table of Contents 2.3 Area of Use .
Page 23 and 24:
Table of Contents 7.2 Additional Ac
Page 25 and 26:
Table of Contents 9.15 Clearing and
Page 27 and 28:
Table of Contents 6.4 PIN and Signa
Page 29 and 30:
Table of Contents 6.4 PIN and Signa
Page 31 and 32:
Table of Contents 7.1.8 Card Accept
Page 33 and 34:
Table of Contents D.8.1 Corresponde
Page 35 and 36:
Activity(ies) The undertaking of an
Page 37 and 38:
Control As used herein, Control has
Page 39 and 40:
Gateway Transaction Any ATM transac
Page 41 and 42:
Maestro Word Mark The Maestro Word
Page 43 and 44:
Payment Transaction A Payment Trans
Page 45 and 46:
Settlement Obligation A financial o
Page 47 and 48:
Chapter 1 Participation This chapte
Page 49 and 50:
Participation 1.2 Eligibility to be
Page 51 and 52:
Participation 1.2 Eligibility to be
Page 53 and 54:
Participation 1.4 Interim Participa
Page 55 and 56:
Participation 1.7 Termination of Li
Page 57 and 58:
Participation 1.7 Termination of Li
Page 59 and 60:
Chapter 2 Licensing and Licensed Ac
Page 61 and 62:
Licensing and Licensed Activities 2
Page 63 and 64:
Licensing and Licensed Activities 2
Page 65 and 66:
Chapter 3 Customer Obligations This
Page 67 and 68:
3.1 Standards Customer Obligations
Page 69 and 70:
3.1.2.1.3 Category C—Efficiency a
Page 71 and 72:
3.1.2.4 Review Process Customer Obl
Page 73 and 74:
3.3 Choice of Laws Customer Obligat
Page 75 and 76:
3.7 Provision and Use of Informatio
Page 77 and 78:
3.7.3 Use of Corporation Informatio
Page 79 and 80:
3.9.2 Photographs Customer Obligati
Page 81 and 82:
3.11.2 Card Count Reporting Procedu
Page 83 and 84:
Customer Obligations 3.18 Expenses
Page 85 and 86:
3.22 Data Protection—Europe Regio
Page 87 and 88:
4.1 Right to Use the Marks Marks 4.
Page 89 and 90:
4.4 Review of Solicitations 4.5 Dis
Page 91 and 92:
4.7.1 Global Minimum Branding Requi
Page 93 and 94:
Chapter 5 Special Issuer Programs T
Page 95 and 96:
Special Issuer Programs 5.1 Special
Page 97 and 98:
Special Issuer Programs 5.2 Affinit
Page 99 and 100:
Special Issuer Programs 5.4 A/CB Ca
Page 101 and 102:
5.6.2 Categories of Prepaid Card Pr
Page 103 and 104:
Special Issuer Programs 5.6 Prepaid
Page 105 and 106:
Special Issuer Programs 5.7 Chip-on
Page 107 and 108:
Issuing 6.4.2 Use of the PIN.......
Page 109 and 110:
Issuing 6.2 Card Standards and Spec
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Issuing 6.4 PIN and Signature Requi
Page 121 and 122:
Issuing 6.5 Transmitting, Processin
Page 123 and 124:
Issuing 6.8 Mobile Remote Payment T
Page 125 and 126:
Issuing 6.9 Electronic Commerce 6.9
Page 127 and 128:
Issuing 6.11 MasterCard MoneySend P
Page 129 and 130:
Issuing 6.14 Fraud Reporting 6.13.1
Page 131 and 132:
Issuing 6.19 Recurring Payments—E
Page 133 and 134:
Acquiring 7.2 Additional Acquirer O
Page 135 and 136:
Acquiring 7.18.2.2 Disposition of C
Page 137 and 138:
Acquiring 7.1 Acquirer Obligations
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152: Acquiring 7.1 Acquirer Obligations
Page 153 and 154: Acquiring 7.2 Additional Acquirer O
Page 155 and 156: Acquiring 7.3 Additional Acquirer O
Page 157 and 158: Acquiring 7.5 Acquiring Payment Tra
Page 159 and 160: Acquiring 7.6 Acquiring MoneySend P
Page 161 and 162: Acquiring 7.7 Acquiring Mobile Remo
Page 163 and 164: Acquiring 7.9 POS Terminal and Term
Page 165 and 166: Acquiring 7.9 POS Terminal and Term
Page 167 and 168: Acquiring 7.11 Additional Requireme
Page 169 and 170: Acquiring 7.12 Additional Requireme
Page 171 and 172: Acquiring 7.14 POI Terminal Transac
Page 173 and 174: Acquiring 7.15 Requirements for Tra
Page 175 and 176: Acquiring 7.16 POS Terminal and Ter
Page 177 and 178: Acquiring 7.17 Connection to the In
Page 179 and 180: Acquiring 7.18 Card Capture NOTE 7.
Page 181 and 182: Acquiring 7.20 Merchandise Transact
Page 183 and 184: Acquiring 7.23 ATM Access Fees 7.23
Page 185 and 186: Acquiring 7.23 ATM Access Fees 1. t
Page 187 and 188: Acquiring Compliance Zones Rule Num
Page 189 and 190: Security 8.10.4 Acquirer Compliance
Page 191 and 192: Security 8.3 Customer Compliance wi
Page 193 and 194: Security 8.5 PIN Entry Device Issue
Page 195 and 196: Security 8.6 POS Terminal Communica
Page 197 and 198: Security 8.9 Account Data Compromis
Page 201: Security 8.9 Account Data Compromis
Page 207 and 208: Security 8.10 Site Data Protection
Page 215 and 216: Security 8.11 Algorithms 8.11 Algor
Page 217 and 218: Chapter 9 Processing Requirements T
Page 219 and 220: Processing Requirements 9.12 Floor
Page 221 and 222: Processing Requirements 9.2 POS Tra
Page 229 and 230: Processing Requirements 9.3 Termina
Page 231 and 232: Processing Requirements 9.4 Special
Page 233 and 234: Processing Requirements 9.4 Special
Page 235 and 236: Processing Requirements 9.5 Process
Page 237 and 238: Processing Requirements 9.7 Process
Page 239 and 240: Processing Requirements 9.8 Authori
Page 241 and 242: Processing Requirements 9.8 Authori
Page 243 and 244: Processing Requirements 9.9 Perform
Page 245 and 246: Processing Requirements 9.12 Floor
Page 247 and 248: Processing Requirements 9.13 Ceilin
Page 253 and 254:
Processing Requirements 9.13 Ceilin
Page 255 and 256:
Processing Requirements 9.13 Ceilin
Page 257 and 258:
Processing Requirements 9.15 Cleari
Page 259 and 260:
10.1 Definitions 10.2 Settlement Se
Page 261 and 262:
Settlement and Reconciliation 10.4
Page 263 and 264:
Settlement and Reconciliation 10.7
Page 265 and 266:
10.8.2 Intraregional Fees Settlemen
Page 267 and 268:
The Customer must: Settlement and R
Page 269 and 270:
Content Relocated to Chargeback Gui
Page 271 and 272:
Content Relocated to Chargeback Gui
Page 273 and 274:
Liabilities and Indemnification 13.
Page 275 and 276:
13.6 Proprietary Card Mark Liabilit
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Chapter 14 Service Providers This c
Page 283 and 284:
14.1 Service Provider Categories Se
Page 285 and 286:
14.1.1 Independent Sales Organizati
Page 287 and 288:
Service Providers 14.3 General Obli
Page 289 and 290:
Service Providers 14.3 General Obli
Page 291 and 292:
14.3.10 Fees Service Providers 14.3
Page 293 and 294:
14.3.15 No Endorsement of the Corpo
Page 295 and 296:
14.4.3 Access to Documentation Serv
Page 297 and 298:
Service Providers 14.6 Service Prov
Page 299 and 300:
Service Providers 14.8 Confidential
Page 301 and 302:
Chapter 15 Asia/Pacific Region This
Page 303 and 304:
Overview Definitions Asia/Pacific R
Page 305 and 306:
1.7 Termination of License Asia/Pac
Page 307 and 308:
6.13 Issuer Responsibilities to Car
Page 309 and 310:
Asia/Pacific Region 7.18 Card Captu
Page 311 and 312:
Asia/Pacific Region 7.23 ATM Access
Page 313 and 314:
Asia/Pacific Region 9.2 POS Transac
Page 315 and 316:
Technical Specifications Compliance
Page 317 and 318:
Canada Region 9.3.1 Issuer Requirem
Page 319 and 320:
Canada Region 6.17 Additional Rules
Page 321 and 322:
Canada Region 7.17 Connection to th
Page 323 and 324:
Canada Region 7.23 ATM Access Fees
Page 325 and 326:
Canada Region 9.8 Authorizations 9.
Page 327 and 328:
Canada Region Section 16a—Canada
Page 329 and 330:
Canada Region 7.1 Acquirer Obligati
Page 331 and 332:
Chapter 17 Europe Region This chapt
Page 333 and 334:
Europe Region 6.4.2.1 Chip Cards...
Page 335 and 336:
Europe Region 8.4 PIN and Key Manag
Page 337 and 338:
Europe Region Technical Specificati
Page 339 and 340:
Overview Definitions Europe Region
Page 341 and 342:
Europe Region 1.1 Types of Customer
Page 343 and 344:
2.3 Area of Use Europe Region 2.3 A
Page 345 and 346:
Europe Region 2.3 Area of Use In al
Page 347 and 348:
The intra-European Maestro Rules, i
Page 349 and 350:
3.4 Examination and Audits The foll
Page 351 and 352:
3.22 Data Protection Europe Region
Page 353 and 354:
Europe Region 4.2 Protection and Re
Page 355 and 356:
Europe Region 5.1 Special Issuer Pr
Page 357 and 358:
6.1 Eligibility Europe Region 6.1 E
Page 359 and 360:
6.2.2 Embossing and Engraving Stand
Page 361 and 362:
6.9 Electronic Commerce Europe Regi
Page 363 and 364:
Croatia Malta Turkey Cyprus Moldova
Page 365 and 366:
6.14 Fraud Reporting Europe Region
Page 367 and 368:
Europe Region 6.19 Recurring Paymen
Page 369 and 370:
7.1.5 Acquiring Transactions Europe
Page 371 and 372:
Europe Region 7.3 Additional Acquir
Page 373 and 374:
7.9.2 Manual Key-entry of PAN Europ
Page 375 and 376:
Europe Region 7.12 Additional Requi
Page 377 and 378:
Europe Region 7.13 Additional Requi
Page 379 and 380:
Europe Region 7.15 Requirements for
Page 381 and 382:
7.15.6 PAN Truncation Requirements
Page 383 and 384:
7.23.1.1 Transaction Field Specific
Page 385 and 386:
Europe Region 7.27 Identification o
Page 387 and 388:
Europe Region 8.13 Signature-based
Page 389 and 390:
Bosnia and Herzegovina Kosovo Slova
Page 391 and 392:
Europe Region 9.2 POS Transaction T
Page 393 and 394:
9.2.2.2 Optional Online POS Transac
Page 395 and 396:
Europe Region 9.2 POS Transaction T
Page 397 and 398:
9.3.2 Acquirer Requirements Europe
Page 399 and 400:
Europe Region 9.4 Special Transacti
Page 401 and 402:
Page 403 and 404:
9.4.7.4 CVC 2/AVS Checks Europe Reg
Page 405 and 406:
Country Code Country Country Code C
Page 407 and 408:
9.8.7 Authorization Response Time 9
Page 409 and 410:
Europe Region 9.9 Performance Stand
Page 411 and 412:
10.2.2 Assessment for Late Settleme
Page 413 and 414:
Europe Region 10.11 Customer Insolv
Page 415 and 416:
13.13 Additional Liabilities 13.13.
Page 417 and 418:
Europe Region Compliance Zones Rule
Page 419 and 420:
Definitions Europe Region Definitio
Page 421 and 422:
7.9 POS Terminal and Terminal Requi
Page 423 and 424:
9.4 Special Transaction Types Europ
Page 425 and 426:
9.4.9 Internet Stored Value Wallets
Page 427 and 428:
Page 429 and 430:
Europe Region 3.6 Non-discriminatio
Page 431 and 432:
Europe Region 6.4 PIN and Signature
Page 433 and 434:
Chapter 18 Latin America and the Ca
Page 435 and 436:
Overview Definitions Latin America
Page 437 and 438:
4.5 Display on Cards Latin America
Page 439 and 440:
6.4.2 Use of the PIN Latin America
Page 441 and 442:
Latin America and the Caribbean Reg
Page 443 and 444:
Page 445 and 446:
9.2.2 Acquirer Online POS Transacti
Page 447 and 448:
Page 449 and 450:
Chapter 19 South Asia/Middle East/A
Page 451 and 452:
South Asia/Middle East/Africa Regio
Page 453 and 454:
South Asia/Middle East/Africa Regio
Page 455 and 456:
Chapter 20 United States Region Thi
Page 457 and 458:
United States Region 7.25.7 Deposit
Page 459 and 460:
United States Region 3.15 Integrity
Page 461 and 462:
United States Region 6.2 Card Stand
Page 463 and 464:
United States Region 6.10 Selective
Page 465 and 466:
United States Region 6.17 Additiona
Page 467 and 468:
United States Region 7.4 Acquiring
Page 469 and 470:
United States Region 7.4 Acquiring
Page 471 and 472:
United States Region 7.10 Hybrid PO
Page 473 and 474:
United States Region 7.17 Connectio
Page 475 and 476:
United States Region 7.23 ATM Acces
Page 477 and 478:
United States Region 7.25 Shared De
Page 479 and 480:
United States Region 7.25 Shared De
Page 481 and 482:
United States Region 9.2 POS Transa
Page 483 and 484:
United States Region 9.2 POS Transa
Page 485 and 486:
United States Region 9.8 Authorizat
Page 487 and 488:
United States Region 10.2 Settlemen
Page 489 and 490:
United States Region Compliance Zon
Page 491 and 492:
Overview Maestro PayPass Overview S
Page 493 and 494:
7.1 Acquirer Obligations and Activi
Page 495 and 496:
7.15 Requirements for Transaction R
Page 497 and 498:
A.1 Asia/Pacific Region Geographica
Page 499 and 500:
• Cyprus • Czech Republic • D
Page 501 and 502:
• Estonia • Finland • France
Page 503 and 504:
• Puerto Rico • St. Kitts-Nevis
Page 505 and 506:
• Qatar • Reunion • Rwanda
Page 507 and 508:
Maestro Merchant Operating Guidelin
Page 509 and 510:
Maestro Merchant Operating Guidelin
Page 511 and 512:
Signage, Screen, and Receipt Text D
Page 513 and 514:
Page 515 and 516:
Page 517 and 518:
Page 519 and 520:
Page 521 and 522:
Page 523 and 524:
Page 525 and 526:
Page 527 and 528:
Page 529 and 530:
Page 531 and 532:
Page 533 and 534:
Page 535 and 536:
Page 537 and 538:
Page 539 and 540:
Page 541 and 542:
Page 543 and 544:
Page 545 and 546:
Page 547 and 548:
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
Page 555 and 556:
Page 557 and 558:
Page 559 and 560:
Glossary Glossary Glossary This sec
Page 561 and 562:
usiness day Glossary Glossary A “
Page 563 and 564:
data encryption standard (DES) Glos
Page 565 and 566:
global bank holding company Glossar
Page 567 and 568:
offline Glossary Glossary An operat
Page 569 and 570:
PIN verification Glossary Glossary
Page 571 and 572:
scrip Glossary Glossary A printed r
Page 573 and 574:
terminal response time Glossary Glo
show all

Maestro Global Rules (PDF) - MasterCard

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?