PCI Data Security Standards for ARC and ARC Agents
A little about PCI
American Express®, Discover Financial Services®, JCB®, MasterCard Worldwide®, and Visa International® were founding members of the Payment Card Industry (PCI) Security Standards Council, whose mission is to enhance payment account security by fostering broad adoption of the PCI Data Security Standard (PCI DSS) among merchants and processors handling sensitive credit card information.
Compliance and validation requirements for PCI DSS vary according to the number of transactions handled by the merchant or merchant service provider. Generally, there are four levels defined, with level 1 having the highest number of transactions and level 4 the lowest. Common to all four levels is the understanding that you store, process, or transmit credit card data.
PCI and ARC
ARC, as both a merchant and the processor on behalf of many merchants, is regarded as a top-level processor handling enormous volumes of credit card data and is thus subject to strict requirements, which are being met. In fact, ARC was very pleased to be the first level 1 entity in the travel industry to be PCI compliant, and we actively participate in the PCI Security Standards Council (see http://www.visa.com/cisp/ for PCI compliant service providers). ARC is a resource available to assist other entities in the industry in becoming similarly compliant.
PCI and the ARC Agent - What, if any, action is recommended?
If you have your own agreement with a bank card processor or an acquiring bank, you should contact your merchant representative to confirm your merchant level and recommended compliance validation requirements (self-assessment questionnaire and/or quarterly scanning).
If you are an ARC accredited agent and do not have your own credit card merchant agreement(s), you should still be exercising caution with respect to your handling of your customers' credit card information, e.g., where you record it, how you store it, etc. This means treating your clients' credit card data in a secure and confidential manner. Moreover, in this age of increasing office automation, securing your computer equipment against electronic intrusion is just as important as locking up information on paper.
ARC strongly recommends that you make use of the tools available, such as the option that permits you to mask credit card account numbers when using ARC Document Retrieval Service. As a helpful reference, please note the PCI DSS group of 12 principles appearing in the FAQ linked below.
We all share a common interest in keeping our customers' private information secure. ARC has invested in keeping credit card data secure in our systems and will be happy to assist you with any further questions or concerns through the resources below. Should you have any questions after reviewing the additional documentation available to you, please contact ARC's Customer Support Center at firstname.lastname@example.org.