FFIEC Retail Payment Systems Booklet and PCI DSS

April 6, 2010

In February 2010, the Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet as guidance for examiners, financial institutions, and technology service providers on the risks associated with retail payment systems. The Booklet provides guidance on the risks and risk-management practices applicable to financial institutions’ retail payment systems activities, including checks, electronic payments related to credit cards and debit cards, and the automated clearing house (ACH).

We find the new guidance regarding Payment Card Industry Data Security Standards (PCI DSS) to be of particular importance to our clients. Institutions that participate in payment card systems are now required to develop a process to ensure compliance with PCI DSS. Acquiring financial institutions are given ultimate responsibility for any risks posed to the payment system by their sponsored merchants and third-party providers. Additionally, the Board of Directors and Management must have a clear understanding of the risks associated with acquiring activities and must understand the obligations under credit card association rules.

The FFIEC Retail Payment Systems Booklet states,

The credit card associations require acquiring banks to ensure that their merchants and third-party service providers comply with the Payment Card Industry Data Security Standards (PCI DSS). For third-party service providers and large merchants, PCI DSS compliance validation must be performed annually by a Qualified Security Assessor that has been approved by the PCI Security Standards Council. Smaller merchants must validate compliance annually through completion of a self-assessment questionnaire. It is not uncommon within the industry for a large number of merchants, and even some third party service providers, to be in noncompliance with PCI DSS, potentially exposing their acquiring bank to reputation risk and financial loss from fraud, lawsuits, and fines.

Additionally, issuing banks that use third-party service providers for transaction processing are required by the card associations to ensure that their providers are in compliance with PCI DSS.

PCI DSS was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International. The purpose is to provide consistent data security measures for cardholder information.

As with the guidance TrustCC follows in GLBA IT audits, PCI DSS sets requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

The core of PCI DSS is a group of 6 principles and 12 accompanying requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Test security systems and processes regularly.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

For additional information and guidance, see the FFIEC IT Examination Handbook series, available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html.

Additional information regarding PCI DSS can be found at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

If you have any questions, feel free to contact us at info@trustcc.com.

– TrustCC



  1. Great post and links. Thanks for the PCI info!

  2. Great Post. This post gives more guidance from the FFIEC Information Security Handbook on financial industry best practices.

