The use of credit and debit card payments allows for the transfer, storage, and processing of payment card data — personal banking information that is sensitive to individuals and highly sought after by cybercriminals. That’s why Mastercard, Visa, American Express, and other credit card companies created certain security requirements for merchants and service providers who work with payment card data. These requirements are known as the PCI DSS standard.
What is PCI DSS exactly?
The Payment Card Industry Data Security Standard or “PCI DSS”, is a card payment standard for security mandated by the major card brands. The Payment Card Industry Security Standards Council’s founding members — Visa, Mastercard, American Express, JCB International, and Discover Financial Services — agreed to adopt a common security standard as part of the technical requirements for each of their data security compliance programs. In addition, each founding member recognizes Qualified Security Assessors (QSA) and approved scanning service providers (Approved Scanning Vendors, ASV).
Who needs PCI DSS certification?
Everyone who works with customers’ credit card information or in ways that affect the security of payment card data is subject to PCI compliance regulations including:
- Payment processors.
- Financial institutions.
- Trading and service companies of any size.
PCI DSS standards apply to an organization regardless of its size or the number of transactions it accepts, transfers or processes. Basically, if you store sensitive cardholder information, or if your business process includes the handling of the security of payment cards, you are also required to comply.
PCI DSS requirements.
PCI DSS certification requires compliance with 12 sections of comprehensive requirements for ensuring the security of information about the owners of payment cards. Adoption of these security measures must be made at each step of the payment process, from data transfer to its storage in your databases.
PCI DSS certification levels.
There are four PCI certification levels for merchants, which are based on the number of credit, debit, and prepaid card transactions a business accepts over the course of 12 months.
Why do you need to be PCI compliant?
Entities that store, process, or transmit the card data of payment systems (Visa, Mastercard, American Express, etc.) are required to comply with the PCI DSS standard. Payment systems determine the frequency and form of confirmation of compliance with the requirements of the standard, as well as sanctions for their failure to perform and any compromise of payment card data due to a data breach.
To help organizations meet the requirements of the standard, companies offer various compliance services that consider the tasks and specifics of each unique client. Some of these services include:
- Becoming PCI DSS compliant — this service involves bringing the level of security of a business in line with the requirements of the PCI DSS standard from scratch including:
- A preliminary audit with the development of a compliance plan.
- A initial certification audit.
- Maintaining PCI DSS compliance.
- Providing to organizations that already have a PCI DSS certificate of conformity and are interested in its next confirmation.
- Certification audit PCI DSS.
- The service is intended for organizations that have independently implemented the required PCI DSS security measures and are only interested in a final conformity assessment.
- Software certification for PA-DSS.
- In 2008, the Payment Card Industry Security Council (PCI SSC) adopted the Payment Application Data Security Standard (PA-DSS), a payment application security standard aimed at supporting compliance with PCI DSS requirements. According to the requirements of Visa and Mastercard, all “boxed” applications involved in the processing of authorization transactions or settlements with payment cards must be certified according to the PA-DSS standard.
- PA-DSS compliance applications — these can only be certified by an auditor with PA-QSA status.
- Maintaining software compliance with PA-DSS.
- Changes to PA-DSS certified payment applications are subject to review and, in some cases, entail a mandatory recertification process. The scope and reporting documents of the ongoing certification depends on the type of change.
- Information Protection audits by certified auditors with experience in shaping release policies to take into account the requirements of the standard and the realities of the vendor, conducting recertification for all types of changes defined by the standard and coordinating final documents with PCI SSC.
- Scanning PCI ASV, scanning WEB applications.
- A certified (certificate No. 4159-01-08) provider of PCI ASV scans can help. PCI ASV scanning provides compliance with clause 11.2.2 of the PCI DSS standard. In addition to formal compliance with the standard, PCI ASV scanning allows you to evaluate the security of your external network perimeter, identify vulnerabilities, and incorrect configurations.
- Comprehensive PCI DSS penetration tests.
- The service includes a practical assessment of the possibility of unauthorized access to payment card data or network resources that process payment card data (requirement of clause 11.3 PCI DSS).
- The development of a merchant program for PCI DSS requirements for acquiring banks. According to the requirements of international payment systems, acquiring banks are responsible for fulfilling the requirements of the PCI DSS standard by their merchants. As part of the service, a program is being developed to monitor the compliance of merchants with the requirements of the PCI DSS standard based on the security programs of international payment systems.
- PCI DSS self-assessment questionnaires (SAQs)t.
- These are documents that are used as a validation tool by merchants and service providers to demonstrate PCI compliance. At NAB, our PCI Plus Program removes this requirement for many merchants.
As you can see, there’s a lot that goes into becoming and maintaining PCI compliance. That’s why it’s so important that you partner with a payments technology company who can help you fulfill the requirements of the PCI DSS standard, reduce the risks of compromising the data of payment cards, and minimize your liability.