Payment Card Industry Validation
This section provides details of PCI DSS compliance requirements and describes options for getting your business validated for PCI compliance.
Why Is PCI DSS Important?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit or debit cards from the major card schemes such as Visa, Mastercard, American Express, Discover, and JCB.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS is a contractual requirement, enforced by the card brands through their acquirers, for any business that collects, stores, processes or transmits customer card details. Merchants are assigned to compliance levels based on their annual transaction volume. The security requirements are the same for every level, but the way compliance must be validated becomes more stringent as volume grows (the largest merchants must undergo an annual on-site assessment by a Qualified Security Assessor rather than complete a self-assessment questionnaire). The standard is revised periodically. If you are not PCI DSS compliant your business can be held responsible for losses that occur through fraud, and you may also face considerable fines and damage to your reputation.
It is much easier to achieve compliance if your business model does not require storing payment card data. According to Visa, you can increase your data security and reduce the risk of compromises by using a PCI DSS–compliant service provider and a secure payment application. Paysafe has been fully compliant with Level 1 of the PCI DSS since 2001.
With our Hosted Payments API, you can use Paysafe to process and store all sensitive customer card or bank account information.
How Is PCI Compliance Validated?
The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures intended to proactively protect customer account data. Each card scheme has its own programs that help merchants attain compliance with the PCI DSS.
There are six categories of security requirements.
Build and Maintain a Secure Network
Install and maintain a firewall between the Internet and any system that handles cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters: replace default passwords with unique, strong ones before a system goes live.
Protect Cardholder Data
Whenever possible, do not store cardholder data. If there is a business need to store it, you must protect it (for example, by rendering the primary account number unreadable wherever it is stored). You must also encrypt cardholder data in transit across open, public networks, including the connections to your shopping cart and Web-hosting providers.
Maintain a Vulnerability Management Program
Use anti-virus software and keep it up to date. Develop and maintain secure systems and applications, and apply security patches promptly. Ensure the payment applications you use are validated under the PCI SSC's payment software standards.
Implement Strong Access Control Measures
Access to both electronic and physical cardholder data should be on a "need-to-know" basis. Ensure those people with access have a unique ID and password. Do not share login information.
Regularly Monitor and Test Networks
Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes such as firewalls, patches, and anti-virus.
Maintain an Information Security Policy
Your organization must maintain a written information security policy that states how data security is handled at your business. Ensure the policy is disseminated to all personnel and is reviewed and updated regularly.
There are two main components of validation:
- Completing the Self-Assessment Questionnaire (SAQ)
- Undergoing quarterly Vulnerability Scans performed by an Approved Scanning Vendor
The PCI SAQ is a list of questions used to assess your compliance with the requirements of the PCI DSS. The PCI SSC publishes several versions of the questionnaire to account for different merchant environments; the one you must complete depends on how you accept and handle cardholder data.
|SAQ|Applicable to|
|---|---|
|SAQ A|Merchants who have outsourced all cardholder data storage, processing, and transmission.|
|SAQ A-EP|E-commerce merchants who outsource all payment processing and whose website does not directly receive cardholder data, but can impact the security of the payment transaction.|
|SAQ B|Merchants who process cardholder data via imprint machines or standalone dial-up terminals only.|
|SAQ B-IP|Merchants using only standalone, PTS-approved terminals with an IP connection.|
|SAQ C|Merchants whose payment application systems are connected to the Internet.|
|SAQ C-VT|Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal.|
|SAQ P2PE|Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution.|
|SAQ D|All service providers defined by a payment brand as eligible to complete an SAQ, and those merchants who do not fall under any of the types described above.|
For more information on the questionnaire, and to determine which one is right for your business, please Contact Us.
The Network Vulnerability Scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet (on the external-facing IPs). The scan will identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data.
This scan often discovers vulnerabilities that must be resolved in order to maintain compliance. Once you have resolved them, a directed scan can be run at your request to verify that the findings have been addressed. You may also run a directed scan after making changes to your network to confirm that the changes have not affected your compliance status.
To help your business meet your PCI DSS compliance requirements and to facilitate the validation process, Paysafe has teamed up with SecurityMetrics, Sysnet, and Aperia, accredited Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Their vulnerability assessment and compliance management solution provides the following benefits:
- Scanning engine that tests for more than 3,000 vulnerabilities
- Online Self-Assessment Questionnaire
- Detailed compliance status reporting
- Vulnerability prioritization
- Remediation services to address security vulnerabilities and achieve compliance more quickly
- Comprehensive online support resources
- Multi-lingual help desk support
More information about SecurityMetrics can be found at www.securitymetrics.com or at 801-724-9600.
More information about Aperia can be found at www.aperia.com or at 888-302-0296.
More information about Sysnet can be found at https://sysnetgs.com/ or at +353 (0)1 495 1300.