PCI Data Security Standard Compliance

The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organisation to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

 

The PCI Security Standards Council includes every major payment card company. Businesses that take Visa, MasterCard, Discover, American Express, or JCB are expected to comply with PCI DSS, and they can be fined or penalised if they don’t.

The datacenters undergo an annual third-party audit to certify individual products against the PCI DSS. This means that these services provide an infrastructure that customers may build their own services or applications which store, process, or transmit cardholder data.

 

It is important to note that customers are still responsible for ensuring that their applications are PCI DSS compliant.

TypeHow do you accept payment cards?
ACard-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
A-EPE-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Applicable only to e-commerce channels.
B

Merchants using only:
Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

B-IPMerchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
C-VTMerchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.
CMerchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
P2PE-HWMerchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
DFor Merchants: All merchants not included in descriptions for the above types.
DFor Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

View and download the SAQ (self assessment questionnaire) from the PCI Security Standards Council here: https://www.pcisecuritystandards.org/document_library?category=saqs#results

Definitions

This guide uses many unique phrases. Here are several of the most common. For more information, refer to the PCI DSS Glossary https://www.pcisecuritystandards.org/pci_security/glossary

 

CDE: Acronym for cardholder data environment. This acronym refers to any part of your app that holds or transfers any cardholder data, including the payment account number or any personally identifiable information related to the card.

 

Compensating controls: Alternate solutions to any given requirement that meet the intent and rigour of the original requirement and that provide a similar level of defence. The official definition says that compensating controls must be “above and beyond” other PCI DSS requirements and must be commensurate with the additional risk imposed by not adhering to the original requirement.

 

PAN: Acronym for primary account number and also referred to as an account number. It is the unique payment card number that identifies the issuer and the cardholder account.

 

QSA: Acronym for Qualified Security Assessor. QSAs are qualified by the PCI Security Standards Council (SSC) to perform PCI DSS on-site assessments. Refer to the QSA Qualification Requirements https://www.pcisecuritystandards.org/documents/QSA_Qualification_Requirements_v2.1.pdf for details about requirements for QSA companies and employees.

 

SAQ: Acronym for Self-Assessment Questionnaire, the reporting tool that is used to document self-assessment results from an entity’s PCI DSS assessment.

 

Scope: The systems, procedures, and people to be included in a PCI DSS assessment.

 

Tokenisation: A process that replaces the primary account number (PAN) with a surrogate value called a token. The PAN is then stored in a secure lookup. De-Tokenisation is the reverse process of looking up a PAN by its token. A token can either be a hash or an assigned value https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf

Background

PCI DSS provides a list of requirements designed to enhance cardholder security. These requirements are divided into twelve major numbered parts and many subparts. This document references these part numbers to add context, but the section references are not an exhaustive list of applicable requirements.

 

Your PCI DSS compliance requirements vary depending on how your company handles payment card transactions (type) and how many transactions it performs each year (level).

 

As your number of transactions increases, your PCI DSS merchant level increases, and the PCI DSS compliance guidelines become stricter. At the highest merchant level, Level 1, PCI DSS requires an audit. Levels vary by the card brand. Level 1 is defined by American Express as 2.5 million annual transactions, and by Visa, Mastercard, and Discover as 6 million annual transactions. Each card brand has additional level requirements that are beyond the scope of this document. Ensure that your payment-processing environment is audited to support your merchant level.

 

Because the data centers are Level 1 PCI DSS 3.2–compliant service provider, it can support your PCI DSS compliance needs no matter what your company’s merchant level is.

Validating your environment

After your environment is implemented, but before any production traffic flows through it, you must have the environment validated:

 

 

Want To Know More​

Need further information or require a quotation?

All calls are recorded for security, training and quality purposes

Our lines are open Monday to Friday from 9am to 5.30pm. Dialling an 0330 number costs the same to dial as a call to a geographic (local) number. They cost the same to call from a landline or mobile and are included in mobile call packages.

You are calling our Network Operations Centre based in London, United Kingdom.

Just so you know, we are not able to accept telesales or telemarketing calls and can't be transferred.

Working proudly with skilled teams of people knowing we push the boundaries staying ahead of the curve producing high performance results.