
PCI DSS (Payment Card Industry Data Security Standard)


The Payment Card Industry Data Security Standard (PCI DSS) is administered by the PCI Security Standards Council. The purpose of the Standard is to decrease payment card fraud across the internet and increase credit card data security. Organisations that store, transmit or process card holder data must comply with PCI DSS. Compliance is regulated and enforced by the 'acquiring bank' with which every organisation must have a merchant account. IT Governance Ltd is an authorised PCI QSA, supplying the full range of PCI QSA audit and consultancy services.

Introduction to PCI DSS

The currently applicable version of PCI DSS is version 3.0, published in November 2013; download it here.

The PCI Security Standards Council (PCI SSC) has released Version 3 of both the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Publication on 7 November 2013 marks the end of one lifecycle and the start of the next three-year cycle for the standard. The changes are intended to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.

Organisations are given a 14-month grace period to transition from Version 2 to Version 3 until PCI DSS v3.0 becomes mandatory on 1 January 2015. As an approved QSA company, IT Governance is ideally positioned to help organisations comply with both versions and help them transition to v3.0 in due course. For more information call us on +44 (0)845 070 1750 or email: servicecentre@itgovernance.co.uk.



Applicability of PCI DSS

The PCI DSS applies to any organisation that processes, transmits or stores cardholder data.

If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you have the responsibility for ensuring all the contracted parties are compliant with the standard.

If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.

IT Governance can advise on the applicability of the PCI DSS to your organisation.


Scope of PCI DSS

The PCI DSS can apply across the whole of your organisation, or to a subset of your organisation if you have correctly compartmentalised the processing, transmission or storage of cardholder data away from the rest of your organisation.

It applies to all people, processes and technologies that are involved in the processing, transmission or storage of cardholder data. This is not limited to electronic systems: it includes paper records such as receipts and mail order forms, and recordings of phone conversations if they capture cardholder data being read out to call centre operators. IT Governance can advise on scoping the cardholder data environment within your organisation.


PCI DSS Compliance Requirements

The Standard requires all applicable merchants and member service providers (MSPs) who are involved in the storage, processing or transmission of cardholder data to:

  • Build and maintain a secure IT network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI DSS Compliance Criteria and PCI levels

Compliance is driven from the payment brands (Visa, American Express, MasterCard, etc.) downwards. The payment brands look for acquiring banks to be compliant and all their merchants to be compliant too. The acquiring banks will ask all of their merchants to become compliant, and as part of that process merchants will ask their service providers to be compliant.

The criteria that a merchant or service provider has to meet are set by the individual payment brands. Each payment brand has its own compliance programme and sets criteria for compliance based upon the volume of transactions undertaken by a merchant or service provider. In general there are four merchant levels and two levels of service provider; however, this is payment brand-dependent.


Achieving Compliance with PCI DSS

Compliance with PCI DSS is achieved by the merchant or service provider demonstrating its compliance by successfully completing an audit of the cardholder data environment against the standard. The type of audit depends on the compliance requirements of the payment brand and the level of the merchant or service provider as defined by the payment brand. The types of audit are:

  • Report on Compliance (RoC) completed by a PCI QSA organisation or by an ISA
  • A Self-Assessment Questionnaire (SAQ) signed by an officer of the organisation
  • External Vulnerability Scan conducted by an Approved Scanning Vendor (ASV)

The PCI DSS compliance procedure can take anything from a day to many weeks, depending on what is uncovered by the vulnerability assessment scan and the audit. Organisations that currently have a good level of information security are likely to achieve compliance quicker than those that don't. The starting point for all organisations that need to comply is to download the Payment Card Industry Data Security Standard and to contact a PCI Approved Scanning Vendor (ASV).

The initial starting point should be your own copy of the manual on PCI Compliance: PCI DSS: A Practical Guide to Implementation. It is a good investment!

Those wishing to develop their understanding of the PCI DSS may also be interested in our PCI Foundation and PCI Implementation training pathway.


PCI Compliance Requirements – IT Governance Services

As a general rule of thumb, the criteria below are based on those of Visa and MasterCard, as these are the predominant payment brands that card merchants process. IT Governance provides the following services in each of the various compliance categories:

Merchants / Service providers | Annual Onsite Audit | Self-Assessment Questionnaire (SAQ) | Quarterly* External Vulnerability Scan | Quarterly* Internal Vulnerability Scan | Annual** Penetration Test | Quarterly WLAN Analysis
------------------------------|---------------------|-------------------------------------|----------------------------------------|----------------------------------------|---------------------------|------------------------
ROC                           | IT Governance Ltd   | N/A                                 | IT Governance Ltd                      | IT Governance Ltd                      | IT Governance Ltd         | IT Governance Ltd
SAQ D for Merchants           | N/A                 | IT Governance Ltd                   | IT Governance Ltd                      | IT Governance Ltd                      | IT Governance Ltd         | IT Governance Ltd
SAQ D for Service Providers   | N/A                 | IT Governance Ltd                   | IT Governance Ltd                      | IT Governance Ltd                      | IT Governance Ltd         | IT Governance Ltd
SAQ C                         | N/A                 | IT Governance Ltd                   | IT Governance Ltd                      | IT Governance Ltd                      | IT Governance Ltd #       | IT Governance Ltd
SAQ C-VT                      | N/A                 | IT Governance Ltd                   | N/A                                    | N/A                                    | N/A                       | N/A
SAQ P2PE-HW                   | N/A                 | IT Governance Ltd                   | N/A                                    | N/A                                    | N/A                       | N/A
SAQ B-IP                      | N/A                 | IT Governance Ltd                   | IT Governance Ltd                      | N/A                                    | N/A                       | N/A
SAQ B                         | N/A                 | IT Governance Ltd                   | N/A                                    | N/A                                    | N/A                       | N/A
SAQ A-EP                      | N/A                 | IT Governance Ltd                   | IT Governance Ltd                      | IT Governance Ltd                      | IT Governance Ltd +       | N/A
SAQ A                         | N/A                 | IT Governance Ltd                   | N/A                                    | N/A                                    | N/A                       | N/A

* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)
# Only required for testing network segmentation if any is present
+ Only external penetration test required

The PCI Report on Compliance

A Report on Compliance (ROC) is a form that must be completed for all qualifying merchants and service providers undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit. The ROC is used to verify that the organisation being audited is compliant with the PCI DSS standard. The ROC must be filled out by the PCI Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) who has audited the organisation. The form is then submitted to the merchant's acquiring bank for acceptance. Once the merchant's acquiring bank has accepted the ROC, it sends the document on to the payment brand for compliance verification.


The PCI Self-Assessment Questionnaire (SAQ)

All merchants and their service providers are required to comply with the PCI DSS in its entirety. In February 2014, the PCI Security Standards Council introduced the new Self-Assessment Questionnaires (and Attestation of Compliance), which are validation tools intended to assist all qualifying merchants and service providers in self-evaluating their compliance with the PCI DSS.


SAQ | Description
----|------------
A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
A-EP | This SAQ is designed to cover the now common situation of e-commerce merchants that outsource their payment processing but not the administration of the website that links to it, and so need to protect that website properly.
B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
B-IP | This SAQ addresses the scenario of a merchant that uses standalone PEDs connected to the processor not via a phone line but via an IP connection, as is now more prevalent in SMEs.
C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D (Merchant) / D (Service Provider) | All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
P2PE-HW | Merchants with only hardware payment terminals included in a validated, PCI SSC-listed P2PE solution, no electronic cardholder data storage.


Payment Brand PCI Compliance Programmes

While the PCI DSS is a common standard, each payment brand has its own compliance programme. Note that there may be regional variations for Visa (e.g. USA and Canada), while MasterCard has a single global standard, and that acquiring banks (not the payment brands) are usually responsible for enforcement. All detailed compliance enquiries should therefore be directed to one's acquiring bank. Here are the PCI DSS compliance programmes for each of the five founding members of the PCI SSC:


PCI DSS and ISO/IEC 27001

While the PCI Standard was not written to map specifically to ISO27001, ISO17799, COBIT® or any other existing framework, it sits clearly within the ISO27002 framework and organisations that have implemented an ISO27002 ISMS should be able, with minor additional work, to also demonstrate their conformance with the PCI standard.

Subscribers can access additional guidance on using ISO27001 as a PCI DSS management framework. Nine Steps to Success describes how ISO27001 can be implemented to provide an overarching best practice information security management framework that will encompass the requirements of PCI DSS.


Enforcement of PCI DSS (FAQs below from the PCI DSS website)

What are the consequences to my business if I do not comply with the PCI DSS?
"The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant."

How long does a merchant have to become compliant with PCI DSS version 3.0?
"Compliance is required by January 2015; however, certain elements of version 3 which are more complex require compliance by July 2015."

Can an entity be fined if it is compliant with the original PCI DSS but not version 3.0?
"All compliance programs including but not limited to fines are managed individually and distinctly by the payment brands".

Are there any plans to make compliance easier for small to medium sized merchants?
"All merchants must comply with the same standard to be considered compliant with PCI DSS version 3.0. Approaches for validation of compliance differ based upon merchant size and are determined based upon levels set individually by the payment brands. The PCI Security Standards Council will support future work efforts intended to build technical guidance and other tools into the self-assessment questionnaire."

This all means that each payment brand will take whatever action it thinks it can make stick, commercially, to enforce the PCI DSS. There are no standardised penalties across all the payment brands, and the PCI SSC has no plans to create any. Each brand will require separate evidence of compliance and, given that the original dates for compliance have now all passed, is likely to set different dates for different levels and different entities to demonstrate compliance. The acquiring bank is usually the best channel through which to discuss compliance deadlines and penalties, which are all imposed by means of the payment brand's or acquiring bank's contract with the merchant.


PCI DSS Resources

Requirements and Security Assessment Procedures – version 3
QSA Validation Requirements
To be recognised as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A.
PCI Qualified Security Assessor (QSA) Agreement
QSA Feedback Form

ASV Validation Requirements
Recognition as an ASV by PCI SSC requires the ASV, its employees, and its scanning solution to meet or exceed the described requirements and execute the “PCI ASV Compliance Test Agreement” attached as Appendix A with PCI SSC. The companies that qualify are then identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.
PCI ASV Compliance Test Agreement
Sample ASV Feedback Form

ASV Programme Guide
This document provides guidance and requirements applicable to ASVs in the framework of the PCI DSS and associated payment brand data protection programs. Security scanning companies interested in providing scan services as part of the PCI program must comply with the requirements in this document and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process.

PCI DSS Approved Scanning Vendors
This list is updated on a regular basis. Any ASV that carries out a scan must be on the list at the point that the scan is carried out.


Verified by Visa (Payer Authentication Service/3D-Secure)

Verified by Visa (VbV) is a security protocol introduced in 2005 by Visa for Internet-based transactions only (i.e. not for mail order or telephone purchases). VbV provides additional security for both the shopper and the merchant by enabling the cardholder to enter a password to validate their transaction. While a cardholder may proceed with a transaction even if they have not entered a password, the mere availability of VbV shifts the chargeback liability from the merchant to the card issuer. MasterCard has a similar scheme, SecureCode, which applies to MasterCard and Maestro cards.

For full details of Visa VbV, go to: http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/main.jsp

For full details of MasterCard SecureCode, go to http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/index.html
