PCI DSS Compliance

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. These standards are intended to protect cardholder data and reduce credit card fraud. The current version of PCI DSS can be found in the document library on the official PCI SSC website: https://www.pcisecuritystandards.org/document_library/.

PCI DSS Merchant Levels

Merchants are categorised into four levels based on the volume of card transactions they process annually:

Level 1:

  • Criteria: Merchants processing over 6 million transactions annually.
  • Requirements:
    • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA).
    • Quarterly network scan by an Approved Scanning Vendor (ASV).
    • Attestation of Compliance (AOC) form.

Level 2:

  • Criteria: Merchants processing 1 to 6 million transactions annually.
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Quarterly network scan by an ASV.
    • AOC form.

Level 3:

  • Criteria: Merchants processing 20,000 to 1 million e-commerce transactions annually.
  • Requirements:
    • Annual SAQ.
    • Quarterly network scan by an ASV.
    • AOC form.

Level 4:

  • Criteria: Merchants processing fewer than 20,000 e-commerce transactions annually or up to 1 million total transactions annually.
  • Requirements:
    • Annual SAQ.
    • Quarterly network scan by an ASV.
    • AOC form.

SAQ Types for Merchants

The Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to demonstrate compliance with PCI DSS. The SAQ has different types based on the manner in which merchants process card transactions:

  • SAQ A: For merchants with card-not-present (e-commerce or mail/telephone-order) transactions, with all cardholder data functions outsourced.
  • SAQ A-EP: For e-commerce merchants using a third-party service provider for payment processing.
  • SAQ B: For merchants using only imprint machines or standalone, dial-out terminals.
  • SAQ B-IP: For merchants using only standalone, PTS-approved payment terminals.
  • SAQ C-VT: For merchants processing cardholder data via virtual terminals on computers connected to the internet.
  • SAQ C: For merchants with payment applications connected to the internet.
  • SAQ D: For all other merchants not covered by the above categories.

PCI DSS Documentation for Service Providers

Service providers must provide comprehensive documentation to demonstrate PCI DSS compliance. This includes:

  • Attestation of Compliance (AOC): A document signed by a QSA or the service provider indicating compliance with PCI DSS.
  • Report on Compliance (ROC): A detailed report produced by a QSA documenting the service provider’s compliance status.
  • Self-Assessment Questionnaire (SAQ) D for Service Providers: For certain service providers, this self-assessment questionnaire may be used instead of the ROC and AOC.
  • Quarterly Network Scans: Conducted by an ASV to ensure network security.
  • Internal Security Policies: Policies and procedures demonstrating adherence to PCI DSS requirements.

Ensuring PCI DSS Compliance with PAYSTRAX

PAYSTRAX, a leading payment service provider, ensures PCI DSS compliance through a robust security framework that adheres to all 12 requirements of PCI DSS across all processes involving the processing, transmission, and storage of cardholder data. The key executives and their responsibilities in maintaining this compliance include:

  • Chief Security and Risk Officer (CSRO): Responsible for overseeing the company’s overall security strategy and risk management.
  • Information Security Specialist: Manages and implements security measures to protect cardholder data and ensures compliance with the PCI DSS standard.
  • Chief Technology Officer (CTO): Leads the development and implementation of technology solutions that adhere to PCI DSS requirements.
  • Chief Financial Officer (CFO): Ensures that all financial transactions and reporting comply with PCI DSS standards and oversees the financial implications of compliance efforts.

Working with Qualified Security Assessors (QSAs)

For large merchants (Level 1) who store credit card data or have a more complex payment flow, it is often necessary to work with a PCI QSA. QSAs are qualified security professionals who can help organisations navigate the complexities of PCI DSS compliance. There are more than 350 QSA companies around the world that can assist with compliance validation and provide the necessary reports and attestations.

Conclusion

PCI DSS compliance is crucial for safeguarding cardholder data and maintaining the trust of customers. Merchants and service providers must understand their specific requirements and take the necessary steps to ensure compliance. Because every PCI DSS requirement must be fully implemented, it is important to stay up to date with the latest standards and best practices. PAYSTRAX stands out by not only ensuring its own compliance but also enforcing strict standards for its service providers, thereby creating a secure and reliable payment ecosystem.