The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC) which is governed by the following payment brands:
The route to compliance recommended by the PCI SSC is often referred to as the “Prioritized Approach”; it is designed to show organizations where to start and how to reduce the most risk early in their compliance journey. It is important to note that PCI DSS compliance should not be treated as a project with a beginning and an end. The goal is to build the 12 PCI DSS requirements into the organization’s ‘business as usual’ processes and procedures for handling cardholder data, so that compliance is maintained continuously rather than re-established once a year.
PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. Any organization that stores, processes or transmits cardholder data (CHD) as part of payment card processing is usually contractually required (through its agreement with its acquiring bank or payment processor) to be PCI DSS compliant. Failure to comply can result in penalty fines being levied against the organization.
Cardholder data is the following information on credit/debit cards:
Sensitive Authentication Data (SAD) is the following information on credit/debit cards:
Note: SAD must never be stored after authorization, even if it is encrypted.
The Cardholder Data Environment (CDE) consists of the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, together with any system components connected to them. System components may include network devices, servers, computing devices and applications.
Examples of people and system components within a CDE could be:
PCI DSS assigns a role to each entity involved in payment card processing. It is vital that you understand which role your organization plays, and which roles are played by the other entities you rely on, because the role determines what you are responsible for validating.
Such entities include:
Merchants and service providers are categorized into levels depending on the volume of card payment transactions the organization processes per year. Merchants can fall into one of four levels, with Level 1 being the highest and Level 4 the lowest; service providers are generally categorized into two levels (Level 1 and Level 2). The higher the level, the more rigorous the validation required.
However, the transaction volume thresholds that determine your organization’s level vary between the payment brands (Visa, MasterCard, American Express, Discover and JCB), so the same organization can be placed at different levels by different brands. It is therefore highly recommended that you confirm your organization’s transaction volume and level with your acquiring bank. Once you have determined your level you will know which validation methods are required for PCI DSS compliance.
As the organization approaches the end of its compliance journey, you will need to start thinking about submitting the appropriate documentation to your acquiring bank. We suggest you begin by contacting your acquiring bank to obtain their preferred method of submitting the compliance documents. Some banks ask you to email the relevant documents to them, whilst others offer portals to log into and upload them.
If your organization falls within the definition of Level 1 for merchants or service providers, you are required to submit compliance documents produced by a Qualified Security Assessor (QSA). QSA companies are independent security organizations that have been accredited by the PCI Security Standards Council to validate an organization’s adherence to PCI DSS. A list of QSA companies can be found on the PCI SSC website.
Completed by a QSA and only required of Level 1 merchants and service providers, a Report on Compliance (RoC) provides a comprehensive record of how the organization meets each of the 12 PCI DSS requirements, along with all of the testing performed and evidence collected during the assessment. The report should also clearly describe how the assessor validated each requirement and the resulting findings.
Depending on the level of the organization, a Self-Assessment Questionnaire (SAQ) may be all that is required to be completed and submitted. SAQs are validation tools designed to help organizations self-evaluate their compliance with PCI DSS. There are multiple types of SAQ, each corresponding to a different way in which card payments are accepted and processed, so it is important that the organization selects the SAQ(s) that actually apply to it; choosing the wrong SAQ can leave applicable requirements unassessed. Section three of this document will give you a good idea of which SAQ(s) apply, but we strongly recommend that you also refer to the PCI SSC website for further information before making a final selection.