
What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC) which is governed by the following payment brands:

  • MasterCard
  • VISA
  • American Express
  • JCB
  • Discover Financial Services

The PCI SSC’s recommended route to compliance is often referred to as the “Prioritized Approach”: it groups the requirements into six milestones so that organizations know where to start and reduce the highest risks early in their journey. It is important to note that PCI DSS compliance should not be treated as a project with a beginning and an end; rather, the goal should be to build the 12 requirements of PCI DSS into the organization’s ‘business as usual’ processes and procedures for handling cardholder data.

Who needs PCI DSS?

PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. Any organization that stores, processes or transmits cardholder data (CHD), or that could affect the security of that data, is normally required by its contract with its acquirer or the payment brands to be PCI DSS compliant. Non-compliance can result in fines levied by the payment brands through the acquirer, higher transaction fees and, ultimately, loss of the ability to accept cards.

The 12 requirements of PCI DSS

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. These requirements are broken down into 12 areas (the titles below use the PCI DSS v3.2.1 wording; v4.0, published in March 2022, keeps the same 12 areas under revised titles):

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

What is Cardholder Data (CHD)?

Cardholder data is the following information on credit/debit cards:

  • Primary Account Number (PAN) – The long number printed or embossed across the front of the card. It is typically 16 digits but can be anywhere from 13 to 19 (American Express cards use 15). The PAN is the defining element: the other items below are only cardholder data, and only in scope for PCI DSS, when they are stored or handled together with a PAN.
  • Cardholder Name – The name of the person(s) associated with the card.
  • Expiration Date – The date the card expires.
  • Service Code – A three-digit value encoded in the magnetic stripe or chip that defines where and how the card may be used: whether it is valid internationally or domestically only, whether transactions must be authorized online with the issuer, and whether use is restricted (for example, goods and services only, or ATM only) or requires a PIN.

What is Sensitive Authentication Data (SAD)?

Sensitive Authentication Data is the following information on credit/debit cards:

  • Full Track Data – The full contents of the magnetic stripe on the back of the card, the equivalent data on the chip, or that data held anywhere else (for example, in a payment application’s memory or logs).
  • CAV2/CVC2/CVV2/CID – The three-digit value printed on the back of the card next to the signature panel, or the four-digit value (CID) printed on the front of American Express cards, used to show the card is in the customer’s possession in card-not-present transactions.
  • PIN/PIN BLOCK – The personal identification number entered by a cardholder during a card-present transaction, and/or the encrypted PIN block present within the transaction message.

Note: Sensitive authentication data must not be stored after authorization, even if encrypted, and even if the PAN is not stored (the only exception is an issuer with a legitimate business need). A terminal may hold it briefly while a transaction is authorized, but it must never end up in logs, databases, backups or crash dumps.
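The distinction drawn in the two sections above, between CHD, which may be kept if protected, and SAD, which must not be stored at all, is easiest to see in a log-scrubbing check. The following Python is an added example written for this page, not code from CertiKit or the PCI SSC. The log lines are constructed; the track 2 layout it parses (PAN, ‘=’ separator, YYMM expiry, three-digit service code, discretionary data) is the standard one; the first-six/last-four mask is the display rule of PCI DSS v3.2.1 requirement 3.3; and the regular expressions are deliberately simple. It masks PANs, removes full track 2 data and card verification values outright, and uses the Luhn check so that invoice numbers are not mistaken for PANs.

```python
"""Scan log lines for cardholder data (CHD) and sensitive authentication data (SAD).

Constructed example for illustration; not CertiKit or PCI SSC code. The patterns
are deliberately simple and would need tuning before use as a real control.
"""
from __future__ import annotations
import re

# Track 2 layout: PAN, '=' separator, expiry as YYMM, three-digit service code,
# then discretionary data. The track as a whole is SAD; the PAN, expiry and
# service code it carries are the individual CHD elements.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")  # PANs are 13 to 19 digits, not always 16
CVV_RE = re.compile(r"\b(?:cav2|cvc2|cvv2|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)

# Constructed sample log; the PANs are the well-known Visa and Amex test numbers.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 POS-07 sale approved pan=4111111111111111 exp=2612 amount=19.99",
    "2024-01-05 12:00:02 POS-07 debug track2=4111111111111111=2612101123456789",
    "2024-01-05 12:00:03 WEB order 12345 cvv2=123 name=J. Smith",
    "2024-01-05 12:00:04 WEB order 12346 invoice=1234567890123 amount=5.00",
    "2024-01-05 12:00:05 WEB order 12347 pan=378282246310005 amount=120.00",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which separates real PANs from invoice or order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the display limit in
    PCI DSS v3.2.1 requirement 3.3."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> tuple[str, list[dict]]:
    """Return (redacted line, findings) for one log line.

    PANs are masked because CHD may be retained if protected; track data and
    card verification values are removed outright because SAD must not be stored.
    """
    findings: list[dict] = []

    def on_track2(m: re.Match) -> str:
        pan, yy, mm, service = m.group(1), m.group(2), m.group(3), m.group(4)
        if not luhn_valid(pan):
            return m.group(0)
        findings.append({
            "kind": "TRACK2", "class": "SAD", "pan": mask_pan(pan),
            "expiry": f"{mm}/{yy}", "service_code": service,
            # first digit 1 or 2: international interchange; 5 or 6: national only
            "international": service[0] in "12",
        })
        return "[TRACK2 REMOVED]"

    def on_pan(m: re.Match) -> str:
        pan = m.group(0)
        if not luhn_valid(pan):
            return pan  # e.g. a 13-digit invoice number
        findings.append({"kind": "PAN", "class": "CHD", "pan": mask_pan(pan)})
        return mask_pan(pan)

    def on_cvv(m: re.Match) -> str:
        findings.append({"kind": "CVV", "class": "SAD"})
        return m.group(0).replace(m.group(1), "[CVV REMOVED]")

    # Track data first, so the PAN it contains is not reported twice.
    redacted = TRACK2_RE.sub(on_track2, line)
    redacted = PAN_RE.sub(on_pan, redacted)
    redacted = CVV_RE.sub(on_cvv, redacted)
    return redacted, findings


def scan_log(lines: list[str]) -> dict:
    """Redact every line and count findings by data class."""
    counts = {"CHD": 0, "SAD": 0}
    redacted_lines = []
    for line in lines:
        redacted, findings = scan_line(line)
        redacted_lines.append(redacted)
        for f in findings:
            counts[f["class"]] += 1
    return {"counts": counts, "lines": redacted_lines}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print(result["counts"])
    for line in result["lines"]:
        print(line)
```

Run against the sample log, the debug line carrying track 2 data and the line carrying a CVV2 are the two SAD findings a QSA would treat as a storage violation, while the two PANs are reported as CHD and masked; the 13-digit invoice number is left alone because it fails the Luhn check.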

What is the Cardholder Data Environment (CDE)?

The Cardholder Data Environment (CDE) comprises the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. System components include network devices, servers, computing devices and applications. Systems that are connected to the CDE, or that could affect its security (for example, authentication servers, logging servers or jump hosts), are also in scope for PCI DSS even if they never touch cardholder data, which is why network segmentation is the usual way to reduce the scope of an assessment.

Examples of people and system components within a CDE could be:

  • A cashier attendant using a till/checkout in a shop.
  • An ecommerce website on the Internet. The web server hosting this website would be a system component.
  • A PIN Entry Device (PED, also known as a Chip and Pin Device) in a supermarket.

What are the roles within PCI DSS?

PCI DSS applies roles to each entity involved in payment card processing. It is vital you understand what role your organization, and those of other entities you use, play.

Such entities include:

  • Merchant – an entity that accepts payment cards bearing the logos of any of the payment brands as payment for goods and/or services.
  • Acquirer – an entity, typically a financial institution (for example, a bank) that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Also referred to as “merchant bank”, “acquiring bank”, or “acquiring financial institution”.
  • Processor – an entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
  • Issuer – an entity that issues payment cards or performs, facilitates or supports issuing services including, but not limited to, issuing banks and issuing processors. Also referred to as “an issuing bank” or “issuing financial institution”.
  • Service provider – a business entity that is not a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems and other services, as well as hosting providers.

Merchant and service provider levels

Merchants and service providers are categorized into levels depending on the volume of card payment transactions the organization processes per year. Merchants fall into four levels, with Level 1 the highest and Level 4 the lowest (a payment brand can also place any merchant that has suffered a breach into Level 1 regardless of volume). Service providers are typically categorized into two levels on the same basis.

However, the volume of transactions per year that determines the categorization level of your organization also varies between the payment brands (Visa, MasterCard, American Express, Discover, and JCB). Therefore, it is highly recommended you confirm your organization’s transaction volume and categorization level with your acquiring bank. Once you have determined your level you will know what validation methods are required for PCI DSS compliance.

Submitting compliance

Once your business is nearing the end of its compliance journey you will need to start thinking about submitting the appropriate documentation to your acquiring bank. Depending on your merchant or service provider level, and on how you process payments, you will either complete a Self-Assessment Questionnaire (SAQ) or commission a Report on Compliance (ROC) from a Qualified Security Assessor (QSA); in either case the result is submitted together with a signed Attestation of Compliance (AOC).

Qualified Security Assessor and Report on Compliance

If your organization falls within the Level 1 definition for merchants or service providers, you are required to submit a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA). QSA companies are independent security firms accredited by the PCI Security Standards Council to validate an organization’s adherence to PCI DSS; a list of them is published on the PCI SSC website.

A Report on Compliance documents how the organization meets each of the 12 PCI DSS requirements, together with the evidence collected and the testing performed during the assessment. It should clearly describe how each requirement was validated and the resulting findings, and it is accompanied by an Attestation of Compliance (AOC) signed by both the organization and the QSA.

Self-Assessment Questionnaire

Depending on the level of the organization, a Self-Assessment Questionnaire (SAQ) may be all that is required to be completed and submitted. SAQs are validation tools designed to assist organizations in self-evaluating their compliance with PCI DSS. There are multiple types of SAQ, each corresponding to a different way of processing card payments (for example, fully outsourced ecommerce, standalone dial-out terminals, or merchants that store cardholder data electronically), and choosing the wrong one means either missing controls or doing unnecessary work. It is important the organization selects the SAQ(s) applicable to it, and we recommend referring to the PCI SSC website, and confirming with your acquirer, to select the SAQ(s) best suited to your organization.

Annual certification

There is no official PCI DSS certificate: the PCI SSC does not certify organizations, and the record your acquiring bank relies on is the Attestation of Compliance (AOC) that accompanies your Report on Compliance or Self-Assessment Questionnaire. Some QSA companies issue their own compliance certificate or seal, which you may choose to display on your website, but it carries no standing with the PCI SSC or the payment brands. As with many compliance standards, it is all about continual development: you will need to revalidate and submit to your acquiring bank annually and, for many validation types, pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

How can CertiKit help?

Written by a CISSP-qualified audit specialist, together with a technical expert working at the sharp end of PCI DSS compliance, our PCI DSS toolkit includes all the policies, controls, processes, procedures, checklists and other documentation you need to keep cardholder data safe and meet the requirements of PCI DSS.

Download our PCI DSS implementation guide

Learn more about the PCI DSS standard by downloading our free implementation guide:

Privacy Policy

When you request to download our free implementation guide, we use your name, company name (which is optional) and your email address to email you a link to download the requested document. We may also email you after your download in order to follow up on your interest in our products and services. We will do this based on our legitimate interest in marketing to prospects for our products and services. Your name and email address are stored on our website which is hosted with Digital Ocean. Your personal data is stored for one year after you requested your download, after which it is deleted.

Over 3000 businesses have purchased our toolkits

Testimonials

The documents are excellent in covering a vast number of key areas in terms of ISO. I particularly like the layout and the comprehensive nature of the documents provided.

Senior Manager
GTI Group, UK
