Understanding PCI DSS Compliance: A Guide to Secure Payment Processing
The Fundamentals of PCI DSS: What Every Business Needs to Know
Key Requirements of PCI DSS Payment Solutions
At Gala Technology we are regularly asked about PCI DSS – What does it stand for? What does it mean for my business? How can we comply? What are the costs?
As a multi-award-winning PCI compliant payment processor, we would like to think that we are well placed to advise you on all the above questions and more.
This short guide on PCI Compliance will give you an understanding of some of the terminology and requirements, but should you need to dive deeper, please do not hesitate to reach out directly.
PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
2. What does PCI DSS stand for?
PCI DSS is an acronym which stands for the Payment Card Industry Data Security Standard. PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
3. What is the purpose of PCI DSS?
PCI DSS is a set of requirements for protecting payment account data security. These standards were developed by the PCI Security Standards Council (PCI SSC), an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis.
Simply put, it means that everyone involved in the payment process, whether the merchant or a Third Party Service Provider (TPSP), is required to ensure that the cardholder's sensitive information is kept safe and secure.
Sounds simple enough, right? But PCI compliance can pose a major challenge to organisations if they’re not equipped with the proper knowledge and tools.
4. Who does PCI DSS apply to?
The PCI DSS applies to ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
5. Where can I find the PCI Data Security Standard (PCI DSS)?
6. If I only accept card payments over the phone, does PCI DSS still apply to me?
Absolutely. The PCI DSS applies to ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data, regardless of the channel (telephone, e-commerce, face to face, etc.).
7. How does taking card payments by phone work with PCI?
The PCI SSC released some supportive documentation regarding PCI DSS compliant payments over the telephone. You can find the supplement here: Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf (pcisecuritystandards.org). For extra peace of mind, a Secure & Compliant solution such as SOTpay would make things so much easier.
8. What are the PCI DSS compliance levels?
PCI DSS Compliance is divided into four levels, based on the annual number of credit or debit card transactions that a business might process. The classification level determines what an organisation needs to do in order to remain PCI DSS compliant.
Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorised PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
9. What does a Small/Medium/SME business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?
To satisfy the requirements of PCI, a merchant must complete the following steps:
Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
Complete the Self-Assessment Questionnaire according to the instructions it contains.
Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
10. What is a PCI DSS Self-Assessment Questionnaire (SAQ)?
A PCI Self-Assessment Questionnaire (SAQ) is a merchant’s statement of PCI compliance. It is your evidence to show that you're taking the security measures needed to keep cardholder data secure at your business.
11. Which PCI DSS SAQ does my business need to complete?
There are 9 different SAQs a merchant can choose from. This will ultimately be determined by how your business processes and handles cardholder data.
For example, if all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you process credit cards through the Internet and you also store customer credit card data you will probably fall into the SAQ D category.
SAQ-A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
SAQ-A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
SAQ-B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data transmission, processing, or storage. Not for e-commerce environments.
SAQ-B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce environments.
SAQ-C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce environments.
SAQ-C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
SAQ-P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
SAQ-D (merchants) is for merchants that do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.
SAQ-D (service providers) is for service providers deemed eligible to complete an SAQ.
12. If my business only processes transactions through an e-commerce website, which SAQ do I need to complete?
This can depend on how your website and shopping cart are configured and managed.
The helpful chart below should help you choose which SAQ to use, but you may wish to double check with your acquiring partner too.
13. If my business does not store any card data, does PCI still apply?
Absolutely. The PCI DSS applies to ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data, regardless of the channel (telephone, e-commerce, face to face, etc.). Gala Technology would always recommend that you do not store card data, as it leaves you exposed to a potentially costly data breach. It can also add to the complexities when trying to evidence PCI DSS compliance.
14. Does PCI compliance apply to debit card transactions?
In-scope cards include any debit, credit, commercial and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
15. Does having an SSL certificate for my website mean we are PCI compliant?
No. An SSL certificate helps evidence "a secure connection between the customer's browser and the web server" and acts as "validation that the website operators are a legitimate, legally accountable organisation", but there are other steps to achieve PCI compliance, depending on the SAQ/compliance level required.
16. What is the definition of 'Cardholder Data'?
Cardholder data is defined on the PCI SSC website (Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards). The PCI SSC state that the Primary Account Number (PAN), the long card number across the front of the card, on its own or the full PAN alongside any of the following, is classed as 'Cardholder Data':
Cardholder Name
Expiry Date
Service Code - the digits on the back of the card
Sensitive Authentication Data (SAD) must also be protected. SAD is security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorise payment card transactions.
17. What are the requirements of PCI DSS?
There are six categories to consider when making your business PCI Compliant, which are staggered over twelve individual steps. The twelve steps to achieving PCI Compliance are:
Secure your network:
Protect your system with firewalls.
Configure passwords and settings.
Secure Cardholder Data:
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Vulnerability Management:
Use and regularly update anti-virus software.
Regularly update and patch systems.
Access Control:
Restrict access to cardholder data to business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to workplace and cardholder data.
Network Monitoring and Testing:
Implement logging and log management.
Conduct vulnerability scans and penetration tests.
Documentation and risk assessments.
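Two of the steps above, "Protect stored cardholder data" and "Implement logging and log management", meet in practice when a PAN (as defined in section 16) leaks into application logs, which then become in-scope storage. The Python below is an added example written for this guide, not code from Gala Technology or the PCI SSC: it scans log lines for digit runs that pass the Luhn check, which every branded card PAN does, and masks them to the first six and last four digits, the display limit that PCI DSS requirement 3.3 (v3.2.1 numbering, matching the 11.2 reference used later on this page) sets. The log lines are constructed; the card numbers in them are the publicly documented test numbers for Visa, Mastercard and American Express, not real accounts. The same detector, pointed at databases or file shares rather than logs, is a cheap first pass at finding unexpected cardholder data before an assessment.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines for this example (not real traffic).
# Card numbers are the public Visa/Mastercard/Amex test numbers.
LOG_LINES = [
    "2024-03-01 10:12:05 INFO order=1234567890123456 card=4111 1111 1111 1111 amount=49.99",
    '2024-03-01 10:12:07 DEBUG request body: {"pan":"5555555555554444","exp":"12/26"}',
    "2024-03-01 10:12:09 INFO customer phone 07700 900123 confirmed",
    "2024-03-01 10:12:11 INFO amex 378282246310005 authorised",
]


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> tuple:
    """Mask every Luhn-valid PAN candidate in one line.

    Returns (redacted_line, number_of_pans_masked). A digit run that fails
    Luhn (order ids, timestamps, most phone numbers) is left untouched; a
    non-card value that happens to pass Luhn will be masked too, which is the
    safe direction for this kind of filter.
    """
    count = 0

    def replace(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), count


def redact_log_lines(lines):
    """Redact a batch of lines; returns (redacted_lines, total_pans_masked)."""
    redacted, total = [], 0
    for line in lines:
        clean, n = redact_pans(line)
        redacted.append(clean)
        total += n
    return redacted, total


if __name__ == "__main__":
    cleaned, hits = redact_log_lines(LOG_LINES)
    for line in cleaned:
        print(line)
    print(f"{hits} PAN(s) masked")
```

Run as a filter in front of the log sink rather than after the fact: once a full PAN has been written to disk, that file is cardholder data storage and has to be protected, retained and destroyed under the standard. The order id on the first line is deliberately sixteen digits long to show that the Luhn check, not the length alone, decides what gets masked.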
Each SAQ includes a list of security standards that businesses must review, follow and adhere to. PCI SAQs do vary in length. For example, the Self-Assessment Questionnaire known as SAQ A is the shortest, containing only 22 questions. The longest, SAQ D, contains an incredible 329 questions.
18. What happens if my business is not PCI DSS compliant?
If you do not comply with the security requirements of card associations or the PCI Security Standards Council, then you, your business, and your customers are at severe risk of payment card compromise, which can be catastrophic. Data breaches are becoming more and more frequent, and the reputational damage they can cause to a business can be irreparable. You will also be liable for the cost of the required forensic investigations, fraudulent purchases and the cost of re-issuing cards. You may also lose your card acceptance privileges.
In addition, as mentioned above, if you do not evidence PCI compliance on an annual basis to your acquiring partner, you can also incur additional merchant service charges, costing the business hundreds or thousands of pounds.
19. What are the penalties for data breaches?
Data breaches are known by varying names. Visa refer to them as Account Data Compromise (ADC), whereas Mastercard call them Operational Reimbursement (OR) and Fraud Reimbursement (FR). Penalties vary by card schemes and by the state of compliance at the point of breach.
Visa Europe, for example, suggest that a 3000€ penalty would apply for each ADC, which could be followed by a PFI (PCI Forensic Investigation) for Level 1-3 merchants, or for Level 4 merchants who process more than ten thousand Visa cards. Each card then deemed at risk (PAN and CVV2 details) carries a further penalty of 18€.
There are hidden costs associated with an Account Data Compromise event too. These include the cost of a full compliance report from a QSA (Qualified Security Assessor), an assessor who meets specific information security education requirements and has taken the appropriate training from the PCI Security Standards Council, as well as the further migration and development costs of moving to outsourced solutions.
It should also be noted that information such as the Primary Account Number (PAN), also known as the 'long card number' on the front of the payment card, can be classed as Personally Identifiable Information (PII) under GDPR, which means that your business can be hit twice with costly penalties for a breach.
20. What is the definition of a 'merchant' under PCI?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
If your business accepts card payments then you would be classed as a 'merchant' by your acquiring partner.
21. What is the definition of a 'service provider' under PCI?
The PCI SSC defines a Service Provider as:
"Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data."
These are sometimes also referred to as a Third-Party-Service-Provider or TPSP for short.
22. If I use a third party service provider (TPSP) do I need to be PCI Compliant?
Yes. Using a third-party company to support your payment processing does not mean that you can ignore PCI DSS. It still applies. Using a TPSP can, however, reduce a business's risk exposure and the effort required to validate compliance. When selecting a TPSP to work with, you should ensure that they can evidence their own compliance with either an Attestation of Compliance (AOC) or a Report on Compliance (ROC).
23. What is a payment application under PCI?
The term payment application has a very broad meaning with regard to PCI. A payment application is anything that stores, processes, or transmits card data electronically, which could range from a physical card machine for face to face payments, to e-commerce shopping carts and payment gateways, to virtual terminals for telephony payments. You could define a payment application as 'any piece of software that has been designed to touch credit card data'.
24. What is a PCI compliant payment gateway?
We are all familiar with using card terminals in physical locations, such as a retail shop, so the easiest way to think about a PCI compliant payment gateway is as a 'virtual' card machine for your website. These are sometimes referred to as a PSP (Payment Service Processor) or an e-commerce gateway. You can find lots of helpful information about payment gateways and how they work here: SOTpay - What is a Payment Gateway
25. What is a vulnerability scan and how often do I need to run them?
An essential requirement of the Payment Card Industry Data Security Standard (PCI DSS) is 11.2, also known as the PCI vulnerability scanning requirement. It requires companies, irrespective of their size, to perform internal and external vulnerability scans quarterly (every three months) and after any significant network change. An internal or external PCI DSS vulnerability scan checks the configuration of specific devices and software through their internal or external IP addresses, such as the ports and services exposed, looking for vulnerabilities which could be exploited. PCI vulnerability scanners provide different tools and scripts designed for vulnerability testing, and alert the business that their sensitive information may be at risk.
26. Is PCI DSS law?
No, PCI DSS is not law.
PCI DSS is designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment and although it is not law, it is a contractual agreement between the merchant and their Acquirer.
If you are not PCI DSS compliant, then your organisation is exposed to potentially expensive penalties should a data breach occur.
27. Is my small business really a target for hackers trying to get card data?
Yes, small businesses are often an 'easy target' for criminals looking to steal sensitive card information or personally identifiable information, as they usually have fewer resources at their disposal. The impact of a data breach and business fraud can be dramatic, particularly for small or medium-sized enterprises (SMEs), where the losses can ruin them.