Introduction to PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards managed by the Payment Card Industry Security Standards Council (PCI SSC). The aim of the Standard is to protect cardholder data from misuse and fraud. Visa, Mastercard, American Express, Discover and JCB (also referred to as the Payment Brands) formed the PCI SSC to administer and manage security standards that apply to all merchants who offer these cards as payment options to their customers.
PCI DSS defines a set of technical and operational requirements that help protect cardholder data and reduce fraud and data breaches across the entire payment ecosystem. Complying with the requirements helps you maintain your customers' trust.
PCI DSS applies to all entities involved in payment card processing (including merchants, processors, acquirers, issuers, and service providers), and any entity that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS Levels - What level of compliance do you need to meet?
The PCI Security Standards Council has established compliance levels for merchants based on the number of payment card transactions you process annually. The more transactions you process, the higher the standard of compliance and assurance required. The four levels are:
Level 1: >6 million card transactions annually.
Level 2: 1 to 6 million transactions annually.
Level 3: 20,000 to 1 million transactions annually.
Level 4: Up to 20,000 transactions annually.
The Acquirer will seek to determine your PCI DSS level at the time of onboarding; however, this level may change over time.
PCI DSS Compliance and Validation Requirements
Merchants have an obligation to protect card data, to assess their PCI DSS compliance on an annual basis and provide regular updates to the Acquirer on their compliance activities.
You can validate your compliance by:
- Level 1 Merchant: Engage a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you.
- Level 2 Merchant: Complete a Self-Assessment Questionnaire (SAQ).
- Level 3 and 4 Merchant: Complete a Self-Assessment Questionnaire (SAQ), or start by considering the Prioritised Approach made available by the PCI SSC.
| | Level 1 | Level 2 | Level 3 and 4 |
|---|---|---|---|
| Type of Assessment | Onsite Assessment | Self-Assessment | Determined by payment brand or acquirer |
| Reporting Requirements | ROC and ASV scan report | SAQ and ASV scan report | Determined by payment brand or acquirer |
Please Note: This is a summarised overview only - Merchants should consult with their acquirer or payment brand directly to understand each brand's validation criteria and reporting requirements.
Results of the PCI DSS compliance assessment must be captured in an official PCI validation document and then provided to the acquirer.
PCI DSS Requirements
The PCI DSS is a set of comprehensive requirements for enhancing the security of payment card account data. The PCI DSS requirements documents can be viewed and downloaded from the PCI SSC Document Library.
Below is a high-level overview of the 12 PCI DSS requirements.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Acquirer and merchant’s role in meeting PCI DSS compliance
Compliance with the PCI DSS requires ongoing activity and investment. When you use the acquirer's payment services, you outsource most of the PCI DSS responsibilities to the acquirer, reducing the compliance burden on your business. However, because you accept card payments, some PCI DSS requirements will remain within your scope.
The acquirer is responsible for the security of cardholder data as soon as the acquirer receives it. After the acquirer receives cardholder data, it is managed in the acquirer's PCI DSS Level 1 Service Provider Cardholder Data Environment. The acquirer's PCI DSS compliance is assessed annually by an independent QSA.
The acquirer is required to report to the payment schemes/brands twice a year on the compliance status of its merchants (Levels 1 to 3, and any Account Data Compromise (ADC) events). Currently no reporting is required for Level 4 merchants (a risk-based approach is taken).
Reporting submissions are due before 31st March and 30th September.
You are required to provide your up-to-date PCI compliance status update to the acquirer, at least one week before each due date.
You are responsible for making sure that cardholder data is secure and protected before the data reaches the acquirer.
You should also:
- Review and understand the PCI Security Standards.
- Understand the compliance validation and reporting requirements.
- Validate and report compliance to the acquirer or payment brands as applicable.
- Maintain ongoing compliance, not just during assessment.
- Read and incorporate communications from the payment brands, acquirers, and the PCI SSC throughout the year.
Implications of non-compliance with PCI DSS
If a business does not comply with PCI standards, it is at risk of:
- Fines from the payment brands.
- Termination of the relationship by the bank, ending the merchant's ability to process card payments.
- Increased transaction fees from the bank.
- Data breaches.
- Brand damage, and more.
PCI DSS Version 4.0
PCI SSC released a new version of the PCI DSS (PCI DSS v4.0) in March 2022. The currently active PCI DSS v3.2.1 will retire on 31st March 2024. All merchants assessing for PCI DSS after 31st March 2024 will need to be assessed against the PCI DSS v4.0 requirements.
For a summarised view on PCI DSS v4.0, you can access the document ‘PCI DSS v4.0 At a Glance’.
PCI DSS Resources
The PCI Security Standards Council (PCI SSC) website contains several resources to assist organizations with their PCI DSS assessments and validations, including:
- Document Library
- Frequently Asked Questions (FAQs)
- Resources for Merchants
- PCI training courses and informational webinars
- List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
- List of PTS approved devices and PA-DSS validated payment applications