The PCI SSC (Payment Card Industry Security Standard Council) is a governing organization and open global firm responsible for the development, management, education, and awareness of the PCI security standards including PCI DSS and PA DSS. It consists of 5 major payment brand: Visa, Master Card, American Express, Discover, JCB. The PCI DSS (payment card industry data security standard) is a set of standards for companies of any size, that accepts card payments. Ensuring PCI compliance helps companies to keep sensitive personal data of customers secure. For details information about PSI DSS, you may visit their official site.
PCI DSS Certification
PCI certification assures the security of card data at your business through a set of conditions established by the PCI SSC. These include a number of commonly known best practices, such as:
Installation of firewalls
Encryption of data transmissions
Use of anti-virus software
PCI DSS Requirements
Maintain a Secure Network 1. Companies should create their own firewall configuration policy. 2. Should not use vendor-supplied defaults for system password and security parameters. Protect Cardholder Data 3. Transmission of cardholder data across the open, public network is always done in an encrypted manner. 4. Protect the stored cardholder data. Vulnerability Management Program 5. Use antivirus software and also ensure that it is regularly updated. 6. Companies should opt for security systems and applications. Implement Access Control Measures 7. Restrict access to cardholder data to a limited number of employees 8. Assign a unique ID to each person, who have computer access. 9. Restrict physical access ( provides an opportunity for persons to access or remove devices, data, systems, etc) to cardholder data. Regularly Monitor or Test Network 10. To Track and monitor all access to network resources and cardholder data. 11. Security systems and processes need to be regularly tested. Maintain Information Security Policy 12. Companies should maintain a concrete information security policy, which should include all the acceptable uses of technology, all annual risk analysis processes, operational security procedures, etc.
PCI DSS Compliance levels
Level 1: Any merchant that processes over 6 million card transaction per year. Submission of annual Report On Compliance (ROC) by a Qualified Security Assessor (QSA) or by an internal auditor – if signed by the officer of the company. PCI QSA is a designation conferred by PCI security standard Council. PCI QSA is hired to conduct a PCI assessment or advise the organization, how to achieve PCI compliance. Secure a regular network by an Approved Scanning Vendor (ASV). PCI ASV is a company that has been qualified and officially certified by a PCI security standard council (SSC) to perform an external vulnerability assessment. Complete an attestation of compliance (AOC) Level 2: Any merchant that processes 1milion – 6 million card transaction per year. Secures a regular network by ASV. Do an annual self-assessment questionnaire. (SAQ).Complete an association of compliance (AOC) Level 3: Any merchant that processes 20,000 – 1 million card transaction per year. Secure a regular network by ASV. Do an annual self-assessment questionnaire. Complete an association of compliance (AOC) Level 4: Any merchant that processes fewer than 20,000 card transaction per year. Secures a regular network by ASV. Do an annual self-assessment questionnaire. Complete an assertation of compliance (AOC)
Self Assessment Questionaire (SAQ)
SAQ A: ( card-not-present merchants, all cardholder data fully outsourced )
The company accepts only card-not-present (e-commerce or mail/telephone order) transactions.
All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service providers.
Company doesn’t electronically stores, process, or transmit any cardholder data on system or premises but relies entirely on the third party to handle all these functions.
The company must confirm that third-party handling storage, processing and other transmissions of cardholder data are PCI DSS compliant the cardholder data, that the company retains is on paper ( eg: reports, receipts, etc )
This SAQ would not be applicable to face to face channels
SAQ EP: ( partially outsourced e-commerce merchants, using third party website for payment processing)
The company accepts only e-commerce transactions.
SAQ EP merchants are e-commerce merchants who partially outsource their payment channels to a PCI DSS validated the third party.
All processing of cardholder data except payment page is entirely outsourced to a PCI DSS validated third-party payment processor.
Involves merchants that don’t receive cardholder data, but control how cardholder data is restricted to a PCI DSS validated third-party payment processor.
The company do not electronically stores, process and transmit any cardholder data on system premises.
Any cardholder data that the company retains is on paper. ( i.e. printed reports and receipts)
The company must confirm that third-party handling storage, processing and other transmissions of cardholder data are PCI DSS compliant
SAQ B: (merchants with only imprint machines or only standalone, dial-out terminals. No electronic cardholder data storage)
The SAQ B should be filled by the businesses that only process the credit cards via imprint machines or via standalone dial-out terminal.
Imprint machines are a non-electronic, manually operated machine that makes the imprint of the face of the credit card, whereas, the standalone terminal is the electronic point of sale device where customers insert their payment cards to pay for goods.
The dial-out terminal connects directly to the phone line i.e. each time the card is processed, the terminal makes the call to the processor and transmits the information.
Dial-out terminals are not connected to any other computer, network, and internet.
Company does not store cardholder data in electronic format
Cardholder data, the company retains is on paper.
SAQ B-IP: ( Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) terminals, No Electronic Cardholder Data Storage)
This SAQ is for merchants who use regular terminals that connect via IP (not dial-up phone line) i.e. they have ethernet cables that connect to a router or modem which in turn connect to an internal network or internet service provider.
Applicable for brick and mortar or mail/telephone order merchants
No electronic storage of card data.
SAQ C-VT: ( merchants with web-based virtual terminals, no electronic cardholder data storage)
Applicable to the merchants who processed cardholder data only thorough isolated virtual payment terminal on a PC connected to an internet
The virtual payment terminal is a web-browser-based to an acquirer, processor or a third party service provider website to authorize payment card transactions, where merchant manually enters payment card data through a securely connected web browser.
Virtual payment terminal solution is given and hosted by a PCI DSS validated third-party service provider
Does not store data in electronic format
Cardholder data, the company retains is on paper.
SAQ C: (Merchants with Payment Application Systems Connected to the internet)
No Electronic Cardholder Data Storage
Merchants process cardholder data via point of sales (POS) systems, that are connected to the internet but don’t store any cardholder data
Merchant stored cardholder data including legacy data
Stores card data electronically and do not use the P2PE certified POS system
E-commerce merchants who accept cardholder data on their website
Covers all 12 requirements.
How to Get More Information
To make compliance easier, If you want more extensive information concerning the processing of PCI DSS compliance, you may read our use case based on how we build " Credit Fraud Detection" analytics platform for a leading bank. We help organizations—from large companies to startups and small and medium enterprises who wish to become PCI DSS compliant can contact us to discuss their requirements. We would be happy to assist you.