What is PCI-DSS?
The Payment Card Industry Security Standards Council (PCI SSC) is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI-DSS), which is based on security best practices. If your business takes credit/debit card payments of any kind, this international standard applies to you, and you may be subject to fines and penalties of up to $100,000/month and to revocation of the merchant ID that permits you to process payments.
Compliance Process Overview:
- Identify the appropriate Self-Assessment Questionnaire (SAQ)
- Complete the applicable SAQ documentation (SAQ & Prioritized Approach Tool until fully compliant)
- Inventory all in-scope resources (devices & people)
- Implement all applicable controls until full compliance is achieved
- Maintain compliance through continuous effort and annual attestation
1. Identify the appropriate Self-Assessment Questionnaire (SAQ)
Identifying which PCI-DSS requirements apply to your business begins with a thorough understanding of all payment card transaction processes and solutions employed throughout your organization. Compare your card processing practices to the information below and determine which ones apply.
SAQ A
Description: Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. (Not applicable to face-to-face)
Eligibility criteria:
- Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
- All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
Additionally, for e-commerce channels:
- All elements of all payment pages delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).

SAQ A-EP
Description: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data, but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. (Applicable only to e-commerce)
Eligibility criteria:
- Your company accepts only e-commerce transactions;
- All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
- Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
- If the merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
- Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

SAQ B
Description: Merchants using only: 1) imprint machines with no electronic cardholder data storage, or 2) standalone dial-out terminals with no electronic cardholder data storage. (Not applicable to e-commerce)
Eligibility criteria:
- Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.

SAQ B-IP
Description: Merchants using only standalone PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. (Not applicable to e-commerce)
Eligibility criteria:
- Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information;
- The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs);
- The standalone, IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems);
- The only transmission of cardholder data is from the PTS-approved POI devices to the payment processor;
- The POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.

SAQ C-VT
Description: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage. (Not applicable to e-commerce)
Eligibility criteria:
- Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
- Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
- Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
- Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
- Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
- Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.

SAQ C
Description: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. (Not applicable to e-commerce)
Eligibility criteria:
- Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
- The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the payment application system/Internet device from all other systems);
- The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only;
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.

SAQ P2PE
Description: Merchants using only hardware payment terminals that are included in and managed via a validated PCI SSC-listed P2PE solution, with no electronic cardholder data storage. (Not applicable to e-commerce)
Eligibility criteria:
- All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC;
- The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution;
- Your company does not otherwise receive or transmit cardholder data electronically;
- There is no legacy storage of electronic cardholder data in the environment;
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

SAQ D
Description: All merchants not included in the descriptions for the above SAQ types.
Eligibility criteria:
- SAQ D for Merchants applies to SAQ-eligible merchants not meeting the criteria for any other SAQ type.
To limit organizational risk and reduce compliance burden, businesses are strongly encouraged to employ card processing solutions designed to qualify for an SAQ as high on the list as possible (SAQ A being the easiest to comply with) while still meeting the needs of the business.
2. Complete the applicable SAQ documentation
This information serves to track progress toward full compliance and is required for reporting to the card brands (e.g. Visa, MasterCard, AMEX) and acquiring banks.
3. Inventory all in-scope resources (people & equipment)
To satisfy certain ongoing requirements, the following information must be gathered and maintained.
- Complete the “System Inventory” worksheet if SAQ A-EP, B-IP, C, P2PE, or D apply to your division. This information may be used to support vulnerability scans (6.1, 11.2), network penetration testing (11.3), and web application testing (6.5.7-6.5.10) of card processing IT devices on the business network.
- Complete the “Personnel List” worksheet if SAQ A-EP, B, B-IP, C-VT, C, P2PE, or D apply to your business. This information may be used to ensure that all personnel who have any responsibility in regards to payment card transactions, reporting, or support of card processing IT resources are enrolled in the required security awareness training (Req. 12.6).
4. Implement all applicable controls until full compliance is achieved
Until you are fully compliant with all applicable requirements as outlined in the SAQ, you must complete the Prioritized Approach Tool to track and attest to your compliance efforts.
5. Support continuous efforts
Be sure your Information Security team can provide the necessary tools and support to perform some of the required ongoing activities.
Vulnerability Scanning (Quarterly):
Internal and external vulnerability scanning should be performed at least quarterly for all card processing environments. Vulnerability details, including recommended solutions, should be made available to all appropriate personnel for mitigation purposes, and the required quarterly reports will be submitted to the applicable card brands and banks as applicable.
Network Penetration Testing (Annual):
An annual network penetration test is required for all public IP addresses associated with any card processing environment on the business network. Much like vulnerability scanning, results should be made available to all appropriate personnel for mitigation purposes, and the test must be performed by qualified personnel or a qualified third party.
Update System Inventory & Personnel List:
Keeping Information Security informed of changes to the card processing environment and personnel supporting it is critical to ensuring the ongoing success of the following efforts.
- Vulnerability scanning
- Penetration testing
- PCI security awareness
- Patching notifications
Annual PCI Security Awareness Training:
PCI-DSS awareness training is required for individuals involved in payment card processing if SAQ A-EP, B, B-IP, C-VT, C, P2PE, or D apply. The exact content of such a course is not specifically defined. Therefore, you may choose to design your own and manually facilitate and record completion. You may also choose to simply incorporate it as a module in your existing annual information security awareness training.
Third-Party Services and Products
If you engage any third-party services or payment devices/applications, it is assumed that you are using ONLY validated solutions in order to be compliant. In addition, you must contractually establish responsibility with the vendor if they are expected to satisfy any applicable "merchant" requirements.
Validated Payment Applications:
All payment applications must be PCI validated and listed on the Validated Payment Applications registry. If it's not listed, demand the vendor provide evidence of their attestation of compliance for the specific application.
Validated Service Providers:
All service providers must be assessed by a third-party Qualified Security Assessor (QSA) to attest to their PCI-DSS compliance on an annual basis. If a vendor is not listed, request a signed, up-to-date Attestation of Compliance (AOC) from them, as it's possible the following registries are not quite up-to-date.
Validated Point-to-Point Encryption (P2PE) Solutions:
Approved PIN Transaction Security (PTS) Devices: