PCI awareness temp

Published: 22.11.2023
Updated: 23.02.2024

PCI DSS Merchant Information

Payment Card Industry Data Security Standard (PCI DSS)

All merchants accepting card payments and service providers that could impact the security of the cardholder data environment must comply with the security requirements defined in the Payment Card Industry Data Security Standard (PCI DSS).

The terms and conditions of the Nets acceptance agreement require a merchant to be PCI DSS compliant at all times and to present the corresponding documentation on request.

This information provides technical and organisational guidance in line with the relevant requirements and the acceptance agreement.

What is PCI DSS about?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements that aims to secure the payment ecosystem in general and to protect card data in particular against global security threats.

It was developed by the Payment Card Industry Security Standards Council (PCI SSC) – a global forum of industry stakeholders facilitated by the leading payment brands – to fight increased card data theft and the subsequent fraudulent use of stolen card data. It thereby addresses related evolving industry risks, including financial liability for all parties involved, and helps prevent loss of consumer trust.

PCI DSS is the security best practice framework to protect merchants, cardholders and industry stakeholders, adapting to evolving threats and supporting safe payments worldwide.

Broadly speaking, PCI DSS is about protecting card data and building cardholder trust as the foundation of our industry ecosystem.

What does PCI DSS Compliance mean?

PCI DSS Compliance is meeting PCI DSS requirements at all times and having valid documentation as proof thereof.

Valid PCI DSS compliance documents are either a correctly completed PCI DSS Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC) / Report on Compliance (ROC), which might have to be accompanied by clean ASV scan reports.

PCI DSS validation must be renewed annually. Further ongoing security measures (e.g. quarterly ASV scans, regular software patching, network monitoring, change of passwords, etc.) are to be managed by the merchant or their assigned service providers.

In case any security requirement is not met, the merchant is required to instantly apply appropriate remediation measures to meet the security standards.

Who needs to be PCI DSS compliant?

The PCI DSS standard applies to all organisations that accept, store, process, or transmit cardholder data and/or sensitive authentication data or that could impact the security of the cardholder data environment. This includes all entities involved in payment card account processing and relevant environment — including merchants, processors, acquirers, issuers, and other service providers.

It is a crucial responsibility of merchants accepting credit card payments to be PCI DSS compliant at all times and to ensure that all relevant service providers engaged by them are PCI compliant, too.

PCI DSS compliance validation is also required for organisations that have fully outsourced all cardholder data functions to PCI compliant service providers.

Why is PCI DSS compliance relevant for me as a merchant?

PCI DSS compliance is promoted through the card associations (payment brands), which have mandated security programs as a core requirement in their regulations (e.g. Visa AIS, Mastercard SDP). These programs comprise PCI compliance monitoring, reporting and sanctions. Based on this, the merchant agreement determines PCI DSS compliance as a prerequisite for card acceptance, with corresponding liabilities.

Protecting payment and customer data as a main asset of the merchant business protects against severe financial and reputational risks and is also crucial for building customer trust as a foundation for a prospering, sustainable business.

Recognised as a global standard beyond the payments industry, PCI DSS certification is acknowledged by further institutions, insurance companies, industry bodies (e.g. IATA) and consumers as a demonstration of compliance with up-to-date data security standards, and might exclude gross negligence.

What are the advantages of being PCI DSS compliant?

Advantages of PCI DSS compliance are:

Securing your business assets and customer data

Ensuring flawless uninterrupted payment processing

Maintaining secure systems based on focussed best practice industry framework

Application of efficient defence against data breaches

Preventing loss of revenue, financial liabilities and sanctions by defending against data theft

Protecting your company reputation and brand

Promoting data security and trust to customers and third parties (e.g. card associations and acquirers, insurers, IATA)

Adhering to contractual commitments

How do I validate PCI DSS compliance?

Validation requirements for entities subject to PCI DSS compliance vary depending on the nature of the business, the complexity and scope of the environment, and the number of transactions processed by the merchant.

Three main tools for PCI DSS compliance validation are:

Self-Assessment Questionnaire (SAQ)¹: Requires completion and confirmation of the applicable self-assessment questionnaire.

On-Site Audit³: PCI DSS compliance is assessed on-site by a PCI SSC approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), who provides and signs the official PCI compliance validation document, the Report on Compliance (ROC) / Attestation of Compliance (AoC).

ASV Network Scan⁵: Network scan for vulnerabilities, conducted on a quarterly basis by a PCI SSC Approved Scanning Vendor (ASV).

While PCI DSS compliance has to be maintained at all times, attesting to it is an annual exercise.

PCI DSS compliance is valid for the specific environment attested to. Relevant changes impacting the card data environment, e.g. software, terminals, website, service providers, might require renewal of the attestation.

For details on PCI DSS merchant validation requirements, see the table below, “What PCI DSS validation requirements apply to a merchant?”

Who bears the cost of PCI DSS compliance?

All costs related to merchant PCI DSS compliance are to be borne by the merchant. This includes validation measures and amendments required to address deficiencies and vulnerabilities.

Also, all costs related to merchant PCI DSS noncompliance and data breaches are to be borne by the merchant.

What is the risk of being non-compliant to PCI standards?

Impacts and severe risks of being PCI noncompliant include, by way of example (non-comprehensive list):

Breach of contractual duty which might result in noncompliance fees, fines and further sanctions for PCI noncompliance

Security gaps providing for potentially underestimated risk of

Unintended exposure or loss of sensitive data

Accidental or fraudulent exploitation of organisational or system vulnerabilities

Malicious manipulation of payment infrastructure (devices, system environment, organisation)

Cyber breaches

facilitating card data theft, ransomware attacks, and GDPR violations

Business risks and liabilities resulting from data breach (financial, reputational, operational impact), e.g.:

Abrupt suspension of card processing and thus loss of sales revenue after data breach

Unscheduled remediation works to fix vulnerabilities

Enforcement of ad-hoc forensic investigation and PCI DSS onsite audit by QSA

Increased fees, fines and recovery costs from card associations related to breach

Reputational damage and media attention

Public reporting requirements and financial sanctions from regulators

Loss of consumer trust as foundation of your business, the industry ecosystem and stakeholders

* Note: The question is not whether your business will be the target of a data security incident but rather when it will happen. Be prepared.

What are the core technical and organisational requirements of PCI DSS?

For a high-level baseline of the technical and operational requirements of PCI DSS, see the table below:

PCI DSS requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that handle cardholder data or sensitive authentication data. (extract from Navigating PCI DSS: Understanding the Intent of the Requirements, PCI Security Standards Council LLC)

For further information on the current version of the standard, refer to the PCI SSC’s website.

What PCI validation requirements apply to a merchant?

Card associations have outlined which validation measures are required as proof of PCI DSS compliance and which corresponding documents must be provided, as defined for the merchant’s PCI level.

Classification criteria for merchant PCI levels are the merchant’s processing environment and the number of transactions processed. Merchants classified as Level 1 or Level 2 are required to validate PCI DSS compliance through assessment by an approved QSA or ISA. Merchants classified as Level 3 or Level 4 may confirm PCI DSS compliance via the applicable PCI Self-Assessment Questionnaire (SAQ)¹.

Nets may request the merchant to provide current PCI DSS validation documents via upload to its PCI portal. If the self-assessment is completed using the Nets Merchant PCI portal’s guided service, no further upload of an external SAQ/AoC or ROC document is required.

¹ Details on qualifying criteria and pre-requirements for the different types of SAQs are available on the PCI Security Standards Council’s (PCI SSC) website. Qualified Security Assessor (QSA) companies are listed there, if support is required to identify and complete the applicable SAQ. Alternatively, Nets provides a guided merchant PCI validation service via the Merchant PCI portal (Security Center), including rich help functions and expert helpdesk support via phone and online. (Request for merchant PCI portal via

² Number of merchant transactions to comprise all merchant card acceptance agreements; qualifying total numbers to be based on card brand (i.e. Visa or cumulated for Mastercard and Maestro as one brand)

³ On-site audit to be performed by Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)

⁴ SAQ for Level 2 merchants to be certified by approved ISA or QSA, especially if SAQ A, A-EP or D

⁵ Network Scan, i.e. vulnerability scanning performed by Approved Scanning Vendor (ASV), if applicable due to internet-facing system components