PCI DSS Guide

PCI DSS Overview

If you accept card payments from your customers, the PCI DSS rule set applies to you and to all the parties you choose to help you in this process, from software developers to payment processors. It’s important to bear in mind that all entities involved in the process must scope their cardholder data environment (CDE), which includes identifying all system components that are located within or connected to it. Managing PCI compliance throughout the year often requires involvement from various teams and departments within a company. Proactive and collaborative behaviour is key for a business to ensure its adherence to the regulation.

According to the PCI Security Standards Council, “Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore the PCI DSS”. Judopay will help, but it can’t make you compliant.

There are three actions every company handling cardholder data should constantly perform:

  • Assess, identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing.
  • Repair, fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
  • Report, documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).

In addition to this, Judopay is always ready to support its merchants with PCI guidance, compliance advice, best-practice recommendations and regulation updates.

PCI DSS Documentation

Evidence of compliance on the merchant’s side is provided in various ways according to how payments are taken and the volume of transactions per annum.

There are 9 different Self-Assessment Questionnaires designed by the PCI Security Standards Council for merchants that do not process more than 6 million transactions annually.

The Self-Assessment Questionnaire includes a series of yes or no questions for each applicable PCI Data Security Standard requirement. Please find an explanatory guide below:

Self-assessment questionnaire (SAQ) – Description

SAQ A – Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

SAQ A-EP – E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

SAQ B – Merchants using only: imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP – Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT – Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C – Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE – Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.

SAQ D – SAQ D for merchants: all merchants not included in the descriptions for the above SAQ types. SAQ D for service providers: all service providers defined by a payment brand as eligible to complete an SAQ.

Payment Brand Specifics

Specific questions about compliance validation levels and what merchants must do to validate should be directed to the acquiring financial institution or payment card brand. Links to card brand compliance programs include:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security requirements that can help merchants to protect customer card data.

Visa, Mastercard, American Express, Discover, and JCB are the payment brand members of the PCI Security Standards Council (PCI SSC).

Before 2006, these companies had separate security standards programs, which were unified into one global standard, the PCI DSS.

The PCI DSS standards apply to all entities that are involved in any way in payment card processing, with the aim of reducing monetary losses for companies and consumers and protecting consumers from identity theft.

Quick References

The Standard – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
Supporting Documents – https://www.pcisecuritystandards.org/document_library
Glossary – https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf
PCI Security Standards Council Website – https://www.pcisecuritystandards.org/
FAQs – www.pcisecuritystandards.org/faqs
PCI DSS Blog – https://blog.pcisecuritystandards.org/