PCI DSS Guide - Judopay

PCI DSS Overview

If you accept card payments from your customers, the PCI DSS rule set applies to you and to every party you choose to help you in this process, from software developers to payment processors. Bear in mind that all entities involved must scope their cardholder data environment (CDE), which means identifying every system component located within it or connected to it. Managing PCI compliance throughout the year usually requires involvement from several teams and departments within a company, so proactive and collaborative behaviour is key to ensuring a business keeps to the regulation.

9 million card records were breached between 2005 and 2018*. The possible implications of a data breach for a company are legal action, reputational damage to the business and heavy fines ranging from $5,000 to $100,000 per month for the non-compliant company.

According to the PCI Security Standards Council, “Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore the PCI DSS”. Judopay will help, but it can’t make you compliant.

There are three actions every company handling cardholder data should constantly perform:

  • Assess: identify all locations of cardholder data, and take an inventory of your IT assets and business processes for payment card processing.
  • Repair: fix identified vulnerabilities, securely remove any unnecessary cardholder data storage, and implement secure business processes.
  • Report: document assessment and remediation details, and submit compliance reports to the acquiring bank and card brands you do business with (or to another requesting entity if you’re a service provider).

How Judopay helps merchants with PCI Compliance

Judopay takes PCI compliance very seriously. A yearly assessment is performed to confirm 100% compliance in all processes. Judopay is recognised by the main payment brands as a Service Provider, which can be confirmed on the brands’ Compliant Registered Service Provider lists.

As a third-party provider processing payments for its merchants, Judopay can provide, at any time, evidence of its PCI DSS compliance via its Attestation of Compliance. Judopay takes much of the PCI DSS burden off its merchants by offering solutions to accept and store card payments, including:

  • Hosted payment sites and/or mobile SDKs, so merchants can collect sensitive card information from their consumers without that data touching the merchant’s own server.
  • Storage of sensitive card information in a secure, PCI-compliant card vault, giving merchants a tokenised version to reference and store on their own systems for future card-on-file payments.

In addition, Judopay is always ready to support its merchants with PCI guidance, compliance advice, best-practice recommendations and regulation updates.

PCI DSS Documentation

Evidence of compliance on the merchant’s side is provided in different ways, depending on how payments are taken and the volume of transactions per annum.

There are 9 different Self-Assessment Questionnaires, designed by the PCI Security Standards Council for merchants that do not process more than 6 million transactions annually.

The Self-Assessment Questionnaire consists of a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. Please find an explanatory guide below:

Self-Assessment Questionnaire (SAQ) types and descriptions

SAQ A
Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that doesn’t directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

SAQ B
Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C
Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE
Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.

SAQ D
All merchants not included in the descriptions for the above SAQ types (the original table repeated the P2PE description here; this is the SAQ D scope as defined by the PCI SSC).
PCI DSS Requirements

PCI DSS consists of requirements that mirror the security best practices advised by the PCI Security Standards Council, grouped under six goals:

Goal: Build and Maintain a Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect Cardholder Data
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update antivirus software.
  • Develop and maintain secure systems and applications.

Goal: Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.

Goal: Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Goal: Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel.

Payment Brand Specifics

Specific questions about compliance validation levels, and about what merchants must do to validate, should be directed to the acquiring financial institution or the payment card brand. Links to card brand compliance programs include:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security requirements that help merchants protect customer card data.

Visa, Mastercard, American Express, Discover and JCB are the payment brand members of the Payment Card Industry Security Standards Council (PCI SSC).

Before 2006, these companies ran separate security standards programs, which were then unified into one global standard, the PCI DSS.

The PCI DSS standards apply to all entities involved in any way in payment card processing, with the aim of reducing monetary losses for companies and consumers and protecting consumers from identity theft.

Quick References

The Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

Supporting Documents: https://www.pcisecuritystandards.org/document_library

Glossary: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf

PCI Security Standards Council Website: https://www.pcisecuritystandards.org/

FAQs: www.pcisecuritystandards.org/faqs

PCI DSS Blog: https://blog.pcisecuritystandards.org/

*According to the Privacy Rights Clearinghouse: https://www.privacyrights.org/data-breaches