PCI Compliance - Realex

PCI Compliance

Written by Gary Conroy on Mar 25, 2011 | 0 Comments

We continue to get a lot of queries about PCI. Below are our answers to some of the questions we have been asked…

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of security requirements designed to protect cardholder data. It applies to every organisation that stores, processes or transmits payment card data, regardless of size or transaction volume.

Do I have to comply with PCI-DSS?

PCI DSS is not law but a contractual obligation enforced by the card schemes (Visa, MasterCard, American Express, Discover (including Diners Club) and JCB). The schemes enforce it through the acquiring banks, which pass the obligation on to their merchants by means of fines, increased transaction fees or, in serious cases, the withdrawal of card-acceptance facilities.

Who owns the standard?

The PCI Security Standards Council (PCI SSC) was formed because Visa, MasterCard, American Express, Discover and JCB each had their own data security programme. Five overlapping standards caused confusion rather than clarity, so the schemes created a single harmonised standard (PCI DSS), which is now maintained and published by the PCI SSC.

How do I comply?

You comply by meeting, and continuing to meet, every requirement in the standard that applies to your environment. The Data Security Standard is made up of 12 requirements grouped under the following six headings:

▪ Build and Maintain a Secure Network

▪ Protect Cardholder Data

▪ Maintain a Vulnerability Management Program

▪ Implement Strong Access Control Measures

▪ Regularly Monitor and Test Networks

▪ Maintain an Information Security Policy

Download the full standard from the PCI SSC website:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

How do I get assessed against the PCI DSS standard?

The validation requirements depend on the volume of transactions you process each year. Each card scheme defines its own merchant levels and the validation required at each level. Let's take the example of Visa (http://usa.visa.com/merchants/risk_management/cisp_merchants.html):

(Table of Visa merchant levels and their validation requirements; the image is not reproduced in this copy.)

Okay, so now you know how you need to be assessed. Where can you get more information on each of the validation requirements?

1) Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) – The list of approved QSAs is available from the PCI SSC website. Select and engage one to perform your on-site PCI audit, the output of which will be the ROC. https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

2) Quarterly network scan by an Approved Scanning Vendor (ASV) – The list of approved ASVs is available from the PCI SSC website. Select and engage one to perform external vulnerability scans of your Internet-facing systems. https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

3) Attestation of Compliance (AOC) – This form is included as part of each SAQ; for an on-site audit, your QSA will complete a separate AOC alongside the ROC.

4) Compliance validation requirements set by acquirer – Speak to your acquirer to see if any of these apply to you.

Note that you will have to work out which Self-Assessment Questionnaire (SAQ) to fill out. Which SAQ applies depends on the type of transactions you process and how you process them, and your acquirer has the final say. By using a Realex Payments hosted solution, card data is captured on Realex's systems rather than your own, which reduces your PCI scope and lets you complete one of the less onerous SAQs. To learn more about the different integration methods with the Realex Payments Service, check out our reference guide http://www.realexpayments.co.uk/integration-methods. See the table below for details of the SAQ validation type associated with your Realex integration.

Is Realex Payments PCI compliant?

Yes. Realex is fully PCI compliant at the highest level (Level 1), and was one of the first PSPs in Europe to achieve this, with Level 1 certification obtained in October 2003.

About

This page contains a single entry from the blog posted on April 8, 2011 3:48 PM.
