The Payment Card Industry Security Standards Council (PCI SSC) was established by the leading international card brands: Visa, Mastercard, American Express, Discover and JCB. The PCI SSC maintains the PCI DSS (Payment Card Industry Data Security Standard) and its supporting documents, which lay down the security principles and policies for handling card data. This guidance applies to every entity (banks, merchants, payment processors and service providers) that stores, processes or transmits cardholder data, and it sets the technical and operational requirements for organizations accepting or processing payment transactions.
The latest version of the requirements and standards is published on the PCI SSC website (https://www.pcisecuritystandards.org/).
All merchants that store, process or transmit cardholder data must be PCI DSS compliant.
Card data and sensitive authentication data elements:

| Data element | Storage permitted | Render stored data unreadable |
|---|---|---|
| Primary Account Number (PAN) | Yes | Yes: the standard requires that the PAN be rendered unreadable wherever it is stored |
| Cardholder name | Yes | No |
| Service code | Yes | No |
| Expiration date | Yes | No |
| Full track data (from the magnetic stripe, equivalent data on the chip, or elsewhere) | No | Prohibited: may not be stored after authorization, even in encrypted form |
| CVV2/CVC2 (the three- or four-digit value printed on the front or back of a payment card) | No | Prohibited: may not be stored after authorization, even in encrypted form |
| PIN/PIN block (the Personal Identification Number entered by the cardholder during a transaction, and/or the encrypted PIN block present within the transaction message) | No | Prohibited: may not be stored after authorization, even in encrypted form |
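As an added illustration of the storage rules in the table above (example code written for this page, not a bank's or the PCI SSC's reference implementation), the following storage gate refuses to persist any sensitive authentication data field, keeps only the elements the table permits, and renders the PAN unreadable by truncation (first six and last four digits) plus a keyed one-way hash for lookups. The record layout, the field names and the hash key are assumptions made for the example; in production the key would live in an HSM or key management service.

```python
"""Storage gate for a card record, following the PCI DSS data-element table.

Constructed example: field names, record layout and HASH_KEY are assumptions
for illustration only.
"""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): never stored after authorization,
# not even encrypted (PCI DSS Requirement 3.2). Field names are assumed.
SAD_FIELDS = frozenset({"cvv2", "cvc2", "cid", "track1", "track2",
                        "track_data", "pin", "pin_block"})

# Cardholder data the table allows to be stored without being rendered unreadable.
CLEAR_FIELDS = ("cardholder_name", "expiration_date", "service_code")

# Assumption for the example only. A keyed hash is used because an unkeyed
# SHA-256 of a PAN is brute-forceable: the BIN is known, the Luhn digit is
# derived, so only about 10^9 candidates per BIN remain.
HASH_KEY = b"example-key-do-not-use-in-production"


class SADStoragePolicyError(ValueError):
    """Raised when a record contains data PCI DSS prohibits storing."""


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def truncate_pan(pan: str) -> str:
    """First six and last four digits; the middle digits are replaced by '*'."""
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable as a lookup index."""
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return the subset of an authorization record that may be written to a database."""
    present = SAD_FIELDS.intersection(k.lower() for k in record)
    if present:
        raise SADStoragePolicyError(
            f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = record["pan"]
    stored = {k: record[k] for k in CLEAR_FIELDS if k in record}
    stored["pan_truncated"] = truncate_pan(pan)
    stored["pan_ref"] = pan_reference(pan)
    return stored


if __name__ == "__main__":
    # Constructed authorization response; the CVV2 must not survive into storage.
    auth = {"pan": "4111 1111 1111 1111", "cardholder_name": "A N OTHER",
            "expiration_date": "12/27", "service_code": "201", "cvv2": "123"}
    try:
        prepare_for_storage(auth)
    except SADStoragePolicyError as err:
        print("rejected:", err)
    del auth["cvv2"]
    print(prepare_for_storage(auth))
```

The gate is deliberately deny-by-default on the sensitive fields: a record is rejected outright rather than silently stripped, so an integration that accidentally carries CVV2 or track data into the storage layer fails loudly during testing instead of leaking into a database.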
How to be sure that you are compliant with PCI DSS requirements?
Once a year we inform merchants by e-mail which actions they must take to comply with PCI DSS. The requirements are presented in the table below.
Merchants are categorized into four levels based on the annual number of card payment transactions with one card brand (i.e. Mastercard, Visa, Amex etc.). We require Level 1 to Level 3 merchants to notify us of their compliance status after the required action has been taken. Level 4 merchants must notify us of their compliance status by sending a completed Self-Assessment Questionnaire (SAQ).
| Merchant level | Merchant transaction criteria | Required action from merchant | Frequency |
|---|---|---|---|
| Level 1 | Merchants with 6 million or more annual transactions in total by Mastercard or Visa | External security audit (on-site assessment) by a Qualified Security Assessor (QSA) | Once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Once per quarter |
| Level 2 | Merchants with 1 to 6 million annual transactions in total by Mastercard or Visa | Compliance validation by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA): merchants completing SAQ A, A-EP or D must engage a QSA or ISA for annual compliance validation; merchants completing SAQ B, B-IP, C-VT, C or P2PE may self-assess without a QSA or ISA | Once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Once per quarter |
| Level 3 | E-commerce merchants with 20,000 to 1 million annual transactions in total by Mastercard or Visa | Completing the annual Self-Assessment Questionnaire (SAQ) required by the bank | Once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Once per quarter |
| Level 4 | All other merchants | Annual Self-Assessment Questionnaire (SAQ) at the merchant's discretion | Recommended once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Recommended once per quarter |
Keep in mind that you will need to perform:
- A security audit by a certified assessor company acting as a Qualified Security Assessor (QSA); the approved QSA companies are listed on the official PCI SSC website.
- Scanning of the network by a qualified scanning vendor acting as an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA). An ASV can conduct the external vulnerability scan of a merchant's internet-facing systems for both in-store and online merchants, but is not entitled to perform the annual audit.
- An internal audit, during which the questions in the Self-Assessment Questionnaire (SAQ) have to be answered. Which SAQ applies depends on the technical solution used to accept card payments (for example, fully outsourced e-commerce, a virtual terminal, or a point-to-point encryption solution).
PCI DSS requirements and goals
The 12 requirements and six goals in the table below will help you to understand what important actions must be performed to be compliant with the PCI DSS rules.

| Goal | PCI DSS requirements |
|---|---|
| Build and maintain a secure network and systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel. |
For more information please visit https://www.pcisecuritystandards.org/