Dealing with electronic payments online and in retail opens the business to new opportunities and markets, but it also brings responsibility. Operations with credit and debit cards must be secured to protect customers’ sensitive data. One of the major security certifications is the PCI DSS. In this article we answer the most frequent questions about the standard: what it is, how to comply with it, and why it exists in the first place.
What is the PCI DSS certification?
PCI DSS is the Payment Card Industry Data Security Standard. It is a set of obligations for organizations that process, store or transmit cardholder data. These obligations are meant to secure cardholder data in the world of electronic payments and online payment processing. Compliance with PCI DSS is evidence of the company’s responsibility and legitimacy in handling the customer’s sensitive information.
Why does PCI DSS exist?
PCI DSS was established in 2004 by the major card associations Visa, MasterCard, Discover Financial, American Express, and JCB International. Before that, each card brand had its own set of rules to comply with, which was confusing for businesses, whether they handled retail electronic transactions or website payment processing. The goal of PCI DSS is to offer strong, unified protection of cardholder data against abuse, fraud, and hacker attacks, and it manages that protection to a significant degree.
To whom does PCI DSS apply?
PCI DSS applies without exception to any business that processes, stores, or transmits cardholder data. Even companies that only take credit card information by phone, or that do not store credit card data at all, must still be PCI compliant.
How to become PCI DSS compliant?
PCI DSS compliance consists of 12 requirements to follow. This set of rules is not a one-time action: it is ongoing maintenance of the whole process within the company for processing, storing, and transmitting cardholder data during transactions and payment processing. The simple answer to what PCI compliance is: a set of technical and software requirements designed for data protection.
- Protect the system with firewalls. Secure and strengthen the network, and protect the inbound and outbound traffic within it.
- Configure passwords and settings. Do not use vendor-supplied default passwords or other default security parameters.
- Protect stored cardholder data. Encrypt and guard the sensitive data at rest.
- Encrypt transmission of cardholder data across open, public networks. Defend and secure data traveling over open or public networks.
- Use and regularly update anti-virus software. Protect the environment with anti-virus and anti-malware software.
- Regularly update and patch systems. Obtain up-to-date security patches to secure the cardholder data environment.
- Restrict access to cardholder data by business need-to-know. Establish an authorization protocol among the personnel.
- Assign a unique ID to each person with computer access. Implement user IDs and passwords so that every action in the environment can be traced to an individual and unauthorized actions are prevented.
- Restrict physical access to the workplace and cardholder data. Establish physical security measures.
- Implement logging and log management. Track all user activity in the environment through a logging system.
- Conduct vulnerability scans and penetration tests. Test for vulnerabilities and supervise the defense of the environment.
- Documentation and risk assessments. Maintain a documented information security policy that addresses data protection for all personnel.
For more detailed information about each requirement and how to meet it, read the article “The Requirements For PCI DSS Compliance”.
What happens if the organization is not compliant with PCI DSS?
There are negative consequences. First of all, a business that is not PCI DSS compliant is not well protected from fraud and hacker attacks. This means that customers’ private data is not protected enough, and so trust in the whole company can be seriously questioned.
The second penalty is fees and charges. The major card brands like Visa, MasterCard, Discover Financial, American Express, and JCB International may fine the acquiring bank $5,000 to $100,000 per month for violation of the PCI DSS standards. This fine is passed down to the merchant. Charges of these amounts can cause severe damage to small and medium-sized businesses in payment processing. Larger businesses may face higher transaction fees or even termination of the relationship with the acquiring bank.
What are QSA, ISA, and SAQ?
QSAs, or Qualified Security Assessors, are independent companies qualified by the PCI Security Standards Council to validate a business’s compliance with PCI DSS. The term QSA can also apply to an individual qualified to perform payment card industry compliance auditing and consulting regarding the PCI regulations. QSA Employees are persons employed by a QSA Company who have met and continue to meet the QSA Requirements along with certain information security training requirements, and who have taken the validated training from the PCI Security Standards Council.
ISA is the Internal Security Assessor. It is a program that teaches business staff how to carry out internal assessments of their company. The Internal Security Assessor recommends solutions to improve the environment in relation to PCI DSS compliance. Assessors are sponsored by their companies. Once qualified, the business is eligible to collaborate with external PCI auditors and to manage its interactions with a Qualified Security Assessor, or QSA.
SAQ, or Self-Assessment Questionnaire, is a self-validation tool for evaluating the security of cardholder data. It is specially designed for small businesses and merchants. The Self-Assessment Questionnaire consists of simple yes-or-no questions for each relevant PCI Data Security Standard requirement. When the answer is no, the business may be required to provide a target remediation date and the planned actions.
What is PA-DSS?
PA-DSS, or the Payment Application Data Security Standard, is provided by the PCI Security Standards Council to address the essential issue of payment application security. The requirements of PA-DSS are designed to prove that vendors offer products that support merchants’ efforts to follow the PCI compliance rules.
The main goal of PA-DSS is to help software vendors and other parties develop secure payment applications that do not store forbidden data, such as full magnetic stripe, CVV2, or PIN data, and to guarantee that their payment applications support PCI DSS compliance.
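The stored-data and logging requirements from the list above, and the PA-DSS rule that full magnetic stripe, CVV2 and PIN data must never be stored, are commonly checked by scanning application logs for cardholder data that should not be there. The Python script below is an added example, not code from the article or from Maxpay: the log lines are constructed, PAN candidates are filtered with a Luhn check, PANs are masked to the first six and last four digits, and track data and CVV values are removed outright rather than masked.

```python
import re
# Constructed sample log lines (not from the page): an app that logged card data.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 auth ok card=4111111111111111 amount=19.99",
    "2024-01-05 12:00:02 order 8812 ref=1234567890123 status=shipped",
    "2024-01-05 12:00:03 auth fail card=5500 0000 0000 0004 cvv=123",
    "2024-01-05 12:00:04 swipe %B4111111111111111^DOE/JOHN^2512101?",
]
# PAN candidates: 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 magnetic-stripe layout: %B<PAN>^<NAME>^<YYMM...>?
TRACK_RE = re.compile(r"%B\d{12,19}\^[^^]*\^\d{4}[^?]*\?")
CVV_RE = re.compile(r"\b(cvv2?|cvc2?)=\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]  # first six + last four

def _mask_match(m, findings):
    digits = re.sub(r"[ -]", "", m.group())
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        findings.append("PAN")
        return mask_pan(digits)
    return m.group()  # not a card number, leave untouched

def scrub_line(line: str):
    """Return (scrubbed_line, findings); findings lists TRACK, CVV and/or PAN."""
    findings = []
    line, n = TRACK_RE.subn("[TRACK DATA REMOVED]", line)  # forbidden: remove, never mask
    findings += ["TRACK"] * n
    line, n = CVV_RE.subn(lambda m: m.group(1) + "=[REMOVED]", line)
    findings += ["CVV"] * n
    return CANDIDATE_RE.sub(lambda m: _mask_match(m, findings), line), findings

def audit_log(lines):
    """Scrub every line; return cleaned lines and a count per data class."""
    cleaned, counts = [], {"PAN": 0, "TRACK": 0, "CVV": 0}
    for line in lines:
        out, findings = scrub_line(line)
        cleaned.append(out)
        for f in findings:
            counts[f] += 1
    return cleaned, counts
```

Any non-zero count is a finding to remediate at the source: the application should never write these values to a log in the first place.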
What is an Approved Scanning Vendor?
An Approved Scanning Vendor is an organization offering security services and tools, sometimes referred to as an “ASV scan solution”. The purpose of the ASV scan solution is to perform external vulnerability scanning services that validate compliance with the external scanning requirement of PCI DSS. The scanning vendor’s ASV scan solution is tested and validated by the PCI SSC in advance, before the ASV is added to the PCI SSC’s List of Approved Scanning Vendors.
Maxpay is a payment gateway service provider that is PCI DSS compliant. We can also help merchants meet the PCI DSS compliance requirements.
The company offers merchant account opening, fraud prevention tools, chargeback alerts, and other services. To find the best service for your business, please follow the link.