PCI DSS

Data breaches inflicted a significant financial toll in 2022, averaging $4.35 million in costs. These figures underscore the urgent need for robust data security measures, particularly within organizations handling payment card information.

The Payment Card Industry Data Security Standard (PCI DSS) is a pivotal framework for fortifying data security, especially concerning payment cards. It comprises a set of well-recognized policies and procedures geared toward enhancing the security of credit, debit, and cash card transactions while safeguarding cardholders’ personal information.

Under the governance of the Payment Card Industry Security Standards Council (PCI SSC), which is a consortium comprising major credit card companies, PCI DSS has a central goal of reducing the risk of cybersecurity breaches concerning sensitive data and mitigating the potential for fraud within organizations that handle payment card information. This collection of standards holds vital importance for various entities, including service providers and merchants, involved in card data processing, storage, or transmission.

Why Choose Accorian For Your PCI DSS Compliance?

Accorian holds the distinction of having a team of highly qualified PCI QSAs (Qualified Security Assessors) specializing in assessing PCI compliance, with particular emphasis on network infrastructure. We are also CREST accredited and an ASV (Approved Scanning Vendor). Our PCI accreditations underline our expertise and credibility in cybersecurity and PCI DSS compliance.

Our client industries include sectors such as banking, financial services, credit unions, eCommerce, and SaaS that must adhere to PCI DSS requirements.

Accorian is a PCI QSA

Our certified QSAs play a pivotal role in safeguarding cardholder data. They conduct on-site and remote assessments of security controls, offering valuable insights and recommendations for improvement. They also support developing and implementing essential security policies and procedures.

Accorian is a PCI ASV

As an ASV, we conduct comprehensive vulnerability assessments and penetration testing, helping organizations fortify their security measures. We meticulously define the scope of PCI compliance by evaluating critical components such as firewalls, routers, and switches. This assessment also identifies the applications, subnets, and network segments that handle cardholder data.

PCI DSS Transition from v3.2 to v4.0

In March 2022, the Payment Card Industry Security Standards Council unveiled the latest iteration of PCI DSS, marking a significant transition from v3.2 to v4.0. This update provides a more defined vision of the future payment security landscape.

Four Key Motivations to Drive the Revision:

Our Methodology

Scoping Assessment

Determine the applicable scope, with or without the inheritance of controls and card flow

Readiness/Gap Assessment

Assist in understanding your current readiness concerning PCI DSS compliance

vSecurity Team Support

Streamline PCI DSS requirements by providing remediation guidance, aiding in evidence collection, providing program management, and augmenting your team to assist in remediation efforts

Policy & Procedure Development

Assist in developing or updating your security framework and policies

Pre-Audit

Conduct a readiness audit to ascertain that you meet the PCI requirements

Assisted SAQ Filling

Help complete and submit your Self-Assessment Questionnaire (SAQ)

PCI Audit & RoC

Perform a final audit with reporting conducted by our Qualified Security Assessor (QSA)

PCI ASV Scanning

Conduct the mandatory quarterly PCI Approved Scanning Vendor (ASV) network scans

Applicability of PCI DSS

PCI standards have a broad impact on the payment card industry, encompassing all companies that handle credit card transactions and have access to cardholder data (CHD) or sensitive authentication data (SAD). The standard also extends to service providers involved in credit card processing, whether directly or indirectly, since they fall within the scope of the merchant's third-party risk management strategy.

As a result, payment card industry compliance is a benchmarking security standard for various organizations, irrespective of their size, transaction volume, or how they collect information (directly or indirectly).

What Data Does PCI DSS Impact?

CARDHOLDER DATA INCLUDES

SENSITIVE AUTHENTICATION DATA INCLUDES

12 PCI DSS Requirements

Companies subject to PCI DSS must adhere to 12 fundamental compliance requirements to handle credit card data securely. Non-compliance elevates the risk of data breaches and fraud.

Install a firewall to protect cardholder data

Protect stored cardholder data

PCI DSS Merchant Level Classification

The PCI DSS categorizes companies into four merchant levels based on the volume of transactions they process yearly.

The 4 Levels of PCI Compliance

MERCHANT LEVEL 1

Level 1 merchants are subject to audits by PCI QSAs (Qualified Security Assessors). This audit has more stringent requirements than the other levels and produces a PCI RoC (Report on Compliance). The report documents findings from a review of the organization's security policies, procedures, and controls for protecting cardholder and account data. The audit also encompasses an on-site assessment and an evaluation of any compensating controls.

The audit takes place annually or whenever there is a change in the environment. Complying with PCI Level 1 and RoC requirements demands meeting a high number of criteria, substantial implementation effort, significant time, and a rigorous approach. Once a RoC is obtained through assessment by a PCI QSA, the company is eligible to display the PCI Compliant logo.

MERCHANT LEVEL 2, 3, 4

Companies at all three of these merchant levels must submit SAQs (Self-Assessment Questionnaires). There are 9 types of SAQ, each with a different number of requirements, ranging from 24 to 370.

Furthermore, non-Level 1 merchants may in certain instances be required to undergo a PCI RoC audit because of their crucial role in the supply chain. This is decided by the acquirer or, sometimes, requested by end clients.

Choosing The Right PCI DSS SAQ

Choosing the right SAQ (Self-Assessment Questionnaire) ensures that your organization complies with the relevant PCI DSS requirements.

| PCI DSS SAQ Type | Eligibility Criteria | No. of Questions |
|---|---|---|
| SAQ A | For e-commerce/mail/telephone-order (card-not-present) merchants that have completely outsourced all cardholder data functions. The merchant must not electronically store, process, or transmit any cardholder data on its systems or premises. | 24 |
| SAQ A-EP | For e-commerce-only merchants that rely on third-party service providers to handle card information and have a website that does not process credit card data but could impact the security of the payment transaction. The merchant must not electronically store, process, or transmit any cardholder data on its systems or premises. | 192 |
| SAQ B | For merchants that use imprint machines and/or standalone dial-out terminals and do not transmit, process, or store electronic cardholder data. Does not apply to e-commerce. | 41 |
| SAQ B-IP | For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor and that do not store electronic cardholder data. Does not apply to e-commerce. | 87 |
| SAQ C-VT | For merchants that use a virtual terminal on one computer dedicated solely to card processing and do not store electronic cardholder data. Does not apply to e-commerce. | 161 |
| SAQ C | For any merchant that uses a payment application connected to the internet and does not store electronic cardholder data. | 84 |
| SAQ P2PE | For merchants that use approved point-to-point encryption (P2PE) devices and do not store electronic cardholder data. | 34 |
| SAQ D for Merchants | For all SAQ-eligible merchants that do not meet the criteria for any other type, including merchants that do not outsource their credit card processing or use a P2PE solution and may store credit card data electronically. | 328 |
| SAQ D for Service Providers | For service providers deemed eligible to complete an SAQ. | 370 |

For Level 2-4 merchants, it is crucial to complete the SAQ by answering every question, either indicating compliance or marking specific requirements as "not applicable." If even a single question is left unanswered, the merchant is considered non-compliant and must promptly address and mitigate the associated risks.

Each SAQ includes an expected testing column that offers guidance to merchants, describing the testing activities necessary to demonstrate PCI DSS compliance.

After finishing the SAQ, an Attestation of Compliance (AoC) is required, which must be completed by the merchant and signed by the company's CISO or an officer.
