PCI DSS
Data breaches cost an average of $4.35 million, highlighting the critical need for organizations to adopt PCI DSS, a global framework for securing payment card transactions and cardholder data, managed by the PCI Security Standards Council (PCI SSC).
The Payment Card Industry Data Security Standard (PCI DSS) is a key framework that not only secures payment card transactions but also protects cardholders’ data. Managed by the Payment Card Industry Security Standards Council (PCI SSC), it outlines policies designed to reduce cybersecurity risks and fraud. Moreover, compliance is essential for any organization that processes, stores, or transmits payment card information.
Accorian is a PCI QSA
Our certified QSAs play a pivotal role in safeguarding cardholder data. Through on-site and remote assessments of security controls, we not only evaluate compliance but also provide valuable insights and recommendations for improvement. Additionally, we support the development and implementation of essential security policies and procedures.

Accorian is a PCI ASV
As an ASV, we conduct comprehensive vulnerability assessments and penetration testing, helping organizations not only identify risks but also fortify their security measures. In doing so, we meticulously define the scope of PCI compliance by evaluating critical components like firewalls, routers, and switches. Furthermore, this assessment identifies programs, subnets, and network segments responsible for handling cardholder data.

PCI DSS Transition From v3.2 to v4
In March 2022, the Payment Card Industry Security Standards Council unveiled the latest iteration of PCI DSS, marking a significant transition from v3.2 to v4.0. This update provides a more defined vision of the future payment security landscape.
Four key motivations drove the revision:
- Ensuring the ongoing alignment of the standard with the evolving security demands of the payments industry
- Fostering the idea of security as a continuous, dynamic process
- Enhancing the methods and procedures for validation
- Expanding the framework's flexibility and strategies to achieve robust security in the payment card industry
Accorian’s PCI DSS Methodology
Scoping Assessment
Determine the applicable scope, with or without the inheritance of controls and card flow.
Readiness/Gap Assessment
Assist in understanding your current readiness concerning PCI DSS compliance.
vSecurity Team Support
Streamline PCI DSS requirements by providing remediation guidance, aiding in evidence collection, providing program management, and augmenting your team to assist in remediation efforts.
Policy & Procedure Development
Assist in developing or updating your security framework and policies.
PCI ASV Scanning
Conduct the mandatory quarterly PCI Approved Scanning Vendor (ASV) network scans.
Pre-Audit
Conduct a readiness audit to ascertain that you meet the PCI requirements.
Assisted SAQ Filling
Help complete and submit your Self-Assessment Questionnaire (SAQ).
PCI Audit & ROC
Perform a final audit with reporting conducted by our Qualified Security Assessor (QSA).
Applicability of PCI DSS
PCI standards have a broader impact on the payment card industry as they encompass all companies that handle credit card transactions and have access to cardholder data (CHD) or sensitive authentication data (SAD). Moreover, this standard also extends to service provider companies involved in credit card processing, whether directly or indirectly.
Therefore, payment card industry compliance serves as a benchmarking security standard for various organizations, regardless of their size, transaction volume, or how they collect information (directly or indirectly).
- Organizations that directly accept credit card/account information
- Organizations that indirectly accept credit card/account information
- Service providers/vendors to companies that directly or indirectly take credit card/account information
What Data Does PCI DSS Impact?
Cardholder Data includes the information required for transaction processing, while Sensitive Authentication Data refers to the sensitive details used to authenticate a transaction, such as PINs or CVVs. Cardholder Data may be stored if it is encrypted; Sensitive Authentication Data must never be stored after authorization, which minimizes the risk of fraud.
Cardholder Data & Sensitive Authentication Data
Cardholder Data Includes
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data Includes
- Full Track Data
- Card Verification Code
- PINs/PIN Blocks
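The storage rule described above (Cardholder Data may be kept, Sensitive Authentication Data never after authorization) as an added Python example; this is not Accorian's code or PCI SSC material, and the record field names, the allowlist of non-card fields and the track-data patterns are assumptions made for illustration.

```python
import re

# Constructed field names for illustration; PCI DSS defines the data classes,
# not how an application names its record keys.
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
SAD_FIELDS = {"track1", "track2", "card_verification_code", "pin", "pin_block"}
NON_CARD_FIELDS = {"amount", "currency", "auth_code"}  # assumed, not card data

# Track data has a recognisable layout, so it can be spotted if it reaches a log:
# track 1 starts "%B<PAN>^", track 2 is "<PAN>=<YYMM>..." (';' sentinel optional).
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
TRACK2_RE = re.compile(r";?\b\d{13,19}=\d{4}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: the PAN's last digit is a check digit over the others."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS masking permits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_after_authorization(record: dict) -> dict:
    """Copy of an authorized transaction that is safe to persist: every SAD field
    is dropped, the PAN is masked, and any field the allowlist does not classify
    is rejected rather than silently stored."""
    unclassified = set(record) - CHD_FIELDS - SAD_FIELDS - NON_CARD_FIELDS
    if unclassified:
        raise ValueError(f"unclassified fields, refusing to store: {sorted(unclassified)}")
    safe = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


def log_line_contains_sad(line: str) -> bool:
    """Detect track data in a log line, a common way SAD ends up stored by accident."""
    return bool(TRACK1_RE.search(line) or TRACK2_RE.search(line))
```

Storing a full (unmasked) PAN would additionally require the encryption control the text mentions; that is deliberately outside this sanitizer.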
PCI DSS Requirements & Controls
PCI DSS Merchant Level Classification
The PCI DSS categorizes companies into four merchant levels based on the volume of transactions they process yearly.
The 4 Levels of PCI Compliance
- Level 1: 6m+ transactions/year
- Level 2: 1-6m transactions/year
- Level 3: 20k-1m transactions/year
- Level 4: <20k transactions/year
Choosing The Right PCI DSS SAQ
Choosing the right SAQ (Self-Assessment Questionnaire) ensures that your organization complies with the relevant PCI DSS requirements.
| PCI DSS SAQ Type | Eligibility Criteria | No. of Questions |
|---|---|---|
| SAQ A | For e-commerce/mail/telephone-order (card-not-present) merchants who have completely outsourced all cardholder data functions. The merchant must not electronically store, process, or transmit any cardholder data on its systems or premises. | 24 |
| SAQ A-EP | For e-commerce-only merchants that rely on third-party service providers to handle card information and have a website that does not process credit card data but could impact the security of the payment transaction. The merchant must not electronically store, process, or transmit any cardholder data. | 192 |
| SAQ B | For merchants who use imprint machines and/or standalone dial-out terminals and do not transmit, process, or store electronic cardholder data. Does not apply to e-commerce activities. | 41 |
| SAQ B-IP | For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor and who do not store electronic cardholder data. Does not apply to e-commerce activities. | 87 |
| SAQ C-VT | For merchants who use a virtual terminal on one computer dedicated solely to card processing and who do not store electronic cardholder data. Does not apply to e-commerce activities. | 161 |
| SAQ C | For any merchant who uses a payment application connected to the internet without electronic cardholder data storage. | 84 |
| SAQ P2PE | For merchants who use approved point-to-point encryption (P2PE) devices with no electronic cardholder data storage. | 34 |
| SAQ D for Merchants | For all SAQ-eligible merchants who do not meet the criteria for the other types, including merchants who do not outsource their credit card processing or use a P2PE solution and who may store credit card data electronically. | 328 |
| SAQ D for Service Providers | For service providers deemed eligible to complete an SAQ. | 370 |
For level 2-4 merchants, it is crucial to complete the SAQ by answering every question, either indicating compliance or marking the requirement as "not applicable." If even a single question is left unanswered, the merchant is considered non-compliant and must act immediately to address and mitigate the associated risks.
Each SAQ includes an expected testing column that offers guidance to merchants, describing the testing activities necessary to demonstrate PCI DSS compliance.
After finishing the SAQ, the merchant must complete an Attestation of Compliance (AOC), signed by the company's CISO or an executive officer.
Why Choose Accorian?
Accorian holds the distinction of having a team of highly qualified PCI QSAs (Qualified Security Assessors) who specialize in assessing PCI compliance, with a particular emphasis on network infrastructure. In addition, we are CREST-accredited and an ASV (Approved Scanning Vendor). These PCI accreditations underline our expertise and credibility in cybersecurity and PCI DSS compliance.
Furthermore, the industries we serve include banking, financial services, credit unions, eCommerce, and SaaS, all of which must adhere to PCI DSS requirements.
Penetration testing isn't just about finding vulnerabilities; it's about empowering organizations to fortify their defenses against evolving cyber threats. Through meticulous analysis and simulated attacks, we uncover weaknesses before malicious actors do, ensuring your digital assets remain resilient in the face of adversity.