
What is PCI DSS compliance?

Overview
PCI DSS compliance refers to the minimum set of security requirements that any merchant or service provider must meet in order to store, process, or transmit payment card data, and therefore to accept credit card payments from customers. This article serves as an introductory guide to those requirements, with an emphasis on the merchant's responsibilities.

Purpose 

The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements maintained by the PCI Security Standards Council. Its purpose is to protect cardholder data handled by merchants and service providers. The full specification of PCI DSS is available at the PCI Security Standards Council website.

The PCI Security Standards Council was founded in 2006 by the five major card brands: Visa, MasterCard, American Express, Discover, and JCB. The Council maintains the standard and runs the programs that qualify assessors (QSAs) and scanning vendors (ASVs). It does not classify merchants or enforce compliance: merchant levels are assigned by the individual card brands and by your acquiring bank, and your acquirer is the party that collects your validation evidence.

As a merchant, you are responsible for the security of cardholder data and must be careful not to store certain types of data on your systems or the systems of your third-party service providers. You are also responsible for any damages or liability occurring as a result of a data security breach or other non-compliance with the PCI Data Security Standard.

This is not intended to be an all-inclusive guide to obtaining PCI DSS compliance. PCI DSS is a complicated and potentially confusing minimum standard that nonetheless must be understood and followed to achieve proper data security. The purpose of this guide is to provide an outline of the steps you must take to become a PCI DSS-compliant merchant.

Nexcess is a PCI DSS-compliant hosting provider. This means Nexcess has taken the steps necessary to meet the security requirements for its infrastructure as outlined in PCI DSS. It does not mean that simply by hosting with Nexcess your store instantly becomes PCI DSS-compliant. Many PCI DSS requirements fall directly on you as the merchant, and they must be met to ensure full compliance of your store. If you accept credit card payments, PCI DSS compliance is not optional. It is mandatory.

In terms of shared PCI DSS responsibility, certain parts of the requirements fall under scope of us as the hosting provider, some parts fall under you as the merchant, and some parts apply to both. A hosting provider's compliance reports will outline exactly the hosting provider's and merchant's responsibilities regarding PCI DSS. A PCI DSS guide for merchants is available at the PCI Security Standards website

Remember, compliance is not a one-time requirement. Being compliant reflects an ongoing commitment to performing periodic tasks at the correct intervals based on both the DSS and your merchant classification level. Compliance and security must constantly be monitored and, when necessary, enhanced in your operational policies and procedures.

General requirements

A basic outline of the steps required to become PCI DSS-compliant is listed as follows:

  1. Read and understand the PCI Data Security Standards.
  2. Host with a PCI DSS-compliant hosting provider.
  3. Request a PCI-compliance information package from your hosting provider to learn your responsibilities regarding PCI compliance.
  4. Make sure all third parties who have access to, or communicate with, your systems are also PCI DSS-compliant.
  5. Take the necessary steps on your part as a merchant to meet PCI compliance as outlined by the DSS, then validate those steps. Your validation steps will depend on your merchant level.

Merchant classification levels

As an online merchant, you will fall into one of four merchant levels determined by your acquirer. Your level depends primarily on the number of card transactions you process annually, along with other criteria such as whether you have previously suffered a compromise. Your merchant level determines which validation steps you must perform to demonstrate PCI DSS compliance.

Each card brand publishes its own criteria for classifying merchant levels; Visa and MasterCard are two of the most common, and their criteria are listed below:

Level 1: Any merchant, regardless of acceptance channel, that meets one of the following conditions:

  • Processes over 6 million Visa or MasterCard transactions per year
  • Has suffered a hack or an attack that resulted in an account data compromise
  • Is determined by Visa or MasterCard to meet the Level 1 merchant requirements
  • Has been identified by any other payment card brand as Level 1

Level 2: Any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year, regardless of acceptance channel

Level 3: Any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Level 4: Any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or fewer than 1 million Visa or MasterCard transactions per year across all payment channels

Table 1. Table of Visa and MasterCard classification criteria.
 
Your first step as a merchant will be implementing all necessary requirements, policies, and procedures outlined within the PCI DSS.

Once you have made the necessary changes, PCI DSS requires you to validate them. Most merchants validate annually through a self-assessment, which consists of the Self-Assessment Questionnaire (SAQ), the Attestation of Compliance (AOC), and quarterly external vulnerability scans of your store performed by an Approved Scanning Vendor (ASV). Many ASVs bundle these items into a package, providing the questionnaire along with the required scans. If you are classified as a Level 1 merchant, additional steps are required, including an annual on-site assessment.

The following table outlines the necessary validation actions for each merchant level:

Level 1
  Validation actions: Annual on-site PCI DSS assessment, documented in a Report on Compliance (ROC); quarterly external network scan; Attestation of Compliance (AOC)
  Validated by: Qualified Security Assessor (QSA) for the on-site assessment; Approved Scanning Vendor (ASV) for the quarterly scans

Level 2
  Validation actions: Annual PCI Self-Assessment Questionnaire (SAQ); quarterly external network scan; Attestation of Compliance (AOC)
  Validated by: Approved Scanning Vendor (ASV) for the quarterly scans; the merchant's acquirer for the SAQ and AOC

Level 3
  Validation actions: Annual PCI Self-Assessment Questionnaire (SAQ); quarterly external network scan; Attestation of Compliance (AOC)
  Validated by: Approved Scanning Vendor (ASV) for the quarterly scans; the merchant's acquirer for the SAQ and AOC

Level 4
  Validation actions: Annual PCI Self-Assessment Questionnaire (SAQ); quarterly external network scan; Attestation of Compliance (AOC)
  Validated by: Approved Scanning Vendor (ASV) for the quarterly scans; the remaining validation requirements are set by the merchant's acquirer

Table 2. List of validation actions by merchant level.

Simply answering “Yes” to every question in the SAQ does not make you PCI DSS-compliant. You must back those questions up with actual controls, procedures, and policies detailing your efforts to meet those requirements. The SAQ is a checklist outlining the requirements set by the PCI council.

After finishing the SAQ, you must then complete the Attestation of Compliance (AOC). The AOC is a self-certification asserting that you are eligible to perform a PCI DSS self-assessment and that you have actually performed it.

Specific requirements

The PCI DSS contains twelve requirements grouped into six categories. A basic summary of those categories follows:

  • Build and maintain a secure network and systems.
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters; change every default credential before a system goes into service.
  • Protect cardholder data.
    • Whenever possible, do not store cardholder data at all.
    • If there is a business need to store cardholder data, render the stored primary account number (PAN) unreadable (truncation, strong encryption, or tokenization) and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization.
    • Encrypt cardholder data in transit across open, public networks using strong cryptography, including traffic between your shopping cart, your Web-hosting provider, and your customers.
  • Maintain a vulnerability management program.
    • Protect all systems against malware and keep antivirus software up to date.
    • Develop and maintain secure systems and applications, including timely installation of security patches.
    • Use payment applications that appear on the validated payment application (PA-DSS) lists published by the PCI Security Standards Council and the card brands.
  • Implement strong access control measures.
    • Restrict access to cardholder data, both electronic and physical, to a need-to-know basis.
    • Assign a unique ID to every person with computer access, and authenticate that access.
    • Do not allow people to share login credentials.
    • Restrict physical access to systems that hold cardholder data.
  • Regularly monitor and test networks.
    • Track and monitor all access to network resources and cardholder data.
    • Maintain a regular testing schedule for security systems and processes, including firewalls, patch levels, web servers, email servers, and antivirus.
  • Maintain an information security policy.
    • Establish a clear and thorough organizational information security policy that addresses all personnel.
    • Disseminate the policy, review and update it at least annually, and educate yourself and your employees on data security and specifically on the PCI Data Security Standard (DSS).

These are only basic requirements. The actual requirement categories are divided into several hundred specific requirements that must be met by all parties who have access to your store.

Division of responsibilities between service provider and merchant

As a hosting provider, Nexcess has taken the necessary steps to make its infrastructure PCI DSS-compliant.

Specifically, the policies and procedures include:

  • The physical security of our data centers containing the merchant cardholder environments.
  • The network security of our network infrastructure and own employee accounts.
  • The server security of our systems including system-level security patches.
  • A yearly on-site assessment to validate our compliance. The results of this assessment are outlined in our final reports.
As a merchant, you are responsible for certain other aspects of PCI DSS. Your hosting provider's compliance information will contain specifics, but you are typically responsible for:
  • The application and everything associated with it
    • Because the application's code changes whenever you change or update your site, it is impossible for a hosting provider to keep track and audit all of its changes. 
    • Most of PCI DSS Requirement 6, ensuring code integrity and periodic code review, is your responsibility. This applies to any software or third-party extension that has access to your store.
  • All administrative users and accounts used to maintain your store. This includes:
    • Assigning a unique user ID to every user (Requirement 8.5.1).
    • Enforcing proper password length and complexity (Requirements 8.5.10 and 8.5.11).
    • Changing passwords at least every 90 days (Requirement 8.5.9).
  • The security of all local computers and devices you use to access and manage your business. 
    • If someone compromises any of your local computers or devices, that individual can access sensitive data, including your email and any information you send through your Web browser.
    • Remember: anything and anyone that accesses your online store falls within scope of PCI DSS compliance.

The actual PCI DSS is considerably more detailed and thorough than the above list. It is therefore imperative that you read, understand, and comply with the full PCI DSS, including all required validation steps.

Frequently asked questions

Do I have to be PCI DSS-compliant?

Yes. Any merchants or service providers who store, process, or transmit cardholder data must comply with the PCI DSS. The requirements apply to anyone who accepts credit cards as a payment method.

Can I store cardholder data?

Storing cardholder data is possible under PCI DSS, provided you meet numerous additional requirements. These include, but are not limited to, using Payment Application Data Security Standard (PA-DSS)-validated applications, rendering any stored primary account number (PAN) unreadable (truncation, strong encryption, or tokenization), and never storing sensitive authentication data (full magnetic-stripe track data, card verification codes, or PINs) after authorization, even in encrypted form. Usually, your best option is to not store cardholder data unless absolutely necessary.
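The "do not store cardholder data" rule in Requirement 3 and in the answer above is most often broken by accident, typically when an application writes a full card number into a debug log. The following is an added example written for this article; it is not code from Nexcess, the PCI Security Standards Council, or any payment application. It scans constructed sample log lines for 13 to 19 digit sequences that pass the Luhn check and masks each hit to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines and card numbers are constructed (4111111111111111 and 5555555555554444 are well-known brand test numbers); the regular expression and length bounds are this example's own choices.

```python
from __future__ import annotations
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# as they are often keyed or logged, with no digit immediately before or after.
# Constructed for this example, not taken from the PCI DSS.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from the page). Only lines 2 and 3 carry
# a real PAN-shaped value; the order ID in line 1 and the number in line 4
# are 14 and 16 digit runs that fail the Luhn check.
SAMPLE_LOG = [
    "2017-02-24 10:01:07 INFO checkout order=20170224100107 total=49.99",
    "2017-02-24 10:01:08 DEBUG gateway request pan=4111111111111111 exp=12/19",
    '2017-02-24 10:01:09 DEBUG retry card="5555 5555 5555 4444" amount=49.99',
    "2017-02-24 10:01:10 WARN bogus id 4242424242424241 rejected upstream",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; PCI DSS 3.3 allows no more to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit sequence in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> tuple[str, int]:
    """Mask each Luhn-valid PAN candidate in one log line; return (line, hits)."""
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits += 1
            return mask_pan(digits)
        return m.group(0)       # not a PAN: leave the text untouched

    return PAN_CANDIDATE.sub(repl, line), hits


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a whole log; return (cleaned lines, total PANs masked)."""
    cleaned, total = [], 0
    for line in lines:
        clean, n = scrub_line(line)
        cleaned.append(clean)
        total += n
    return cleaned, total


if __name__ == "__main__":
    cleaned, total = scrub_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{total} PAN(s) masked")
```

The Luhn filter removes most numeric false positives (timestamps, order IDs), but a long digit sequence that happens to pass Luhn will still be flagged, so treat hits as leads to review. More importantly, a hit in a log file means the application is writing PANs to disk, which puts that log inside PCI DSS scope; the fix is to stop the application logging the value at source, not merely to scrub the files afterwards.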

I ran a network scan on my store and it failed. What do I do?

If you are hosted by Nexcess, submit the scan report to our Support Team, who will analyze the findings and correct any reported issues that fall within our infrastructure. Findings in your own application code or configuration remain your responsibility to fix. Once the issues are corrected, rerun the scan; an ASV scan cannot be recorded as passing until every finding is either remediated or documented and accepted by the ASV as a false positive.

I do not understand some of the requirements listed in PCI DSS. Where can I find help?

The PCI Security Standards Council website has a detailed breakdown of the requirements. For specific questions, you can seek assistance from a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV), who will also provide you with the appropriate questionnaire. Your hosting provider can answer questions related to areas of overlapping responsibility.

Can I be fined if my cardholder data is compromised?

Yes. Credit card associations such as Visa and MasterCard may levy fines resulting from cardholder data breaches. Their application and amount will vary according to the size of the breach and other criteria.

What should I do if I suspect I have been compromised?

You must act immediately and follow the incident response procedures published by the card brands and your acquirer. Notify your acquirer and your hosting provider, and preserve evidence: do not wipe, rebuild, or otherwise alter the affected systems before a forensic investigator has examined them. Refer to the Visa website for the required procedure.


For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.
