What is PCI DSS compliance?
Article Number: 1383 | Last Updated: Mon, Aug 19, 2019 at 4:20 PM
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of security requirements maintained by the PCI Security Standards Council. Its purpose is to protect cardholder data handled by merchants and service providers. The full text of PCI DSS is available on the PCI Security Standards Council website.
The PCI Security Standards Council was founded by the five major card brands (Visa, MasterCard, American Express, Discover, and JCB) and maintains the standard and its supporting programs, such as the Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA) programs. Merchant levels and enforcement are defined by the individual card brands, and it is your acquiring bank that validates your compliance.
As a merchant, you are responsible for the security of cardholder data and must ensure that sensitive authentication data (full magnetic stripe or chip track data, card verification codes, and PINs) is never stored after authorization, either on your own systems or on those of your third-party service providers. You are also responsible for any damages or liability resulting from a data breach or other non-compliance with the PCI DSS.
This is not intended to be an all-inclusive guide to obtaining PCI compliance. PCI DSS is a complicated and potentially confusing minimum standard that nonetheless must be understood and followed to achieve proper data security. The purpose of this guide is to provide an outline of the steps you must take to become a PCI-compliant merchant.
Nexcess is a PCI-compliant hosting provider. This means we have taken the steps necessary to meet the security requirements that PCI DSS places on our infrastructure. It does not mean that simply by hosting with Nexcess your store instantly becomes PCI-compliant. Many PCI DSS requirements fall directly on you, and they must be followed to ensure full compliance of your store. If you accept credit card payments, PCI compliance is not optional; it is mandatory.
In terms of shared PCI DSS responsibility, certain parts of the requirements fall under scope of us as the hosting provider, some parts fall under you as the merchant, and some parts apply to both. A hosting provider's compliance reports will outline exactly the hosting provider's and merchant's responsibilities regarding PCI DSS. A PCI DSS guide for merchants is available at the PCI Security Standards website.
Remember, compliance is not a one-time requirement. Being compliant reflects an ongoing commitment to performing periodic tasks at the correct intervals based on both the DSS and your merchant classification level. Compliance and security must constantly be monitored and, when necessary, enhanced in your operational policies and procedures.
A basic outline of the steps required to become PCI-compliant is listed as follows:
As an online merchant, you will fall into one of four merchant levels determined by your acquirer. Your level depends primarily on the number of card transactions you process annually, among other criteria such as whether you have previously suffered a breach. Your merchant level determines the validation steps you must take.
Each card brand has its own criteria for classifying merchant levels; Visa and MasterCard are two of the most common and are listed below:
Your first step as a merchant will be implementing all necessary requirements, policies, and procedures outlined within the PCI DSS.
Once you have made the necessary changes, PCI DSS requires you to validate them. Most merchants validate through an annual self-assessment, which consists of the Self-Assessment Questionnaire (SAQ), the Attestation of Compliance (AOC), and, where the applicable SAQ requires it, quarterly external vulnerability scans of your store performed by an Approved Scanning Vendor (ASV). Many ASVs bundle these items into a package, providing the questionnaire along with the required scans. If you are classified as a Level 1 merchant, additional steps are required, including an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC) instead of an SAQ.
The following table outlines the necessary validation actions for each merchant level:
Table 2. List of validation actions by merchant level.
Simply answering “Yes” to every question in the SAQ does not make you PCI-compliant. You must back those questions up with actual controls, procedures, and policies detailing your efforts to meet those requirements. The SAQ is a checklist outlining the requirements set by the PCI council.
After finishing the SAQ, you must complete the Attestation of Compliance (AOC). The AOC is a self-certification asserting that you are eligible to perform a PCI DSS self-assessment and have actually performed it.
There are twelve requirements, grouped into six categories. Here is a basic summary of those categories:
These are only basic requirements. The actual requirement categories are divided into several hundred specific requirements that must be met by all parties who have access to your store.
As a hosting provider, we have taken the necessary steps to make our infrastructure PCI-compliant.
Specifically, the policies and procedures include:
As a merchant, you are responsible for certain other aspects of PCI DSS. Your hosting provider's compliance information will contain specifics, but you are typically responsible for:
The actual PCI DSS is considerably more detailed and thorough than the above list. It is therefore imperative that you read, understand, and comply with the full standard, including all applicable validation measures.
Do I have to be PCI-compliant?
Yes. Any merchants or service providers who store, process, or transmit cardholder data must comply with the PCI DSS. The requirements apply to anyone who accepts credit cards as a payment method.
Can I store cardholder data?
Storing cardholder data is possible under PCI DSS, provided you meet numerous additional requirements. These include, but are not limited to, using Payment Application Data Security Standard (PA-DSS)-validated payment applications, storing only the permitted account data elements (PAN, cardholder name, expiration date, and service code), and rendering any stored PAN unreadable (for example by truncation, strong encryption with managed keys, or one-way hashing). Sensitive authentication data, meaning full magnetic stripe or chip track data, card verification codes (CVV2/CVC2/CID), and PINs or PIN blocks, may never be stored after authorization, even in encrypted form. Usually, your best option is to not store cardholder data at all unless absolutely necessary.
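The following is an added example, not code from this article or from Nexcess, showing the data-handling rule above in practice: a pre-storage filter that refuses or strips sensitive authentication data, truncates the PAN to the first six and last four digits (the maximum PCI DSS 3.2.1 permits to remain visible, assumed here as the applicable version), and scans free-text fields so a PAN typed into an order note never reaches the database. The field names (pan, cvv2, track2, and so on) and the sample record are assumptions constructed for illustration; real payment integrations name these fields differently.

```python
"""Pre-storage filter for merchant-side payment records (added example).

Demonstrates the PCI DSS rule that sensitive authentication data (SAD) is
never stored after authorization and that any stored PAN is rendered
unreadable. Field names are assumptions for illustration only.
"""
import re

# SAD field names (assumed): must never be persisted, even encrypted.
SAD_FIELDS = frozenset({
    "cvv2", "cvc2", "cid", "cav2",          # card verification codes
    "track1", "track2", "track_data",       # full magnetic stripe / chip data
    "pin", "pin_block",                     # PINs and PIN blocks
})

# Account data elements PCI DSS permits storing (PAN only in unreadable form).
STORABLE_FIELDS = frozenset({"pan", "cardholder_name", "expiry", "service_code"})

# 13-19 digits, optionally separated by spaces or dashes (typical PAN lengths).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class SensitiveDataError(ValueError):
    """Raised when a record contains data that must not be stored."""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("value is not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def contains_pan(text: str) -> bool:
    """True if free text contains a Luhn-valid 13-19 digit sequence."""
    for match in _PAN_RE.finditer(text):
        candidate = re.sub(r"\D", "", match.group(0))
        if luhn_valid(candidate):
            return True
    return False


def prepare_for_storage(record: dict, *, strict: bool = True) -> dict:
    """Return a copy of `record` that is safe to persist.

    SAD fields raise SensitiveDataError in strict mode and are silently
    dropped otherwise; the PAN is replaced by its truncated form under the
    key 'pan_truncated'; any other string field that embeds a PAN is
    rejected so a customer-typed card number cannot leak into a notes table.
    """
    present_sad = {k for k in record if k.lower() in SAD_FIELDS}
    if present_sad and strict:
        raise SensitiveDataError(
            f"record contains sensitive authentication data: {sorted(present_sad)}")
    safe = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue                      # never persisted
        if name == "pan":
            safe["pan_truncated"] = truncate_pan(value)
            continue
        if name not in STORABLE_FIELDS and isinstance(value, str) and contains_pan(value):
            raise SensitiveDataError(f"free-text field {key!r} contains a PAN")
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed sample using a well-known test PAN; not real cardholder data.
    authorized = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "A. Example",
        "expiry": "12/26",
        "cvv2": "123",
        "order_id": "A-1001",
        "note": "gift wrap please",
    }
    try:
        prepare_for_storage(authorized)
    except SensitiveDataError as err:
        print("rejected:", err)
    print(prepare_for_storage(authorized, strict=False))
```

In a real integration the verification code should only ever exist in memory for the duration of the authorization call; the strict mode here exists to surface any code path that still carries it at the point of persistence.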
I ran a network scan on my store and it failed. What do I do?
If you are hosted by Nexcess, submit the scan report to our Support Team, who will analyze the findings and correct any that fall within our responsibility. Findings that are false positives (for example, a version-based detection against a package that has a backported security fix) can be documented and disputed with your scanning vendor. Once the issues are corrected, rerun the scan to obtain a passing report.
I do not understand some of the requirements listed in PCI DSS. Where can I find help?
The PCI Security Standards Council website has a detailed breakdown of the requirements. For specific questions, you can seek assistance from a Qualified Security Assessor or from an Approved Scanning Vendor that bundles the SAQ with its scanning service. Your hosting provider can also answer questions about overlapping responsibilities.
Can I be fined if my cardholder data is compromised?
Yes. Card brands such as Visa and MasterCard may levy fines following a cardholder data breach; these are assessed against your acquirer, who will typically pass them on to you. Whether fines are applied, and their amount, varies with the size of the breach and other criteria.
What should I do if I suspect I have been compromised?
You must act immediately and carefully. Contain the incident without destroying evidence (preserve logs and affected systems rather than wiping or rebuilding them), notify your acquirer and the affected card brands, and follow the breach-response procedure published on the Visa website; a PCI Forensic Investigator (PFI) may be required to examine the compromised environment.