Do your customers pay you with their credit cards? Then the PCI DSS standard is for you!

The origin of the standard:
Before PCI DSS, credit card companies (Visa, MasterCard, etc.) had their own independent security programs.
These security programs, which differed from one organization to another, are still in place today, but since the 2000s they have been modified and merged with those of the other payment networks, in order to offer a uniform standard and approach to their respective customers.
This standard is called PCI DSS for Payment Card Industry Data Security Standard.
Links here: https://www.pcisecuritystandards.org/document_library
The aim of the standard is to reduce the risk of credit card fraud and identity theft, and to offer merchants a better (simplified) security organization.
The latest version of the PCI DSS standard is 3.2.1.
But the organization responsible for maintaining the standard (PCI) has been promising a version 4.0 for around 2 years. It is estimated for March 2022.
But who are the players?
**Acquirer**: This is the bank that handles bank authorization requests for merchants and makes the bank deposits. It is responsible for the security of card data in its own environment and at the merchants with whom it has signed agreements.
**Cardholder**: The person who owns the credit card, the user of the credit system, who has signed a contract with the issuer.
**Issuer**: The credit card holder's bank.
**Payment networks**: Visa, Mastercard, American Express, Discover Card and JCB have agreements with card issuers.
**Merchant**: A person who agrees to carry out a transaction with a credit card for a fee. He signs a contract with the acquirer. He is responsible for the security of his environment and of his service providers, unless those providers are themselves certified.
**Service provider**: Plays a versatile role in the payments ecosystem, for example data center hosting, payment gateways and related services such as paper shredding and IT equipment.
These suppliers can offer their services to any player.
**QSA** (Qualified Security Assessor): This is the assessor you can hire to check your compliance.
This standard is for:
The standard applies to all the players listed above who store, process or transmit card data, or who can affect the security of the systems that do.
Note that which organizations "may affect card data security" is a matter of interpretation.
For example, Company A processes credit cards; its servers are hosted by Hosting Company B, which hires Company C to manage its firewalls and Company D to maintain the air conditioning.
So Companies A, B and C have to go through the PCI DSS process, but not Company D, since its work does not directly affect the credit card systems, provided that Company B ensures Company D cannot impact security in any way (no physical or logical access, for example).
But the most important aspect of the PCI DSS standard: Defining the scope
This is the most important step in the entire compliance process. This is where we determine what is included in the scope of applicable controls, and also what would be out of scope. (Such as Company D in our example above).
The assessment rules are defined in the standard (and not in the controls themselves), and this work is carried out upstream of the controls.
The procedure for assessing scope is to first identify the systems that have a link with credit cards (they process, store or transmit this data).
These systems are identified as "red". Think of them as sick and contagious!
These red systems will contaminate all the systems around them if there is no filter or cut-off (segmentation by firewall, for example).
So the "**red**" systems included in the scope can easily explode and contaminate all the systems of the company and its suppliers,
since a second "red" system can in turn contaminate those further down the line. Without segmentation, this dramatically increases compliance costs and the risk of fraud.
Next, security systems such as the firewall and the SIEM are automatically in scope, but are not contagious; they are named "**yellow**".
Beware: system administrators who access the security tools are also in scope, as individuals, since they can have an impact on credit card security.
The rest of the systems are identified as "**green**", i.e. neither contaminated nor contagious.
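The red/yellow/green procedure described above can be run mechanically over a system inventory, which is useful when the environment is too large to colour by hand. The following Python script is an added example, not part of the original article and not a PCI SSC tool; the inventory, system names and links are constructed, and it generalizes the procedure to any number of hops: contamination spreads from the card-data systems across every link that is not segmented, security systems are marked yellow and stop the spread, and everything else stays green.

```python
from collections import deque

# Constructed inventory (example data, not from the article).
# Seeds: systems that store, process or transmit card data ("red").
CARD_DATA_SYSTEMS = {"pos-terminal", "payment-app", "card-db"}

# Security systems protecting the red ones: in scope but not contagious ("yellow").
SECURITY_SYSTEMS = {"edge-firewall", "siem"}

# Network links as (system_a, system_b, segmented). A segmented link is one
# where a filtering control (firewall rule set, for example) blocks the
# card-data flow, so contamination does not cross it.
LINKS = [
    ("pos-terminal", "payment-app", False),
    ("payment-app", "card-db", False),
    ("payment-app", "edge-firewall", True),
    ("card-db", "backup-server", False),      # unsegmented: backup becomes red
    ("backup-server", "file-share", False),   # second-hop contamination
    ("payment-app", "hr-portal", True),       # segmented: HR stays green
    ("hr-portal", "intranet-wiki", False),
    ("siem", "card-db", True),
    ("hvac-controller", "intranet-wiki", False),  # no path to red: green
]


def classify_scope(card_data_systems, security_systems, links):
    """Return {system: colour} following the red/yellow/green contamination model."""
    all_systems = set(card_data_systems) | set(security_systems)
    adjacency = {}
    for a, b, segmented in links:
        all_systems.update((a, b))
        if not segmented:  # only unsegmented links carry the contamination
            adjacency.setdefault(a, set()).add(b)
            adjacency.setdefault(b, set()).add(a)

    # Breadth-first contamination from the seed systems. Security systems are
    # not contagious, so the walk does not pass through them (unless they were
    # declared as card-data systems themselves).
    red = set(card_data_systems)
    queue = deque(red)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency.get(current, ()):
            if neighbour in red or neighbour in security_systems:
                continue
            red.add(neighbour)
            queue.append(neighbour)

    colours = {}
    for system in all_systems:
        if system in red:
            colours[system] = "red"
        elif system in security_systems:
            colours[system] = "yellow"
        else:
            colours[system] = "green"
    return colours


def in_scope(colours):
    """Every system that is not green must be covered by the PCI DSS controls."""
    return sorted(s for s, c in colours.items() if c != "green")


if __name__ == "__main__":
    result = classify_scope(CARD_DATA_SYSTEMS, SECURITY_SYSTEMS, LINKS)
    for system, colour in sorted(result.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{colour:6} {system}")
    print("in scope:", ", ".join(in_scope(result)))
```

Re-running the script with the card-db to backup-server link marked as segmented turns backup-server and file-share green, which is exactly the cost reduction the article attributes to segmentation: two fewer systems to bring under the controls.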
How do I become PCI DSS certified?
It is the payment networks that dictate the certification rules for their business partners. They have established 4 levels for merchants and 2 levels for service providers.
For merchants:
- Level 1) More than 6 million transactions per year
- Level 2) between 1 and 6 million transactions per year
- Level 3) between 20,000 and 1 million transactions
- Level 4) Less than 20,000 transactions
For service providers:
- Level 1) Over 300,000 customer transactions
- Level 2) Less than 300,000 customer transactions.
When you're a merchant, your acquirer, who oversees your relationship with the payment networks, must also state its control requirements in your contract. This makes you responsible for security, and therefore for PCI DSS compliance, in your environment.
If you're a service provider, you should have an information security liability agreement with your PCI DSS-covered customers.
This is the classic trigger for a compliance requirement:
If you sell products on the Web and orders are processed by PayPal, Moneris, Stripe or Square, then you are a PCI-DSS merchant.
Check the contract with your credit card processor, as they dictate their requirements. Some will even fill out the compliance form (SAQ-A) for you.
On the other hand, they manage their risk by charging you a service fee of 3 to 5% for each transaction.
Obtaining PCI DSS certification could help you reduce the costs associated with transactions, and it could be well worth the effort.
SAQ, AOC and ROC
When we are asked to be PCI DSS compliant, after determining the scope we need to determine the level of compliance required (see levels 1 to 4 above).
For level 1, a conformity assessment by an auditor (QSA) is mandatory.
For levels 2, 3 and 4, the company can complete and submit a Self-Assessment Questionnaire (SAQ).
There are 9 types of SAQ (Self-Assessment Questionnaire):
- SAQ-A – 24 questions – if ***all*** functions are outsourced;
- SAQ-A-EP – 192 questions – online business only, but retaining some responsibility for the payment process;
- SAQ-B – 41 questions – merchant with a point-of-sale terminal, physical only, connected over a telephone line (analogue or LTE);
- SAQ-B-IP – 87 questions – merchant with a point-of-sale terminal, but connected to an IP network;
- SAQ-C – 161 questions – merchant with an internet payment application;
- SAQ-C-VT – 84 questions – merchant with a virtual payment terminal over the internet;
- SAQ-P2PE – 34 questions – merchant with a PCI DSS P2PE-compliant terminal;
- SAQ-D – 328 questions for *merchants* and 370 for service providers – all those not meeting the other criteria above.
A service provider always uses the 370-question SAQ-D.
Compliance result
AOC: Attestation of Compliance
This is the document intended for circulation, which is provided to third parties to demonstrate your compliance with the PCI DSS standard.
Each SAQ is accompanied by a corresponding AOC form enabling self-declaration of compliance with the standard.
The AOC is signed by the merchant to self-declare compliance, and can also be co-signed by a QSA (Qualified Security Assessor) to give it added credibility.
ROC: Report on Compliance
This is a comprehensive report written by the Qualified Security Assessor (QSA).
The AOC (Attestation of Compliance) document is supplied with the ROC, and both are signed by the QSA auditor.
Of course, this is only a brief introduction to the PCI DSS standard, and there are many exceptions and nuances to be considered.
The PCI DSS standard has changed the dynamics of the credit card payment market and will continue to do so, especially with the release of the next version of the standard (PCI DSS version 4.0).
To be continued!