Compliance Image

PCI DSS compliance explained

Unsure about what PCI DSS compliance is all about? Need to complete a ‘SAQ' but aren’t sure where to begin? You’re not alone. Here’s an overview to help you understand compliance and complete your self-assessment.

Overview of PCI DSS compliance


What’s PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard.

It’s a set of security requirements. It details the minimum standards required of anyone who collects, stores, processes, or transmits cardholder data.

If you accept or process payment cards, PCI DSS applies to you.

PCI DSS sets the global standard in safeguarding payment card data - to protect your customers and your business from security risks, account threats, and financial harm.

In the world of online payments, organisations must meet these security requirements in order to continue operating.

Side note: The Payment Card Industry Security Standards Council (PCI SSC) was founded in 2006 by the major card schemes – including Mastercard, Visa, and American Express. The council established the PCI DSS to help protect the integrity and security of cardholder data. Learn more in the official PCI Security Standards Council website.


Why PCI DSS is important for you

The objective for PCI DSS is to protect card data from threats.

It helps minimise the risks of data breaches to merchants of all sizes.

When payment card data or customer data is stolen or compromised it can lead to brand damage, litigation, or fraud. All of these outcomes can be extremely damaging to consumer confidence. They can make it hard for you to attract and keep customers - even if it wasn't your business at fault.

As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements.

Even though PCI DSS is not part of any law, the standard is applied globally. It comes with significant penalties and costs for organisations that don’t comply with the requirements.

(These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.)

The PCI DSS has been introduced to reduce your risk, and protect the integrity of cardholder information. Compliance with the standard is essential.

Why do I have to validate PCI DSS compliance if Flo2Cash is already PCI DSS compliant?

You and your organisation are responsible for making sure that cardholder data is secure and protected before the data reaches Flo2Cash.

When you use our solutions, you are outsourcing most PCI DSS responsibilities to Flo2Cash.

However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Flo2Cash does not completely eliminate your PCI scope.

Rest assured, as your payment service provider, Flo2Cash is PCI DSS 3.2.1 compliant as a Level 1 Service Provider - which is the highest, most stringent level of certification possible in the global payments industry.

We’re 100% committed to providing you with a secure environment to continue accepting payments.


In a nutshell, PCI DSS…

  • applies to all merchants that collect, processes, store, or transmit cardholder data.
  • requires that you do a self-assessment to check your compliance - but the scope of your assessment depends on what solutions you use and how you operate your business.
  • is made up of 12 key requirements within 6 core goals.


PCI DSS requirements

The standard consists of 12 basic requirements grouped into 6 categories for establishing and maintaining a reliable and secure payment processing environment.

Categories / Goals

Requirements

1. Build and maintain a secure network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data and sensitive information across open public networks.

3. Maintain a vulnerability management program

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

4. Implement strong access control measures

7. Restrict access to cardholder data by business need to know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

5. Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

6. Maintain an information security policy

12. Maintain a policy that addresses information security.


Step-by-step guide to PCI DSS compliance

Step 1. Identify the PCI DSS level of your business.

All merchants need to demonstrate PCI DSS compliance every year.

You need to work out which PCI compliance level applies to your organisation, based on the number of transactions your organisation processes.

Your PCI compliance level will then determine the type of PCI validation tools your organisation needs to complete.

How many card transactions do you process annually?

This means your PCI DSS level is…

…and you’ll need to do the following to be validated for PCI DSS compliance.

More than 6 million card transactions per annum (any type of transaction)

1

  • On-site assessment completed by a qualified security assessor (QSA) (annually)
  • Report on Compliance (RoC) completed by a QSA (annually)
  • Network vulnerability scans performed by an approved scanning vendor (ASV) (quarterly)

More than 1 million but less than 6 million transactions per annum (any type of transaction)

2

More than 20,000 but less than 1 million transactions per annum (e-commerce transaction)

3

  • Self-assessment questionnaire (SAQ) (annually)
  • Network vulnerability scans performed by an ASV (quarterly)

All other merchants

4

  • Self-assessment questionnaire (SAQ) (annually)
  • Network vulnerability scans performed by an ASV (quarterly)


Step 2. Choose a Qualified Security Accessor and Approved Scanning Vendor

Depending on your PCI DSS level, you may need to appoint a Qualified Security Accessor (QSA) to complete your annual PCI validation.

A QSA is a data security firm that is qualified by the PCI Security Standards Council to perform on-site assessments and validate self-assessment questionnaires.

View a list of qualified security assessors (QSA).

An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not a customer meets the PCI DSS external vulnerability scanning requirement.

ASVs are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS.

View a list of approved scanning vendors (ASV).


Step 3. Scope out a PCI DSS assessment.

Once you've defined your merchant level, it's time to begin scoping your assessment!

Scoping must occur at least annually and prior to the annual assessment.

You must identify all system components that are located within or connected to the cardholder data environment. (Remember, such an environment is comprised of people, processes, and technology that handle cardholder data or sensitive authentication data.)

This is to ensure all applicable system components are included in your scope for PCI DSS.

All types of systems and locations should be considered as part of the scoping process, including backup / recovery sites and fail-over systems.

Side note: It's easier to remove items from scope later, so try to include everything that's part of your payment lifecycle. Trying to increase scope during the review or remediation stage will cause issues with funding, resources, and your compliance timeline.


Step 4. Complete a Self-Assessment Questionnaire (SAQ).

The Self-Assessment Questionnaire (SAQ) is a self-validation tool.

It helps you determine whether or not you’re PCI DSS compliant.

It’s for eligible organisations who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC).

The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. (If an answer is no, the organisation may be required to state the future remediation date and associated actions.)

If you have a large number of requirements you are unsure about, it might be beneficial to contact a qualified security assessor (QSA) to assist.

There are different SAQs available depending on how you handle cardholder data. If you're unsure of your payment processing method(s), please contact our compliance team for assistance.

The table below can help you determine which category you fall under.

You can then download the SAQ document that applies to you.

Which best applies to your organisation?

Your SAQ form is therefore…

Card-not-present merchants (e-commerce or mail / telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Applicable only to e-commerce channels.

A-EP

Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

B

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

B-IP

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.

C-VT

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.

C

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

P2PE-HW

For merchants: All merchants not included in descriptions for the above types.

D

For service providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

D


Step 5. Complete a network vulnerability scan.

Network vulnerability scanning is an automated process of proactively identifying networks, applications, and security vulnerabilities to make sure your systems are operating with a level of protection.

Depending on your PCI DSS level, network vulnerability scans must be performed and passed quarterly in order for you to achieve PCI compliance. These scans must be by an approved scanning vendor (ASV).

While quarterly scanning is the minimum requirement (if applicable to your organisation), we strongly encourage you to perform scans more frequently than every quarter.

These vital scans will alert you to weaknesses within your business environment. They can provide you with an opportunity to remedy them before somebody else compromises your data and environment.


Step 6. Remediate all issues identified.

Now that you've completed your SAQ and network vulnerability scans, you’ll need to remediate any non-compliant requirements or implement compensating controls.

Remediation timeframes differ from business to business, depending on initial compliance status and the complexity of the cardholder data environment.


Step 7. Complete an Attestation of Compliance (AOC).

Once you've completed any remediation, you'll need to complete the attestation of compliance (AOC).

The AOC needs to be signed by your CEO, CIO, or equivalent, such as an Information Security Manager. Please ensure you've completed all relevant pages within the applicable questionnaire.

Download the AOC document that applies to you.


Step 8. Maintain PCI DSS compliance.

Validating your compliance is not the end!

PCI DSS requires an annual confirmation of compliance.

To make sure that security controls continue to be properly implemented, PCI DSS should be implemented into business-as-usual activities as part of your organisation’s overall security strategy.

This enables you to monitor the effectiveness of your security controls on an ongoing basis. It also means you can continuously maintain a PCI DSS compliant environment.

Remember - annual compliance validation is your responsibility - to help protect your organisation, your people, and your customers.

Your annual self-assessment, network scan results, and AOC can be emailed to our Compliance team.


Data breaches and risks

The PCI DSS has been introduced to reduce your risk and protect the integrity of cardholder information.

Compliance with the standard is essential.

A cardholder data breach (or an Account Data Compromise [ADC]) is when a person or group gains unauthorised access to cardholder data (in electronic or physical form) from within your business environment. It refers to unauthorised access, theft, or loss of sensitive cardholder data.

Data compromises are always a risk. They can result in bad publicity, your customers taking their business elsewhere, and additional costs to your business.

Our financial regulators (card schemes, acquirers, or other governing bodies) will inform Flo2Cash if there's a confirmed (or suspected) data breach on your account.

Flo2Cash will then notify you immediately.

You are required to follow the steps prescribed by the regulators. This may involve conducting a network vulnerability scan, an application penetration test, appointing a qualified security accessor (QSA) and completing an on-site PCI assessment.

If you suffer a data breach that results in an account data compromise, you may be escalated to a higher level of compliance.

Any data compromises or non-compliance fines received by Flo2Cash from card schemes may be passed on to you, as stated in your Payment Service Agreement. The fines can be up to USD $100,000 per day of non-compliance and may include a fine for each card affected by the breach.

Furthermore, Flo2Cash may have no choice but to terminate your merchant account if PCI DSS compliance isn't achieved by any date communicated to you.

Remember - PCI DSS compliance is mandatory for all organisations that collect, store, process, and / or transmit cardholder data. It's essential to ensure your business complies with the PCI DSS.

If you suspect your organisation may have suffered an account data compromise, you must contact the Flo2Cash Compliance team immediately.


We’re here to help!

Achieving PCI DSS compliance doesn’t have to be complicated, scary, or difficult.

If you have any questions, or need some guidance around becoming PCI-compliant, we’re here for you.

Flo2Cash strongly advises that all merchants consult a QSA firm for further guidance on PCI requirements and to develop a better understanding your obligations.

If you would like a recommendation, please ask our team.

You can always reach our dedicated support team.


PCI DSS glossary

AOCAttestation of Compliance | A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).

ASVApproved Scanning Vendor | A company approved by the PCI SSC to conduct external vulnerability network scanning services.

CDE – Cardholder Data Environment | The people, processes, and technology that collect, store, process or transmit cardholder data.

CHD – Cardholder Data | At minimum, cardholder data consists of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date, and / or service code.

PCI DSSPayment Card Industry Data Security Standards.

PCI SSCPayment Card Industry Security Standards Council.

QSAQualified Security Assessor | A company which is qualified by the PCI SSC to perform PCI DSS onsite assessments.

ROCReport on Compliance | A report documenting detailed results from an entity’s PCI DSS assessment.

SAD – Sensitive Authentication Data | Security-related information used for authentication or authorisation. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID, and CVV2.

SAQSelf Assessment Questionnaire | A reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.


More reading