The Payment Card Industry Data Security Standard

From the world's largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customers' payment card data secure.

The PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.

The PCI DSS applies wherever Account Data is stored, processed or transmitted. Our consultancy team will assist you in determining where and how cardholder data is processed within your organisation, and how the PCI DSS affects you.

Compliance Reporting Methods

Is your organisation a large Payments Processor with thousands of active customer accounts on file? Or are you a local retailer, processing only a handful of card transactions per day? The size and nature of your business will determine the number of compliance requirements that must be met within the PCI DSS. In general, the reporting requirements for organisations processing card payments are determined by the number of transactions processed; however, this can vary by payment card brand. For example, Visa Europe have the following requirements:

  • Level 1 - Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.
  • Level 2 - Merchants processing one million to six million Visa transactions annually via all channels.
  • Level 3 - Merchants processing 20,000 to one million Visa e-commerce transactions annually.
  • Level 4 - E-Commerce Merchants processing fewer than 20,000 Visa e-commerce transactions annually. Non E-Commerce Merchants processing up to one million Visa transactions annually.

Visa Europe require all Level 1 Merchants to complete a Report on Compliance (ROC) following an on-site audit by a Qualified Security Assessor (QSA). All other levels of merchants may complete a Self Assessment Questionnaire (SAQ) to document their level of compliance with the PCI DSS.

Selection of the appropriate SAQ for your business

Our consultants will review your business processes at the initial point of assessment to determine the level of SAQ required for payment processing activities within your organisation. This initial assessment takes into consideration the transaction paths of card payments, the business processes associated with acquiring, processing and storing cardholder data, and the technical characteristics of your information processing environment.

The completion of the Self Assessment Questionnaire is based upon the number of transactions processed by the organisation, and the way in which card payments are processed. In addition the storage or transmission of cardholder data is taken into account, and the appropriate type of SAQ is selected.

Types of SAQ

  SAQ    Description
  A      Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  B      Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
  C-VT   Merchants using only web-based virtual terminals, no electronic cardholder data storage.
  C      Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
  D      All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

PCI DSS Gap Analysis Services

At 24 Security we have extensive experience in performing PCI DSS Gap Analysis exercises in many types of organisations, from large-scale Tier-1 Payment Processors to smaller Retail and Distribution businesses. Once the card payment transaction processes have been mapped out, we work with technical and business teams to determine the scope of your Cardholder Data Environment and therefore the PCI DSS controls which will be applicable to you.

Our experience with multiple Operating System environments, complex communications networks and the assessment of both off-the-shelf and in-house applications means that we can streamline your compliance process, ensuring that you gain visibility of problem areas and can focus your remediation efforts. Our reports contain information on your environment, with written and graphical representations of your compliance level across each PCI DSS requirement. In addition, we provide ongoing advice and guidance to our customers to help them prioritise progress and develop controls which are fit for purpose and integrate into the business processes of their organisation.

Contact our PCI DSS Compliance Team on secure@24sec.co.uk or phone 0203 411 4954 for a no-obligations discussion.

Standards compliance need not be a headache - talk to us about the compliance goals for your business.

Our experience in taking large organisations through PCI DSS compliance from start to finish can help you to meet your business objectives and build real value from standards compliance.

Our PCI DSS Compliance Services include:

  • Scoping of the Cardholder Data Environment (CDE)
  • Analysis of your environment against PCI DSS controls
  • Assistance with completion of an SAQ / AOC
  • Security Testing using our ASV Approved Service