Visa and MasterCard have recently begun requiring merchants and service providers that handle card data to be PCI DSS compliant. As a result, the requirements of this standard now matter not only to the major players in the market, but also to small merchants and service providers.
PCI DSS was developed by the PCI SSC (Payment Card Industry Security Standards Council) and defines a set of requirements for payment card data security that cover both the technical and the organizational side of an organization.
First of all, the standard defines requirements for organizations whose information infrastructure stores, processes or transmits payment card data, as well as for organizations that can affect the security of that data. Since mid-2012, all organizations involved in storing, processing or transmitting payment card data must comply with the requirements of PCI DSS, and companies in the Russian Federation are no exception.
To determine whether your company needs to be PCI DSS compliant, answer two basic questions: is payment card data stored, processed or transmitted within your organization? And can your organization's business processes affect the security of that payment card data? If the answer to both questions is no, PCI DSS certification is not required.
Complying with the standard means meeting a defined set of requirements. Some of them are: protection of the network, access control to cardholder data, secure configuration of information infrastructure components, authentication mechanisms, physical protection of the information infrastructure, protection of cardholder data in transit, and so on. In total, the standard requires about 440 verification procedures to be passed.
There are several ways to confirm PCI DSS compliance: an external audit (QSA), an internal audit (ISA) or a self-assessment (SAQ).
A QSA audit is an external audit performed by a Qualified Security Assessor, an organization certified by the PCI SSC. During the audit, the auditors collect evidence of compliance with the requirements of the standard and retain it for a period of three years.
An ISA audit is an internal audit performed by the organization's own trained and PCI SSC-certified Internal Security Assessor. An SAQ self-assessment is performed by the organization itself by completing a Self-Assessment Questionnaire; in this case, no evidence of compliance with the requirements of the standard needs to be collected.
To decide which situation calls for an external audit, which calls for an internal audit, and whether an audit is needed at all, you need to look at the type of organization and the number of transactions it processes per year. The classification distinguishes two types of organizations: merchants and service providers.
A merchant is an organization that accepts payment cards in exchange for goods and services (shops, restaurants, online stores and others).
A service provider, on the other hand, is an organization that provides services to the payment card industry related to transaction processing (data centers, hosting providers, international payment systems, and others).
Depending on the number of transactions processed per year, merchants and service providers are assigned to different levels. For example, suppose a merchant processes up to 1 million e-commerce transactions per year.
According to the Visa and MasterCard classification, such an organization is categorized as Level 3. To confirm PCI DSS compliance it therefore needs quarterly external vulnerability scans of its information infrastructure components by an ASV (Approved Scanning Vendor) and an annual SAQ self-assessment.
On the service provider side, the number of services offered by cloud providers grows every year. For organizations that use cloud infrastructure, the question of PCI DSS hosting therefore becomes relevant.
PCI DSS hosting is a service that provides secure payment card processing for organizations that host their infrastructure with a PCI DSS-certified hosting provider, where that infrastructure stores, processes or transmits payment card data.
By choosing this service, the organization automatically closes a significant part of the PCI DSS requirements: the provider takes responsibility for some of them, such as the physical protection of the hosted servers and the administration of the operating systems.
As you know, outsourcing solves many problems and makes life simpler for organizations. Whereas many companies used to deploy their information infrastructure in their own server rooms and meet every compliance requirement on their own, many now outsource these tasks to certified service providers, which raises the security level of the card data processing environment and reduces the risk of financial losses from possible information security incidents.
Any organization that runs its own card processing sooner or later faces the need for PCI DSS certification. Working with certified service providers greatly simplifies the certification process for merchants and ensures the proper level of payment card data protection.