PAYMENT CARD INDUSTRY
The payment card industry (PCI) created a Security Standards Council (SSC) to formulate regulations compatible with all major credit card companies. Although laws and regulations from the Council change regularly, I’ve put together the following current and hopefully helpful information. If your bank or acquirer tells you something different, follow their instructions. For official documentation, see www.pcisecuritystandards.org.
All e-commerce businesses that accept payment cards are required to do two things: quarterly PCI scanning of all external-facing IP addresses, and a Report on Compliance or Self-Assessment Questionnaire (SAQ) concerning PCI SSC compliance and the PCI DSS.
Currently, PCI Security Standards Council specifies 12 requirements for PCI compliance, organized into six related categories, called “control objectives.” To learn more about them, see my PCI Compliance Table.
SECURITY STANDARDS COUNCIL
The PCI Security Standards Council was founded by the five major credit card companies (American Express, Discover, JCB, MasterCard, and Visa) in order to create a uniform set of security standards for companies to follow when processing credit card transactions. Until the PCI Council was organized, each of these companies had its own standards, which were similar to each other but not uniform. Usually, when people use the term PCI, they are talking about the industry and the Security Standards Council.
The Payment Card Industry Security Standards Council has 12 main security requirements. The extent to which the 12 requirements need to be met depends on the number of transactions that a company processes in a year. Companies are separated into four levels based on their volume of credit/debit card transactions.
REPORT ON COMPLIANCE
A Report on Compliance is a report that e-commerce owners submit to their acquirers to show that they are compliant. An acquirer is typically the company that e-commerce business owners initially sign up with in order to process credit cards. This could be a third-party service provider or a bank. The type of report varies depending on the merchant level a business falls into.
HELPFUL HINT:
If credit cards are stored with your Payment Gateway Provider (Authorize.net, LinkPoint, PayPal, etc.), the SAQ is easy. If an e-commerce site stores credit cards on its own server, the SAQ gets much more complicated, because holding card data yourself greatly increases the website owner's exposure to identity and credit card information theft.
DATA SECURITY STANDARDS
PCI DSS stands for Payment Card Industry Data Security Standard, the official security standard created by the Council to reduce payment card fraud. These standards are part of an e-commerce website's merchant agreement, which is signed when a company decides to accept payment cards (credit, debit, etc.).
Whether website owners are aware of it or not, they are ultimately financially responsible if someone steals their customers' credit cards and they are found not to be in compliance with the PCI Data Security Standard.
PAYMENT APPLICATION DATA SECURITY STANDARDS
PA DSS stands for Payment Application Data Security Standard, a completely separate but related set of standards from the PCI DSS above. It applies specifically to companies that develop or operate the payment applications, such as shopping carts, that e-commerce merchants use to process transactions.
The PA DSS is in place so that the payment application software behind each website's shopping cart processes its customers' credit cards according to the proper security specifications, protecting against known vulnerabilities. In other words, e-commerce owners need to ensure that their own site is compliant with the PCI DSS and that their shopping cart vendors are compliant with the PCI PA DSS.