You are here:

Standard PCI

Contact us

free consultation

PCI DSS

Payment Card Industry Security Standard Council (PCI SSC) is an independent organization founded by major card brands (Visa, Mastercard, American Express, Diners Club and JCB) with the aim to create and maintain information security standard (PCI DSS) to reduce payment card fraud and enhance payment card security.

Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS is a set of requirements and best practices developed on basis of the best industry guidelines, technology development and to address most recent security threats.


SC2labs provides the PCI DSS audit service, as accredited by the PCI SSC

PCI QSA auditor


Published on March 2022 the new version 4.0 of the PCI Data Security Standard (PCI DSS) replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.


The PCI DSS as a global standart applies to any entity worldwide regardless of size or number of transactions, that stores, processes or transmits credit cardholder data. Any organization that needs to be PCI compliant must definitely prove its compliance with standards and practices in place.

PCI DSS provides several compliance validation tools, such as:


  • On-site Annual Security Audit. A detailed on-site compliance assessment is performed by a PCI SSC certified QSA (Qualified Security Assessor) or by a certified ISA (Internal Security Assessor). The Audit is a detailed review of an organization’s card data environment that results in a RoC (Report on Compliance) and AoC (Attestation of Compliance).


  • Self Assessment Questionnaire (SAQ). Validation tool primarily used by merchants and service providers not required to undergo on-site assessment in self-evaluating their compliance with the PCI DSS.


  • External Vulnerability Scan. External network vulnerability scanning is performed quarterly by a PCI SSC Approved Scanning Vendor (ASV) of all Internet-facing system components that are a part of or provide a path to the cardholder data environment.


    SC2labs provides PCI DSS audit service, SAQ filing support and

performs PCI ASV scans.

Levels

PCI DSS compliance is verified according to the merchant/service provider level. The main criterion is the number of transactions. 

Merchant Levels:

Level Criteria Requirements Validation
1
  • Merchant processing over 6 milion transactions annually
  • Merchant that suffered a security breach, resulting in an account compromise
  • Individual payment brand decision
  • On-site Annual Security Audit
  • Quarterly Network Scan
  • QSA or ISA
  • ASV
2
  • Merchant processing 1 mln to 6 milion transactions annually
  • Annual SAQ
  • Quarterly Network Scan
  • ASV
3
  • Merchant processing over 20000 to 1 milion e-commerce transaction annually
  • Annual SAQ
  • Quarterly Network Scan
  • ASV
4
  • Merchant processing less than 20000 to 1 milion e-commerce transaction annually
  • all other merchants processing up to 1 milion transactions annually
  • Annual SAQ
  • Quarterly Network Scan
  • ASV


Service Providers Levels:

Level Criteria Requirements Validation
1
  • All Third Party Processors (TPPs)
  • All Data Storage Entities (DSE) with more than 300 000 total combined MC/Visa transactions annually
  • On-site Annual Security Audit
  • Quarterly Network Scan
  • QSA
  • ASV
2
  • All DSE’s with 300,000 or less combined MC/Visa transactions annually
  • Annual SAQ
  • Quarterly Network Scan
  • ASV


Requirements

The PCI DSS version 3.2.1 encompasses requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Standard consists of 12 requirements grouped thematically into six major categories; each of the requirements consists of a number of specific points.

Goal PCI DSS Requirements
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an Information
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security   parameters
  • Protect sensitive data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses Information security

  • PCI QSA Audit - an examination of IT systems, organisational documents, policies, procedures, and employee interviews performed at the client's premises for compliance with the PCI DSS standard.

  • PCI ASV Audit - PCI ASV scan - services to check the security level of external information systems in accordance with the requirements of the PCI DSS standard.

  • GAP Audit - testing the degree of compliance of the client's system with the requirements of the PCI DSS standard.

  • PCI QSA - Payment Card Industry Qualified Security Assessor - an accredited auditor, certified by the PCI SSC, qualified to verify information systems for compliance with the PCI DSS standard.PCI ASV - Payment Card Industry.

  • Approved Scanning Vendor - an accredited auditor, certified by PCI SSC, with the authority to verify information systems for compliance with the PCI DSS standard.

  • Attestation of Scan Compliance (AoSC) - a document confirming passing or failing a PCI ASV scan (issued after PCI ASV scanning as a part of the report) with PCI DSS requirement 11.2.

  • Report on Compliance (RoC) – large document (over 300 pages) that is completed during PCI QSA on-site audit. This document is usually only shared with card organizations (such as VISA/Mastercard)

  • Attestation of Compliance (AoC) - a formal document confirming compliance with PCI DSS. It is completed either by Merchant/Service Provider (if they are eligible to fill SAQ) or by PCI QSA at the end of the PCI QSA on-site audit.

  • Issuer - a bank or other organisation issuing a card under the authority of a payment organisation, e.g. VISA or MC.

  • Acquirer - a bank or organisation that the merchant uses to process payment card payments. Receives authorisation requests and sends to the issuer (Issuer) for acceptance. Provides services in the processes: authorization, clearing, settlement for the merchant. Acquirer usually is:

    •  Merchant bank,

    •  Settlement agent,

    •  Service provider (sometimes),

    •  Card organisation (JCB, Discover, Amex),

    •  Never VISA or MC.

  • SAQ – Self Assessment Questionnaire – the form of self-check for merchants and service providers with low transaction volume (see compliance levels) if they are compliant with PCI DSS.

  • CoC Certificate of Compliance – issued by SC2labs for marketing and PR purposes. This is not a formal confirmation of compliance (AoC is a formal document).

  • Merchant - an organisation that accepts credit card payments at the time of purchase.

  • Service Provider - transaction Processor.