What is PCI DSS and why this certificate says a lot about you as a payment market participant

The security issue is fundamental for the payment market participants. And PCI DSS Data Security Standard plays a crucial role here. 12 high-level requirements developed by international payment systems Mastercard, Visa, American Express, JCB and Discover are the basis for the work of banks, processing centers and other companies related to the storage, processing and transmission of cardholder data. The established rules ensure the payment data security and include most of the world’s best practices for maintaining an appropriate security level. As a big Ukrainian payment service provider, we certainly need it. Today I want to discuss PCI DSS implementation complexity and why its level tells of the company level more than you think.

PCI DSS for banks and processing centers

Mastercard, Visa, American Express, etc. lay down their own strict operating rules to ensure the security of payments. Banks and processing centers are directly connected to international payment systems and must comply with all the requirements established by them. PCI DSS is one of them. Neither banks nor processing centers are able to work without the standard compliance. And this is obvious, because a data leak can lead to a trust decrease in the entire industry and appalling financial losses. That is why the PCI DSS requirements compliance is that important and bounden. With the growth of the industry globally, the security issue is becoming more and more urgent. Consequently, the versions of the standard are constantly updated, with the necessary requirements added or unnecessary ones taken out. For example, version 3.2.1 is an improved version of 3.2. It doesn’t include exclusively new requirements or changes.

Who else is required to meet the standard?

In addition to banks and processing companies, all companies that somehow affect the security of cardholder data need to comply with the requirements of the standard. That regards, for example, the gaming services. It’s no secret that the gaming industry is growing incredibly fast, generating billions of dollars. Nowadays there are a variety of functions in games, including purchasing virtual currency or in-game items for real money. Accordingly, all video game digital distribution services that store cardholder data for one-click payments have this certificate. This also regards data centers, although they aren’t directly related to the processing of cardholder data. But their clients can be direct payment market participants, who, in turn, will cooperate with reliable partners. The largest data centers are PCI DSS certified.

PCI DSS levels

Depending on the number of transactions processed per year payment market participants are divided into merchant and service provider levels according to the criteria set by Visa and Mastercard. Accordingly, the requirements for participants at different levels are also different. PCI DSS certification defines 4 merchant levels and 2 service provider levels (payment systems, data centers, hosting providers, etc.).According to the type of organization and classification by the number of transactions, PCI DSS compliance is demonstrated by three types of audit:

● A QSA (Qualified Security Assessor) audit is carried out by an external audit organization qualified by the PCI SSC Council.

● An ISA (Internal Security Assessor) is prepared by an eligible internal security audit professionals who have received special PCI DSS training and is designated by the PCI SSC.

● A SAQ (Self Assessment Questionnaire) is signed off by a company officer who reports the results of their PCI DSS self-assessment.

Merchant levels:

Level 1 is suitable for merchants that process more than 6 million transactions per year or whose data has previously been compromised. These companies require a quarterly scan by an ASV and an annual external QSA or an ISA internal audit.

Level 2 is for merchants that process 1 million to 6 million transactions per year. These companies are required a quarterly scan by an ASV, as well as an annual SAQ signed by a company officer (Visa requirements) or an annual external QSA or an internal ISA (as required by Mastercard).

Level 3 is designed for merchants that process 20,000 to 1 million transactions per year. They need a quarterly ASV scan and a SAQ self-assessment every year.

Level 4 is suitable for merchants that process fewer than 20,000 transactions per year or all other merchants. They’re required for a quarterly scan by an ASV and a SAQ self-assessment annually.

Service provider levels:

In this case, the service provider validation criteria and the requirements don’t depend on a specific certain payment system.

Level 1 applies to all processing centers and service providers that process, transmit and/or store more than 300,000 transactions per year. Such companies need to conduct a vulnerability scanning ASV quarterly and an annual QSA audit.

Level 2 is designed for service providers that process, transmit and/or store data fewer than 300,000 transactions per year. They need a quarterly ASV scan and an annual SAQ safety self-assessment.