PCI Compliance

What is PCI DSS?

The Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment account data security.

It was developed by the founding payment brands of the PCI Security Standards Council, including VISA, American Express, Discover Financial Services, JCB International and MasterCard, to help facilitate the broad adoption of consistent global data security measures.

Who needs to be compliant with PCI DSS?


All organisations that store, process or transmit payment card data are mandated by VISA, MasterCard and the other payment brands to achieve compliance with the PCI DSS Standard.
This includes Banks, Payment Service Providers, online merchants, face-to-face merchants and any other organisation involved in the payments process.

As a Technology Partner how do the PCI DSS standards affect me?


Any partner must assess their responsibilities under the PCI DSS standard to the same extent as any other party involved in the payments process. This applies if you host a Payments Page, store credit card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.

If you do not have a direct relationship with an acquiring bank, your MasterCard Payment Gateway Services Account Manager will be able to provide you with a Qualified Security Assessor and Approved Scan Vendor contact who can assist.

What are the deadlines for complying with PCI DSS?


Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed.
You should confirm with your acquirer and/or merchant bank whether any specific deadlines apply to you, based on merchant transaction volume as determined by the card payment brands.

All entities that transmit, process or store payment card data must be compliant with PCI DSS.

What do I need to do next?


Depending on your organisation's size and type, you will either complete a PCI DSS Self Assessment Questionnaire or have a Formal Assessment by a Qualified Security Assessor.

You will also need to have quarterly vulnerability scanning carried out and send your acquirer a clean scan report every quarter.

Who needs to have an annual Formal Assessment?


Currently this applies to merchants who process more than 6 million transactions, Payment Service Providers and most banks.

If we don’t need a Formal Assessment, what Self Assessment Questionnaire (SAQ) should we complete and what do we do with it?


Your acquirer can help you decide which of the SAQ forms (A, B, C or D) you will need to complete; instructions can also be found below and on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions.

Once you have completed the SAQ, it needs to be sent to your acquiring organisation/bank.

Why do I need to have quarterly network scanning and how does it work?


The other requirement of the PCI DSS Standards, as mandated by VISA and MasterCard, is for an Approved Scan Vendor to conduct quarterly network scans for you. This applies if you host a Payment Page, store credit card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.

Network security scans are non-intrusive inspections that evaluate an organisation's network perimeter for information security vulnerabilities. A clean external network scan must be achieved, and the requisite report presented to the relevant acquiring bank, before PCI DSS compliance can be awarded.

Who carries out the scan?


The external network scan needs to be carried out by an 'Approved Scan Vendor'.

Are there any other tasks mandated by the Payment Brands as part of the PCI DSS Standard?


Yes, organisations completing SAQ D or having annual Formal Assessments will also need to have penetration testing of their network and internal scanning of devices connected to the internet.

Contact Our Information Security Team:


For more information or questions regarding MasterCard Payment Gateway Services Information Security processes, and to obtain a copy of our PCI certificate, please contact: compliance_programpci@mastercard.com
