What is PCI DSS?
The Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment account data security.
It was developed by the founding payment brands of the PCI Security Standards Council, including VISA, American Express, Discover Financial Services, JCB International and MasterCard, to help facilitate the broad adoption of consistent global data security measures.
The service provided by DataCash is fully PCI DSS compliant. DataCash commits to, and will contract to, maintain its PCI DSS compliance for the lifetime of any contract with a Merchant.
A copy of DataCash’s PCI DSS certificate can be viewed here:
All organisations that store, process or transmit payment card data are mandated by VISA, MasterCard and the other payment brands to achieve compliance with the PCI DSS Standard.
This includes Banks, Payment Service Providers, online merchants, face-to-face merchants and any other organisation involved in the payments process.
Any partner must assess their responsibilities under the PCI DSS standard to the same extent as any other party involved in the payments process. This applies if you host a Payments Page, store credit card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.
If you do not have a direct relationship with an acquiring bank, your DataCash Account Manager will be able to provide you with a Qualified Security Assessor and Approved Scan Vendor contact who will be able to assist.
Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed.
You should confirm with your acquirer and/or merchant bank if any specific deadlines apply to you, based on merchant transaction volume as determined by the card payment brands.
All entities that transmit, process or store payment card data must be compliant with PCI DSS.
Depending upon your organisation's size and type, you must either complete a PCI DSS Self Assessment Questionnaire (SAQ) or have a Formal Assessment carried out by a Qualified Security Assessor.
You will also need to have quarterly vulnerability scanning and send your acquirer a clean scan report every quarter.
Currently it is Merchants who do more than 6 million transactions, Payment Service Providers and most Banks.
Your acquirer can help you decide which of the SAQ forms (A, B, C or D) you need to complete; instructions can also be found below and on the PCI Security Standards Council website at:
Once you have completed the SAQ this needs to be sent to your acquiring organisation/Bank.
The other requirement of the PCI DSS Standard, as mandated by VISA and MasterCard, is for an Approved Scan Vendor to conduct quarterly network scans for you. This applies if you host a Payment Page, store Credit Card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.
Network security scans are non-intrusive inspections that evaluate an organisation’s network perimeter for information security vulnerabilities. A clean external network scan must be achieved and the requisite report presented to the relevant acquiring Bank before PCI DSS compliance can be awarded.
The external network scan needs to be carried out by an 'Approved Scan Vendor' (ASV).
Yes, organisations completing SAQ D or having annual Formal Assessments will need to have Penetration Testing of their Network and Internal Scanning of devices connected to the internet.
Yes, SecuriCentrix (http://securicentrix.com/) is one of the leading Qualified Security Assessors (QSA) for the Payment Card Industry Data Security Standard (PCI DSS), including for the DataCash Group itself.
One of the reasons they have become successful in this field is their 'Vendor Neutral' status, which means that they can independently advise on the effectiveness of your systems and applications.
Gap Analysis Report against the PCI DSS
Assist you in completing your PCI Self Assessment Questionnaire (Level 2, 3 and 4 Merchants)
Pre-assessment in advance of Formal Assessment (Level 1 Merchants and Payment Service Providers)
Quarterly Vulnerability Scans and Annual Penetration Testing of your network
Independent and vendor neutral Remediation Advice to support your project
Formal Assessment and Report on Conformance with the PCI DSS & Issue PCI Certificate (Level 1 Merchants and Service Providers)
To find out more about PCI DSS and SecuriCentrix please contact your DataCash Account Manager or email: firstname.lastname@example.org.