PCI DSS

What is PCI DSS?

The Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment account data security.

It was developed by the founding payment brands of the PCI Security Standards Council, including VISA, American Express, Discover Financial Services, JCB International and MasterCard, to help facilitate the broad adoption of consistent global data security measures.

 

Is DataCash PCI DSS compliant?


The service provided by DataCash is fully PCI DSS compliant. DataCash commits and will contract to maintain its PCI DSS compliance for the lifetime of any contract with a Merchant.

A copy of DataCash’s PCI DSS certificate can be viewed here:

 

Who needs to be compliant with PCI DSS?


All organisations that store, process or transmit payment card data are mandated by VISA, MasterCard and the other payment brands to achieve compliance with PCI DSS.

This includes Banks, Payment Service Providers, online merchants, face-to-face merchants and any other organisation involved in the payments process.

 

As a Technology Partner how do the PCI DSS standards affect me?


Any partner must assess its responsibilities under PCI DSS to the same extent as any other party involved in the payments process. This applies if you host a Payments Page, store credit card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.

If you do not have a direct relationship with an acquiring bank, your DataCash Account Manager can provide you with a Qualified Security Assessor and Approved Scan Vendor contact who will be able to assist.

 

What are the deadlines for complying with PCI DSS?


Compliance is mandated by the payment card brands, not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with PCI DSS have already passed.

You should confirm with your acquirer and/or merchant bank whether any specific deadlines apply to you, based on merchant transaction volume as determined by the card payment brands.

All entities that transmit, process or store payment card data must be compliant with PCI DSS.

 

What do I need to do next?


Depending upon your organisation's size and type, either complete a PCI DSS Self Assessment Questionnaire or have a Formal Assessment performed by a Qualified Security Assessor.

You will also need quarterly vulnerability scanning and must send your acquirer a clean scan report every quarter.

 

Who needs to have an annual Formal Assessment?


Currently this applies to Merchants who process more than 6 million transactions, Payment Service Providers and most Banks.

 

If we don’t need a Formal Assessment, what Self Assessment Questionnaire (SAQ) should we complete and what do we do with it?


Your acquirer can help you decide which of the SAQ forms (A, B, C or D) you will need to complete. Instructions can also be found below and on the PCI Security Standards Council website at:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

Once you have completed the SAQ, it needs to be sent to your acquiring organisation/Bank.

 

Why do I need to have quarterly network scanning and how does it work?


The other requirement of PCI DSS, as mandated by VISA and MasterCard, is for an Approved Scan Vendor to conduct quarterly network scans for you. This applies if you host a Payment Page, store Credit Card data electronically (even if only momentarily), or transmit Payment Card Data via an API link.

Network security scans are non-intrusive inspections that evaluate an organisation's network perimeter for information security vulnerabilities. A clean external network scan must be achieved and the resulting report presented to the relevant acquiring Bank before PCI DSS compliance can be awarded.

 

Who carries out the scan?


The external network scan needs to be carried out by an 'Approved Scan Vendor'.

 

Are there any other tasks mandated by the Payment Brands as part of the PCI DSS Standard?


Yes, organisations completing SAQ D or having annual Formal Assessments will also need Penetration Testing of their Network and Internal Scanning of devices connected to the internet.

 

Can you suggest a leading Qualified Security Assessor and Approved Scan Vendor that we can contact?


Yes. SecuriCentrix (http://securicentrix.com/) is one of the leading Qualified Security Assessors (QSA) for the Payment Card Industry Data Security Standard (PCI DSS), and acts as QSA for the DataCash Group itself.

One of the reasons for their success in this field is their 'Vendor Neutral' status, which means that they can independently advise on the effectiveness of your systems and applications.

 

SecuriCentrix can help in any of the following areas:

  • Gap Analysis Report against the PCI DSS

  • Assist you in completing your PCI Self Assessment Questionnaire (Level 2, 3 and 4 Merchants)

  • Pre-assessment in advance of Formal Assessment (Level 1 Merchants and Payment Service Providers)

  • Quarterly Vulnerability Scans and Annual Penetration Testing of your network

  • Independent and vendor neutral Remediation Advice to support your project

  • Formal Assessment and Report on Compliance with the PCI DSS, and issue of PCI Certificate (Level 1 Merchants and Service Providers)

To find out more about PCI DSS and SecuriCentrix please contact your DataCash Account Manager or email: sales@datacash.com.

 
