PCI

Compliance across many points counts

Learn how to stay compliant with PCI DSS, PA DSS, and PIN Transaction Security regulations. Here’s an overview of requirements:

PCI DSS

Merchants like you have important data security responsibilities. If you process, store, or transmit cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). If you do not comply, you could lose your ability to offer payment services.

With PCI DSS compliance, there is no arguing the facts. It’s your responsibility to achieve it, maintain it, and validate it.

Not sure how to comply and validate your compliance? We can help.

The PCI DSS is an evolving framework designed to protect cardholder data. This multi-faceted security standard outlines the minimum requirements that must be in place to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Compliance and validation

As a merchant accepting card payment, you must comply with the PCI DSS at all times and annually validate your compliance. Validation requirements will vary depending on your PCI Validation level, but typically include:

  • Annual Self -Assessment Questionnaire or Annual On-Site Assessment
  • Quarterly Vulnerability Scans

Visit the PCI Security Standards Council for more information.


PA DSS

The Payment Application Data Security Standard (PA DSS) is a set of security requirements applicable to applications developed by third parties. Both Visa and MasterCard mandate that merchants only use PA DSS compliant payment applications to help ensure that their processing software does not inhibit their PCI DSS compliance status.

Not sure how to comply with the payment application mandate? We can help.

Overview

All software vendors must comply with the PA DSS when developing software and point of sale applications for general resale.

The PA DSS standard does not apply to a merchant-proprietary application that has been developed internally for the merchant’s own use. Merchants using proprietary applications must secure those applications in accordance with the PCI DSS, and include them within the scope of their annual PCI DSS validation efforts.

Compliance and validation

Merchants should take the following steps to comply with the payment application mandates:

  • Review lists of validated applications to help ensure your specific application version is compliant. Both the application name and version number should be listed.
  • Install and use the application in a PCI DSS compliant environment and in accordance with the vendor specifications.

Visit www.pcisecuritystandards.org for more details.


PIN Transaction Security

The PIN Transaction Security Program is an evaluation program designed to ensure that all PIN Entry Devices (PEDs) meet the same minimum-security requirements. The PCI Security Standards Council is responsible for the administration of the evaluation program, as well as managing the approval process of all PEDs for compliance with the PIN Transaction Security (PTS) requirements.

A list of Council-approved PEDs is available at the PCI Security Standard Council (PCI SSC).

All PEDs used for acceptance of PIN debit transactions must be validated as compliant with PIN Transaction Security (PTS) requirements. Not sure how to ensure your device is validated? We can help.

Merchants should take the following steps to ensure their PED is PTS compliant:

  • Review lists of approved PEDs to help ensure your device (including the hardware, firmware, and application version) are compliant.
  • Keep a screen print of the listing of the PED device from the PCI SSC website with the PED purchase order.
  • When possible, purchase PEDs that have been validated against the latest version of the PTS Standard.