PCI Compliance
Learn what is PCI compliance and how to be compliant.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information, maintain a secure environment. It was launched in 2006 to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.
PCI DSS requirements
PCI DSS comprises twelve security requirements. Organizations are considered to be PCI compliant if they comply with the following requirements:
- Install an up-to-date firewall to protect cardholder data.
- Change default system passwords and settings for security-related parameters.
- Ensure that saved cardholder data is protected.
- Always use encryption when transferring cardholder data over public networks.
- Use antivirus software and make sure this is updated regularly.
- Maintain your systems and applications regularly in compliance with all security aspects.
- Ensure that the only employees who can access cardholder data are the ones who absolutely need to.
- Only grant access to system components using unequivocal authentication.
- Restrict access to cardholder data in the physical form.
- Ensure that all access requests to network resources and cardholder data are recorded and monitored.
- Regularly test your security systems and processes.
- Draft a company policy on the topic of information security that all employees observe and follow.
Advantages
PCI DSS with its binding rules for IT security is intended to put a stop to fraud crime.
When you process payment card data in accordance with PCI, you have the following advantages:
- Increased data security and protection of your customers’ information
- Increased customer confidence and thus an increase in credit card use and turnover
- Greater protection against financial losses and compensation due to security breaches
- Protection of the corporate image
- Assessment of the security protection of systems for storage, processing, or transmission of the cardholder data
- Data minimization and avoidance result in reduction of corporate risk
- Network structuring reduces the cost of maintenance of PCI compliance
When is PCI compliance mandatory?
Every company that accepts credit card payments must comply with the security requirements of the credit card organizations and thus with the PCI DSS. The size of the company and the number of credit card transactions per year are irrelevant for the company’s obligation to provide proof of PCI compliance.
Criteria for your PCI DSS compliance
Your PCI DSS compliance level is determined by the extent to which you meet the security requirements applicable to your sector. These requirements result from the type of your technical integration and how you handle sensitive credit card details. Several requirements are also based on your size and your risk potential.
The main criteria for classification of a company are the number of credit card transactions processed per year and credit card organization, and the distribution channel used.
The following table offers you an overview of which requirements apply to which merchants.
| Merchant category | Compliance obligation against acquirer | Security requirements | |||
|---|---|---|---|---|---|
| Mastercard, Maestro | Visa, V Pay | Self- assessment- questionnaire | Merchant network security scan | On-site securing screening | |
| Category 1: > 6.000,000 transactions per year All distribution channels (POS, e-commerce, MOTO) | Yes | Yes | Required1 + AoC2 | Required3 | Per year4 |
| Category 2: > 1.000,000 transactions per year All distribution channels (POS, e-commerce, MOTO) | Yes | Yes | Required1 + AoC2 | Required3 | Per year4 |
| Category 3: > E-commerce-merchant > 20.000 transactions per year | Yes | Yes | Required1 + AoC2 | Required3 | Optional |
| Category 4: > E-commerce-merchant < 20.000 transactions per year | Yes | Yes | Required1 + AoC2 | Required3 | Optional |
| Category 5: > All other merchants < 1.000,000 transactions per year | Optional | Optional | Optional | Optional | Optional |
- PCI DSS compliance must be revalidated every year.
- AoC (Attestation of Compliance form); only required for Visa acceptance points
- Required if cardholder data is processed, saved or transferred out of the merchant POS terminal environment.
- The SAQ is to be completed by an accredited ISA (Internal Security Auditor) at the company, or an on-site audit is to be performed by an accredited QSA (Qualified Security Assessor)
PCI DSS SAQ
The PCI Data Security Standard Self-Assessment Questionnaire (PCI SAQ) is a validation tool designed for merchants and service providers that allow them to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Different questionnaires will apply to different businesses, and each one is a series of yes-or-no questions. The questionnaires are available on the PCI Security Standards Council website. Merchants are encouraged to contact their bank or payment brand for eligibility requirements to identify the appropriate SAQ version for their organization.
Most common SAQ versions
The following is a list of the most common SAQ versions in relation to Unzer integration types. Choosing your integration type is the first step to determine your SAQ version.
| Unzer integration type | SAQ version | Definition |
|---|---|---|
| Payment Pages, Plugins, UI Components | SAQ A | Applicable for card-not-present merchants, when all cardholder data functions are outsourced to a PCI-compliant payment processor. Eligible e-commerce implementations: when merchant website is entirely hosted and administered by a compliant third-party payment processor, or provides an iframe to a PCI-compliant third-party payment processor or contains a URL link redirecting consumers from merchant web site to a PCI-compliant payment processor. |
| Virtual terminal (MOTO) | SAQ C-VT | Applicable for merchants using only web-based virtual terminals, without electronic cardholder data storage. |
| Server side-only integration | SAQ D | All other merchants not covered by any SAQ and all service providers defined by a payment brand as eligible to complete an SAQ. |
How to be PCI compliant
Unzer supports you in the process of checking and meeting PCI compliance requirements.
Step 1
During your onboarding with Unzer, we send you an individualized link to register on our internet-based PCI platform. The registration can be completed in minutes.
Step 2
Fill the self-assessment questionnaire (SAQ) available on the platform. The responses in the questionnaire can then be used to determine which requirements you still need to meet in order to be PCI compliant. Your contact at Unzer will assist you in completing the process.