PCI DSS Guidelines

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It sets the requirements an organisation must meet to securely accept, store, process and transmit cardholder data, in order to prevent fraud and data breaches.

The standard is mandated by the card schemes (Visa, Mastercard, American Express, etc.) and is administered by the PCI Security Standards Council (PCI SSC).

What is Cardholder data (CHD) and Sensitive Authentication data (SAD)?

At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

Sensitive Authentication Data is security-related information (including but not limited to card validation codes/values (CAV2/CVC2/CVV2/CID), full track data from the magnetic stripe or the equivalent data on a chip, PINs and PIN blocks) used to authenticate cardholders and/or authorise payment card transactions.

Who has to comply with PCI DSS?

PCI DSS applies to any organisation, regardless of size or number of transactions, that stores, processes and/or transmits any cardholder data and/or sensitive authentication data.

PCI DSS still applies even if the organisation stores or transmits the card data using a protective method such as hashing or encryption.

PCI DSS Exceptions

If the organisation does not store, process and/or transmit any card information, whether received from Contis or directly from cardholders, then the organisation is out of scope of PCI DSS and does not need to be PCI DSS compliant. (If the cardholder name and expiry date are present without the full PAN, PCI DSS does not apply to those elements.)

Which Contis API methods expose card data and/or sensitive authentication data?

Any Contis client that accesses the API methods below must comply with PCI DSS. If an API method returns only the cardholder name and expiry date, without the full PAN, those elements are out of PCI DSS scope.

API Method includes:
Card_ActivateCard
Card_GetSpecificVirtualCard
Card_GetVirtualCardCVV
Card_LinkPreissuedCard
Card_ViewPin
Card_AddVirtualCard
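The scoping rule above (full PAN brings a record into scope; name and expiry date alone do not; CVV, PIN and track data are sensitive authentication data) is easy to state and easy to get wrong when reviewing real API responses or logs. The following is an added example written for this page, not Contis code and not an official PCI SSC tool: it classifies a response payload as sensitive authentication data, cardholder data, or out of scope, detecting a full PAN with a Luhn check so that masked PANs and other digit strings are not counted. The field names and the sample payloads are constructed assumptions; the card numbers are the well-known industry test numbers, not real accounts.

```python
import re

# Field names that carry Sensitive Authentication Data (SAD). These are
# assumed names for illustration, not the Contis API schema.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "pin", "pinblock",
              "track1", "track2", "trackdata"}

# A candidate PAN is a run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit strings found in free text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def classify(payload: dict) -> str:
    """Classify an API response body.

    SAD          -> contains a sensitive authentication data field;
                    PCI DSS forbids storing SAD after authorisation.
    CHD          -> contains a full PAN (cardholder data; in scope).
    OUT_OF_SCOPE -> no PAN and no SAD, e.g. name + expiry + masked PAN only.
    """
    has_sad = any(k.lower().replace("_", "") in SAD_FIELDS for k in payload)
    has_pan = any(find_pans(str(v)) for v in payload.values())
    if has_sad:
        return "SAD"
    if has_pan:
        return "CHD"
    return "OUT_OF_SCOPE"


# Constructed sample responses keyed by an assumed method name.
SAMPLES = {
    "Card_GetSpecificVirtualCard": {"CardHolderName": "A Example",
                                    "ExpiryDate": "12/27",
                                    "PAN": "4111111111111111"},
    "Card_GetVirtualCardCVV": {"CVV": "123"},
    "Card_ViewPin": {"PIN": "4821"},
    # Name + expiry with a masked PAN: these elements alone are not in scope.
    "CardSummary": {"CardHolderName": "A Example", "ExpiryDate": "12/27",
                    "MaskedPAN": "411111******1111"},
}


def classify_samples() -> dict[str, str]:
    return {name: classify(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The masked PAN in the summary response is deliberately not matched: the asterisks break the digit run, and a leftover six-digit BIN or four-digit suffix is too short to be a PAN. Applying the same check to log files and database exports is the usual first step in confirming whether an environment actually falls inside PCI DSS scope.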

What are the PCI compliance Levels for Contis clients and how are they determined?

PCI DSS defines a service provider as a "Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data." Contis clients are classified as co-issuers or service-using issuers and fall under the service provider levels because they process, store or transmit card data. The card brands define two service provider levels, and the client determines its level using the criteria below:

  • Level-1: Processors or any service provider that stores, processes and/or transmits more than 300,000 transactions annually.
  • Level-2: Processors or any service provider that stores, processes and/or transmits fewer than 300,000 transactions annually.

How to get PCI DSS Compliance?

PCI DSS compliance must be maintained continuously and validated annually. Depending on the PCI DSS level, the validation options are:

  • For PCI DSS Level-1, the Contis client must engage a PCI SSC approved QSA company to assess the environment and provide the ROC and AOC.
  • For PCI DSS Level-2, the Contis client can appoint any PCI SSC approved QSA to complete and verify the PCI DSS SAQ D for Service Providers.

OR

Submit the SAQ D for Service Providers to Contis along with supporting evidence, such as a passed (quarterly) Approved Scanning Vendor scan, internal vulnerability scan results, penetration test reports, policies, procedures and other reference documents. In this case Contis can appoint its own QSA to validate the completed SAQ and the evidence; the QSA fee must be borne by the client.

Note: The organisation needs to be PCI DSS compliant before going live.

PCI DSS document library and other information:

https://www.pcisecuritystandards.org/document_library
https://www.visa.co.uk/partner-with-us/pci-dss-compliance-information.html

Acronyms:

PCI DSS: Payment Card Industry Data Security Standard
PCI SSC: Payment Card Industry Security Standards Council
QSA: Qualified Security Assessor
SAQ: Self-Assessment Questionnaire
PAN: Primary Account Number
CAV2: Card Authentication Value 2
CVC2: Card Validation Code 2
CVV2: Card Verification Value 2
CID: Card Identification Number
PIN: Personal Identification Number
ROC: Report on Compliance
AOC: Attestation of Compliance
ASV: Approved Scanning Vendor
CHD: Cardholder Data
SAD: Sensitive Authentication Data