
Information about PCI DSS

Background

Merchants accepting card payments, and service providers that could affect the security of the cardholder data environment, must comply with the security requirements defined in the Payment Card Industry Data Security Standard (PCI DSS).
Loomis Pay regulates this in the terms and conditions. A merchant is required to be PCI DSS compliant at all times and, accordingly, to present documentation on request.
To expand on the details, the information below provides more technical and organisational guidance, in line with the relevant requirements and the acceptance agreement.

What is PCI DSS about?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements aimed at securing the payment ecosystem in general and protecting card data in particular against global security threats. PCI DSS is the security best-practice framework for protecting merchants, cardholders and industry stakeholders, adapting to evolving threats and supporting safe payments worldwide.
Broadly speaking, PCI DSS is about protecting card data and building cardholder trust as the foundation of our industry ecosystem.

Where does it emerge from?

It was developed by the Payment Card Industry Security Standards Council (PCI SSC), a global forum of industry stakeholders facilitated by the leading payment brands, with the aim of fighting increased card data theft and the subsequent fraudulent use of stolen card data. It thereby addresses related evolving industry risks, including financial liability for all parties involved, and prevents loss of consumer trust.

What does PCI DSS Compliance mean?

PCI DSS Compliance is meeting PCI DSS requirements at all times and having valid documentation as proof thereof. 
Valid PCI DSS compliance documents are either a correctly completed PCI DSS Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC) / Report on Compliance (ROC), which might have to be accompanied by clean Approved Scanning Vendor (ASV) scan reports.
PCI DSS validation must be renewed annually. Further ongoing security measures (e.g. quarterly ASV scans, regular software patching, network monitoring, change of passwords, etc.) are to be managed by the merchant or their assigned service providers.
If any security requirement is not met, the merchant is required to immediately apply appropriate remediation measures to meet the security standards.

Who needs to be PCI DSS compliant?

The PCI DSS standard applies to all organisations that accept, store, process, or transmit cardholder data and/or sensitive authentication data, or that could impact the security of the cardholder data environment (including merchants, processors, acquirers, issuers, and other service providers).

➔ It is an important responsibility of merchants accepting credit card payments to be PCI DSS compliant at all times and to ensure that all relevant service providers engaged by them are PCI compliant, too.

➔ PCI DSS compliance validation is also required for organisations that have fully outsourced all cardholder data functions to PCI compliant service providers.
