
Information about PCI DSS

Background

Merchants accepting card payments, and service providers that could affect the security of the cardholder data environment, must comply with the security requirements defined in the Payment Card Industry Data Security Standard (PCI DSS).
Loomis Pay regulates this in its terms and conditions. A merchant is required to be PCI DSS compliant at all times and, accordingly, to present documentation on request.
The information below expands on the details and provides more technical and organisational guidance, in line with the relevant requirements and the acceptance agreement.

What is PCI DSS about?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements that aim to secure the payment ecosystem in general, and to protect card data in particular, against global security threats. PCI DSS is the security best-practice framework for protecting merchants, cardholders and industry stakeholders; it adapts to evolving threats and supports safe payments worldwide.
Broadly speaking, PCI DSS is about protecting card data and building cardholder trust as the foundation of our industry ecosystem.

Where does it emerge from?

It was developed by the Payment Card Industry Security Standards Council (PCI SSC), a global forum of industry stakeholders facilitated by the leading payment brands, with the aim of fighting increased card data theft and the subsequent fraudulent use of stolen card data. In doing so it addresses the related, evolving industry risks, including financial liability for all parties involved, and prevents loss of consumer trust.

What does PCI DSS Compliance mean?

PCI DSS compliance means meeting the PCI DSS requirements at all times and holding valid documentation as proof thereof.
Valid PCI DSS compliance documents are either a correctly completed PCI DSS Self-Assessment Questionnaire (SAQ) or an Attestation of Compliance (AoC) / Report on Compliance (ROC), which may have to be accompanied by clean Approved Scanning Vendor (ASV) scan reports.
PCI DSS validation must be renewed annually. Further ongoing security measures (e.g. quarterly ASV scans, regular software patching, network monitoring, changing of passwords, etc.) are to be managed by the merchant or their assigned service providers.
If any security requirement is not met, the merchant is required to apply appropriate remediation measures immediately in order to meet the security standards.

Who needs to be PCI DSS compliant?

The PCI DSS standard applies to all organisations that accept, store, process, or transmit cardholder data and/or sensitive authentication data, or that could impact the security of the cardholder data environment (including merchants, processors, acquirers, issuers, and other service providers).

➔ It is an important responsibility of merchants accepting credit card payments to be PCI DSS compliant at all times and to ensure that all relevant service providers engaged by them are PCI compliant, too.

➔ PCI DSS compliance validation is also required for organisations that have fully outsourced all cardholder data functions to PCI compliant service providers.

Why is PCI DSS compliance relevant for a merchant?

PCI DSS compliance is promoted through the card associations (payment brands), which have mandated security programs as a core requirement in their regulations (e.g. Visa AIS, Mastercard SDP). These programs comprise PCI compliance monitoring, reporting and sanctions.

Protecting payment and customer data guards against severe financial and reputational risks and is also crucial for building customer trust as the foundation of a prosperous, sustainable business.

Recognised as a global standard beyond the payments industry, PCI DSS certification is also acknowledged by other parties, such as insurance companies, industry bodies (e.g. IATA) and consumers, as a demonstration of compliance with up-to-date data security standards, and it might exclude gross negligence.

How do I validate PCI DSS compliance?

Validation requirements for entities subject to PCI DSS compliance vary depending on the nature of the business, the complexity and scope of the environment, and the number of transactions processed by the merchant.
The main tool used by Loomis Pay for PCI DSS compliance validation is the Self-Assessment Questionnaire (SAQ). This tool requires completion and confirmation of the applicable self-assessment questionnaire. PCI DSS compliance is valid only for the specific environment attested to. Relevant changes made after the assessment that impact the card data environment (e.g. software, terminals, website, service providers) might require renewal of the attestation.

Who takes the cost for PCI DSS compliance?

All costs related to merchant PCI DSS compliance are to be borne by the merchant. This includes validation measures and amendments required to address deficiencies and vulnerabilities. Also, all costs related to merchant PCI DSS non-compliance and data breaches are to be borne by the merchant.

What is the risk of being non-compliant to PCI standards?

The impacts and severe risks of being PCI non-compliant include, by way of example (non-comprehensive list):

➔ Breach of contractual duty, which might result in non-compliance fees, fines and further sanctions for PCI non-compliance

➔ Security gaps that create a potentially underestimated risk of unintended exposure or loss of sensitive data

➔ Accidental or fraudulent exploitation of organisational or system vulnerabilities

➔ Malicious manipulation of payment infrastructure (devices, system environment, organisation)

➔ Cyber breaches 

➔ Facilitating card data theft, ransomware attacks, and GDPR violations

➔ Business risks and liabilities resulting from data breach (financial, reputational, operational impact)

➔ Unscheduled remediation works to fix vulnerabilities

➔ Enforced ad-hoc forensic investigation and a PCI DSS onsite audit by a QSA

➔ Increased fees, fines and recovery costs from the card associations related to a breach

➔ Reputational damage and media attention

➔ Public reporting requirements and financial sanctions from regulators

➔ Loss of consumer trust, which is the foundation of your business, the industry ecosystem and its stakeholders

What are the core technical and organisational requirements of PCI DSS?

PCI DSS requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that handle cardholder data or sensitive authentication data. (Extract from Navigating PCI DSS: Understanding the Intent of the Requirements, PCI Security Standards Council LLC.)

For further information on the current version of the standard, refer to the PCI SSC’s website: www.pcisecuritystandards.org

What PCI validation requirements apply to a merchant?

The card associations have outlined which validation measures are required as proof of PCI DSS compliance, and which corresponding documents must be provided, as defined for the merchant’s PCI level.

PCI DSS Merchant Compliance Levels

PCI DSS Merchant Level    Transactions / Year
PCI DSS Merchant Level 1  > 6M
PCI DSS Merchant Level 2  1M - 6M
PCI DSS Merchant Level 3  20K - 1M

PCI-DSS-v4-0-1-SAQ-B-IP.pdf

The classification criteria for merchant PCI levels are the merchant’s processing environment and the number of transactions processed. Merchants are required to validate PCI DSS compliance through assessment with the applicable PCI Self-Assessment Questionnaire (SAQ).

Loomis Pay may request the merchant to provide current PCI DSS validation documents.
