
Information about PCI DSS

What does PCI DSS Compliance mean?

PCI DSS Compliance is meeting PCI DSS requirements at all times and having valid documentation as proof thereof. 
Valid PCI DSS compliance documents are either a correctly completed PCI DSS Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC) / Report on Compliance (ROC), which might have to be accompanied by clean Approved Scanning Vendor (ASV) scan reports.
PCI DSS validation must be renewed annually. Further ongoing security measures (e.g. quarterly ASV scans, regular software patching, network monitoring, change of passwords, etc.) are to be managed by the merchant or their assigned service providers.
In case any security requirement is not met, the merchant is required to instantly apply appropriate remediation measures to meet the security standards.

Who needs to be PCI DSS compliant?

The PCI DSS standard applies to all organisations that accept, store, process, or transmit cardholder data and/or sensitive authentication data, or that could impact the security of the cardholder data environment (including merchants, processors, acquirers, issuers, and other service providers).

➔ It is an important responsibility of merchants accepting credit card payments to be PCI DSS compliant at all times and to ensure that all relevant service providers engaged by them are PCI compliant, too.

➔ PCI DSS compliance validation is also required for organisations that have fully outsourced all cardholder data functions to PCI compliant service providers.

Why is PCI DSS compliance relevant for a merchant?

PCI DSS compliance is enforced through the card associations (payment brands), which have mandated security programmes as a core requirement in their regulations (e.g. Visa AIS, Mastercard SDP) comprising PCI compliance monitoring, reporting and sanctions.

Protecting payment and customer data guards against severe financial and reputational risks and is also crucial for building customer trust as the foundation of a prosperous, sustainable business.

Recognised as a global standard beyond the payments industry, PCI DSS certification is acknowledged by other parties, such as insurance companies, industry bodies (e.g. IATA) and consumers, as evidence of compliance with up-to-date data security standards, and may serve to exclude gross negligence.

How do I validate PCI DSS compliance?

Validation requirements for entities subject to PCI DSS compliance vary depending on the nature of the business, the complexity and scope of the environment, and the number of transactions processed by the merchant.
The main tool Loomis Pay uses for PCI DSS compliance validation is the Self-Assessment Questionnaire (SAQ), which requires the merchant to complete and confirm the applicable questionnaire. PCI DSS compliance is valid only for the specific environment attested to. Relevant changes made after the assessment that affect the cardholder data environment (e.g. software, terminals, website, service providers) might require renewal of the attestation.

Who takes the cost for PCI DSS compliance?

All costs related to merchant PCI DSS compliance are to be borne by the merchant. This includes validation measures and amendments required to address deficiencies and vulnerabilities. Also, all costs related to merchant PCI DSS non-compliance and data breaches are to be borne by the merchant.

What is the risk of being non-compliant to PCI standards?

Impacts and severe risks of being PCI noncompliant include, by way of example (non-exhaustive list):

➔ Breach of contractual duty which might result in noncompliance fees, fines and further sanctions for PCI noncompliance

➔ Security gaps that create a potentially underestimated risk of unintended exposure or loss of sensitive data

➔ Accidental or fraudulent exploitation of organisational or system vulnerabilities

➔ Malicious manipulation of payment infrastructure (devices, system environment, organisation)

➔ Cyber breaches 

➔ Facilitating card data theft, ransomware attacks, and GDPR violations

➔ Business risks and liabilities resulting from data breach (financial, reputational, operational impact)

➔ Unscheduled remediation works to fix vulnerabilities

➔ Mandatory ad-hoc forensic investigation and PCI DSS onsite audit by a Qualified Security Assessor (QSA)

➔ Increased fees, fines and recovery costs from card associations related to breach

➔ Reputational damage and media attention

➔ Public reporting requirements and financial sanctions from regulators

➔ Loss of consumer trust, which is the foundation of your business, the industry ecosystem and its stakeholders

What are the core technical and organisational requirements of PCI DSS?

PCI DSS requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server or application that is included in, or connected to, the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that handle cardholder data or sensitive authentication data. (extract from Navigating PCI DSS: Understanding the Intent of the Requirements, PCI Security Standards Council LLC)

For further information on the current version of the standard, refer to the PCI SSC's website: www.pcisecuritystandards.org

PCI – How It Affects You

Depending on how many card transactions your company processes per year and the environment in which the transactions take place, different actions are required under PCI DSS (the "Payment Card Industry Data Security Standard", commonly referred to simply as PCI). The PCI requirements are the same for all companies; the difference lies in how each company verifies that it complies with the standard.

For larger companies

If you have a store with at least 1 million card transactions per year, we will contact you when necessary to ensure that you comply with the PCI requirements.

The table below shows how often different types of reviews need to be conducted for different types of companies.

| Level | Criteria | On-site Audit | Self-Assessment | External Network Scan |
|---|---|---|---|---|
| 1 | Companies with more than 6 million card transactions per year from Visa or Mastercard | Annually | Not required | Quarterly |
| 2 | Companies with between 1 and 6 million card transactions per year from Visa or Mastercard | Annually | Not required | Quarterly |
| 3 | Level 3 (E-commerce) does not apply to our customers, as Loomis Pay does not provide e-commerce services | - | - | - |
| 4 | Other companies | Not required | Recommended annually | Recommended annually |


  • We only use the SAQ B-IP form, and e-commerce is not applicable to our operations.

  • Certain Level 4 companies in specific industries may still be required to complete a certification and will be contacted by us if applicable.


PCI-DSS-v4-0-1-SAQ-B-IP.pdf

Loomis Pay may request the merchant to provide current PCI DSS validation documents. 
