
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) outlines mandatory security measures for all organizations handling cardholder data, ensuring the safe storage, processing, and transmission of this sensitive information.

This policy applies to processing credit card transactions through Worldline: to do so, you must achieve and maintain PCI DSS compliance. The policy guides you on how to:

  • Become compliant
  • Remain compliant and demonstrate it to Worldline
  • Understand the different validation levels
  • Select the suitable Self-Assessment Questionnaire (SAQ)
  • Respond to a card data breach

Scope

You must annually report your compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our goal is to simplify your path to achieving and sustaining this compliance, safeguarding your business and customers from the repercussions of a card data breach. Compliance is obligatory for all entities accepting credit cards, including various payment methods such as in-store, mail/telephone orders, and e-commerce.

Neglecting to report your compliance status yearly could lead to substantial fines or penalties from the card associations, which may be passed on to you, or potentially result in losing the ability to accept cards. You're responsible for any fines, charges, or penalties incurred due to non-compliance with PCI DSS.

This policy adheres to PCI DSS version 4, which becomes compulsory starting in 2024, although adherence before this date is optional.

Stakeholders

  • PCI SSC
  • Payment processors
  • Service providers
  • Merchant (you)
  • Consumer (your client)
  • Payment brands

PCI SSC

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to create and promote data security standards and resources, ensuring secure payment transactions globally. Founded in 2006 by the major payment card companies, the council has hundreds of participating organizations representing merchants, banks, processors, and vendors worldwide.

The PCI SSC manages the standards, certifies assessors, and lists validated hardware and software for payment processing. The card brands define the rules regarding the actual requirements for merchant compliance.

Payment processors

You can choose from various types of businesses to handle your payment processing services. These businesses, such as payment service providers, payment facilitators, and acquirers, all play a role in the same process. They act as a chain connecting the cardholder to you, the merchant, and then to the issuing bank, making the payment processing possible.

Service providers

Any entity you engage to participate in payment processing is considered a service provider. This includes your payment processor, the company hosting your payment servers (whether cloud-based or physical), and the developers of your payment processing software (for POS systems or websites). While you can outsource these functions, you're still responsible for compliance. If your service provider is PCI certified, there's no further action needed. However, if they aren't PCI certified, your compliance assessment must cover their services as if you were handling them yourself.

Merchant (you)

You're an entity that accepts payment cards bearing the logos of any card brands requiring compliance with PCI DSS.

Consumer (your client)

The cardholder is purchasing the goods or services.

Payment brands

A payment brand refers to any card company that mandates compliance with the PCI DSS, such as Visa, Mastercard, and various other card brands.

Goals of the PCI Data Security Standard

  • Build and maintain a secure network and systems
  • Protect account data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

The full standard and other documents can be found on the official PCI SSC website.

Importance of PCI DSS compliance

Compliance with PCI DSS brings major benefits to your business, while failure to comply can have serious and long-term negative consequences. Here are the key benefits for your business:

  • Protected financial data
  • Increased customer confidence with a higher level of data security
  • Maintained customer trust and safeguarded reputation
  • Avoided risk of financial penalties

Compliance is a continuous process, not just a one-time achievement. It's essential for preventing security breaches and protecting payment card data, both now and in the future, because:

  • You want to stay ahead of the threats as data compromise becomes ever more sophisticated
  • You'll benefit from continuous improvements to PCI Security Standards
  • There's a possibility of training your security professionals
  • When you stay compliant, you're part of the solution – a united, global response to fighting payment card data compromise

Indirect benefits of compliance: 

  • You'll be better prepared to comply with other regulations (such as HIPAA, SOX, etc.)
  • You'll be supporting information security management

It's important that you ensure and maintain tighter security around operations and the storing and transmitting of card data to avoid the following:

  • Fraud losses
  • Harm to your business
  • Card-reissuance costs (these are passed to you)
  • Cardholder inconvenience
  • Loss of consumer confidence
  • Adverse publicity, brand and reputational damage

How to become and stay PCI DSS compliant

Assess

Start by finding out where your systems interact with credit card data. This will define the range of your assessment. If a service provider performs any activity on your behalf, it's important to ensure they're PCI compliant. If they're not, you should include their services in your assessment as if you were doing them yourself.

If your business has any IP addresses accessible from the internet, like online shops or IP-connected terminals, you might need to do ASV (Approved Scanning Vendor) scans every three months. These scans check for security weaknesses. 

If these scans are required, you must pass one each quarter of the year before your assessment date. If you fail a scan, you need to fix the issue and then get a passing result. Once you know the extent of what needs to be checked, you can choose the right way to report your compliance, as explained in the following section.

Report

The PCI DSS is the only "standard" you need to report on. It contains many requirements, but only certain ones might apply to your kind of business. To help business owners report how they meet these requirements, the PCI Security Standards Council (PCI SSC) offers two types of compliance reports:

  • Report on Compliance (ROC) – this report includes all the rules in the standard. It's suitable for any business that needs to undergo an assessment.
  • Self-Assessment Questionnaires (SAQs) – these templates cover only the rules relevant to particular merchant payment environments. They include different templates for handling e-commerce and in-person payments.

If the selected report template requires ASV scanning, it will be included in the list of requirements that you must meet. You'll be required to provide us with evidence of your compliance annually, which will be one of the following:

  • A copy of the Attestation of Compliance (AOC) for your Report on Compliance (ROC)
  • A copy of the SAQ covering the assessment
  • If applicable, a copy of the latest passed ASV scan report

Which reporting templates can you use?

If you process over 6 million transactions annually, you must document your assessment in a Report on Compliance (ROC). It needs to be signed by a Qualified Security Assessor (QSA) from outside your company or by an employee who is certified as an Internal Security Assessor (ISA).

Other merchants might be eligible to do a self-assessment and report their compliance using a Self-Assessment Questionnaire (SAQ). You can find information about the different SAQ types on the PCI Security Standards Council (PCI SSC) website.

Approved Scanning Vendor (ASV)

If you have an internet-facing IP address, you must have a network scan performed by an Approved Scanning Vendor (ASV). The SAQ type applicable to your business will contain the ASV scanning requirement if it applies to you. For more information, see the list of Approved Scanning Vendors.

Qualified Security Assessor (QSA)

If your business is classified as a level 1 merchant, meaning it processes over 6 million transactions a year, then a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) working for your company may need to complete the Report on Compliance (ROC). For more details, check the Qualified Security Assessors list.

What must you do in case of a suspected breach?

Being PCI DSS compliant reduces the chance of credit card data being stolen or used fraudulently. However, even with compliance, a security breach might still happen or be suspected due to human error, internal fraud, or previously unknown vulnerabilities. In that case, you need to take the measures described below.

Suspected breach notification

Initiated by you

If you suspect a credit card breach, you must immediately inform your acquirer, payment service provider, and card brands. You can send a suspected breach notice related to Worldline through your account manager.

Initiated by the card brands: Common Point-of-Purchase (CPP) report

The credit card companies will check if all the cards reported for fraudulent activity were used at the same merchant during a specific period of time. This test is called Common Point of Purchase (CPP), which helps identify the card breach source. You might get a CPP report from your acquirer or payment service provider.

When you receive a CPP report, it's crucial to act fast and talk directly with your acquirers and payment service providers. Quick action can help reduce financial losses and negative effects on your business caused by the card breach. Also, make sure not to do anything that could harm evidence needed for any future forensic investigations.

Further investigation (if required)

You might need to engage a PCI Forensic Investigator (PFI). The PFI will look into where the suspected breach happened in your system, how much data was compromised, and what steps you need to take to fix it. You can find a qualified PFI company on the PCI Security Standards Council's list.

Mitigation

If a PCI Forensic Investigator (PFI) finds that there has been a data breach, it's crucial to act quickly to reduce or stop the ongoing risk. Waiting too long can worsen the breach and lead to bigger fines from the credit card companies. Usually, these fines are passed from the acquirer to the payment service providers and then to you.