Payment Service Provider, Acquirer, Processor? Here’s what you need to know about PCI DSS
PCI Data Security Standards, better known as PCI DSS applies to any entity which accepts and handles cardholder data from Mastercard, Visa, American Express, Discover and JCB. First introduced in 2006 to consolidate the various data security standards implemented by these main card companies, PCI DSS is a global framework intended to safeguard cardholder data during digital transactions throughout the whole payment ecosystem.
At the heart of this ecosystem lies the Payment HSM. Payment Hardware Security Modules perform cryptographic functions which involve generating cryptographic keys to encrypt and decrypt cardholder data. Their role is highly recommended to become PCI DSS compliant.
As a crucial set of security standards, here’s a quick guide to PCI DSS and how MYHSM Services can provide you with the most secure solution to protect your customers payment information.
What is PCI DSS Compliance?
As part of the standards there are 12 requirements which are enforced by the payment brands and acquirers and these mandate:
- A secure network by implementing specific controls for firewalls and routers to prevent unauthorised access to the payment system network where cardholder data can be breached.
- Security procedures which requires default software passwords, which are commonly known by fraudsters to be changed.
- Protection of cardholder data which limits the storage of data and ensures any stored data is encrypted. A procedure will need to be implemented for key management and cryptographic keys.
- Transmission of cardholder data via open, public networks must be encrypted.
- Anti-virus software needs to be up to date at all times and documented to prevent malicious software attacks.
- Secure systems and applications are essential and can be achieved by installing the latest security patches provided by the vendor. All software and systems deployed should be in accordance to industry standards.
- Stringent control measures need to be in place to ensure any personnel that requires access to cardholder data is assessed and permitted on a case by case basis.
- A unique ID needs to be assigned to all users who have access to the cardholder data environment.
- Restricted physical access to cardholder data to minimise the threat of devices, data and hardcopies being tampered with or removed.
- Networks should be monitored/tracked and tested regularly to minimise vulnerabilities.
- Security systems and processes needs to be tested frequently, particularly when new software is deployed or when changing system configurations.
- An information security policy must be maintained so all employees know exactly what needs to be adhered to.
How to comply with PCI DSS?
There are four levels to PCI DSS compliance which can be categorised by credit card transaction volumes processed annually. Each level will outline the reporting requirements;
Level 1 – 6 million+ transactions
Requires an Annual Report of Compliance (ROC) conducted via onsite assessment by a Qualified Security Assessor (QSA) and an Attestation of Compliance (AOC) once a year. In addition to a quarterly network scan by an Approved Scan Vendor (ASV).
Level 2 – 1 to 6 million transactions
Level 3 – 20K to 1 million ecommerce transactions
Level 4 – under 20K ecommerce transactions
Any organisations classified as level 2- 4 will need to conduct a self-assessment questionnaire (SAQ) and an Attestation of Compliance (AOC) once a year, plus a quarterly network scan by an Approved Scan Vendor (ASV).
In order to achieve PCI DSS, highly skilled staff, detailed procedures and accurate audit logging and documentation are essential. The validation and compliance process is continuous and as business functions develop over time, in addition to the introduction of updated PCI Standards to incorporate the changing technology and security needs within the payment industry, PCI DSS needs to be an ongoing focal point.
Security is our Priority
All customers using MYHSM Services are safe in the knowledge that MYHSM is PCI DSS and PCI PIN compliant. (Find out more about PCI PIN Security Requirements here). Our mission critical equipment is hosted in multiple Cyxtera and Equinix PCI DSS certified data centres. Furthermore, MYHSM is a PCI DSS Level 1 managed service provider.
Users of the MYHSM service will have to undergo their own PCI DSS assessment which will be simplified and reduced in scope. MYHSM will provide an Attestation of Compliance (AOC) for your own auditors and you can rely on MYHSM’s PCI DSS certified infrastructure to achieve your own overall certification whilst simultaneously improving time to market and achieving greater cost efficiencies. Contact our team of experts today to discuss your Payment HSM and compliance requirements here.