Things to know about PCI DSS

This page answers basic questions regarding the Payment Card Industry Data Security Standard (PCI DSS).


What is the PCI DSS?

The PCI Data Security Standard (PCI DSS) was defined on the basis of the existing security standards of VISA and MasterCard and has since been adopted and recognized by all well-known credit card brands as a common standard. The standard defines specific requirements for the different areas of payment card processing, which have to be met by merchants, service providers, payment application vendors, acquiring banks and processors. More information is available from the PCI Security Standards Council.

How often do I have to provide the PCI DSS validation?

The PCI DSS validation must be provided at least once a year. Since the PCI DSS validation documents the current status of credit card processing in your company, you are required to react to changes in credit card acceptance or payment processing outside the specified one-year cycle by updating your PCI DSS validation. You are required to maintain PCI DSS compliance at all times.
If your validation includes ASV scans, the ASV scan part of your validation must be renewed every 90 days with a new ASV scan.

Why is PCI DSS compliance so important?

This question is indeed asked by many who are faced with the requirements of PCI DSS. When processing your payments you sometimes come into contact with sensitive payment data. When handling such credit card data, you assume the responsibility to keep it secure and confidential. You bear this responsibility towards your merchant bank (acquirer) and the credit card companies as well as your customers. The measures resulting from the PCI Data Security Standard (the Self-Assessment Questionnaire (SAQ), ASV scans, audits) provide the corresponding verification and make your compliance with the security standard transparent.

Why is compliance with these security standards so important? To understand the importance of the PCI DSS, you need to know that hackers are targeting your customers' cardholder data. Hackers try to learn the primary account number (PAN) as well as sensitive authentication data, which they could use to impersonate the cardholder, use the card, and steal the cardholder's identity.

Sensitive cardholder data can be stolen at various points:

  • Unprotected card reader
  • Paper stored in a filing cabinet
  • Data from a payment system database
  • Hidden camera that records the entry of authentication data
  • Stealthy access to your store's wireless or wired network

These entry points for hackers must be kept closed. By complying with PCI DSS, you demonstrate that sensitive cardholder data is secure with you and handled responsibly, so that hackers will not be able to tap into it. In addition, you may face consequences if you fail to comply with the PCI DSS.

What are the consequences of PCI DSS non-compliance?

Your company can be fined by the credit card organizations or your acquirer (merchant bank). Furthermore, your company is liable if credit card data of your clients is stolen or misused. Apart from possible fines, you may also suffer consequential damage to your reputation.

What are the 12 key requirements of PCI DSS?

The 12 main requirements are grouped into 6 objectives:

BUILD AND OPERATE A SECURE NETWORK
1. Operation of a firewall environment
2. Avoidance of vendor-supplied defaults for system passwords and other security settings

PROTECTION OF CARDHOLDER DATA
3. Protection of stored cardholder data
4. Encryption of the transmission of cardholder data and other sensitive information over public networks

MANAGEMENT OF VULNERABILITIES
5. Use and regular updating of anti-virus software
6. Development and maintenance of secure systems and applications

STRONG ACCESS CONTROL
7. Restriction of access to cardholder data according to the need-to-know principle
8. Assignment of an individual user ID to each person with IT access
9. Restriction of physical access to cardholder data

REGULAR MONITORING AND TESTING OF THE NETWORK
10. Monitoring and tracking of all access to network resources and cardholder data
11. Periodic testing of security systems and processes

MAINTENANCE OF AN INFORMATION SECURITY POLICY
12. Maintenance of an information security policy

I need assistance with PCI DSS. What support does usd AG offer?

Our PCI DSS security experts are at your disposal for specific questions regarding PCI DSS through individually conducted consulting packages via telephone or web conference. Please feel free to find out more about our consulting services.

What does the term ASV mean?

ASV is the abbreviation for "Approved Scanning Vendor". External vulnerability scans (ASV scans) for PCI DSS may only be performed by vendors that have been approved and evaluated for this purpose. usd AG is such an ASV, i.e. an approved vendor.

What does ASV Scan mean?

An ASV scan is an external vulnerability scan that is performed with an ASV scanning solution and assessed by approved ASV assessors. As an external PCI DSS vulnerability scan, it is performed over the internet as a remote service and fulfils PCI DSS requirement 11.2.2. Vulnerability scans help identify vulnerabilities and misconfigurations in websites, applications and other IT infrastructure with internet-facing IP addresses. Note that not every IT security company is allowed to perform ASV scans, because an approval is required for this. usd AG is such an approved ASV scan vendor with several years of experience.

ASV scans are part of my compliance validation: How often do I have to have these performed?

If ASV scans are mandatory for your validation, the ASV scan part of the compliance validation must be renewed every 90 days.