CHAPTER 5: HOW DO YOU COMPLY WITH THE REQUIREMENTS OF THE STANDARD?
All organisations must comply. There are two options for demonstrating compliance: an annual on-site security audit and the submission of four passing quarterly network scans by an ASV, or completion of a Self-Assessment Questionnaire, in some cases together with a submission of four passing quarterly network scans. Which option applies to any one organisation is determined by transaction volume and whether or not there has previously been a security breach.
The major global payment brands require that every entity – including financial institutions, merchants and service providers – that stores, processes, or transmits payment card data, in every channel – including catalogue and online retailers, as well as bricks-and-mortar businesses – must be in compliance with the PCI DSS.
Merchant PCI DSS compliance criteria
Compliance requirements are dependent on a merchant’s activity level. There are four levels, based on the annual number of credit/debit card transactions. While payment brands determine the compliance levels for their own brands, acquirers are usually responsible for determining the compliance validation requirement levels of their merchants. The compliance levels are based on the following table and usually refer to the number of transactions of each payment brand in a year. Whether or not transaction volume applies only to e-commerce transactions or to payments processed through all channels is decided separately by each payment brand but, in general, all transactions are included.
Table 1: Merchant PCI DSS compliance levels
Level one criteria: American Express 2.5 million American Express card transactions or more per year. Any merchant that has had a data incident. Any merchant that American Express otherwise deems a Level 1. Visa Merchants processing more than six million Visa transactions annually via all channels. Global merchants identified as level one by any Visa region. MasterCard Any merchant having more than six million total combined MasterCard and Maestro transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant meeting Visa’s Level 1 criteria. Any merchant that MasterCard determines should meet the Level 1 merchant requirements to minimise risk to the system. Discover All merchants processing more than six million card transactions per year on the Discover network. Any merchant that Discover determines should meet the Level 1 compliance validation and reporting requirements. All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant. JCB One million JCB transactions or more per year. Level one validation requirements: Annual on-site audit by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), passing Approved Scanning Vendor (ASV) scans and a Report on Compliance (RoC). |
Level two criteria: American Express 50,000 to 2.5 million American Express card transactions per year. Visa/MasterCard/Discover Merchants processing one million to six million transactions per year, across all of the brand’s channels. JCB Less than one million JCB transactions per year. Level two validation requirements: Annual Self-Assessment Questionnaire (SAQ), passing a quarterly scan by an ASV. In addition to passing quarterly network scans by an ASV, MasterCard requires either an annual on-site audit by a QSA at the merchant’s discretion, or an annual self-assessment by an ISA. Quarterly network scans by an ASV are only a requirement on some SAQ forms; check the requirements with the payment brand compliance programmes. |
Level three criteria: American Express Fewer than 50,000 American Express card transactions per year. Visa/MasterCard Merchants processing 20,000 to one million Visa/MasterCard e-commerce transactions per year, across all of the brand’s channels. Discover Merchants processing 20,000 to one million card-not-present transactions per year on the Discover network. Level three validation requirements: Quarterly scan by an ASV. Annual SAQ. |
Level four criteria: American Express Called ‘Level EMV’; 50,000 or more AMEX transactions per year, with at least 75% made on an EMV-enabled terminal. Visa E-commerce merchants processing fewer than 20,000 Visa e-commerce transactions annually. Non e-commerce merchants processing up to one million Visa transactions annually. MasterCard/Discover All other merchants – and the PCI Council is clear that PCI DSS compliance is required even if there is only one payment card transaction per year1. Level four validation requirements: Annual SAQ. Quarterly scan by an ASV (may be recommended or required, depending on acquirer compliance criteria). |
Service provider PCI DSS compliance criteria
A service provider is an organisation involved in the processing, storage, transmission and switching of transaction data and/or cardholder information, but is not a merchant or a card brand member. Hosting providers and others providing services to merchants would also fall into this category.
Service provider compliance requirements are defined by the payment brands. Visa, MasterCard and AMEX categorise service providers according to transaction volume and/or type of service provider. In comparison with the four levels of merchant compliance criteria, there are only two for service providers.
Table 2: Service provider PCI DSS compliance levels
Level one criteria: American Express 2.5 million American Express card transactions or more per year, or any other service provider that American Express otherwise deems a level 1 service provider. Visa VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually. MasterCard All Third Party Processors (TPPs). All Data Storage Entities (DSEs) that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually. All compromised TPPs and DSEs. |
Level one validation requirements: Visa, MasterCard and American Express Annual on-site review by a QSA. Quarterly network scan by an ASV. |
Level two criteria: American Express 50,000 to 2.5 million American Express card transactions per year. Visa Any service provider that stores, processes and/or transmits fewer than 300,000 Visa transactions annually. MasterCard All DSEs that store, transmit, or process fewer than 300,000 total combined MasterCard and Maestro transactions annually. Level two validation requirements: Visa, MasterCard and American Express Annual Self-Assessment Questionnaire. Quarterly network scan by an ASV. |
Level three criteria: American Express Fewer than 50,000 American Express card transactions per year. Level three validation requirements: American Express Annual Self-Assessment Questionnaire. Quarterly network scan. Level 3 service providers need not submit documentation but must still comply with all other provision of the DSOP. |
Designated entities will have to complete an additional supplemental RoC and AoC. This is in addition to the normal RoC and AoC. Designated entities are unlikely to be merchants or service providers that are not at the level 1 status.
Role of service providers
Many service providers deliver payment services directly to merchants using a variety of online and physical technologies. These services include online payment gateways, traditional document processing facilities and shared hosting server and application providers. The PCI DSS asks that shared hosting providers ensure compliance with additional requirements that include protecting each merchant’s hosted individual CDE, ensuring the availability of audit trails and allowing forensic investigation if required. To achieve compliance with the PCI DSS, a merchant must ensure that any service provider it uses must be PCI DSS compliant.
Service providers who have an indirect connection with the storage, processing or transmission of cardholder data – such as an IT support company that manages the firewalls in the perimeter of the CDE and hence can affect the inbound and outbound traffic – are also required to be PCI DSS compliant.
Service providers demonstrate their compliance with the PCI DSS with criteria as outlined in Figure 2. The PCI DSS recommends that, in addition to achieving compliance with the requirements of the Standard, service providers should also provide supporting evidence (via an AoC) to prove to merchants that they are compliant. Service providers and merchants must agree in writing which aspects of the PCI DSS requirements the service provider is responsible for ensuring compliance with and which the merchant is responsible for. Merchants must maintain a list of service providers and the compliant services they provide.
Online payment gateways
For merchants that sell their products or services online, we strongly recommend the use of a third-party payment gateway service which is fully PCI compliant. These services are available from PayPal, Sage Pay, WorldPay, HSBC Secure ePayments and Barclays ePDQ. For the smaller e-commerce business, outsourcing to a payment gateway service provides a cost-effective way of ensuring PCI compliance.
Please note that such a merchant (likely to be Level 3 or 4) will be required to complete the relevant Self-Assessment Questionnaire (SAQ) and submit the results of a quarterly scan by an Approved Scanning Vendor. The SAQ document required will either be SAQ A for those who have a fully outsourced e-commerce platform, or SAQ C-VT, which applies to merchants that use web-based virtual terminals to manually enter payment card information. See Chapter 9, Table 3 for further information.
1 www.pcisecuritystandards.org/documents/pciscc_ten_common_myths.pdf (Myth 7).