Understanding PCI DSS compliance requirements

The Payment Card Industry Security Standards Council (PCI SSC) publishes the PCI Data Security Standard (PCI DSS) to keep payment cardholder data secure. PCI DSS applies to any entity that stores, processes, or transmits cardholder data. In practice, this means it applies to every merchant that accepts card payments, as well as to the member financial institutions and service providers that process the associated transactions. A matrix of the compliance requirements prescribed by the PCI SSC is given in the table below. Before studying the table, it helps to understand the terms cardholder data, merchant, service provider, acquirer, approved scanning vendor and qualified security assessor.


Cardholder data – Cardholder data falls into two categories. The first is account data that may be stored, provided it is protected: (a) the Primary Account Number (PAN), the account number printed on the card (usually 16 digits, though some brands use 15 and the standard allows up to 19), (b) cardholder name, (c) service code and (d) expiration date. Where the PAN is stored it must be rendered unreadable (for example by truncation, one-way hashing, tokenization or strong encryption with managed keys), and where it is displayed it must be masked so that at most the first six and last four digits are visible. The second category is Sensitive Authentication Data (SAD), which must not be stored after authorization, even in encrypted form, except by issuers with a legitimate business need. SAD includes the full contents of the magnetic stripe or equivalent chip data, the card verification value (CAV2/CVC2/CVV2/CID, the three- or four-digit number used to verify the card in card-not-present transactions), and the PIN or PIN block used in chip-and-PIN transactions, primarily outside the US.
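As a concrete check on the storage rules above, here is an added Python example (not from the original page or from the PCI SSC) that scans log lines for PANs and for sensitive authentication data. It validates candidate digit runs with the Luhn check so that other long numbers are not flagged, masks any PAN it finds to the first six and last four digits, and redacts track-1 data and CVV values outright, since those may never be stored after authorization. The sample log lines, the field names (pan=, cvv=) and the card numbers are constructed for the example (they are public brand test numbers, not real accounts); the regular expressions are illustrative and would need tuning for a real DLP deployment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z INFO  order=1001 pan=4111111111111111 exp=12/26 cvv=123 status=AUTH
2024-05-02T10:14:09Z INFO  order=1002 pan=378282246310005 exp=09/27 status=AUTH
2024-05-02T10:14:11Z DEBUG raw=%B4111111111111111^DOE/JOHN^2612101000000000000000?
2024-05-02T10:15:00Z INFO  order=1003 ref=1234567890123 status=SETTLED
2024-05-02T10:15:02Z INFO  order=1004 pan=4111111111111112 status=DECLINED
"""

# Candidate PAN: a standalone run of 13 to 19 digits (the lengths the standard allows).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# ISO 7813 track 1 prefix: %B<PAN>^<NAME>^<YYMM>... (full track contents are SAD).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Card verification value written as a labelled field; the label names are assumptions.
CVV_RE = re.compile(r"\b((?:cvv2?|cvc2?|cav2?|cid)\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs that look like PANs and pass Luhn, in order of appearance."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))]


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(text: str) -> list[str]:
    """Return the kinds of sensitive authentication data present in the text."""
    findings = []
    if TRACK1_RE.search(text):
        findings.append("track1")
    if CVV_RE.search(text):
        findings.append("cvv")
    return findings


@dataclass
class Finding:
    line_no: int
    pans: list[str]   # Luhn-valid PANs seen on the original line
    sad: list[str]    # kinds of SAD seen on the original line
    masked: str       # the line as it could safely be retained


def scan_log(text: str) -> list[Finding]:
    """Scan each line; report lines carrying account data or SAD with a sanitized copy."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        sad = find_sad(line)
        if not pans and not sad:
            continue
        # Track data is never storable, so drop it wholesale (this also removes its PAN).
        masked = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
        for pan in pans:
            masked = masked.replace(pan, mask_pan(pan))
        # Keep the field label but never the verification value itself.
        masked = CVV_RE.sub(r"\1***", masked)
        results.append(Finding(n, pans, sad, masked))
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: pans={len(f.pans)} sad={f.sad}")
        print("  ", f.masked)
```

Line 4 of the sample carries a 13-digit reference number that the PAN pattern picks up but the Luhn check rejects, and line 5 carries a mistyped card number that fails Luhn for the same reason; neither is reported, which is the false-positive control a log scanner needs before it can be trusted in a pipeline.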


Merchant – Any entity that accepts payment cards bearing the logos of the PCI SSC member brands as payment for goods or services. For PCI DSS purposes, every merchant that stores, processes, or transmits cardholder data is in scope, whether it handles the card data itself or through a service provider.


Service Provider – A third-party organization that provides services to merchants and other entities related to the processing of card transactions. Service providers include authorized processors, third-party processors, gateway providers, and any other provider to merchants of point-of-sale equipment, software, systems, or other payment processing solutions or services.


Acquirer – An acquiring bank (or acquirer) is the bank or financial institution that accepts credit or debit card payments for products or services on behalf of a merchant. The acquirer is normally the party that tells a merchant how it must validate compliance (for example, a self-assessment questionnaire or an onsite assessment) and to which the merchant reports that compliance.


Approved Scanning Vendor (ASV) – A data security firm that has been qualified and trained by the PCI SSC to use a vulnerability scanning solution to validate its customers' adherence to the external vulnerability scanning requirement of PCI DSS. ASV scans are run from outside the customer's network against its Internet-facing systems and must be passed at least quarterly.


Qualified Security Assessor (QSA) – A data security assessment firm that has been qualified and trained by the PCI SSC to perform onsite PCI DSS assessments and to produce the resulting Report on Compliance (ROC).
