If you process credit cards on a website, your site needs to be in compliance with the Payment Card Industry Data Security Standard. (This is abbreviated as PCI DSS, and even more often referred to simply as PCI.) PCI compliance certifies that your organization takes all necessary steps to protect sensitive customer data and provides a set of standards for your infrastructure and server setup. While Liquid Web does not offer full PCI compliance certification, we do offer a separate service that scans your server to see that PCI DSS requirements are met, a great tool during the compliance process.
What PCI Compliance Entails
The Payment Card Industry Security Standards Council created the PCI DSS (Payment Card Industry Data Security Standard) as a response to the complex nature of keeping customer data safe and secure from outsiders. PCI DSS is a set of comprehensive requirements developed by major card brands to standardize data security measures. PCI DSS compliance is required by the Bank or Financial Institution that handles your credit card processing (Merchant Bank).
There are several steps required to ensure your site and server maintain PCI DSS compliance. The focus of these measures, as illustrated below, ranges from firewall configuration to unique usernames for each person who accesses information.
PCI DSS applies wherever account data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:
|Cardholder Data Includes:||Sensitive Authentication Data Includes:|
|Primary Account Number (PAN)||Full Magnetic stripe data or equivalent on chip|
|Expiration Date||PINs/PIN Blocks|
The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.
If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements.
The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each data element is permitted or prohibited, and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
|Data Element||Storage Permitted?|
|Primary Account Number (PAN)||Yes|
|Full Magnetic Stripe Data||No|
Merchants fall into a number of levels, each with its own security measures and practices. Currently there are four Merchant Levels, determined by the number of Visa or MasterCard e-commerce transactions per year.
|Merchant Level||Criteria||Validation Actions||Validation Entity|
|1||Any merchant processing more than six million Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in data being compromised. Any merchant that is identified as a Level 1.||Annual on-site security audit and quarterly network scan.||You can have an independent security assessor. Internal audit, if signed by an officer of the company. Qualified independent scan vendor.|
|2||One million to six million Visa or MasterCard transactions per year.||Annual PCI Self-Assessment Questionnaire and quarterly network scan.||Merchant qualified independent scan vendor.|
|3||20,000 to one million Visa or MasterCard e-commerce transactions per year.||Annual PCI Self-Assessment Questionnaire and quarterly network scan.||Merchant qualified independent scan vendor.|
|4||Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to one million Visa or MasterCard transactions per year.||Recommended annual PCI Self-Assessment Questionnaire and quarterly network scan.||Merchant qualified independent scan vendor.|
While compliance is mandatory for level 4 Merchants, validation is optional, but recommended.
Guidelines to be PCI DSS Compliant
There are industry tools and measurements to help ensure the safe handling of sensitive information such as credit card numbers. The following framework will assist you to develop a robust account data security process – including preventing, detecting and reacting to security incidents. To reduce the risk of compromise and mitigate its impacts if an incident occurs, it is important that all entities storing, processing, or transmitting cardholder data be compliant.
Framework to become PCI DSS Compliant (Basic Checklist). Please see the attached PDF for a complete guide.
I. Ensure that you comply with PCI DSS Requirements:
A. Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect cardholder data.
– Do not use vendor-supplied defaults for system passwords and other security parameters.
B. Protect Cardholder Data
– Protect stored cardholder data.
– Encrypt transmission of cardholder data across open, public networks.
C. Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software or programs.
– Develop and maintain secure systems and applications.
D. Implement Strong Access Control Measures
– Restrict access to cardholder data by business need to know.
– Assign a unique ID to each person with computer access.
– Restrict physical access to cardholder data.
E. Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data.
– Regularly test security systems and processes.
F. Maintain an Information Security Policy
– Maintain a policy that addresses information security for all personnel.
II. Complete a PCI DSS Self Assessment
A. Complete the Self Assessment Questionnaire that applies to your specific case (Categories include A through D)
Customers are required by the Payment Card Industry Security Standards Council to complete an SAQ (Self Assessment Questionnaire). The purpose of this Questionnaire is to ensure that customers have certain policies and procedures in place that will allow their organization to achieve full compliance. This questionnaire must be completed by the applicant. It is not legally permissible for Liquid Web to complete a document that requires specific information directly pertaining to an applicant’s organization policies and procedures. The Self-Assessment Questionnaire is intended to be completed by your own staff. Companies that outsource all web application, card data handling, and server functions will have the least to do. Companies that write their own code and manage their own data storage will need some input from their technical staff. The first time through will take the longest and subsequent filings will go much faster.
There are 5 versions of the Questionnaire. Version A is just a couple of pages long and could be done in less than an hour, including all the reading it requires. Version D is just 3 pages long for merchants, much more involved for service providers.
Please reference the table below to determine which one you should complete. Please review the attached PDF for more information. Liquid Web will provide its customers a copy of its Self Assessment Questionnaires type D (SAQ-D), which is also required.
|Card not present (ecommerce or mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face to face merchants.|
|Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. This would never apply to e-commerce merchants.|
|Merchants using only web-based virtual terminals, no electronic cardholder data storage. This would never apply to e-commerce merchants.|
|Merchants with payment applications systems connected to the internet, no electronic cardholder data storage.|
|All other merchants not included in descriptions for SAQ types A through C above, and ALL SERVICE PROVIDERS defined by a payment brand as eligible to complete an SAQ.|
All SAQ forms can be located at the following site:
B. Complete an Attestation of Compliance. The form can be located at the following link:
The Attestation of Compliance (AOC) is where your company attests that it’s in compliance with the Data Security Standard annually. There are 5 versions of the Attestation of Compliance, just as there are 5 versions of the Self Assessment Questionnaire. If you qualify to use version A of the Questionnaire, use version A of the Attestation, etc.
For more information on how to select the correct Attestation of Compliance for your company, please visit this page: Attestation of Compliance versions A through D
Liquid Web will also provide its Attestation of Compliance, which is also required for certification.
III. Perform Quarterly ASV Scan
A. Four passing quarterly scans are not required for initial PCI DSS compliance if the assessor verifies:
– The most recent scan result was a passing scan,
– The entity has documented policies and procedures requiring quarterly scanning going forward, and
– Any vulnerabilities noted in the initial scan have been corrected as shown in a rescan.
For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred. Scans must cover all externally accessible (Internet-facing) IP addresses in existence at the entity.
It is recommended that Liquid Web customers consult with a certified Auditor in order to ensure their application will be compliant. The above documentation needs to be submitted to your Financial institution as proof of compliance.
Please do not hesitate to contact a Sales Engineer if you have questions pertaining to PCI DSS Compliance. If you need our assistance please contact us: