In a previous article, we discussed penetration testing, the problems it addresses and the situations that call for it. One of those situations is the PCI-DSS compliance check, which includes a requirement for vulnerability testing every 90 days. But what exactly is PCI-DSS? Does it apply to your business? What are its requirements, and what is at stake in this standard?

What Exactly Is PCI-DSS?

  The Payment Card Industry Data Security Standard (PCI-DSS) applies to every actor in the payment chain: anyone who processes, transmits or stores payment card information is concerned. Initially founded by the 5 major card companies, the standard is now managed by an independent body, the PCI Security Standards Council (PCI-SSC). The standard defines two categories of entity:  
  • The merchant: any company or individual that accepts card payments. The merchant is the party to which the customer, as cardholder, hands over their card information, and it represents the first link in the electronic payment chain;  
  • The service provider, or hosting provider: any company that stores, processes or transmits payment card information on behalf of another company. Service providers can be thought of as intermediaries offering various payment services to merchants. Some companies are both merchants and service providers: a telecommunications company, for example, receives card information from a customer for payment and at the same time enables its transmission, so it is considered both a merchant and a service provider.

The Challenges of PCI-DSS

  The PCI-DSS standard exists to protect not only end users but every link in the chain: preventing bank data theft through a set of restrictive but comprehensive rules strengthens the protection of users, intermediaries, banks and merchants. In most cases, following it has also become mandatory in order to deal with Visa, Mastercard, JCB, Discover, American Express and virtually all other card issuers. This is why a comprehensive data security policy must not only be designed but also maintained, through regular vulnerability testing and penetration testing.

PCI-DSS Requirements

  The PCI-DSS consists of 12 sections, each of which is intended to contribute to the security of cardholder data. The requirements are grouped under the following objectives (each intended goal is followed by its PCI-DSS requirements):

Build and Maintain a Secure Network and Systems

1. Installing and maintaining a firewall configuration to protect cardholder data.

2. Changing vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protecting stored cardholder data.

4. Encrypting transmission of cardholder data over open, public networks.

Maintain a Vulnerability Management Program

5. Protecting all systems against malware and performing regular updates of anti-virus software.

6. Developing and maintaining secure systems and applications.

Implement Strong Access Control Measures

7. Restricting access to cardholder data to only authorized personnel.

8. Identifying and authenticating access to system components.

9. Restricting physical access to cardholder data.

Regularly Monitor and Test Networks

10. Tracking and monitoring all access to cardholder data and network resources.

11. Testing security systems and processes regularly.

Maintain an Information Security Policy

12. Maintaining an information security policy for all personnel.

Compliance Assessment

To certify the compliance of an information system with the PCI-DSS standard, an external entity called a Qualified Security Assessor (QSA) will either produce a Report of Compliance (ROC) or assist the company in completing a Self-Assessment Questionnaire (SAQ). There are 4 levels of PCI-DSS compliance for merchants, depending on the volume of e-commerce transactions they process per year, each with its own validation requirements:  

Level 1 (6 million+ transactions per year):
1. Report of Compliance + Certification of Compliance (ROC + AOC) following an annual audit done by a QSA
2. Vulnerability scan, including a comprehensive penetration test

Level 2 (1 to 6 million transactions per year):
1. SAQ
2. Vulnerability scan
3. PCI-DSS Certification of Compliance (AOC)

Level 3 (20,000 to 1 million transactions per year)

Level 4 (fewer than 20,000 transactions per year)

The Self-Assessment Questionnaire (SAQ)

  This questionnaire consists of a series of closed-ended questions designed to assess an entity's PCI-DSS readiness. It is to be completed by every PCI-DSS entity whose transaction volume does not exceed the threshold that requires a compliance report. There are a variety of questionnaires depending on the exact nature of the payment data processing carried out by the company seeking certification; they range from 20 to 300 questions. A company can choose and complete the questionnaire itself, or it can involve an independent assessor.

Vulnerability Scan

  A vulnerability scan is the use of a vulnerability analysis tool on all of an organisation's networked applications that can be accessed from the Internet, or in some cases from an intranet (e.g. private sites that customers reach over a VPN). These scans are performed by a PCI-SSC approved vendor every 90 days to maintain compliance.

Certificate of Compliance (AoC)

  The certificate of compliance is simply a declaration completed and signed by the service provider or merchant, attesting that it has completed the self-assessment questionnaire and adheres to the PCI-DSS rules. This attestation can also be completed by the assessor if the company's situation makes it subject to a compliance report (Level 1 merchants).

Report of Compliance (RoC)

  In contrast to the certificate of compliance and the Self-Assessment Questionnaire, the Report of Compliance has to be issued by a Qualified Security Assessor (QSA). These assessors are appointed by the PCI-SSC, and independently certify compliance with the PCI-DSS rules.

The Importance of PCI-DSS

  Although PCI-DSS is not a de jure standard legally required for payment data processing, it is a de facto standard, as it is required by virtually all payment card companies. It is also important to note that cardholder data is considered by some countries to be PII (Personally Identifiable Information), and therefore falls under the scope of the GDPR (General Data Protection Regulation). While not clearly outlined in the law, any data that can identify a person, such as unique identification numbers, is considered personal data. As such, cardholder data may be considered PII. In addition, some US states refer directly to the PCI-DSS standard in their legislation, making it a de facto mandatory standard. Credit card issuers can, and have, refused service to a merchant or service provider that is not compliant with the standard. All of these considerations make PCI-DSS, although not mandatory, a "seal of quality" and an important aspect of networked system security. The PCI-DSS rules can also serve as a good starting point for securing all of your sensitive data, not just payment data; they are a solid base for strengthening the security of information systems.
Sonema’s networks and data centres are regularly audited by an external firm and are PCI-DSS compliant. For over 30 years, Sonema has been providing its customers with tailor-made connectivity, hosting and security solutions to meet their most demanding needs. For more information, contact us.