PCI DSS Flashcards
PCI DSS
- Payment Card Industry Data Security Standard
- Around since 2006
- Aims to protect cardholder information
- Developed by the PCI Security Standards Council (PCI SSC)
“Applies to all organizations who store, process or transmit cardholder information”
Acquirer Responsibility
Acquirers are responsible for ensuring the PCI compliance of their merchant portfolios
Requirements
The PCI DSS has 12 requirements classified into six goals, which cover all aspects of card data security
Compliance Validation
May be done either through self-assessment, or by engaging with an accredited third party
- Qualified Security Assessor (QSA)
- Internal Security Assessor (ISA)
When compliance validation is performed by a QSA or ISA, a Report on Compliance (ROC) is produced
- An additional validation requirement applies to e-commerce merchants: where applicable, they must also complete a quarterly network vulnerability scan performed by an Approved Scanning Vendor (ASV)
SAQ
“When compliance validation is performed through self-assessment, a Self-Assessment Questionnaire (SAQ) must be completed”
- Several options, depending on the type and size of the merchant
Visa Merchant Level 1
- Annual ROC by QSA
- Quarterly network scan by an Approved Scanning Vendor (ASV)
Storage
Sensitive authentication data (which includes the card verification values) must not be stored post-authorisation