PCI DSS

Question 1

PCI DSS

Answer 1

• Payment Card Industry Security Standard
• Around since 2006
• Aims to protect cardholder information
• Developed by the PCI Standards Security Council (PCI SSC)

“Applies to all organizations who store, process or transmit cardholder information”

Question 2

Acquirer Responsibility

Answer 2

Acquirers are responsible for ensuring the PCI compliance of their merchant portfolios

Question 3

Requirements

Answer 3

The PCI DSS has 12 requirements classified into six goals, which cover all aspects of card data security

Question 4

Compliance Validation

Answer 4

May be done either through self-assessment, or by engaging with an accredited third party

• Quality Security Assessor (QSA)
• Internal Security Assessor (ISA)

When compliance validation is performed by a QSA or ISA, a Report on Compliance (ROC) is produced

• An additional validation require- ment applies to e-commerce merchants where they must also complete (where applicable) a quarterly network vulnerability scan performed by an Accredited Scanning Vendor (ASV)

Question 5

SAQ

Answer 5

“When compliance validation is performed through self-assessment, a Self-Assessment Questionnaire (SAQ) must be completed”

• Several options, depending on the type and size of the merchant

Question 6

Visa Merchant Level 1

Answer 6

• Annual ROC by QSA
• Quarterly network scan by Approved Scan Vendor

Question 7

Storage

Answer 7

Sensitive authentication data (which includes the card verification values) must not be stored post-authorisation