PCI DSS: How and Why to Obtain a Certificate of Compliance

    Hi %username%!
    We have prepared this post for those who work in Internet commerce and plan to accept (or already accept) payments on their own site. We will talk about the international PCI DSS data security standard: its basic requirements for an information infrastructure that processes and protects bank card data, the main reasons for passing certification, and the opportunities a certified company receives.

    PCI DSS (Payment Card Industry Data Security Standard) is the data security standard of the payment card industry. The standard was developed by the international payment systems Visa and MasterCard. Any organization that plans to receive and process bank card data on its website must comply with the PCI DSS requirements.

    There are 4 levels of PCI DSS certification, which differ primarily in the maximum number of transactions that may be processed:
    • Level 4 allows you to process up to 20 thousand transactions per year. Confirming compliance with PCI DSS requires quarterly scanning of external addresses for vulnerabilities (ASV scans) and filling out a self-assessment questionnaire (SAQ).
    • Level 3 allows you to process from 20 thousand to 1 million transactions per year. Certification requires both a quarterly ASV scan and a self-assessment questionnaire (SAQ).
    • Level 2 allows you to process from 1 million to 6 million transactions per year. A quarterly ASV scan and a self-assessment questionnaire (SAQ) are required to confirm compliance with PCI DSS. However, after June 30, 2012, filling out the SAQ at this level will require either sending your own employees to specialized training or engaging an auditing company (PCI QSA).
    • Certification for compliance with PCI DSS Level 1 is carried out only with the involvement of an independent auditor (QSA) and allows you to process more than 6 million transactions per year. The certification procedure includes a survey of the company's information infrastructure, development of the recommendations and regulatory documents needed to comply with the standard, and consulting support during implementation.

    We are certified for compliance with the PCI DSS standard every year. For us, as a processing center, compliance with PCI DSS Level 1 is mandatory: the international payment systems impose this requirement on companies that provide Internet acquiring services.
    Enterprises that sell goods or services over the Internet get certified for PCI DSS compliance for a number of reasons:
    • Conversion. Companies are afraid of losing part of their payments when the customer is redirected from the shopping cart to a separate payment page.
    • Image. Sometimes large companies do not want the client to leave the company's website for the website of a third-party organization (a bank or processing center) to enter bank card data.
    • Technical tasks. The company needs to build its own high-tech payment scheme, tailored to the specifics of its business.

    PCI DSS certification allows a company to work with banks directly, through the payment interfaces of the bank and of the Internet enterprise itself. This eliminates the buyer's redirect to a third-party website. In addition, building your own payment system allows you to work directly with several banks at once, "balancing" between them, and to build a system of "cascading" payments. In a "cascade" payment, authorization is attempted sequentially at several banks and processing centers, which can significantly reduce the percentage of rejected transactions.
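The following is an added example (not code from the original post or from PayOnline) of the "cascading" authorization just described: the same payment is offered to several acquirers in turn, and the first approval wins. The acquirers, card tokens and response codes are constructed for the demo (the codes are modelled on ISO 8583 conventions). One design choice not stated in the post, and labelled as an assumption in the code: only technical declines (issuer unavailable, system malfunction) cascade to the next bank, while declines that concern the card itself stop the cascade, so a refused card is not retried across every bank.

```python
"""Cascading card authorization across several acquirers (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Outcome(Enum):
    APPROVED = "approved"
    SOFT_DECLINE = "soft_decline"   # technical / temporary: try the next acquirer
    HARD_DECLINE = "hard_decline"   # the issuer refused the card itself: stop


@dataclass
class AuthResult:
    acquirer: str
    outcome: Outcome
    code: str   # acquirer response code (constructed, modelled on ISO 8583 values)


# An authorizer takes (amount in minor units, card token) and returns an AuthResult.
Authorizer = Callable[[int, str], AuthResult]


@dataclass
class CascadeResult:
    approved_by: Optional[str]
    attempts: List[AuthResult] = field(default_factory=list)


# Assumption: only technical failures are safe to retry at another bank.
SOFT_CODES = {"91": "issuer or switch inoperative", "96": "system malfunction"}
HARD_CODES = {"05": "do not honor", "41": "lost card", "43": "stolen card"}


def classify(code: str) -> Outcome:
    """Map a response code to a cascade outcome; unknown codes are treated as hard."""
    if code == "00":
        return Outcome.APPROVED
    if code in SOFT_CODES:
        return Outcome.SOFT_DECLINE
    return Outcome.HARD_DECLINE


def make_acquirer(name: str, responses: Dict[str, str], default: str = "00") -> Authorizer:
    """Build a simulated acquirer that answers with a fixed code per card token."""
    def authorize(amount: int, card_token: str) -> AuthResult:
        code = responses.get(card_token, default)
        return AuthResult(name, classify(code), code)
    return authorize


def cascade_authorize(amount: int, card_token: str,
                      acquirers: List[Tuple[str, Authorizer]]) -> CascadeResult:
    """Try acquirers in order; stop at the first approval or the first hard decline."""
    result = CascadeResult(approved_by=None)
    for name, authorize in acquirers:
        attempt = authorize(amount, card_token)
        result.attempts.append(attempt)
        if attempt.outcome is Outcome.APPROVED:
            result.approved_by = name
            break
        if attempt.outcome is Outcome.HARD_DECLINE:
            break
    return result


def rejection_rate(results: List[CascadeResult]) -> float:
    """Share of payments that ended without an approval."""
    rejected = sum(1 for r in results if r.approved_by is None)
    return rejected / len(results) if results else 0.0


# Constructed setup: bank_a is flaky for two tokens, bank_b is healthy,
# and tok-3 is a card both banks refuse outright.
BANK_A = make_acquirer("bank_a", {"tok-1": "91", "tok-2": "96", "tok-3": "43"})
BANK_B = make_acquirer("bank_b", {"tok-3": "43"})
CASCADE = [("bank_a", BANK_A), ("bank_b", BANK_B)]
TOKENS = ["tok-0", "tok-1", "tok-2", "tok-3"]


def run_single(amount: int = 1000) -> float:
    """Rejection rate when only bank_a is used."""
    return rejection_rate([cascade_authorize(amount, t, CASCADE[:1]) for t in TOKENS])


def run_cascade(amount: int = 1000) -> float:
    """Rejection rate when technical declines cascade from bank_a to bank_b."""
    return rejection_rate([cascade_authorize(amount, t, CASCADE) for t in TOKENS])


if __name__ == "__main__":
    print("single acquirer rejection rate:", run_single())   # 0.75
    print("cascade rejection rate:        ", run_cascade())  # 0.25
    print(cascade_authorize(1000, "tok-3", CASCADE))          # stops after bank_a
```

On the constructed data the cascade cuts rejections from three payments in four to one in four, while the refused card (tok-3) is attempted only once. In a real deployment every attempt, including the declined ones, must be logged with the same care as an approval, since the transaction history is what the anti-fraud monitoring described below is built from.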

    But working with banks independently gives the company more than the advantage of adapting the payment system "for itself". It also obliges the company to take on the fight against fraudulent transactions while it processes bank card data on its website. In other words, the company needs to build its own system for monitoring and combating fraudulent transactions (anti-fraud). The task of the anti-fraud system is to filter out operations that a number of signs identify as fraudulent (for example, the country of the issuing bank does not match the country of payment or the payer's residence).

    While the anti-fraud system is being built and debugged, a long period of collecting and analyzing data on bank card transactions is unavoidable. The purpose of this data collection is to identify the hallmarks of fraudulent transactions. While the statistics are being gathered, the company will have to deal with a large number of "charge-back" operations.
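The two paragraphs above describe a rule-based anti-fraud filter and the statistics gathered to tune it. The code below is an added example, not the post's or PayOnline's own system: it implements the one sign the post names (issuing-bank country versus country of payment and payer residence) as rules, turns the number of fired rules into an accept/review/reject decision, and computes the charge-back rate per rule over a transaction history. The BIN table, the transactions and their charge-back flags are constructed; the threshold and the review category are assumptions. Note that the records keep only the six-digit BIN, never the full card number, so the statistics store can stay outside the PCI DSS scope.

```python
"""Rule-based anti-fraud pre-filter with charge-back statistics (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed BIN table: first six digits of the PAN -> issuing bank country.
# A real system would use an issuer BIN database; these values are made up.
BIN_COUNTRY: Dict[str, str] = {
    "411111": "RU",
    "522222": "US",
    "533333": "DE",
}


@dataclass
class Transaction:
    tx_id: str
    bin: str                 # first six digits only; the full PAN is never kept here
    amount: int              # minor units
    payment_country: str     # where the payment was made (e.g. from geo-IP)
    payer_country: str       # payer's declared residence (billing address)
    charged_back: bool = False   # known outcome, used only for tuning on history


def issuer_country(bin_prefix: str) -> str:
    return BIN_COUNTRY.get(bin_prefix, "??")


# A rule returns a short label when it fires, otherwise None.
Rule = Callable[[Transaction], Optional[str]]


def rule_issuer_vs_payment(tx: Transaction) -> Optional[str]:
    ic = issuer_country(tx.bin)
    if ic != "??" and ic != tx.payment_country:
        return "issuer_country_ne_payment_country"
    return None


def rule_issuer_vs_residence(tx: Transaction) -> Optional[str]:
    ic = issuer_country(tx.bin)
    if ic != "??" and ic != tx.payer_country:
        return "issuer_country_ne_payer_residence"
    return None


def rule_unknown_bin(tx: Transaction) -> Optional[str]:
    return "unknown_bin" if issuer_country(tx.bin) == "??" else None


RULES: List[Rule] = [rule_issuer_vs_payment, rule_issuer_vs_residence, rule_unknown_bin]


def fired_rules(tx: Transaction) -> List[str]:
    """Labels of every rule that fires on the transaction, in RULES order."""
    hits = []
    for rule in RULES:
        label = rule(tx)
        if label:
            hits.append(label)
    return hits


def decide(tx: Transaction, threshold: int = 2) -> str:
    """'accept', 'review' or 'reject' by the number of signs that fired (threshold assumed)."""
    n = len(fired_rules(tx))
    if n == 0:
        return "accept"
    if n < threshold:
        return "review"   # hand to risk staff or to the processing center
    return "reject"


def chargeback_rate_by_rule(history: List[Transaction]) -> Dict[str, float]:
    """Per rule, the share of its historical hits that ended in a charge-back.
    This is the statistic the post describes collecting to find hallmarks of fraud."""
    hits: Dict[str, List[bool]] = {}
    for tx in history:
        for label in fired_rules(tx):
            hits.setdefault(label, []).append(tx.charged_back)
    return {label: sum(flags) / len(flags) for label, flags in hits.items()}


# Constructed history: amounts, countries and charge-back outcomes are made up.
HISTORY = [
    Transaction("t1", "411111", 150000, "RU", "RU"),
    Transaction("t2", "522222", 9900, "RU", "US", charged_back=True),
    Transaction("t3", "522222", 12000, "US", "US"),
    Transaction("t4", "533333", 50000, "RU", "RU", charged_back=True),
    Transaction("t5", "999999", 700, "RU", "RU"),
    Transaction("t6", "522222", 3000, "DE", "US"),
]


if __name__ == "__main__":
    for tx in HISTORY:
        print(tx.tx_id, decide(tx), fired_rules(tx))
    print(chargeback_rate_by_rule(HISTORY))
```

On this history the issuer-versus-payment-country rule has a charge-back rate of 2/3 and the unknown-BIN rule 0, which is exactly the kind of comparison that tells a risk team which signs deserve weight and which only generate reviews. A single rule firing sends the payment to review rather than rejecting it, matching the post's suggestion that doubtful transactions can be referred to a processing center's risk department instead of being refused outright.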

    Building your own anti-fraud system is logical and financially justified for companies with a large turnover of bank card payments. For such companies, flexibility and full control over the payment filtering system are critical. In addition, such a company can afford to allocate resources to the continuous development of the technologies and tools of its own "mini processing center".

    It is worth noting that when it comes to risk monitoring, it is hard to find a better service provider than a processing center. Thanks to the diversity and sheer number of its customers, the processing center has an extensive history of monitoring and filtering. Even if a company builds its own anti-fraud system, it can still send the transactions that raise doubts among its internal risk specialists to the processing center for processing.

    To make an informed decision about how to process bank card data, you need to evaluate every component of the process, from submitting documents to supporting cardholders. To make that decision easier, we compared the two main approaches to receiving and processing bank card data: entering the data on a third-party site (for example, a processing center) versus entering the data on the company's own website with subsequent authorization of the payment at the bank.

    Option A: bank card data is entered on the enterprise's own website, with subsequent authorization of the payment (for example, at a bank).
    Option B: bank card data is entered on a third-party site (for example, on the secure payment page of the processing center, PC).

    PCI DSS
    • A: PCI DSS certification is required.
    • B: Certification is not required.

    Connection
    • A: To accept payments directly, you must connect to the bank yourself. The bank's decision depends, among other things, on the company's turnover.
    • B: To connect, you hand the document package to a personal manager, who interacts with the bank and prepares the contract.

    Commission
    • A: The commission charged by the bank for processing payments starts at 2% of the transaction amount and depends on the turnover and line of business of the company. The commission a client obtains directly from the bank is often equal to the one offered by the PC, because of the "wholesale" terms the PC works on and the high quality of transaction monitoring, in which the bank is interested.
    • B: The fee charged by the PC for processing payments and a range of additional services starts at 2.5% of the transaction amount and depends on the turnover and line of business of the company.

    Bookkeeping
    • A: The company handles accounting reports and settlements with the bank on its own. Preparing reports requires active work with the bank and building your own billing system.
    • B: The PC billing system gives customers online accounting of transactions. Accounting documents (act, detailed statement of the PayOnline system, invoice) can be downloaded from the personal account interface.

    Payer support
    • A: To provide qualified support to payers, you need to organize your own call center or buy third-party services (from 25,000 rubles per month for the work of a specialist). If you already have a call center, its specialists need additional training to work with cardholders. Call-center infrastructure (software, telephony) also has to be built.
    • B: Support for cardholders paying in your online store is provided by the specialists of the PC's call center.

    Transaction monitoring
    • A: Transaction monitoring must be carried out by qualified staff of the e-commerce company that processes bank card data. The salary of a risk specialist starts at 35,000 rubles per month.
    • B: Transaction monitoring, including the software, is carried out by the specialists of the PC's risk department.

    Hardware
    • A: Investment in the server side is required for certification and for an adequate level of security. The amount depends on the certificate level and the proposed infrastructure.
    • B: No additional expenses for the server side, since transaction processing takes place on the PC's secure servers.

    Development
    • A: To accept payments yourself, you must develop or purchase a billing system, including secure data transfer services to the bank, secure payment acceptance forms and additional interfaces. A highly qualified specialist is needed on a permanent basis, at a cost of at least 65,000 rubles per month.
    • B: To connect to the processing center, a developer is engaged once to implement the payment form on the company's website. If necessary, a branded payment form is developed by the PC's specialists.

    Accepting payments on the site (without a redirect to a third-party resource)
    • A: You process bank card data on the site without redirecting to a third-party resource.
    • B: Payments can be accepted without a visible redirect to the PC website using iFrame technology.


    Thus, if a company intends to pass PCI DSS certification and process bank card data on its site independently, all the requirements of the PCI DSS standard apply to it. They cover security at the level of networks, equipment, applications, databases, physical storage, documentation and process control. And, as mentioned above, building the anti-fraud system and the billing system, a difficult and lengthy task, also falls on the company itself.

    Companies that work only through a payment gateway and do not accept customers' bank card data on their own site are subject only to the requirements of the payment gateway's (processing center's) risk department. These concern the e-commerce enterprise's website, the correctness of its content and price offers, and the organizational form of the company.

    If you have questions after reading this post, write them in the comments. Evgeny Bezgodov aka Bezgodov, Executive Director of Deiteriy, CISA, PCI QSA, will answer on behalf of the auditor and as a specialist in PCI DSS requirements. On the payment gateway side, as always, specialists from the PayOnline processing center are in touch.
