PCI DSS Certification: What It Is and How to Approach It

Visa and MasterCard have begun requiring PCI DSS compliance from merchants and from service providers that handle card data. As a result, the requirements of this standard matter not only to the large market players but also to small merchants and service businesses.
The PCI DSS standard was developed by the PCI SSC (Payment Card Industry Security Standards Council). It defines a specific list of requirements for protecting payment card data (PCD), covering both the technical and the organizational side of a company.
First of all, the standard applies to organizations whose information infrastructure stores, processes or transmits payment card data, and also to organizations that can affect the security of that data. Since mid-2012, all organizations involved in storing, processing or transmitting PCD have been required to comply with PCI DSS, and companies in the Russian Federation are no exception.
To understand whether your company needs to comply with PCI DSS, answer two main questions: is payment card data stored, processed or transmitted in your organization? And can your organization's business processes affect the security of that data? Only if the answer to both questions is "no" is PCI DSS compliance validation unnecessary.

Obviously, complying with the standard means meeting a number of requirements. Some of them are: protecting the network, controlling access to cardholder data, securely configuring the components of the information infrastructure, authentication mechanisms, physical protection of the infrastructure, and protecting cardholder data in transit. In total, the standard contains about 440 testing procedures.
There are several ways to validate compliance with PCI DSS requirements: an external assessment by a QSA (Qualified Security Assessor), an internal assessment by an ISA (Internal Security Assessor), or self-assessment using an SAQ (Self-Assessment Questionnaire).
A QSA assessment is performed by an external assessment company certified by the PCI SSC. During the assessment the assessors collect evidence of compliance with the requirements of the standard and retain it for three years.
An ISA assessment is performed by an employee of the organization who has been trained and certified by the PCI SSC. Self-assessment using an SAQ is carried out by the organization itself by completing the self-assessment questionnaire; in this case, no evidence of compliance has to be collected.
To decide when an external assessment is required, when an internal one is enough, and whether an assessment is needed at all, look at the type of organization and estimate the number of transactions it processes per year. The classification distinguishes two types of organizations: merchants and service providers.
A merchant is an organization that accepts payment cards as payment for goods and services (shops, restaurants, online stores and others).
A service provider is an organization that provides services to the payment card industry related to transaction processing (data centers, hosting providers, international payment systems and others).
Depending on the number of transactions processed per year, merchants and service providers are assigned to different levels. For example, take a merchant that processes between 20,000 and 1 million e-commerce transactions per year.
Under the Visa and MasterCard classification such an organization is level 3. To validate PCI DSS compliance it therefore needs quarterly external vulnerability scans of its infrastructure components by an ASV (Approved Scanning Vendor) and an annual self-assessment using an SAQ.

As for service providers, the range of services offered by cloud providers grows every year, so for organizations running on cloud infrastructure the question of PCI DSS hosting becomes relevant.
PCI DSS hosting is a service that provides a compliant environment for handling payment card data to organizations that have deployed their infrastructure, in which card data is stored, processed or transmitted, with a certified PCI DSS hosting provider.
By choosing such a service, the organization covers a significant part of the PCI DSS requirements: the provider takes on the fulfillment of some of them, for example, physical protection of the hosted servers and administration of the operating systems. Note that the customer remains responsible for everything the provider does not cover, so in practice you should check that the provider's Attestation of Compliance actually covers the services you use and agree in writing which requirements each party is responsible for.
As you know, outsourcing solves many problems and makes life easier for organizations. Previously, many companies deployed their information infrastructure in their own server room and met all of the standard's requirements on their own; now many delegate these tasks to certified service providers, which raises the level of security of the card processing environment and reduces the risk of financial losses from information security incidents.
Any organization that processes cards itself sooner or later faces the need for PCI DSS compliance validation. Turning to certified service providers significantly simplifies the validation process for merchants and ensures that payment card data is protected at the proper level.
P.S. Other interesting materials from our blog on Habr:
- Failures at a cloud provider: how to treat them;
- Experience and problems of a data center: how to check the reliability of a data center;
- How an IaaS provider chooses a data center to host its cloud: IT-GRAD's experience;
- Why business needs the cloud: an overview of real-world IaaS usage scenarios.