The Payment Card Industry Data Security Standard (PCI DSS) is a required security standard for the systems of merchants and organizations that handle payments card data.
Even organizations that process transactions through secured payment platforms (such as PayPal or Stripe) may be required to meet some of these compliance requirements.
This standard was created to prevent the devastating consequences of financial data breaches for businesses and consumers alike. Companies found to not be in compliance after a breach face serious fines and penalties.
Full compliance with the PCI DSS standard covers six main areas of your system through 12 high level controls. For most organizations, these must be validated every year. The Truvantis® team are PCI DSS experts and Qualified Security Assessors, with an extensive guide written on the standard and years of experience as a trusted partner for both compliance and validation.
The origins of PCI DSS begin in 2004 when the major payment card issuers, Visa, MasterCard, American Express and Discover, formed the Payment Card Industry Security Standards Council (PCI SSC) to create the PCI DSS standard in response to early-internet cybercrime:
Once you have achieved compliance by implementing the PCI DSS standard, validation certifies that your compliance has been verified and supplied to your acquirer (often your bank or payment gateway) as proof.
Some organizations are exempt from validation. VISA’s Technology Innovation Program (TIP), for example, exempts qualified merchants from the annual validation.
For everyone else, validation of compliance happens in one of two ways:
The choice between self-assessment and a QSA assessment is complex and based off of several criteria including transaction volume. Your acquirer will be able to tell you which route you have to take.
PCI SSC has developed self-assessment questionnaires (SAQ) to help specialist organizations assess the security of their cardholder information. For organizations with low transaction volumes, a properly-completed SAQ may be all they need to validate compliance.
A qualified security assessor or QSA is an individual or organization accredited to assess compliance with its standards. QSAs are the autonomous agents, trained and certified in payment card security methodology.
The assessment performed by a QSA is also sometimes known as a "Level 1 Assessment," referring to the highest burden for validation organizations as identified by the payment card issuers like Visa and Mastercard.
Organizations validating compliance with either an SAQ or a ROC from a QSA must submit an Attestation of Compliance (AOC): a declaration that they have performed the validation correctly and found their security protocols to be compliant.
Whether you’re looking for help achieving PCI DSS compliance, or need verification by a Qualified Security Assessor (QSA), Truvantis can help.
The solutions you choose and the vendor you partner with can leverage compliance into an opportunity to achieve your goals.
Unlike assessors coming from the accounting industry, we’re technology experts. We know that security compliance can be more than a one-size-fits-all solution. There’s a lot of different ways to check off those boxes.
We’ll work with you to find products and technology that are a great fit for your specific organization and goals, while ensuring you fulfill your compliance requirements along the way. That’s the advantage of working with a vendor that deeply understands the PCI DSS requirements and can translate them into concepts that are best-suited for your specific technology stack.
The Truvantis team offers a full range of services to help you to achieve and validate your PCI DSS compliance, including: