What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for entities which deal with branded credit and debit cards. It is a compulsory set of requirements that organisations are supposed to meet in order to reduce the risk of any criminal activity related to storing and processing credit and debit card data. With the main goal of maintaining a secure environment for sensitive cardholder data, PCI DSS helps to decrease fraud or online security breaches. The latest versions of PCI DSS documentation can be found on the PCI Security Standards Council website https://www.pcisecuritystandards.org/

What is cardholder data?

Cardholder data refers to any personally identifiable data associated with a cardholder - name, surname, card expiration date, card number, service code, etc. The data is either printed on a card itself or contained in digital format on the magnetic stripe embedded in the backside of a card or a chip embedded on the front side of a card. 

This information is used to authorize and process payment transactions, and it is highly valuable to cybercriminals who may attempt to steal it through various means such as phishing, skimming, or hacking. To protect cardholder data, various security standards and regulations have been established, including the Payment Card Industry Data Security Standard (PCI DSS) which outlines specific requirements for merchants, processors, and other entities that handle cardholder data. The PCI DSS apply to all cardholder data stored, processed, or transmitted. 

In what cases cardholder data can be exposed?

Some common examples of cardholder data exposure include:

• physical theft of data storage devices, such as laptops or portable hard drives;
• unauthorized access to data over unsecured networks, such as public Wi-Fi;
• malware or other malicious software that is installed on a system and steals cardholder data;
• insufficient security controls, such as weak passwords or inadequate access controls, that allow unauthorized access to cardholder data;
• human error, such as accidentally sending cardholder data to the wrong person or posting it publicly on a website.

What are the consequences of cardholder data exposure?

If cardholder data is stolen, the consequences can be serious for both the cardholder and the organization that was responsible for safeguarding the data. Here are some of the potential consequences:

Financial losses: The stolen cardholder data can be used to make unauthorized purchases, resulting in financial losses for the cardholder and potentially the organization that was responsible for safeguarding the data. The organization may also face fines and legal fees.

Damage to reputation: A data breach can damage the reputation of the organization that was responsible for safeguarding the data. Customers may lose trust in the organization and may be hesitant to do business with them in the future.

Regulatory penalties: Depending on the jurisdiction, the organization may be subject to regulatory penalties for failing to protect cardholder data.

Cost of remediation: The organization will need to take steps to remediate the breach, which can be costly and time-consuming. This may include forensic investigations, notifying affected individuals, providing credit monitoring services, and implementing additional security controls.

Legal liability: The organization may be held legally liable for failing to protect cardholder data. This can result in lawsuits and settlements.

Is FMPay PCI DSS Compliant?

PCI DSS is applied to all companies which accept, process, store or transmit credit and debit card data.  There are four PCI DSS levels which are based on transaction volumes over a 12-month period. FMPay complies with Level 1 Payment Card Industry Data Securities Standards, which is the highest standard of PCI DSS compliance.

Do I need to be PCI DSS compliant as a Merchant?

Yes, anyone selling goods and services online needs to be compliant with PCI DSS.

The main purpose of the PCI DSS is to prevent credit card fraud and set good practices for companies which deal with card information. Merchants are responsible for the security of cardholder data and must be careful not to store certain types of data on their systems or the systems of their third party service providers. Merchants are also responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI DSS. 

In general, achieving PCI compliance involves several requirements:

- Building and maintaining secure network and systems;

- Protecting stored and encrypting transmitted cardholders data; 

- Implementing strong access control measures;

- Testing security systems and processes annually;

- Maintaining Security Information Policy for all staff.

It is important to note that achieving and maintaining PCI compliance is a complex process that requires a significant investment of time, resources, and expertise. You may want to consider working with a qualified security consultant or managed service provider to help you navigate the process and ensure that your business is fully compliant.

How often will my PCI DSS compliance be checked?

We're constantly monitoring the PCI DSS compliance of our merchants. Your PCI DSS Level will be verified annually and we will request an external vulnerability scan by an ASV (Approved Scanning Vendor) of your processing website(s) quarterly. 

You may order this scan from any of authorized companies listed on the PCI Security Standards Council web-site.

The documents you will need to submit to us depend on your PCI DSS Level, which is based on the number of transactions per year and the type of technical integration of your website with our payment platform. Level 1 merchants process more than 6 million transactions per year, while level 4 merchants process fewer than 20,000 transactions per year. 

Level 1 Merchants can only validate compliance with an independent assessment by a QSA (Qualified Security Assessor). Level 2, 3, 4 Merchants may be able to validate their compliance by completing an SAQ (Self Assessment Questionnaire).

What is an SAQ?

The Self-Assessment Questionnaire (SAQ) is a series of questions that helps merchants to determine whether their business is compliant with the PCI DSS. The SAQ typically consists of a series of questions that ask about the organization's security practices, policies, and procedures related to the handling of sensitive information. The purpose of the SAQ is to help organizations identify areas where they may not be fully compliant with the applicable security requirements and take steps to address those areas. 

There are different versions of the SAQ, depending on your compliance level and the way you accept payments. The latest versions of all SAQs can be downloaded from the PCI Security Standards Council's website.

What is an ASV scan?

An ASV scan is a type of security assessment that is performed by an Approved Scanning Vendor (ASV) to determine whether an organization's network and systems meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

ASVs are companies that have been authorized by the PCI Security Standards Council to perform scans of an organization's network and systems to determine whether they meet the requirements of the PCI DSS. An ASV scan typically involves running automated tools to scan for vulnerabilities and weaknesses in the organization's network and systems, as well as conducting manual testing to identify potential security issues. 

The list of Approved Scanning Vendors (ASVs) is maintained by the Payment Card Industry Security Standards Council (PCI SSC) and can be found on their website.

FMPay will ask you to provide an ASV scan of your processing website(s) quarterly.

If I fully outsource cardholder data functions to a licensed third-party-provider, do I still need to send you PCI DSS documents?

If you are a merchant who has fully outsourced cardholder data functions to a third-party provider, you may still have responsibilities under the PCI DSS. Depending on the scope of your outsourcing arrangement, you may need to provide documentation and evidence of compliance with the standard. For example, you may need to provide evidence that your third-party provider is PCI DSS compliant, and that you have implemented appropriate controls to manage the outsourcing relationship.

There is no technical ability to outsource cardholder data in full — as a merchant you still have control over the server that runs your store and generates links to your payment processor gateway. This link can potentially be changed to a fraudulent one by bad actors. To prevent this, merchants who use third-party payment processors must ensure their cardholder data environment (CDE) is secure and there are appropriate controls in place to protect cardholder data.