The Payment Card Industry Security Standards Council (PCI SSC) was established by the leading international card organizations Visa, Mastercard, Amex, Diners, Discover and JCB. The PCI SSC has developed the PCI DSS rules and documents that lay down card security principles and policies. This payment security guidance must be followed by all entities (including banks, merchants and payment processors) that store, process or transmit cardholder data. The rules set the technical and operational requirements for organizations accepting or processing payment transactions.
Please see the latest version of the requirements and standards on the PCI SSC website (https://www.pcisecuritystandards.org/).
All merchants that store, process or transmit cardholder data must be PCI DSS compliant.
Card data and sensitive authentication data elements:

| Data Element | Storage Permitted | Render Stored Data Unreadable |
|---|---|---|
| Cardholder Data | | |
| Primary Account Number (PAN) | Yes | Yes (the standard requires that the PAN be rendered unreadable) |
| Cardholder Name | Yes | No |
| Service Code | Yes | No |
| Expiration Date | Yes | No |
| Sensitive Authentication Data (must not be stored after authorisation, even if encrypted) | | |
| Full Track Data (full track data from the magnetic stripe, equivalent data on the chip, or elsewhere) | No | Prohibited |
| CVV2/CVC2 (the three- or four-digit value printed on the front or back of a payment card) | No | Prohibited |
| PIN/PIN Block (Personal Identification Number entered by the cardholder during a transaction, and/or the encrypted PIN block present within the transaction message) | No | Prohibited |
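As an added illustration (not code from the original page), the following Python enforces the table's storage rules on a transaction record before it is written to a database: the sensitive authentication data elements are dropped, the PAN is truncated to its first six and last four digits (one of the methods PCI DSS accepts for rendering a stored PAN unreadable), and a helper flags full PANs that have leaked into log lines. The field names and the sample record are constructed assumptions.

```python
import re
# Elements the table marks "Storage Permitted: No" (sensitive authentication data).
# Field names are assumptions made for this example.
PROHIBITED_FIELDS = {"full_track_data", "cvv2", "cvc2", "pin", "pin_block"}
# Cardholder data elements the table allows to be stored in the clear.
PERMITTED_FIELDS = {"cardholder_name", "service_code", "expiration_date"}
# Digit runs of 13-19 with optional space/dash separators, e.g. "4111 1111 1111 1111".
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check; used only to cut false positives when scanning text for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Return only what may be persisted after authorisation, with the PAN truncated."""
    stored = {}
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            continue  # never stored, not even encrypted
        if key == "pan":
            stored["pan_truncated"] = truncate_pan(value)
        elif key in PERMITTED_FIELDS:
            stored[key] = value
        else:
            raise KeyError(f"unclassified field {key!r}: classify it before storing")
    return stored

def find_clear_pans(text: str) -> list:
    """Detection aid: list Luhn-valid full PANs found in a log line or stored record."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

# Constructed sample record (not a real card number).
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example", "expiration_date": "12/29",
                 "service_code": "201", "cvv2": "123", "pin_block": "0123456789ABCDEF"}
```

Running `find_clear_pans` over application logs is a cheap periodic check that a PAN has not slipped past the truncation step into a place the table does not allow.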
How to be sure that you are compliant with PCI DSS requirements?
We inform merchants once per year via e-mail what kind of action must be taken to comply with the PCI DSS. The requirements are presented in the table below.
Merchants are categorized into 4 levels based on the annual number of card payment transactions with one card brand (e.g. Mastercard, Visa, Amex). We require Level 1 to Level 3 merchants to notify us of their compliance status after the required action has been taken. Level 4 merchants must notify us of their compliance status by sending a completed Self-Assessment Questionnaire (SAQ).
| Merchant level | Merchant transaction criteria | Required actions from merchants | Frequency |
|---|---|---|---|
| Level 1 | Merchants with 6 million or more annual transactions in total for Mastercard or Visa | External security audit by a Qualified Security Assessor (QSA) | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 2 | Merchants with 1 to 6 million annual transactions in total for Mastercard or Visa | Assessment by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Level 2 merchants who choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA training and pass the associated accreditation program annually in order to keep the self-assessment option for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA instead of the annual self-assessment questionnaire. (1) Merchants completing SAQ A, A-EP or D are required to engage a QSA or ISA for annual compliance validation. (2) Merchants completing SAQ B, B-IP, C-VT, C or P2PE may now self-assess without a QSA or ISA for compliance validation. | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 3 | E-commerce merchants with 20 000 to 1 million annual transactions in total for Mastercard or Visa | Completing an annual Self-Assessment Questionnaire (SAQ) | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 4 | All other merchants | Annual Self-Assessment Questionnaire (SAQ) at the merchant's discretion | Recommended once per quarter |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Recommended once per year |
Keep in mind that you will need to perform:
- A security audit by a certified auditor acting as a Qualified Security Assessor (QSA), chosen from the entities listed on the official PCI SSC website.
- A network scan by a qualified scanning vendor acting as an Approved Scanning Vendor (ASV) or a Qualified Security Assessor (QSA). An ASV may scan both in-store and online merchants but is not entitled to perform the annual audit.
- An internal audit, during which the questions in the Self-Assessment Questionnaire (SAQ) have to be answered. The content of the questionnaire depends on the merchant's technical solution.
PCI DSS requirements and goals
The 12 requirements and goals in the table below will help you to understand what important actions must be performed to be compliant with the PCI DSS rules.
| Goals | PCI DSS Requirements |
|---|---|
| Build and maintain a secure network and systems | 1. Install and maintain a firewall configuration to protect cardholder data. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data | 3. Protect stored cardholder data. |
| | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software or programs. |
| | 6. Develop and maintain secure systems and applications. |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know. |
| | 8. Identify and authenticate access to system components. |
| | 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data. |
| | 11. Regularly test security systems and processes. |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel. |
For more information please visit https://www.pcisecuritystandards.org/
The cardholder shall have the right to contest a transaction made with the Mastercard or Visa card. Such an appeal shall be settled as chargeback in accordance with the rules established by the international card organisations.
In case of chargeback, the merchant shall provide additional documents in order to prove that the transaction took place in accordance with the requirements of the card organisations. If the merchant fails to do so or does not respond on time, the merchant shall be financially liable for the contested transaction.
The most common reasons for chargeback
The most common reasons for chargeback are:
- the cardholder confirms that he or she has not made the transaction (may indicate fraud);
- a service paid for by recurring card payments was cancelled by the client;
- the goods do not correspond to the product information provided in the e-shop;
- the goods are defective;
- the cardholder has not received the ordered product/service within the time period established by the e-shop terms.
Recommendations for the merchant to prevent possible chargeback
Recommendations for the merchant to prevent possible chargeback:
- use a delivery service that provides confirmation of delivery of the goods;
- make sure that the goods return policy of your company has clearly established the process of returning the goods and the time period during which the cardholder may file a complaint;
- always ensure that you have delivery insurance for any fragile products;
- make sure that you always have the order documents in a format which can be reproduced and the cardholder’s confirmation on agreeing with the terms and conditions of the order;
- if possible, contact the cardholder in writing so that you have a written record of the communication with the client;
- if the goods or services ordered by the client are not available, inform the client and offer a replacement product/service of the same quality and price, or cancel the card transaction at the client's request.
The consumer protection regulations have established the requirements for information that should be communicated to the client before entering into a contract. These requirements shall be applied to all who deliver goods or provide services under a distance contract.