The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

It is promulgated by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS applies to:

  • Online payments
  • Point of sale
  • etc.

SAQ = Self-Assessment Questionnaire

PCI DSS establishes different types of SAQs, depending on the security level required.

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C-VT
  • SAQ-C
  • SAQ-D
  • P2PE-HW

A Qualified Security Assessor (QSA) is a company that has achieved certification to audit against PCI DSS and is therefore entitled to perform a PCI DSS audit.

Companies with a high volume of transactions (level 1) require a Report on Compliance (RoC).

AoC = Attestation of Compliance

CDE = Cardholder Data Environment

Each PCI DSS document is valid for one year and must then be renewed. If it is not renewed in time, it is flagged in yellow for 90 days, a grace period in which it can still be renewed.

PCI DSS is enforced through contractual relationships between merchants and their banks.

How can you check whether a service provider is up to date on PCI DSS?

Card payment companies publish on their websites a list of their service providers that are PCI compliant.

Links to lists of PCI compliant service providers:

  • Mastercard (then download PDF under “The Mastercard SDP Compliant Registered Service Provider List”)
  • Visa

PCI DSS Documentation

You can find the official documentation related to PCI DSS on this external link.

PCI DSS Qualifications

There are different certifications related to PCI DSS. The full list can be found on this external link.

Qualifications featured on this post:

  • ISA
  • QSA
  • Approved Scanning Vendors

ISA

Internal Security Assessor (ISA)

Certification official link

Official training link

QSA

Qualified Security Assessor (QSA)

Certification official link

Approved Scanning Vendors

Approved Scanning Vendors (ASV) are vendors certified by the PCI SSC that can be hired by organizations audited for PCI DSS to perform vulnerability scans, as required by PCI DSS in specific circumstances.

You can find a list of ASVs on this external link.

Certification official link
