PCI FAQ

Questions & answers about PCI

What is the PCI DSS?

The PCI Data Security Standard (PCI DSS) was defined on the basis of existing security standards from VISA and MasterCard and has since been adopted and recognized by all well-known credit card companies as a common standard. It defines specific requirements for the different areas of payment card processing which must be met by merchants, service providers, payment application vendors, acquiring banks and processors. For more information, please refer to the website of the PCI Security Standards Council.
What are the objectives of the standard's security requirements?

The standard includes security requirements that pursue the following objectives:

  1. Establishment and operation of a protected network
  2. Protection of stored and transmitted cardholder data
  3. Establishment and operation of a vulnerability management system
  4. Implementation of effective access control policies
  5. Regular monitoring and review of the IT infrastructure
  6. Formulating and enforcing an information security policy
Which security requirements does the standard comprise?

PCI DSS comprises twelve security requirements. Organizations are considered PCI-compliant if they meet the following requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Change the default passwords and security settings specified by manufacturers
  3. Protect stored cardholder data
  4. Encrypt the transmission of cardholder data across public networks
  5. Use and regularly update anti-virus software
  6. Develop and use secure systems and applications
  7. Restrict access to cardholder data according to business information needs
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to network resources and cardholder data
  11. Regularly review security systems and procedures
  12. Establish a company policy with information security guidelines for employees and contractual partners

Which credit card organizations accept certification according to the PCI Data Security Standard?

Almost all large credit card organizations, such as VISA, MasterCard, American Express, JCB and Discover, accept certification according to the PCI Data Security Standard.

Who must be certified according to the PCI Standard?

For e-commerce merchants, service providers and acquirers that store or process credit card data or pass it on to third parties, the credit card organizations have made certification of their systems by accredited providers mandatory.

When do I store, process or forward credit card data?

You store, process or forward credit card data whenever card numbers or validity data of customer credit cards arrive on your IT systems, whether to be stored there or to be passed on to third parties. The duration of the processing (short-term or long-term storage, processing or forwarding) does not matter; what is decisive is that customer-specific credit card data is received on your IT systems. You are exempt from certification according to the PCI Data Security Standard only if you can state with certainty that you neither receive, process nor forward customer credit card data on your IT systems.
I work together with a payment service provider which has taken over all settlement tasks for me. Do I still have to be certified according to the PCI Security Standard?

If you store credit card data on your systems or forward it via your systems, you are required to be certified. If you are not sure, please ask your acquirer or our PCI Competence Center.

Does MasterCard or VISA provide information online regarding the topic of PCI?

According to what guidelines is a merchant and/or service provider classified?

The merchant and/or service provider is classified according to the guidelines of the credit card organizations. An essential factor for the classification is the annual transaction volume. Detailed information can be found here: MasterCard / VISA / American Express.

Self-Assessment Questionnaire (SAQ)

Do all questions of the Self-Assessment Questionnaire have to be answered?

Yes, all questions have to be answered, otherwise the questionnaire will not be accepted. In general, the questions should be answered with YES or NO. In some exceptional cases, a question may be answered with N/A (not applicable); in that case, a written justification is mandatory. If you have difficulty understanding a question or require further support, please contact our usd PCI Competence Center.
Which topics does the Self-Assessment Questionnaire include?

The Questionnaire addresses the 12 main requirements of the PCI Data Security Standard (PCI DSS).

Contact

Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form

Benedikt Krümmel
usd Technical Sales Consultant,
PCI Professional