PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) outlines mandatory security measures for all organizations handling cardholder data, ensuring the safe storage, processing, and transmission of this sensitive information.
To process credit card transactions through Worldline you must achieve and maintain PCI DSS compliance. This policy guides you on how to:
- Become compliant
- Remain compliant and demonstrate it to Worldline
- Understand the different validation levels
- Select the suitable Self-Assessment Questionnaire (SAQ)
- Respond to a card data breach
Scope
You must annually report your compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our goal is to simplify your path to achieving and sustaining this compliance, safeguarding your business and customers from the repercussions of a card data breach. Compliance is obligatory for all entities accepting credit cards, including various payment methods such as in-store, mail/telephone orders, and e-commerce.
Failing to report your compliance status each year can lead to substantial fines or penalties from the card brands, which may be passed on to you, and can ultimately result in the loss of your ability to accept cards. You are responsible for any fines, charges, or penalties incurred because of non-compliance with PCI DSS.
This policy follows PCI DSS version 4, which has been mandatory since 31 March 2024 (version 3.2.1 was retired on that date); before then, assessing against version 4 was optional.
Stakeholders
- PCI SSC
- Payment processors
- Service providers
- Merchant (you)
- Consumer (your client)
- Payment brands
PCI SSC
The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to create and promote data security standards and resources, ensuring secure payment transactions globally. Founded in 2006 by the major payment card companies, the council has hundreds of participating organizations representing merchants, banks, processors, and vendors worldwide.
The PCI SSC manages the standards, certifies assessors, and lists validated hardware and software for payment processing. The card brands define the rules regarding the actual requirements for merchant compliance.
Payment processors
You can choose from various types of businesses to handle your payment processing. Payment service providers, payment facilitators, and acquirers all play a role in the same process: together they form the chain that carries a transaction from the cardholder, through you (the merchant), to the card network and the cardholder's issuing bank.
Service providers
Any entity you engage to participate in payment processing is considered a service provider. This includes your payment processor, the company hosting your payment servers (whether cloud-based or physical), and the developers of your payment processing software (for POS systems or websites). While you can outsource these functions, you remain responsible for compliance. If your service provider is itself PCI DSS validated, you do not need to assess their services yourself, but you must keep a record of their compliance status (for example a copy of their Attestation of Compliance) and check it at least once every 12 months, as PCI DSS requirement 12.8 demands. If they are not validated, your own compliance assessment must cover their services as if you were performing them yourself.
Merchant (you)
You are any entity that accepts payment cards bearing the logo of a card brand that requires PCI DSS compliance.
Consumer (your client)
The cardholder purchasing the goods or services.
Payment brands
A payment brand refers to any card company that mandates compliance with the PCI DSS, such as Visa, Mastercard, and various other card brands.
Goals of the PCI Data Security Standard
- Build and maintain a secure network and systems
- Protect account data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The full standard and other documents can be found on the official PCI SSC website.
Importance of PCI DSS compliance
Compliance with PCI DSS brings major benefits to your business, while failure to comply can have serious and long-term negative consequences. Here are the key benefits for your business:
- Protected financial data
- Increased customer confidence with a higher level of data security
- Maintained customer trust and safeguarded reputation
- Avoided risk of financial penalties
Compliance is a continuous process, not just a one-time achievement. It's essential for preventing security breaches and protecting payment card data, both now and in the future, because:
- You want to stay ahead of the threats as data compromise becomes ever more sophisticated
- You'll benefit from continuous improvements to PCI Security Standards
- There's a possibility of training your security professionals
- When you stay compliant, you're part of the solution – a united, global response to fighting payment card data compromise
Indirect benefits of compliance:
- You'll be better prepared to comply with other regulations (such as HIPAA, SOX, etc.)
- You'll be supporting information security management
It's important that you ensure and maintain tighter security around operations and the storing and transmitting of card data to avoid the following:
- Fraud losses
- Harm to your business
- Card-reissuance costs (these are passed to you)
- Cardholder inconvenience
- Loss of consumer confidence
- Adverse publicity, brand and reputational damage.
How to become and stay PCI DSS compliant
Assess
Start by identifying everywhere your systems interact with cardholder data: every system, network segment, process and person that stores, processes or transmits it, plus any system that is connected to, or could affect the security of, those systems. That is the scope of your assessment. If a service provider performs any activity on your behalf, make sure they're PCI DSS compliant; if they're not, include their services in your assessment as if you performed them yourself.
If your business has any IP addresses accessible from the internet, like online shops or IP-connected terminals, you might need to have ASV (Approved Scanning Vendor) scans performed at least every three months. These scans check your externally reachable systems for security weaknesses.
If these scans are required, you must have a passing scan for each quarter of the year before your assessment date. If you fail a scan, fix the issue and rescan until you get a passing result. Once you know the extent of what needs to be checked, you can choose the right way to report your compliance, as explained in the following section.
Determine Self-Assessment Questionnaire
Unless you are a level 1 merchant (who must complete a Report on Compliance instead), you complete a Self-Assessment Questionnaire (SAQ): a validation tool that assists you in self-evaluating your compliance with the PCI DSS. You need to fill out one of the questionnaires below. Which one depends on your business model and technical implementation.
SAQ | HOW DO YOU ACCEPT PAYMENT CARDS? |
---|---|
A | Card-not-present (e-commerce or mail/telephone-order) merchants that have fully outsourced all cardholder data functions to PCI DSS validated third parties, with no electronic storage, processing, or transmission of cardholder data on your own systems or premises. Not applicable to face-to-face channels. |
A-EP | E-commerce merchants that partially outsource their payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their own systems or premises. |
B | Imprint-only merchants with no electronic cardholder data storage, or merchants with standalone, dial-out terminals and no electronic cardholder data storage. |
B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. |
C-VT | Merchants that manually enter one transaction at a time via a keyboard into a web-based virtual terminal hosted by a PCI DSS validated third party, with no electronic cardholder data storage. |
C | Merchants with payment application systems (for example POS systems) connected to the Internet, with no electronic cardholder data storage. |
D | All merchants not covered by the descriptions for SAQ A through C above. |
Description of SAQs (Self-Assessment Questionnaire)
SAQ A
SAQ A is the assessment for you if:
- You are an e-commerce or mail/telephone-order merchant (card-not-present);
- You have completely outsourced all cardholder data functions to PCI DSS validated third parties, and retain only paper reports or receipts with cardholder data; and
- You do not store, process, or transmit any cardholder data in electronic format on your systems or premises.
By attesting to SAQ A, you confirm that, for this payment channel:
- your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
- All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
- Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.
Additionally, for e-commerce channels:
- The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).
Applicable for you if you use the following services:
- MyCheckout hosted payment pages - the consumer is redirected to the MyCheckout hosted payment pages. The payment forms are entirely provided by our payment servers.
- iOS SDK, Swift SDK, Android SDK - the payment data in the consumer's app is encrypted with a key that the consumer's device obtains from our platform, sent to you and relayed to our platform. SAQ A applies, together with section 6 of SAQ D. Please validate this with your account manager.
SAQ A-EP
SAQ A-EP is the assessment for you if you are an e-commerce merchant and:
- Your website(s) does not itself receive cardholder data, but does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data; or
- You partially outsource your e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on your own systems or premises.
By attesting to SAQ A-EP, you confirm that, for this payment channel:
- Your company accepts only e-commerce transactions;
- All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor;
- Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
- Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems);
- If your website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
- All elements of payment pages that are delivered to the consumer's browser originate from either your own website or a PCI DSS compliant service provider(s);
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
- Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
- Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.
Applicable to you if you use the following services:
- JavaScript SDK - the payment data in the browser of the consumer is encrypted with a key obtained by the consumer's device from our platform, sent to you and relayed to our processing site.
SAQ B
SAQ B is not described in detail because Worldline offers no products to which it applies.
SAQ B-IP
SAQ B-IP is not described in detail because Worldline offers no products to which it applies.
SAQ C-VT
If you process cardholder data only via isolated virtual terminals on personal computers connected to the Internet, you must complete SAQ C-VT.
A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where you manually enter payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in environments with low transaction volumes.
You process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle your transactions.
This SAQ option is intended to apply only to you if you manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.
SAQ C-VT applies to both brick-and-mortar (card-present) and mail/telephone-order (card-not-present) merchants.
By attesting to SAQ C-VT, you confirm that, for this payment channel:
- Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
- Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
- Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
- Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
- Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
- Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
- Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
Applicable to you if you use the following services:
- Call Center Application - the call center employee is opening the payment forms of Worldline in a browser. The payment forms are entirely provided by our payment servers.
SAQ C
If your payment application systems (for example, point-of-sale systems) are connected to the Internet (for example, via DSL or cable modem), you must complete SAQ C.
SAQ C applies if you process cardholder data via a point-of-sale (POS) system or other payment application system connected to the Internet, do not store cardholder data on any computer system, and are either a brick-and-mortar (card-present) or a mail/telephone-order (card-not-present) merchant.
By attesting to SAQ C, you confirm that, for this payment channel:
- Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
- The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
- The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
- Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
SAQ D
If you do not meet the criteria for any other SAQ type, you complete SAQ D.
Examples of environments that use SAQ D may include but are not limited to:
- E-commerce: if you accept cardholder data on your website.
- If you have an electronic storage of cardholder data
Applicable to you if you use the following services:
- REST API - you do not use Worldline MyCheckout (the hosted payment pages), the Android SDK, the iOS SDK or the JavaScript SDK, and instead send payment requests to our platform through the REST API interface.
Report
The PCI DSS is the only standard you need to report on. It contains many requirements, but only some of them may apply to your kind of business. To help merchants report how they meet these requirements, the PCI Security Standards Council (PCI SSC) offers two types of compliance reports:
- Report on Compliance (ROC) – this report covers every requirement in the standard. It's used by any business that must undergo a full assessment.
- Self-Assessment Questionnaires (SAQs) – these templates cover only the rules relevant to particular merchant payment environments. They include different templates for handling e-commerce and in-person payments.
If the selected report template requires ASV scanning, it will be included in the list of requirements that you must meet. You'll be required to provide us with evidence of your compliance annually, which will be one of the following:
- a copy of the Attestation of Compliance (AOC) for your Report on Compliance (ROC), or
- a copy of the completed SAQ covering the assessment, and
- if applicable, a copy of the latest passed ASV scan report
Which reporting templates can you use?
If you process over 6 million transactions annually, you must document your assessment in a Report on Compliance (ROC). It needs to be signed by a Qualified Security Assessor (QSA) from outside your company or by an employee who is certified as an Internal Security Assessor (ISA).
Other merchants might be eligible to do a self-assessment and report their compliance using a Self-Assessment Questionnaire (SAQ). You can find information about the different SAQ types on the PCI Security Standards Council (PCI SSC) website.
Approved Scanning Vendor (ASV)
If you have an internet-facing IP address, you must perform a network scan by Approved Scanning Vendor (ASV). The SAQ type applicable to your business will contain the requirement to undertake ASV scanning if it's required. For more information, see the list of Approved Scanning Vendors.
Qualified Security Assessor (QSA)
If your business is classified as a level 1 merchant, meaning it processes over 6 million transactions a year, your Report on Compliance (ROC) must be completed by a Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA) employed by your company. For more details, check the Qualified Security Assessors list.
What to do in case of a suspected breach
Being PCI DSS compliant reduces the chance of credit card data being stolen or used fraudulently. However, even with compliance, a security breach might still happen or be suspected due to human error, internal fraud, or previously unknown vulnerabilities. In that case, you need to take the measures described below.
Suspected breach notification
Initiated by you
If you suspect a credit card breach, you must immediately inform your acquirer, payment service provider, and card brands. You can send a suspected breach notice related to Worldline through your account manager.
Initiated by the card brands: Common Point-of-Purchase (CPP) report
The credit card companies will check if all the cards reported for fraudulent activity were used at the same merchant during a specific period of time. This test is called Common Point of Purchase (CPP), which helps identify the card breach source. You might get a CPP report from your acquirer or payment service provider.
When you receive a CPP report, act fast and talk directly with your acquirers and payment service providers. Quick action can reduce the financial losses and the damage to your business caused by the card breach. Also, do not do anything that could destroy evidence needed for a later forensic investigation: do not wipe, reimage, restore or decommission the systems involved, and preserve logs before they are rotated or overwritten.
Further investigation (if required)
You might need to engage a PCI Forensic Investigator (PFI). The PFI will look into where the suspected breach happened in your system, how much data was compromised, and what steps you need to take to fix it. You can find a qualified PFI company on the PCI Security Standards Council's list.
Mitigation
If a PCI Forensic Investigator (PFI) finds that there has been a data breach, it's crucial to act quickly to reduce or stop the ongoing risk. Waiting too long can worsen the breach and lead to bigger fines from the credit card companies. Usually, these fines are passed from the acquirer to the payment service providers and then to you.