General

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard, often shortened to PCI) is the card brands' security standard, with strict requirements for the careful and secure handling of credit card data. The standard is maintained by the PCI Security Standards Council, which was founded by the five major card brands (American Express, JCB, MasterCard, Discover Financial Services and Visa), and is enforced through those brands' rules. It consists of security requirements grouped under the following six objectives:

  1. Setting up and maintaining a protected network
  2. Protecting stored and transmitted cardholder data
  3. Setting up and maintaining a vulnerability management programme
  4. Implementing effective guidelines on access control
  5. Regular monitoring and testing of the IT infrastructure
  6. Developing and enforcing an information security policy

What are the PCI DSS requirements?

PCI DSS consists of twelve security requirements. An organisation is PCI DSS compliant only if it meets all of them:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel and contract partners

Who has to be PCI DSS compliant?

Every business that accepts credit card payments must comply with the card brands' security requirements (PCI DSS). Businesses have to prove compliance regardless of their size or the number of annual credit card transactions; size and transaction volume only determine how compliance is validated (self-assessment questionnaire or on-site assessment), not whether it has to be validated.

Are there penalties for non-compliance?

Businesses that do not comply with PCI DSS can be fined by the credit card associations or their acquirer (merchant bank or payment service provider) and face refusal of service or cancellation of their credit card acceptance contract. Furthermore, non-compliant businesses are liable for damages in case of theft or compromise of their customers' credit card data.

What are the advantages of satisfying PCI DSS requirements?

The binding IT security requirements of PCI DSS were introduced to curb payment card fraud. There are several advantages to rigorous security measures when processing payment card data:

  • Improved data security and customer protection
  • Increased customer confidence, which can help raise the number of credit card payments and overall turnover
  • Improved protection against financial damages and indemnity payments
  • Protection of your company's image
  • Evaluation of security level of systems that store, process and/or transmit cardholder data
  • Minimising the cardholder data you store, or not storing it at all, reduces your company's risk
  • Network segmentation reduces costs of maintaining PCI compliance

What does "compliant" mean?

Businesses that can prove PCI DSS compliance obtain a compliance certificate. These businesses have successfully demonstrated that they know and meet the card brands' security requirements for handling credit card data. They thereby acquire the status PCI DSS "compliant" and are protected under the so-called "Safe Harbour Rule": in case of data theft or compromise, such a business can be partially or fully released from fines by the card brands or the acquirer once a forensic investigation has been conducted.

Why do I have to validate secure handling of credit card data (PCI DSS)?

Your business offers credit card payments and therefore has to prove compliance with PCI DSS. For this reason your acquirer has contacted you to ask for proof of compliance.

How often do I have to validate PCI DSS compliance?

PCI DSS compliance has to be validated at least once a year. Since validation of PCI DSS compliance involves documenting the current state of credit card processing in your business, you are required to update your compliance validation every time a change occurs to the technology or the ways in which you accept and process card payments, regardless of when you last validated PCI DSS compliance. You are required to maintain compliance with PCI DSS at any time.

I outsourced processing of credit card transactions to a third-party service provider. Why do I still have to validate PCI DSS compliance?

Even if you have outsourced storing, processing and transmission of cardholder data to a third-party service provider, you have to validate PCI DSS compliance in order to document that your service provider is PCI compliant, and that you regularly verify your service provider's PCI status. Your acquirer generally requires you to provide a PCI DSS self assessment in which you document the ways in which you process credit card payments and validate compliance with the card associations' security requirements.

How can I verify if my service provider is PCI DSS compliant?

The card brands MasterCard and Visa each publish an online list of PCI DSS compliant service providers (Visa's Global Registry of Service Providers and MasterCard's list of compliant registered service providers). Check that your provider is listed and that the listed services cover the ones you actually use.

You can also contact your service provider directly to request their PCI DSS Attestation of Compliance (AOC). The AOC should be signed, dated within the last twelve months and list the services your business uses; an AOC that covers only some of the provider's services does not prove that the service you rely on was assessed.

My service provider informed me that I do not need to validate PCI DSS compliance.

Any business that offers credit card payments is required to comply with PCI DSS and validate compliance. If you have outsourced credit card processing to a PCI DSS compliant service provider and do not store, process or transmit credit card data on your own IT systems, you are eligible for a simplified validation process.

Why do I have to address credit card payments through a different acquirer in my PCI DSS compliance validation?

You validate secure handling of cardholder data for your business, regardless of who your acquirer is. Accordingly, the compliance certificate serves as a universal proof of your business's secure handling of cardholder data.

Registration

I changed my password and cannot log in anymore.

Please review your login data:

  • Have you entered the same email address you provided as your user name?
  • Have you taken into account that the password is case sensitive?
  • Did you accidentally include a blank space?

If you have verified that you are using the correct login data and still cannot log in, please click on "Request new password".

I cannot log in with the login data you sent me (initial data).

Have you already registered on the PCI DSS platform? If you have, the initial login data we sent you is no longer valid. Please use the email address you provided as your user name (at which you also receive the reminder emails) and the personal password you created. If you have not yet used the initial data but cannot log in, please contact the PCI Competence Center.

I forgot my password. What can I do?

Please request a new password via the PCI DSS platform. Click on "Request new password" and enter the email address you have already provided as your user name. We will send you an email with your new password.

How many contacts can be specified on the platform?

You can provide one specific contact person responsible for PCI during your registration on the platform. Should you need to specify a different contact or multiple contacts later on, please contact the PCI Competence Center.

Master Data

Which business locations do I have to specify?

Please specify the location(s) for each branch of your business that requires you to provide proof of PCI DSS compliance.

What is payment processing software?

Payment processing software is a computer program that runs on your own IT systems and processes your customers' credit card payments. It must not be confused with a payment page, which is a payment module of your payment service provider, into which the customers enter their credit card data in order to make a payment. In this case, the credit card data is not stored, processed or transmitted via your own IT systems.

What are third-party service providers?

Third-party service providers are, for example, application service providers (payment gateways), web hosting providers (service providers that offer server space, network and internet connectivity, and maintenance), and payment service providers.

What is an acquirer?

An acquirer, also called merchant bank, is the entity that processes credit or debit card payments on your behalf as part of a credit card acceptance contract. Your payment service provider can act as your acquirer as well.

What is point of sale (POS)?

Point of sale is a payment system in which the customer makes a credit card payment at the merchant's location. The cardholder is verified by PIN or signature. The point of sale can be a stand-alone terminal that is connected to a payment service provider via telephone line, or a payment system that is connected to the register and/or the internet.

What are JCB, CUP and Discover?

JCB (Japan Credit Bureau) and CUP (China UnionPay) are card brands that are prevalent in Asia. Discover is an American card brand.

I do not know the exact amount of my business's annual credit card transactions. What am I supposed to answer?

Please give an estimate of your annual credit card transactions if you do not know the exact amount.

SAQ (Self-Assessment Questionnaire)

Which SAQ applies to me?

Our SAQ selection assistant helps you determine the SAQ applicable to you by asking you specific questions about the ways in which you accept and process card payments in your business.

Why do I have to complete an SAQ?

By completing a self-assessment questionnaire (SAQ), you can validate compliance with PCI DSS.

The questions of SAQ A do not apply to me, since I have outsourced all processing of credit card data. What am I supposed to answer?

You can answer questions that are not applicable to your business with "N/A" (not applicable). Please comment with a short explanation as to why the question is not applicable to your business. The focus of SAQ A lies on the PCI compliance of your payment service provider. You are required to regularly verify that your payment service provider is PCI compliant and validate compliance by completing an SAQ.

I selected SAQ A / The SAQ selection assistant determined SAQ A for me. Why can I not access the SAQ questions?

Since selection of SAQ A always implies that a service provider is used to store, process or transmit cardholder data, please check if the question "Do you use service providers to store, process or transmit cardholder data?" in your master data ("administration", "edit merchant data") has been answered with a yes.

What does "N/A" stand for?

N/A stands for "not applicable" and can be used to answer questions of the SAQ that do not apply to your business. If you select N/A as an answer, you will be asked to provide an explanation as to why the question is not applicable to your business.

What are compensating controls?

If you are unable to satisfy the technical specification of a requirement but sufficiently mitigate the resulting risk in another way, please select "compensating control" as your answer. In this case, you will be asked to provide more detailed information on the compensating security measures after completion of the SAQ. Note that a compensating control must meet the intent and rigour of the original requirement and cannot simply be another control that PCI DSS already requires of you.

Simplified Self Assessment for Hotels

Which hotels are eligible for the simplified self-assessment procedure?

  • The hotel offers only card present transactions (the cardholder is present during the payment process).
  • The hotel has a merchant level of 4, i.e. a maximum of one million Visa card present transactions are carried out per year (NO e-commerce or mail order/telephone order transactions!).

If your hotel meets those criteria, you should automatically be offered the Simplified Self Assessment for Hotels.

What information is needed for the Simplified Self Assessment?

If your hotel is eligible for the Simplified Self Assessment, you will be asked to confirm three statements regarding your handling of credit card data:

  • No sensitive authentication data – neither full track data or chip data, nor CVV/CVV2, nor PIN – is stored electronically after authorisation.
  • No no-show transactions are processed (charges for booked accommodation that is cancelled or not claimed). Should no-show transactions be processed, they are processed exclusively in accordance with the Visa Europe Operating Regulations.
  • Electronic access to credit card data (for example, through booking portals or hotel management software) is not possible. Should electronic access be possible, all vendor-specific default passwords of systems belonging to the cardholder data environment (especially hotel management software) are replaced with secure custom passwords.

Furthermore, you will be required to specify all third party service providers who store, process, and/or transmit cardholder data on your behalf, for example: booking portals, acquirers (merchant banks), payment terminal providers, payment service providers, etc.
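Confirming the first statement above, that no card data sits in your own systems, is usually done by searching log exports, database dumps and backups for primary account numbers. The following script is an added example and not part of the usd AG platform or any PCI SSC tooling: it pairs a digit-pattern regex with the Luhn check digit and a simplified issuer-prefix table (an assumption, not the brands' authoritative BIN ranges) to drop false positives such as booking references, flags lines where a CVV, track or PIN field appears next to the PAN, and reports only masked numbers (first six, last four) so the scan itself does not create another copy of cardholder data. The log lines are constructed; the card numbers are the brands' published test PANs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample standing in for a hotel system log export. The card
# numbers are the public test PANs the card brands publish for integrators,
# not real cards; the booking reference on line 3 is a deliberate near-miss.
SAMPLE_LOG = """\
2024-03-02 10:14:07 booking=48211 card=4111111111111111 exp=12/26
2024-03-02 10:15:12 booking=48212 card=4111-1111-1111-1112 exp=01/27
2024-03-02 10:16:30 order=48213 total=129.00 ref=1234567890123456
2024-03-02 10:17:01 booking=48214 card=5555 5555 5555 4444 cvv=123
2024-03-02 10:18:44 invoice=3782 822463 10005 brand=AMEX
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that suggest sensitive authentication data sits next to the PAN.
SAD_HINT = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]?|pin)\s*=", re.I)


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit test used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Simplified issuer prefix table (assumption: good enough for a first
    pass, not the brands' authoritative BIN ranges)."""
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "Mastercard"
    if 3528 <= p4 <= 3589 and 16 <= n <= 19:
        return "JCB"
    if p2 == 62 and 16 <= n <= 19:
        return "UnionPay"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and 16 <= n <= 19:
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four only; never write the full PAN to a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict]:
    """Return one finding per Luhn-valid, brand-plausible PAN in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue                    # booking refs, typos, random IDs
            brand = card_brand(digits)
            if brand is None:
                continue                    # Luhn-valid but not a card prefix
            findings.append({
                "line": lineno,
                "brand": brand,
                "pan": mask_pan(digits),
                "sad_hint": bool(SAD_HINT.search(line)),
            })
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        flag = "  <-- SAD field on the same line" if f["sad_hint"] else ""
        print(f"line {f['line']}: {f['brand']} {f['pan']}{flag}")
```

A hit on a PAN alone means card data is stored on your systems and the simplified procedure does not apply; a hit with the SAD flag means sensitive authentication data is stored after authorisation, which is prohibited outright and must be purged before you can attest to the statement above.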

Vulnerability scans

When do I have to perform vulnerability scans in order to validate PCI DSS compliance?

If your customers' credit card data is stored, transmitted or processed via your own IT systems, and those systems or systems connected to them are reachable from the public internet, you are required to have an Approved Scanning Vendor (ASV) perform external vulnerability scans of your internet-facing systems at least every 90 days, and again after any significant change to those systems, in order to test for security vulnerabilities. A scan only counts towards validation if it passes, so you should plan time for remediation and a rescan before the 90 days run out.

I have completed SAQ C or D with the status PCI compliant, yet it still says on the platform that I have not obtained the status PCI compliant. What else do I have to do?

Selection of SAQ C or D implies that your customers' credit card data is stored, processed or transmitted via your own IT systems, which might require you to have vulnerability scans performed in order to be PCI compliant. Our PCI Competence Center is happy to help you clarify whether or not this is the case.

I have had vulnerability scans performed by an ASV. Why do I keep being notified that I have not yet obtained the status PCI compliant?

If your ASV informs you that your vulnerability scan passed, this information has not yet been added to your data set on the platform. If you did not have the vulnerability scan performed by the usd AG, you will have to upload and save the vulnerability scan report to the platform yourself. Please log into the PCI platform and upload the Executive Summary Report, which consists of the "Attestation of Scan Compliance" and the "Executive Summary", under the section "Your Scans". Note that the platform needs a passing scan that is no older than 90 days.

Free compliance seal for online shop or website

If you have completed self-assessment questionnaire A, B or C-VT and obtained the status PCI compliant, you are welcome to embed a compliance seal in your online shop. The seal is provided to you free of charge by your acquirer's partner, the usd AG. Please use the link under section "PCI DSS vulnerability scans" to register with the usd AG. Should you have any questions, please contact the usd AG's PCI Competence Center at +49 6102 8631-90 or pci@usd.de