About Payment Card Industry
We have put together a Q&A to help merchants using Microsoft Dynamics learn about Payment Card Industry (PCI) and secure payment processing.
What is PCI?
The Payment Card Industry (PCI) Data Security Standards (DSS) are international, technical, and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect credit card data. To learn more, visit their website: https://www.pcisecuritystandards.org/.
What is PA-DSS?
PA-DSS is the acronym for the Payment Application Data Security Standard, which defines security requirements and assessment procedures for software vendors of payment applications. Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must still be implemented in a PCI DSS compliant environment.
Who does PCI apply to?
The PCI standards apply to all entities that store, process, or transmit credit card data. This includes merchants, software developers, and manufacturers of the applications and devices used in those transactions. In general, the PCI Security Standards include:
- PCI Data Security Standard (PCI DSS)
- PIN Transaction Security Requirements (PTS)
- Payment Application Data Security Standard (PA-DSS)
- PCI Point-to-Point Encryption Standard (P2PE)
What is a merchant?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
What is a service provider?
A business entity that is not a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, etc. as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
What is a payment application?
In the context of PA-DSS (Payment Application Data Security Standard), a payment application is a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the application is sold, distributed, or licensed to third parties.
What is a vulnerability scan?
A vulnerability scan is an automated assessment, performed by a scanning tool, of a merchant's or service provider's systems for flaws or weaknesses which, if exploited, may result in an intentional or unintentional compromise of a system or its data. Vulnerability scans help in validating PCI DSS compliance. PCI DSS Requirement 11.2 requires that external vulnerability scanning be performed quarterly by an Approved Scanning Vendor (ASV). The ASV must be qualified by the PCI SSC.
What is an Approved Scanning Vendor (ASV)?
An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer meets the PCI DSS external vulnerability scanning requirement 11.2. ASVs are qualified by the PCI Security Standards Council to perform external network and system scans required by PCI DSS. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider, if agreed by the ASV and their customer.
What is a SAQ?
The Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment, if they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be required to state the future remediation date and associated actions. There are different SAQs available to fit different merchant environments. If you're not sure which SAQ applies to you, contact your acquiring bank or payment card brand for assistance.
How can Nodus help companies maintain PCI Compliance?
All of Nodus' solutions are PA-DSS certified. Nodus tests every new version of our products before we release it to the public. In addition, we offer off-premises storage methods through PayFabric that remove all sensitive payment information from your local environment.
For additional reading, check out our whitepaper: PCI Compliance: What It Is and How to Maintain It: https://www.nodus.com/pci-compliance-what-it-is-and-how-to-maintain-it/