Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

  • Applies to any organization involved in payment card processing
  • The minimum set of requirements for protecting account data
  • Validation and reporting requirements defined by payment brands

Report on Compliance (RoC)

Attestation on Compliance (AoC)

Qualified Security Assessor (QSA)

Payment Application Data Security Standard (PA-DSS) / Payment Card Industry Software Security Framework (PCI SSF)

PA-DSS and PCI SSF define the security requirements and assessment procedures for software vendors of payment applications. The standard and framework apply to software vendors and applications participating in the authorization and settlement process.

  • Validated applications help maintain PCI DSS compliance
  • Two standards applicable to applications (licensed or off-the-shelf) and to software development companies
  • Not applicable to in-house, single-customer or mobile applications

Remediation and Technological Support

Report on Validation (RoV)

Attestation on Validation (AoV)

Payment Card Industry 3-D Secure (PCI 3DS)

The PCI 3DS standard defines physical and logical security requirements and assessment procedures for entities performing or providing 3DS functions. The standard comprises a minimum set of requirements for protecting 3DS sensitive data, based on 14 principles structured into more than 200 requirements.

The standard applies to all entities that provide the following functions:
  • 3DS Server (3DSS)
  • 3DS Directory Server (DS)
  • 3DS Access Control Server (ACS)

Formal Assessment of Compliance

3DS Report on Compliance (RoC)

3DS Attestation on Compliance (AoC)

Payment Card Industry Point-to-Point Encryption (PCI P2PE) / NESA

P2PE (and NESA) define the requirements and testing procedures for point-to-point encryption (and non-listed encryption solution assessment). Encryption protects customers' account data from the point of interaction (within the encryption environment where account data is captured) to the point where that data is decrypted inside the decryption environment, effectively removing clear-text account data between these two points. P2PE applies to P2PE solution providers, payment application vendors and component providers.

P2PE component providers may validate the following services they provide:

Encryption Management Services (EMS)
  • Encryption Management Component Provider (EMCP)
  • POI Deployment Component Provider (PDCP)
  • POI Management Component Provider (PMCP)

Decryption Management Services (DMS)
  • Decryption Management Component Provider (DMCP)

Key Management Services (KMS)
  • Key Injection Facility (KIF)
  • Key Management Component Provider (KMCP)
  • Key Loading Component Provider (KLCP)
  • Certification Authority/Registration Authority (CA/RA)

6 Domains, more than 1500 Requirements

Report on Validation (P-RoV)

Attestation on Validation (P-AoV)

Remediation and Technological Support

Industry Standard Encryption Requirements

Payment Card Industry PIN Security (PCI PIN)

The PCI PIN Security standard contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals.

  • PIN Security applies to all entities involved in PIN processing, including ATM and POS transactions
  • Validation and reporting requirements are defined by payment brands
  • PIN Security assessments must be performed by PCI-validated QPA companies

7 Control Objectives, more than 300 Requirements

PIN Security Report on Compliance (RoC)

PIN Security Attestation on Compliance (AoC)

Payment Card Industry Token Service Providers (PCI TSP)

The PCI TSP is a Payment Card Industry standard for entities providing services as a Tokenization Service Provider. A TSP is an entity that provides registered token requestors, such as merchants holding the card credentials, with 'surrogate' PAN (Primary Account Number) values (or 'payment tokens'). These tokens can only be used in specific domains, such as the merchant's website, or more recently in pre-defined channels, such as via a mobile device making an NFC (near field communication) payment.

  • Applies to all entities performing services as a Tokenization Service Provider
  • Validation and reporting requirements defined by payment brands
  • Assessments are performed by a QSA (P2PE, 'Point-to-Point Encryption')

QSA P2PE

TSP Report on Compliance (RoC)

TSP Attestation on Compliance (AoC)
