PCI DSS

What is the PCI DSS standard?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to protect cardholder data, as well as other sensitive authentication information, during its processing, storage and/or transmission.

The current major version is PCI DSS 4.x: version 4.0 was published in March 2022, a limited revision, 4.0.1, followed in June 2024, and the requirements that 4.0 had marked as future-dated became mandatory on 31 March 2025. Compliance is not a law but a contractual obligation: the card brands impose it, through the acquiring banks, on every organisation that stores, processes or transmits cardholder data. Failing to comply can lead to fines, higher transaction fees and, ultimately, the loss of the ability to accept card payments.

Background before PCI DSS

Before the first version of PCI DSS existed, each card brand ran its own security programme, such as Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP) programme. Each programme defined its own security controls, compliance reporting processes and penalties for non-compliance.

This meant that businesses handling cards from multiple brands had to comply with several different security programmes at once, resulting in duplication, inconsistencies and overlapping requirements.

Requirements to comply with PCI DSS

With the introduction of PCI DSS (first published in December 2004 by American Express, Discover, JCB, Mastercard and Visa, who went on to form the PCI Security Standards Council in 2006), all requirements were unified under a single security standard. The standard comprises 12 requirements grouped into six control objectives; in summary, they demand:

  • Network security controls (firewalls and equivalent mechanisms) that segment the cardholder data environment (CDE) from the rest of the network and block unauthorised access

  • Protection of account data: strong cryptography for stored PANs, masking of the PAN when it is displayed, encryption of cardholder data in transit over open, public networks, and never storing sensitive authentication data (full track data, card verification code, PIN) after authorisation

  • Access controls that restrict access to cardholder data on a need-to-know basis, with a unique ID for every user and multi-factor authentication for all access into the CDE

  • Logging and monitoring of all access to network resources and cardholder data, so that suspicious activity can be detected and investigated

  • Regular security testing: quarterly internal and external vulnerability scans and at least annual penetration testing, plus change-detection on payment pages

  • Authentication and password policies: under v4.0 passwords must be at least 12 characters (8 where a system cannot support 12), with rotation or risk-based controls where a password is the only factor

These sit alongside a vulnerability management programme (anti-malware, secure development and timely patching) and a maintained information security policy. Together, these elements form a comprehensive framework that protects against threats such as data theft and fraud. Note that PCI DSS is a card-brand standard, not a regulation: it complements, but does not substitute for, legal obligations such as PSD2's strong customer authentication requirements.
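Requirement 3 is where many real-world failures happen: the full PAN ends up in application logs, crash dumps or debugging output that was never meant to hold it. As an added illustration (example code written for this page, not PaynoPain's software), the following Python scanner finds candidate card numbers in log lines by combining a digit-run pattern with the Luhn mod-10 check, then rewrites each hit with the first-six/last-four mask that PCI DSS allows for display. The log lines, the order ID and the card numbers are constructed test data (the latter are the public Visa and Mastercard test PANs), not real accounts.

```python
"""Detect and mask primary account numbers (PANs) leaked into log lines.

Added example for this page (not production or PaynoPain code). Candidate
numbers are 13-19 digit runs, optionally separated by spaces or dashes,
that pass the Luhn mod-10 check; each hit is rewritten as first six digits,
asterisks, last four digits. Sample log lines and card numbers below are
constructed test data.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, each optionally followed by a single space or dash, with
# no digit immediately before or after (so we always see a whole digit run).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if `digits` passes the Luhn (mod-10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(match_text: str) -> str:
    """Return the digit-only PAN if the match is a plausible card number, else ''."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return ""


def find_pans(line: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in one log line."""
    candidates = (_as_pan(m.group(0)) for m in CANDIDATE_RE.finditer(line))
    return [pan for pan in candidates if pan]


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with each PAN replaced by its mask, and the number of hits."""
    hits = 0

    def _sub(m: re.Match) -> str:
        nonlocal hits
        pan = _as_pan(m.group(0))
        if not pan:
            return m.group(0)   # e.g. an order ID that fails Luhn: leave it alone
        hits += 1
        return mask_pan(pan)

    return CANDIDATE_RE.sub(_sub, line), hits


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a whole log; returns (redacted lines, total PANs masked)."""
    redacted, total = [], 0
    for line in lines:
        new_line, hits = redact_line(line)
        redacted.append(new_line)
        total += hits
    return redacted, total


# Constructed sample log. The 16-digit order ID fails Luhn and must be left
# alone; the two card numbers are the public Visa/Mastercard test PANs.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO checkout order=1234567890123456 amount=19.99",
    '2024-05-01T10:00:01Z DEBUG gateway body={"pan":"4111 1111 1111 1111","exp":"12/26"}',
    "2024-05-01T10:00:02Z WARN retry pan=5555-5555-5555-4444 attempt=2",
    "2024-05-01T10:00:03Z INFO health ok",
]

if __name__ == "__main__":
    clean, n = scan_log(SAMPLE_LOG)
    print(f"masked {n} PAN(s)")
    for line in clean:
        print(line)
```

The Luhn check is what keeps the false-positive rate workable: plenty of 16-digit identifiers (order numbers, session IDs) appear in logs, and only about one in ten random digit strings passes mod-10. A scanner like this belongs in the log pipeline as a detective control, but the preventive fix is upstream: the application should never have had the PAN in a loggable structure in the first place. Under v4.0 the display limit is expressed as the BIN plus the last four digits, so an issuer using 8-digit BINs may legitimately show more; the six-digit prefix used here is the conservative choice that satisfies both readings.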

PCI DSS compliance levels

PCI DSS itself does not define compliance levels; each card brand does, based on the number of transactions it sees from an entity each year. Visa's merchant levels, which the other brands broadly mirror, are:

  • Level 1: more than 6 million transactions a year (or any merchant the brand assigns to Level 1, typically after a breach)

  • Level 2: 1 to 6 million transactions

  • Level 3: 20,000 to 1 million e-commerce transactions

  • Level 4: fewer than 20,000 e-commerce transactions, and all other merchants up to 1 million transactions

Service providers such as payment gateways and processors are classified separately: Level 1 above 300,000 transactions a year, Level 2 below.

Merchants at Levels 2, 3 and 4 must complete:

  • The SAQ (Self-Assessment Questionnaire) whose type matches how they handle card data

  • A quarterly external vulnerability scan performed by an ASV (Approved Scanning Vendor)

  • An AOC (Attestation of Compliance)

Level 1 merchants and Level 1 service providers face stricter validation and a longer, on-site audit process. Besides the quarterly ASV scans and an AOC, they must submit an annual ROC (Report on Compliance) prepared by a QSA (Qualified Security Assessor); a Level 1 merchant may instead have the ROC produced by its own ISA (Internal Security Assessor). The level only determines how compliance is demonstrated, not which requirements apply: every entity in scope must meet the whole standard.

PaynoPain and PCI DSS

At PaynoPain, as a payment solutions provider, we have spent more than 15 years ensuring full compliance with PCI DSS Level 1, one of the highest security standards in the industry. We are also certified under ISO 27001, which ensures the implementation of an Information Security Management System (ISMS) that protects the confidentiality, integrity and availability of information.
