For card payments on e-commerce websites to be trustworthy, the payment solution must implement and maintain very strict security standards. Securing card transactions is a highly sensitive matter: any vulnerability will eventually be exploited by cybercriminals.
Compliance with the PCI-DSS standard helps counter those vulnerabilities and protects cardholders' data.
PayPlug has been PCI-DSS certified since 2016 (currently version 3.2); the certification is renewed every year. PayPlug is also listed in the register published annually by Visa Europe, the latest version of which is available here.
The ROC (Report on Compliance) is also available to banks and acquirers that request it.
What is PCI-DSS certification?
PCI-DSS certification is based on a set of technical and operational requirements and procedures. The standard's aim is to protect card data and all sensitive information that is processed, transmitted or stored. It covers, among others, financial institutions and their needs in terms of infrastructure and IT software.
These requirements are established by the PCI Security Standards Council, whose founding members are American Express, Discover, JCB, MasterCard and Visa.
The Council's mission is to disseminate, develop and improve the PCI-DSS security standards for the card payment sector.
The procedures and control points required by PCI-DSS are essential to protect payments on e-commerce websites, in particular the card number, the cardholder's name and the security code (CVV).
The main goals of the PCI-DSS standard are the following:
- Build and maintain a secure network and infrastructure
- Protect cardholder data
- Maintain a vulnerability management programme: this means permanently looking for security flaws in the network infrastructure and servers, covering devices, software, processes and configuration standards
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
List of requirements

1. Install and maintain a firewall
« Payment card data travels over IT networks. A firewall is software and/or a device that enforces the network security policy by defining which types of communication are permitted on the network. » Firewalls can be deployed at every component of the network.

2. Do not use vendor-supplied default configurations or passwords
The easiest way to break into a network is often to identify, with specific tools, the type of device or server in use and then try its default configuration and password. It is therefore essential to change and secure all default passwords and configurations.

3. Protect stored card data
Card data must not be stored unless strictly necessary, and the security code must never be stored after authorisation. Wherever the card number is stored or displayed it must be rendered unreadable, typically by truncation (the « card mask »: at most the first six and the last four digits remain visible).

4. Encrypt the transmission of card data across networks
Encryption is required so that card data in transit can never be read by cybercriminals.

5. Protect systems against malware and viruses by keeping protection software up to date
Using such software on every device of the payment solution, and updating it continuously, is essential to prevent malware intrusion and the infection of computers and servers by viruses.

6. Develop and maintain secure infrastructure and applications
Security flaws in the infrastructure and in the related applications are exploited by cybercriminals. To counter this threat, software updates and security patches must be applied without delay.

7. Restrict access to cardholder data
Access to data must be kept to a minimum. Procedures must ensure that each operational level within the payment solution has access only to the information needed to carry out its tasks.

8. Identify and authenticate access to infrastructure components
Assigning a unique ID to each person in the organisation and each contributor to the payment chain ensures that every action performed on sensitive data can be traced and attributed. This covers both the payment solution's staff and merchant accounts.

9. Restrict physical access to cardholder data
All physical access to systems hosting card data must be restricted as far as possible. Physical and virtual networks must be free of physical or virtual weaknesses that would let cybercriminals reach devices or data.

10. Identify and monitor access to the cardholder data network
The ability to identify and monitor network access is essential in the fight against cybercrime. Access logs in particular make it possible to investigate when data has been compromised.

11. Regularly test systems and processes
Every component and process set up by the payment solution must be continually tested and monitored to ensure that security measures remain rigorously applied. Indeed, security flaws may be discovered at any time by software vendors and manufacturers.

12. Maintain an information security policy for all staff
A strong security policy must be applied within the payment solution. Each employee must be aware of their responsibilities regarding card data and of how to protect it.
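As an added illustration of requirements 3 and 10 above (this is example code written for this page, not PayPlug's implementation), the following Python script scrubs card data from application log lines before they are written: card numbers are truncated to the first six and last four digits, as the « card mask » describes, and security-code fields are removed entirely, since the CVV must never be stored. The field names (pan, cvv, cvc, csc), the regular expressions and the sample log lines are assumptions constructed for the example.

```python
"""Scrub card data from application log lines before they are written.

Added example (not PayPlug's code): implements the truncation rule of
requirement 3 (show at most the first six and last four digits of a PAN)
and removes the security code, so that the logs kept for requirement 10
never contain readable card data. Field names, patterns and log lines are
constructed for the example.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern, not a standard one).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security-code fields (CVV/CVC/CSC) in "key=value" or "key: value" form.
# The field names are an assumption about how the application logs them.
_CVV_RE = re.compile(r"\b(cvv2?|cvc2?|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to reduce false positives on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six + last four digits, masking the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Return the log line with PANs truncated and security codes removed."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        # Only mask Luhn-valid candidates; other long numbers (order ids,
        # timestamps) are left untouched.
        return mask_pan(digits) if luhn_valid(digits) else raw

    line = _PAN_RE.sub(_mask, line)
    return _CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample lines; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        "2024-05-01 12:00:01 INFO charge pan=4111111111111111 cvv=123 amount=1999",
        "2024-05-01 12:00:02 DEBUG form card_number='4111 1111 1111 1111' cvc: 4567",
        "2024-05-01 12:00:03 INFO order_id=4111111111111112 status=paid",
    ]
    for s in samples:
        print(scrub_line(s))
```

Run it directly to see the constructed lines scrubbed. The Luhn check avoids masking every long number in a log, but it is a heuristic: a 16-digit order identifier that happens to pass Luhn will be masked, and a PAN split by characters other than space or dash will be missed, so a scrubber like this complements, and does not replace, the rule of never logging card fields in the first place.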
As a merchant, is PCI-DSS certification mandatory?
PCI-DSS applies to every e-commerce actor that stores, processes or transmits card data, regardless of company size. Every e-merchant must be PCI-DSS compliant. This applies to all sales channels: telephone, mail order, distance selling, physical or virtual payment terminals. The merchant must be able to prove compliance with the PCI-DSS standard.
Does PayPlug ask its merchants for proof of PCI-DSS compliance?
At present, we only ask merchants who use PayPlugjs to prove that they are PCI-DSS compliant. To do so, they must fill in a self-assessment questionnaire.
Note also that in France the PCI-DSS standard is not a legal obligation, but it is imposed by the main market players, Visa and MasterCard. A non-compliant company is therefore exposed to financial penalties, imposed either directly by the card networks or by a partner in the payment chain.
How to get PCI-DSS certification?
Fill in the SAQ A-EP self-assessment questionnaire, available on the following page:
Once the questionnaire and the attestation of compliance have been completed and signed by the e-merchant, they must be submitted to the payment institution the merchant works with (PayPlug).
How long does it take to get PCI-DSS certification?
The time needed depends on the type of company. For a small retailer, for example, it generally takes 15 to 30 minutes to fill in the form, provided there is no compliance issue.
Is having HTTPS on a website enough to comply with PCI-DSS?
No. Although it is an essential element of securing a website, a TLS/SSL certificate only covers the encryption of data in transit (requirement 4 above) and does not protect the website from attacks or intrusions. PCI-DSS compliance guarantees that the additional measures needed to secure the processing of card data are in place.
We particularly recommend reading the following articles: