What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements intended to secure credit and debit card transactions and to protect cardholders' account data from misuse. It was first published in 2004 by the five major payment card brands.
Our Methodology
01 PROJECT START MEETING
The project begins with a kickoff meeting attended by senior management and the managers of the relevant units, at which the project's purpose, process, required resources and risks are reviewed. In consultation with those units, it is confirmed that the scope that will form the basis of PCI DSS compliance and assessment has been determined correctly.
02 DETERMINING THE PCI DSS SCOPE
When determining scope, every process and component involved in the storage, processing, transmission and destruction of credit/debit card data is considered: business processes, campuses, data centers, systems, employees and service providers, together with the security of the card data itself. A PCI DSS scope document is prepared.
03 PCI DSS GAP ANALYSIS
A gap analysis is performed to determine how far the existing environment complies with the current version of the PCI DSS standard.
The analysis identifies the elements that do not comply with the standard and the reasons for each non-compliance.
A Gap Analysis Report is prepared as the outcome of the analysis. The analysis is performed by QSA (Qualified Security Assessor) experts qualified by PCI SSC.
04 PCI DSS IMPROVEMENT CONSULTING SERVICE
Consultancy is provided for credit/debit card applications and for building payment infrastructure in line with PCI DSS.
Together with the organization, Secureway prepares a prioritization document that sets out the work steps, responsibilities and deadlines for eliminating each non-compliance.
The documentation required for compliance is prepared.
05 PCI DSS ON-SITE AUDIT SERVICE
Once all non-compliances identified in the Gap Analysis Report have been remediated, an on-site audit is performed by QSA (Qualified Security Assessor) experts qualified by PCI SSC.
A Report on Compliance (ROC) is prepared as the result of the audit.
06 ATTESTATION OF COMPLIANCE (AOC) PREPARATION AND SHARING
After the ROC has been prepared and delivered by Secureway and reviewed by the organization, the PCI DSS Attestation of Compliance (AOC) is prepared. The audit process is completed with the signatures of the assessor (QSA) and the organization's authorized officers.
If the AOC needs to be forwarded to the payment brands or acquiring banks, Secureway handles the necessary communication and sharing.
PCI SSC and Standards
The PCI Security Standards Council (PCI SSC) was established by Visa, Mastercard, American Express, Discover and JCB to develop and maintain security standards for payment cards. It leads the payment card industry in publishing those standards and in the associated training and assessor qualification programs.
Standards published by the PCI council
PCI DSS MERCHANT LEVELS
Level 1
Criteria:
- Any merchant that has suffered a hack or attack resulting in an Account Data Compromise (ADC)
- Merchants with more than 6 million total combined Mastercard and Maestro transactions annually
- Merchants that meet Visa's Level 1 criteria
- Any merchant that Mastercard, at its discretion, determines should meet Level 1 requirements to minimize risk
Requirements:
- Annual on-site audit

Level 2
Criteria:
- Merchants with more than 1 million but no more than 6 million total combined Mastercard and Maestro transactions annually
- Merchants that meet Visa's Level 2 criteria
Requirements:
- Annual on-site audit or self-assessment

Level 3
Criteria:
- Merchants with more than 20,000 total combined Mastercard and Maestro e-commerce transactions annually, but no more than 1 million total combined Mastercard and Maestro transactions annually
- Merchants that meet Visa's Level 3 criteria
Requirements:
- Annual self-assessment
- On-site audit at the merchant's discretion

Level 4
Criteria:
- All other merchants
Requirements:
- Annual self-assessment
- On-site audit at the merchant's discretion
PCI DSS SERVICE PROVIDER LEVELS
Level 1
Criteria:
- All Third Party Processors (TPPs)
- All Staged Digital Wallet Operators (SDWOs)
- All Digital Activity Service Providers (DASPs)
- All Token Service Providers (TSPs)
- All 3-D Secure Service Providers (3-DSSPs)
- All AML/Sanctions Service Providers
- Service providers with over 6 million total combined Mastercard and Maestro transactions annually
- All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually
Requirements:
- Annual on-site audit, which must be performed by a QSA qualified by PCI SSC

Level 2
Criteria:
- All DSEs and PFs with 300,000 or fewer total combined Mastercard and Maestro transactions annually
- All Terminal Servicers (TSs)
Requirements:
- Annual self-assessment