Home Our Solutions PCI-DSS Compliance
On this page you can find information about:
PCI-DSS Compliance Services provided by Devoteam Cyber Trust
Compliance Levels for Merchants and Service Providers
VISA and Mastercard Compliance Validation Levels for Merchants
PCI-DSS FAQ’s section
All companies that process, handle or store data from payment cards must comply with PCI-DSS requirements. The global Data Security Standard created to reduce fraud associated with the use of payment cards during commercial transactions.
Devoteam Cyber Trust, as Qualified Security Assessor (QSA), provides audits and professional advice to companies that process and transmit payment card data in the course of their activity.
Additionally, we provide a persistent management advisory service, named DSSManager, to help organisations be compliant with the PCI-DSS requirements.
PCI-DSS training allows companies that need to achieve PCI-DSS compliance, but do not have adequate resources to do so, to be able to inform and form elements of a potential work team.
The training focuses on:
Our QSA team will provide PCI guidance, through a risk-based approach, where:
If corrections are required to achieve or maintain PCI compliance, Devoteam Cyber Trust QSA elements may:
The team will remain available to review the progress, while the client performs remediation activities, to ensure the efforts are made in the correct way to achieve compliance.
SAQs are designed for a specific type of credit card transactions, there are 9 types of SAQs to date, for example, A, B, B-IP, C, D. These questionnaires allow the merchant to self-assess their PCI-DSS compliance, document the different practices necessary to be able to conduct credit card transactions securely, as well as identify cases where there are divergences with control objectives to identify and document how latent concerns are addressed in the PCI-DSS.
Report made of more than 200 requirements resulting from the face-to-face work developed out in the field, such as inspection of evidence, and interviews made by an Devoteam Cyber Trust QSA. The assigned QSA element will be responsible for conducting the assessment and will guide the client through this process.
The PCI-DSS assessment carried out includes:
The Compliance Certificate is a formal document issued by Devoteam Cyber Trust that certifies the execution of the conformity assessment and its result. This document demonstrates that the controls defined as necessary by the PCI Consortium are correctly implemented in the respective Organization and in the specific environment under this Certification. This document can be issued when accompanied by a SAQ or ROC.
Devoteam Cyber Trust QSA consultants can help merchants and service providers in this level carrying out their QSA assessment, through:
PCI compliance assessments;
Completion of compliance reports;
And the SAQ’s (Self-Assessment Questionnaire).
Merchants and service providers at these levels can request an Devoteam Cyber Trust consultant (QSA) to help them:
Determine their scope;
Define which PCI requirements are appropriate for the organisation;
Complete the Self-Assessment Questionnaire (SAQ *).
* SAQ = Self-Assessment Questionnaire. It’s a self-validation tool to assess the security of cardholder data. It demonstrates to both consumers and the bank, that the organization has used an external and independent partner to assess its compliance.
| LEVEL NUMBER | NUMBER OF CARD TRANSACTIONS/12 MONTHS | *SAQ REQUIREMENT | ||
| 1 | 6M + | *SAQ replaced with PCI DSS certification | ||
| 2 | 1M - 6M | *SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee | ||
| 3 | 20K - 1M | *SAQ mandatory | ||
| 4 | up to 20K | *SAQ recommended, not mandatory |
| * SAQ stands for Self-Assessment Questionnaire. It’s a self-validation tool to assess the security of cardholder data. |
PCI-DSS stands for Payment Card Industry Data Security Standard and represents a global security standard, with operational and technical requirements, designed to improve control over data on users' payment cards.
This security standard, and its 12 standards, aim to ensure a safe environment for users and entities that process data from payment cards, avoiding fraud.
PCI-DSS compliance requirements cover technical and operational components of the system, included or directly linked to cardholder data.
If your company accepts or processes payments with credit cards, you need to be compliant with the 12 requirements shown in the table below:
| GOALS | PCI-DSS REQUIREMENTS | |
| Build and Maintain a Secure Network |
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
|
| Protect Cardholder Data |
3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
|
| Maintain a Vulnerability Management Program |
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
|
| Implement Strong Access Control Measures |
7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
|
| Regularly Monitor and Test Networks |
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
|
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
All companies that process, handle, or store data from payment cards must comply with PCI-DSS requirements.
These requirements ensure that the processing of transactions, using payment cards, is safe for all parties involved, safeguarding consumers and businesses against problems of theft and data breach.
Yes. The payment card brands that make up the PCI consortium can fine a receiving bank up to $ 500,000 per month for breaches of PCI compliance, and it's quite likely that banks pass this fine on to the merchant.
However, more serious than fines is the revocation of the right to process payment card transactions, that may be issued by the PCI Council, and will dictate the death sentence for many companies.
The PCI Council (PCI-SSC), is an independent global entity created in 2006 by the five main payment card systems (American Express, Discover, MasterCard, Visa, and Japan Credit Bureau).
This entity has the responsibility to develop, manage, educate, and raise awareness about the PCI Data Security Standards. In addition, it also recognizes QSAs (Qualified Security Assessors) and ASVs (Approved Scanning Vendors) as qualified entities, enabling them to validate compliance, in alignment with the PCI Security Standards, as is the case with Devoteam Cyber Trust, acting as a vendor.
Edifício Atrium Saldanha
Praça Duque de Saldanha, nº 1, 2º andar
1050-094, Lisboa | Portugal
T: +351 21 33 03 740
E: info@integrity.pt
5th Floor, Cottons Centre
Hay's Lane
London, SE1 2QG | United Kingdom
T: +44 20 7288 2800
Calle Cronos 63, 4ª planta Oficina 2
28037, Madrid | España
T: +34 91 376 88 20
