What is PCI Compliance?

If your systems or applications process electronic payments or store client payment and transaction data, then PCI compliance should be a high priority for your business.

PCI compliance is governed by the PCI Security Standards Council (PCI SSC), formed in 2006 by American Express, Discover, JCB International, Mastercard and Visa, which maintains the Payment Card Industry Data Security Standard (PCI DSS) as the common baseline for the card brands' respective data security compliance programs.

The goals of PCI DSS are to encourage businesses to:

The PCI SSC certifies independent security organisations annually as Qualified Security Assessors (QSAs). When seeking PCI compliance through a third-party QSA you should verify their credentials against the PCI SSC's own list here:


The PCI SSC also maintains a register of Approved Scanning Vendors (ASVs): organisations whose tools and external vulnerability scanning services have been validated for checking that your internet-facing systems meet PCI DSS requirements. Quarterly ASV scans are required for most self-assessment types that involve internet-facing systems (not every SAQ type calls for them), as well as for a full onsite assessment. They are also a useful, independent check that your cloud network security is on point.

You can find a list of ASV’s here:

https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

Is PCI Compliance Mandatory?

While compliance is not mandated by law, the banks and payment processors you deal with in the day-to-day transactional operations of your business will expect your systems to meet the standard, usually as a condition of your merchant agreement. If they do not, you may attract higher card transaction fees, or be exposed to legal and insurance claims arising from data breaches, including the resulting card replacement fees, fines, and the costs of forensic audits and investigations into your business systems.

The brand damage resulting from a data breach involving personal data or credit card and bank account details can be catastrophic.

The requirements set out in the PCI DSS guide organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during credit card transactions to prevent fraud and data breaches.

It's important to note that while the PCI SSC sets the compliance framework, enforcement is left to the individual card brands and the businesses in the payment chain. The PCI SSC provides mechanisms such as the Self-Assessment Questionnaire (SAQ) for validating compliance, but it is the card brands and payment processors (acquirers) that enforce them amongst the sellers and organisations that accept credit cards.

Who needs PCI DSS compliance certification?

Although there is technically no such thing as "PCI certification", sellers of all sizes, service providers, banks, and any other organizations that process credit card payments may need to prove they are PCI compliant. This is especially true if you store credit card numbers (PANs), cardholder names or expiration dates in your database. Card validation codes (CAV2/CID/CVC2/CVV2) are a different matter: PCI DSS classifies them as sensitive authentication data, which must never be stored after authorisation, even in encrypted form.

If you do store cardholder data, then you need to be prepared to demonstrate that this data is secure (stored PANs rendered unreadable by strong encryption, truncation, tokenisation or one-way hashing) and that your network is sufficiently locked down.

What are the PCI merchant compliance levels?

There are currently four PCI DSS merchant compliance levels, each with its own validation requirements. Your level is determined by the volume of card transactions you process annually. The thresholds below are the commonly quoted Visa and Mastercard definitions; each card brand publishes its own, and your acquirer will tell you which level applies to you.

Merchant Level 1

Businesses that process over 6 million card transactions per year are considered Level 1 merchants.

You may also be placed in this category if you have suffered a data breach or hack that resulted in data loss or theft.

A merchant may also be considered level 1 if nominated by a card association.

PCI Requirements:

Level 1 merchants are required to have an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), or, where the card brand allows it, by a trained Internal Security Assessor (ISA). This is more commonly known as a Level 1 onsite assessment.

On top of the ROC, you are also required to engage an ASV to conduct quarterly external network vulnerability scans, and to complete an Attestation of Compliance (AOC) form.

Merchant Level 2

Level 2 merchants process between 1 million and 6 million card transactions per year.

As a Level 2 merchant you are required to complete a PCI DSS Self-Assessment Questionnaire (SAQ).

You will also need to complete, and provide evidence of passing, quarterly external vulnerability scans conducted by an ASV.

Evidence of both the SAQ and the ASV pass should be provided to your acquirer (merchant processor).

Merchant Level 3

As a Level 3 merchant processing between 20,000 and 1 million transactions per year, you are also required to complete a PCI DSS Self-Assessment Questionnaire.

You will also need to complete, and provide evidence of passing, quarterly external vulnerability scans conducted by an ASV.

Evidence of both the SAQ and the ASV pass should be provided to your acquirer (merchant processor).

Merchant Level 4

Level 4 merchants process fewer than 20,000 card transactions per year.

As a Level 4 merchant you are required to complete a PCI DSS Self-Assessment Questionnaire.

You will also need to complete, and provide evidence of passing, quarterly external vulnerability scans conducted by an ASV where your SAQ type requires them.

Evidence of both the SAQ and the ASV pass should be provided to your acquirer (merchant processor).

What does it cost to be PCI DSS compliant?

The fees to become PCI compliant, and to maintain that standing year on year, can range from approximately $1,000 to over $50,000 annually, depending on the size of your business. Costs will vary depending on the ASV you engage to scan your network and whether you require a full ROC or handle the preparation of your SAQ internally.

Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The PCI DSS Self-Assessment Questionnaire is a checklist, ranging from 19 to 87 pages depending on the SAQ type, created and distributed by the PCI Security Standards Council. It's used as a mechanism for sellers to self-validate their PCI DSS compliance.

Depending on your payment processor and the payment gateway integration you have implemented, sometimes the onus is on your business to prepare the SAQ, while other times this is handled by your payment processor. Which SAQ type applies depends on how cardholder data flows: a fully outsourced, hosted payment page qualifies for a much shorter questionnaire than an integration where card data passes through your own systems.

Is PCI Compliance International?

PCI DSS is a global standard

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data.

The standards globally govern all merchants and organizations that store, process or transmit this data — with new requirements for software developers and manufacturers of applications and devices used in those transactions.

Compliance with the PCI standards is mandatory for their respective stakeholders as a matter of contract rather than law, and is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

How does PCI Compliance affect developers?

PA-DSS, the Payment Application Data Security Standard, was designed to guide developers of commercial payment applications in producing secure payment processing software. Note that the PCI SSC retired PA-DSS in October 2022 in favour of the PCI Software Security Framework (the Secure Software Standard and the Secure Software Lifecycle Standard); the requirements below nonetheless remain a sound summary of what the successor standards expect.

PA-DSS minimises vulnerabilities in payment applications. Its central goal is to prevent the compromise of full magnetic stripe (track) data, which a payment application must never retain after authorisation.

PA-DSS covers commercial payment applications, integrators and service providers. Merchants and service providers should use validated payment applications and should check with their acquiring financial institution to understand requirements and associated timeframes for compliance.

PA-DSS requires payment application vendors to meet these requirements:

Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data

Facilitate secure network implementation

Provide secure password features

Do not store cardholder data on a server connected to the Internet

Protect stored cardholder data

Facilitate secure remote software update

Log application activity

Facilitate secure remote access to application

Develop secure applications

Encrypt sensitive traffic over public networks

Protect wireless transmissions

Encrypt all non-console administrative access

Test applications to address vulnerabilities

Maintain instructional documentation and training programs for customers, resellers and integrators
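The first, seventh and eighth requirements above (no retained sensitive authentication data, protected stored cardholder data, and application logging) are the ones most often broken by ordinary application code: a CVV column added "temporarily", or a full PAN echoed into a debug log. The following is an added example, not code from the original article or from Hava, of a small guard that enforces those rules before a record is persisted or logged. The field names, the allow-listed display digits and the sample records are constructed for illustration; 4111 1111 1111 1111 is a well-known test PAN.

```python
"""Guard that enforces the PA-DSS / PCI DSS storage rules before a payment
record is persisted or written to a log.  Added example; field names and
sample data are constructed, not taken from any real application."""
import re

# Sensitive authentication data (SAD): PCI DSS forbids retaining any of these
# after authorisation, encrypted or not.  The key names are an assumption
# about how an application might label the fields.
FORBIDDEN_FIELDS = frozenset(
    {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block"}
)

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four, the most PCI DSS permits to be
    displayed; everything in between is replaced with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def forbidden_fields(record: dict) -> set:
    """Names of any SAD fields present in a record (case-insensitive)."""
    return {k for k in record if k.lower() in FORBIDDEN_FIELDS}


def sanitize_record(record: dict) -> dict:
    """Return a copy that is safe to persist: refuse SAD outright, mask the PAN.
    The full PAN belongs in a tokenisation service or encrypted vault, never
    in the application's own tables."""
    bad = forbidden_fields(record)
    if bad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(bad)}")
    out = dict(record)
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card numbers in free text such as log lines, leaving
    other long digit strings (order ids, timestamps) untouched."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample data.
    print(redact_pans("charge ok pan=4111111111111111 order=1234567890123456"))
    print(sanitize_record({"pan": "4111 1111 1111 1111", "amount": "10.00"}))
    try:
        sanitize_record({"pan": "4111111111111111", "cvv2": "123"})
    except ValueError as err:
        print(err)
```

The Luhn filter in redact_pans is what keeps a log scrubber from mangling every sixteen-digit order number; it is not a guarantee (a non-card number can pass Luhn by chance), so the right fix is still to never pass the full PAN to the logger in the first place.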

How does Hava’s accurate network documentation assist with PCI compliance?

Having automatically generated network documentation provides a credible platform to support your compliance obligations.

Because Hava uses automation, the network diagrams generated represent the source of truth. You are looking at the “Actual” state of your network topology, not the assumed state of play based on potentially outdated architecture diagrams.

One of the core requirements of PCI compliance is network and data security. Hava's security visualization maps out exactly how traffic flows in and out of your network and security groups. Any open ports that shouldn't be open immediately stand out and can be addressed well in advance of reaching an audit or being discovered by a bad actor.
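The check behind "open ports that shouldn't be open" is mechanical enough to script as well as to visualise. The following is an added example, not Hava's code and not from the original article, that flags security-group ingress rules reachable from the whole internet on anything other than an allow-listed port. The input is shaped like the EC2 DescribeSecurityGroups response (in boto3, ec2.describe_security_groups()["SecurityGroups"]); the two groups below are constructed sample data, and the allow-list of public ports is an assumption.

```python
"""Flag security-group ingress rules open to the whole internet.  Added
example; input shaped like the EC2 DescribeSecurityGroups response, with
constructed sample groups."""

WORLD_CIDRS = frozenset({"0.0.0.0/0", "::/0"})


def world_open_ingress(groups, allowed_ports=frozenset({443})):
    """Return (group_id, protocol, from_port, to_port, cidr) for each ingress
    rule reachable from anywhere that is not confined to allowed_ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue  # scoped to a specific network: not world-open
                # IpProtocol "-1" means every protocol and port; FromPort and
                # ToPort are then absent.  Always a finding.
                if proto == "-1" or lo is None or hi is None:
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
                    continue
                # A port range is acceptable only if every port in it is
                # allow-listed, so 0-65535 is caught even though 443 is inside it.
                if any(p not in allowed_ports for p in range(lo, hi + 1)):
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


# Constructed sample data in the DescribeSecurityGroups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0db", "GroupName": "cardholder-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_GROUPS):
        print("world-open ingress:", finding)
```

Run against the sample data it reports SSH open to the world on the web group and an all-traffic IPv6 rule on the database group, while the HTTPS rule and the VPC-scoped MySQL rule pass. An ASV scan would see the same exposures from the outside; running the check on the configuration catches them before the scan does.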

Having a comprehensive version history is also invaluable, especially if you have been deemed a Level 1 organisation because of suspected network incursion or data loss.

If you are subjected to a PCI Compliance audit for legal or insurance purposes, having an accurate unadulterated representation of your network at any point (since you connected your cloud accounts to Hava) in time, means you have documentary evidence that all your technical ducks were in a row.

With more and more organisations transitioning from on-premise infrastructure to public cloud solutions, the need to keep on top of things like PCI compliance and broader network security is paramount.

Having continuously self-updating network documentation that retains a version history of diagrams every time your network configuration changes is a major step forward for organisations looking to address security and PCI DSS requirements as part of their broader governance obligations.

You can connect hava.io to your AWS, Azure or Google Cloud Platform accounts and start automatically documenting your cloud infrastructure and verify your cloud architecture expectations vs reality.

A 14 day free trial is available for your team to assess whether Hava will provide the diagrams and documentation your developers, operations and security team need in order to sail through your next PCI compliance audit or ASV network security assessment.

Take the free trial and within minutes you'll have your first AWS architecture diagram, GCP diagram or Azure diagram (or a combination of all three).

(No CC required) > https://www.hava.io

Originally published at https://www.hava.io.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store