A security lock on credit cards

Payment Card Industry (PCI) Data Security Standard (DSS)



Helping you ensure that your credit card processing has appropriate security


Do I need to know about PCI?
If your business accepts customer payments via credit card, you are most likely subject to the Payment Card Industry (PCI) Data Security Standard (DSS). Unless you take payments via a system purchased from a company like Square (which takes care of the PCI DSS work for you), your credit card processor will most likely have you attest at least once a year that your company’s network is adhering to the requirements in PCI DSS. This is typically done via a web-based platform that asks you various questions about your network and how you protect credit card data.

It is critical for companies to understand that PCI DSS is not a one-size-fits-all compliance framework; you could be subject to only a handful of requirements or must make use of the entire 360-page PCI DSS framework depending on how you take credit card payments and the devices you use.

PCI DSS Levels
Credit card processors verify your compliance with PCI DSS by having you attest to the requirements in the Self-Assessment Questionnaire (SAQ). The table below lists the common levels and describes in plain English the payment scenario that would bind you to that level.

SAQ
Description
A or A-EP For online (e-commerce) or telephone/mail order businesses who don’t handle any credit card data themselves and instead use secure outsourced companies that follow strict data and safety rules. This can be done by redirecting you to a third-party payment page (A) or integrating a third-party payment system into your website (A-EP).
B or B-IP This is the most common scenario over the past few decades. Merchants use imprint machines (those that make physical copies of cards) or standalone phone-line terminals that don’t electronically store any account data (B) or similar-looking payment terminals that connect to the computer network (B-IP).
C or C-VT Merchants utilizing payment application systems linked to the internet, such as a Point of Sale (POS) application on a computer (C) or a secure payment website for manual payment entering (C-VT), but don’t store any electronic account data.
P2PE Merchants solely rely on a validated and approved Point-to-Point Encryption (P2PE) device or solution. This means they have no access to the actual card information in plain text, and they don’t store any electronic data. This is the most popular method. (Example: https://squareup.com/us/en/home/q9xf2)
D All scenarios not included in descriptions for the above SAQ types. Category D is for companies that do store credit card data on their systems. You don’t want to be here; this is the largest set of cyber requirements.

SAQ-Instructions-Guidelines-PCI-DSS-v4-0.pdf (pcisecuritystandards.org)


CALL OR EMAIL:


Richard Wolford
Software Engineer

814-262-6961
pa-cybersecurity@ctc.com

Padlock with keyhole illustrating cyber data in Pennsylvania


Customer making a credit card payment
Let us help you verify your credit card processor has you categorized at the correct level, ensuring you're not paying too much for network security services or being fined for non-compliance!
A male's hand paying bill with credit card contactless payment on smartphone
The PCI DSS Easy (Kind of) Button - P2PE
Most companies want to become compliant in the easiest and cheapest fashion possible. We recommend ensuring that the only way you take credit card payments is with a Point of Sale (POS) device that is (Point to Point Encryption) P2PE compliant. One of the most used POS devices is the Verifone MX915 (https://www.verifone.com/en/us/devices/multilane/mx-915), so we’ll use this as an example. Determining if a POS device is P2PE compliant is a difficult process. Most manufacturers will list on the device’s spec sheet that it is P2PE compliant, but some credit card processors want you to manually enter the device details into the SAQ form for your yearly self-assessment. This will potentially require you to search three different PCI P2PE lists to find your specific device.
You’ll first search the Solutions list for your device. If it’s not listed, it’s possible that the device is not P2PE approved but instead uses an application or component that is P2PE approved, so you’ll also have to search the other two lists. Using the Verifone MX915 as an example, it does not immediately appear on any of the three lists. Extra research is needed on the specific device to determine what solution/application/components are in use in the device, understanding that although the device is made by Verifone, it may be using solutions/applications/components from another manufacturer.

You can find the MX915 on the approved list in two ways:

  1. Search the Components list for Verifone and select the Company Verifone, Inc. Scroll to the end of the list to find “Verifone North American POI Deployment Services.” Click the link for Component Details to find the MX915 under the “PCI-Approved POI Devices Supported” heading.
  2. Search the Solutions list for Bluefin, find Bluefin Payment Systems (our research showed that Verifone uses software from Bluefin in their devices). Click the link for Solution Details to find the MX915 under the “PCI-Approved POI Devices Supported” heading.

In both cases, we get a link to the approval for the MX915
(https://listings.pcisecuritystandards.org/popups/pts_device.php?appnum=4-10177) that shows us the specific hardware IDs, firmware IDs, and approval number(s) for this specific P2PE device that we can enter into our credit card processor’s SAQ form to prove that we are using a P2PE device.

Although this may seem like a lot of work, using a P2PE device removes the requirement of any additional network security devices/services for your company’s network because the POS devices themselves are secured. This is the cheapest way to achieve PCI DSS compliance while providing your customers with the familiar card swiping/dipping experience they use at any major retailer.
Copyright © 2024 Concurrent Technologies Corporation. All rights reserved. Send comments & questions to the Webmaster.

We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability status, protected veteran status, or any other characteristic protected by law.
CTC on Facebook    CTC on LinkedIn    CTC on YouTube