How to obtain PCI certification?


Many businesses that accept card payments are familiar with the term PCI DSS (Payment Card Industry Data Security Standard). As soon as you start figuring out what you need to process cards and how to do it, the topic comes up. How many times have you heard about PCI certification or the PCI standard? Some try to avoid dealing with it, seeing it as a problem they can get rid of (paperwork, endless procedures, etc.). But that won’t do if your business accepts card payments. Put simply: if you accept card payments, you need PCI certification.
Rather than getting overwhelmed, the best approach is to understand how to achieve this certification for your online business. Let’s take a closer look at PCI DSS to understand what needs to be done and how to make the process easier.
What exactly is PCI DSS?
In short, PCI DSS was created as a data security program to prevent fraud related to card data leaks. Obtaining PCI certification helps you set up best practices for processing sensitive cardholder information. But be careful—the certification itself doesn’t work magic. The requirements help, but staying compliant depends on your business and your staff.
From the start, PCI DSS has been backed by major financial institutions (Visa, MasterCard, American Express, etc.), with more efforts added over time to improve compliance.
Most importantly: it is a mandatory industry standard for payments, even if it is not prescribed by law.
Everyone involved in the payment process who accepts, stores, or transmits cardholder information must have PCI certification. It doesn’t matter if you are a merchant (e-commerce, retail stores, travel agencies), a service provider (issuers, payment gateways, processors), or a financial institution (banks). It also doesn’t matter if card data is obtained indirectly through a third-party service provider—the compliance requirements are equally strict. There is a PCI standard you must follow to remain a trusted business, to be better prepared for other security requirements, and to secure better commercial conditions from card service providers. Card networks care about the safety of their customers, and if your business doesn’t comply with PCI DSS, they will turn their back on you in any negotiation.
Do I have to comply with PCI DSS?
This question usually comes with others: when do I need to comply? What happens if I don’t? How do I meet the current PCI DSS requirements? What should I do if I’m not compliant but want to be, for the safety of my business and my customers?
It’s natural to ask these questions at the beginning. You may suddenly receive a huge amount of information and not know where to start in figuring out whether you are compliant or how to get there. We’ve all been there, but with some effort, the process is manageable.
As mentioned earlier, if your business transmits, stores, or accepts card payments, you must comply and obtain PCI certification. It doesn’t matter if your business is small, medium, or large, if you sell products or services, or whether you process 50 transactions or 50K—you must comply because you process sensitive cardholder data. By sensitive information we mean basics like the PAN, cardholder name, expiration date, service code, security code, etc.
Once you’ve understood this, the next step is knowing there are two main ways PCI DSS compliance is evaluated. The choice depends on transaction volume and processing method. The first is an external audit coordinated by a PCI-certified entity. Since the PCI Council behind the standard is formed by the major card companies, rigor is guaranteed. The good news is that many businesses qualify for the second option: a self-assessment questionnaire, which may or may not be supervised. In that case, it’s best to answer based on your actual compliance status, since the questionnaire is essentially a sworn declaration.
How to comply with PCI DSS
Let’s briefly review some of the most important requirements. The standard defines 12 requirements, but focusing on a few gives a good overview of the journey ahead. These requirements reflect the general spirit of PCI DSS, and at the end you’ll find an infographic with the full list.
Information security policy
Welcome to PCI DSS. While this requirement appears last in the official list, it’s really the foundation. PCI DSS is all about security policies. If you accept card payments, the first step is to ask yourself: how effective is my security policy? Does it cover the full flow of information processing? Are all employees aware of it? And remember, the policy should not only cover payment data—it applies to all the information your business processes. Every employee should know their responsibility in protecting the data they handle.
With a well-defined security policy, you can efficiently evaluate risks and vulnerabilities (network intrusions, data leaks after system changes, unauthorized wireless access, etc.). These security measures should also be regularly tested through scans or targeted checks.
Everything documented in the policy must be mandatory for employees.
Maintain secure networks and systems
It is recommended to maintain (or install, if not already in place) a firewall configuration for every internet connection across all business devices. At this point, it helps a lot to have previously inventoried the available equipment and to have regulated its operation according to responsibilities. The common practice is to justify each service and assign IPs and ports to each group or individual using them.
Protect cardholder data through encryption
As mentioned earlier, not all card data is necessary to complete a transaction. The best practice is to limit the storage of unnecessary data, since this reduces risk and simplifies the process. For the data you do store, tokenization is one of the best protection strategies, especially if you use a service provider such as a payment gateway. Tokenization may be an important factor when choosing one provider over another, as it is now considered one of the highest-level security protocols. With tokenization, the PAN is replaced with a unique token linked to the real card data. The token cannot be used to infer the underlying confidential data, which minimizes the risk of insecure storage. The main advantage is that with tokenization you don’t need to implement the same strict controls required for confidential data, since the token is not considered confidential.
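To make the tokenization flow described here concrete, the following is an added example in Python (not code from the article or from Zru): a minimal token vault in which the merchant keeps only a random token plus masked display data, while the PAN stays inside the vault and can only be recovered by the vault's own processing role. The Luhn check, the `tok_` prefix and the `vault-processor` role name are assumptions, and the card numbers used with it are constructed test values.

```python
"""Minimal PAN tokenization vault (added illustration, not Zru's code).

Assumptions not taken from the article: tokens are random, so nothing about
the PAN can be inferred from them; the vault record would be encrypted at rest
in production; only the 'vault-processor' role may ever recover a PAN.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

VAULT_ROLE = "vault-processor"  # assumed name of the only role allowed to detokenize


def luhn_valid(pan: str) -> bool:
    """Basic input hygiene: digits only, plausible length, Luhn checksum passes."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and dashboards: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class VaultRecord:
    pan: str      # encrypted at rest in a real vault
    expiry: str   # MMYY


class TokenVault:
    """Holds the token -> card data mapping; merchant systems only ever see tokens."""

    def __init__(self) -> None:
        self._store: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, expiry: str) -> Optional[str]:
        """Store the card data and return a fresh random token, or None for bad input."""
        if not luhn_valid(pan):
            return None
        token = "tok_" + secrets.token_urlsafe(24)  # independent of the PAN: not reversible
        self._store[token] = VaultRecord(pan=pan, expiry=expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge by token only; the PAN is looked up inside the vault and never returned."""
        rec = self._store.get(token)
        if rec is None or amount_cents <= 0:
            return False
        # Here the vault would forward rec.pan to the acquirer on the caller's behalf.
        return True

    def detokenize(self, token: str, caller_role: str) -> Optional[str]:
        """Recover the PAN only for the vault's own processing role."""
        if caller_role != VAULT_ROLE:
            return None
        rec = self._store.get(token)
        return rec.pan if rec else None


def merchant_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the merchant persists after tokenizing: a token and masked display data only."""
    token = vault.tokenize(pan, expiry)
    return {"token": token, "display": mask_pan(pan) if token else None}
```

Because the token is random rather than derived from the PAN, two tokenizations of the same card yield unrelated tokens, which is why the token itself falls outside the controls the article describes for confidential data.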
Change passwords used for data protection
This requirement does not need much explanation. Following it regularly avoids many headaches.
Evaluate corporate antivirus and anti-malware solutions
The recommendation is to combine both and deploy them—with their respective updates—on all systems and applications accessible from the internet. This prevents data from being compromised and ensures that your networks and systems remain secure against potential attacks. Another recommendation is to stay informed about evolving threats, which is an excellent way to prevent future incidents.
Identify and authenticate access to system components and network resources
This is a way to restrict any access to files containing cardholder data. By establishing these restrictions, you can determine who has access and under what conditions. Having this information helps you better manage the security of stored data. It is also worth regularly reviewing activity logs to detect any issues early.
And although it may sound obvious, it is also necessary to restrict physical access to offices and keep a record of each visitor, clearly defining the authorization levels they hold. Digital compliance is useless if outsiders can walk into your premises and collect sensitive information.
The 12 PCI DSS requirements*
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Protect all systems against malware and regularly update antivirus software.
Develop and maintain secure systems and applications.
Restrict access to cardholder data by business need-to-know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain an information security policy for all personnel.
*Source: PCI Data Security Standard
PCI DSS, beyond the basics
In addition to the requirements already mentioned, you should know that new PCI DSS updates include additional ones. One relates to shared hosting, a practice everyone knows. Shared hosting providers, among other requirements, must ensure that each entity only has access to its own cardholder data and that no files from one entity can be shared with or viewed by another.
The more intermediaries involved in a payment transaction, the more precautions are needed to comply with PCI DSS, because if card data is compromised, the responsibility falls on the primary business that should have confirmed whether the provider was PCI compliant.
The same applies to payment gateways. They are almost indispensable service providers, and integrating one is a way to meet user needs. The recommendation is to know which ones simplify PCI DSS compliance. Some gateways store and process all card data on their own servers, meaning none of that data goes to your servers. That is a significant advantage, although at that point you must verify whether the chosen gateway is PCI compliant. For example, by integrating with Zru, the number of PCI DSS requirements an online business must meet is greatly reduced.
What does PCI DSS really provide?
The greatest benefit of PCI certification is the best practices it validates. With this certification, you become more reliable and secure for future commercial negotiations. At the same time, compliance improves efficiency and optimizes overall business management.
Several risks arise if you do not comply with PCI DSS. Consequences include fines or penalties if data is compromised, reduced transaction volume (no compliant third party will accept payments from a non-compliant business), extra costs from additional controls, and perhaps most importantly the loss of trust from customers and providers. Customers want security when buying a product, and under no circumstances want their private information deliberately exposed.
How to obtain PCI certification
Once you know the requirements of the standard and your current level of compliance, the rest is a straightforward task. Prepare a compliance program that evaluates how you will meet the objectives set by the requirements, and define a strategy that minimizes identified risks while increasing the security of what you already do well. Each specific action must clearly state which requirement (or risk) it addresses. Needless to say, this program requires the time and resources you allocated in your initial assessment.
The results of this program are then documented to show compliance status. Businesses with large transaction volumes undergo an external audit by a PCI-certified entity, while others must complete the self-assessment questionnaire. Both must also undergo quarterly network scans to ensure high security levels and confirm certification.
In Spain there are several companies that have obtained PCI certification and, more importantly, some are authorized by the PCI Council to perform audits and to supervise and advise on annual self-assessments. Among them: A2 Secure, SIA Grupo, Integrated Technology Systems, and Atos Consulting.
How can Zru help you comply with PCI DSS?
Zru is a payment platform that minimizes the requirements you must meet to obtain PCI certification. As a payment platform, Zru makes handling cardholder data much easier:
Your customers’ card data goes directly to our servers, so you neither process nor store this data on your own servers.
We store your customers’ payment data for you and return a token that is directly linked to that data, but replaces it for security reasons. Since the token maintains the functionality of the real data, you can use it to charge in the future.
We use HTTPS for all access points to our platform.
You do not need card data to process refunds.
We comply with the requirements set by PCI DSS and are audited by a certified entity.
By choosing Zru, you reduce the number of PCI DSS requirements you must meet, saving time and money. You can also access more information about PCI DSS compliance when using Zru through this link.