PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations to safely and securely accept, store, process and receive/transmit cardholder data to prevent fraud and data breaches.
The PCI DSS standard is mandated by the card schemes (Visa, Mastercard, American Express, etc.) and is administered by the PCI Security Standards Council (PCI SSC).
At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
Sensitive Authentication Data (SAD) consists of information used to authenticate cardholders and/or authorize payment card transactions, including but not limited to card validation codes/values (CAV2/CVC2/CVV2/CID), full track data (from the magnetic stripe or its equivalent on a chip), PINs and PIN blocks.
PCI DSS applies to any Organisation, regardless of size or number of transactions, that stores, processes and/or receives/transmits any cardholder data and/or sensitive authentication data.
Even if the Organisation stores or receives/transmits card data using a secure method (such as hashing or encryption), PCI DSS still applies.
If the Organisation does not store, process and/or receive/transmit any card information from Solaris and/or directly from cardholders, then the Organisation is out of scope of PCI DSS and does not need to be PCI DSS compliant. (If the cardholder name and expiry date are present without the 16-digit PAN, PCI DSS does not apply to those elements.)
Any Solaris client accessing the API methods below must comply with PCI DSS. If the cardholder name and expiry date are accessed through an API method without the full PAN, those elements are out of PCI DSS scope.
- Card _ ActivateCard
- Card _ GetSpecificVirtualCard
- Card _ GetVirtualCardCVV
- Card _ LinkPreissuedCard
- Card _ ViewPin
- Card _ AddVirtualCard
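The scoping rule above (SAD or a full PAN puts a record in scope; cardholder name and expiry date alone do not) as a small classifier that can be run over stored records or log lines before go-live. This is an added example, not Solaris code: the field names, the SAD field list and the sample records are constructed, and a Luhn check is used to tell a full PAN from other long numbers.

```python
import re

# SAD field names (assumed, not Solaris API fields): CAV2/CVC2/CVV2/CID,
# PINs and PIN blocks, full track data.
SAD_FIELDS = {"cav2", "cvc2", "cvv2", "cvv", "cid", "pin", "pin_block",
              "track1", "track2", "track_data"}
# A candidate PAN is a run of 13-19 digits once separators are stripped;
# the Luhn check then filters out order ids of similar shape.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_full_pan(text: str) -> bool:
    """True if text holds an unmasked, Luhn-valid PAN. Masked or truncated
    PANs such as 411111******1111 have no 13+ digit run and do not count."""
    compact = re.sub(r"[ -]", "", text)
    return any(luhn_ok(m) for m in PAN_CANDIDATE.findall(compact))

def classify(record: dict) -> str:
    """'SAD' if any SAD field is present, 'CHD' if a full PAN is present
    (with or without name/expiry), else 'out_of_scope' (name/expiry alone)."""
    if {k.lower() for k in record} & SAD_FIELDS:
        return "SAD"
    if any(isinstance(v, str) and contains_full_pan(v) for v in record.values()):
        return "CHD"
    return "out_of_scope"

def service_provider_level(annual_transactions: int) -> int:
    """Level 1 above 300,000 transactions per year, otherwise Level 2."""
    return 1 if annual_transactions > 300_000 else 2

# Constructed sample records; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLES = {
    "virtual_card": {"name": "A. Example", "pan": "4111 1111 1111 1111", "exp": "12/26"},
    "masked_receipt": {"name": "A. Example", "pan": "411111******1111", "exp": "12/26"},
    "cvv_lookup": {"pan_last4": "1111", "cvv2": "123"},
    "log_line": {"msg": "POST /cards 200 pan=4111111111111111 ref=99"},
    "order": {"name": "A. Example", "order_id": "4111111111111112", "exp": "12/26"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:15} -> {classify(rec)}")
```

A Luhn-valid number that is not a PAN will be flagged as CHD; that is the conservative side to err on when scoping, and such hits should be reviewed rather than ignored.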
As per PCI DSS, a service provider is a “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.” Solaris clients are classified as co-issuers or service-using issuers and fall under the service provider levels, as they are involved in the processing, storage or transmission of card data. There are two PCI DSS levels, and the client shall determine the appropriate level based on the criteria below:
- Level-1: Processors or any service provider that stores, processes and/or receives/transmits over 300,000 transactions annually.
- Level-2: Processors or any service provider that stores, processes and/or receives/transmits less than 300,000 transactions annually.
PCI DSS compliance needs to be maintained on a yearly basis. Depending on the PCI DSS level, the following applies:
- For PCI DSS Level-1 compliance, the Solaris client must engage a PCI SSC approved QSA organisation to assess the environment and provide the ROC and AOC.
- For PCI DSS Level-2 compliance, the Solaris client can appoint any PCI SSC approved QSA to complete and verify the PCI DSS SAQ-D for service providers.
Submit the SAQ-D for service providers together with other evidence (a passed Approved Scanning Vendor scan, internal vulnerability scan, penetration test, policies, procedures and other reference documents) to Solaris. In this case Solaris can appoint its own QSA to validate the completed SAQ along with the evidence. The QSA fee will need to be borne by the client.
The Organisation needs to be PCI DSS compliant before go-live.
| Abbreviation | Meaning |
|---|---|
| PCI DSS | Payment Card Industry Data Security Standard |
| PCI SSC | Payment Card Industry Security Standards Council |
| QSA | Qualified Security Assessor |
| PAN | Primary Account Number |
| CAV2 | Card Authentication Value 2 |
| CVC2 | Card Validation Code 2 |
| CVV2 | Card Verification Value 2 |
| CID | Card Identification Number |
| PIN | Personal Identification Number |
| ROC | Report on Compliance |
| AOC | Attestation of Compliance |