PCI DSS (Payment Card Industry Data Security Standard) is the security standard of the payment card industry. It is maintained by the PCI Security Standards Council, which was founded by the major international card brands, including Visa and MasterCard. Any organization that stores, processes or transmits cardholder data, including one that accepts card details on its own website, must comply with the PCI DSS requirements.
Merchants are divided into four PCI DSS compliance levels, which differ primarily in the number of transactions processed per year (the exact thresholds are set by each card brand; the figures below are the commonly cited Visa/MasterCard ones), and the way compliance has to be validated differs by level:
- Level 4: up to 20 thousand transactions per year. Compliance is confirmed by a quarterly vulnerability scan of the Internet-facing addresses by an Approved Scanning Vendor (ASV scan) and an annual Self-Assessment Questionnaire (SAQ).
- Level 3: from 20 thousand to 1 million transactions per year. As at Level 4, quarterly ASV scans and an annual SAQ are required.
- Level 2: from 1 million to 6 million transactions per year. Compliance is again confirmed by quarterly ASV scans and an annual SAQ. Since June 30, 2012, however, the SAQ at this level (a MasterCard requirement) may no longer be filled in by arbitrary staff: it must be completed either by in-house personnel who have passed the PCI SSC Internal Security Assessor (ISA) training or by an external Qualified Security Assessor (QSA) company.
- Level 1: more than 6 million transactions per year, or any merchant the card brand assigns to this level (for example after a compromise). Compliance is validated only by an annual on-site assessment by an independent QSA, which produces a Report on Compliance (ROC). In practice the engagement includes a survey of the company's information infrastructure, recommendations and the normative documents (policies and procedures) the standard requires, and advisory support during implementation.
Online businesses that sell products or services on their own sites often choose to validate PCI DSS compliance themselves, rather than hand the card-entry step to a third party, for several reasons:
- Conversion. Companies fear losing part of their payments when the customer is redirected from the shopping cart to a separate payment page.
- Image. Large companies sometimes do not want the customer to leave the company's site and enter card data on a third-party site (the bank's or a processing center's).
- Technical requirements. The company needs a payment flow tailored to its own business logic, which a standard hosted payment page cannot provide.
Validated PCI DSS compliance lets the online business accept card data on its own site and work with acquiring banks directly through their host-to-host payment interfaces, so the customer is never sent to a third-party site. A self-built payment system can also connect to several banks at once and "balance" traffic between them, or run a "cascade": the authorization is attempted sequentially at several banks and processing centers until one approves it, which can noticeably reduce the share of declined transactions. Cascading is normally restricted to declines caused by the acquirer or a transient issuer link (time-outs, issuer unavailable); a decline that is the issuer's verdict on the card itself (stolen or lost card, insufficient funds) is not re-presented elsewhere.
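The balancing and cascading logic described above, as an added example that is not part of the original article or of any particular payment system. The acquirers are simulated in-process with constructed responses; the response-code vocabulary, the split into "soft" declines that may be retried and everything else that ends the cascade, and the currency-based routing preference are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class AuthResult:
    gateway: str
    approved: bool
    code: str          # response code; the vocabulary here is constructed, not a real scheme's
    auth_id: str = ""


# Retry at the next acquirer only when the failure lies with this acquirer or a
# transient issuer link. Any other code is treated as the issuer's verdict on the
# card (stolen, insufficient funds, ...) and ends the cascade. Code names are assumptions.
SOFT_DECLINES = {"TIMEOUT", "ISSUER_UNAVAILABLE", "ACQUIRER_ERROR"}

Gateway = Callable[[dict], AuthResult]


def cascade_authorize(txn: dict, gateways: list) -> tuple:
    """Try each gateway in order; stop at the first approval or at a hard decline.

    Returns (winning AuthResult or None, list of every attempt made) so the
    attempt trail can be logged for reconciliation and fraud review.
    """
    attempts = []
    for gateway in gateways:
        result = gateway(txn)
        attempts.append(result)
        if result.approved:
            return result, attempts
        if result.code not in SOFT_DECLINES:
            break  # hard decline: re-presenting the card elsewhere is not allowed
    return None, attempts


def order_gateways(txn: dict, gateways: dict, preferred_by_currency: dict) -> list:
    """Balancing: the acquirer preferred for the transaction currency goes first,
    the rest follow in configured order."""
    first = preferred_by_currency.get(txn["currency"])
    names = ([first] if first in gateways else []) + [n for n in gateways if n != first]
    return [gateways[n] for n in names]


def make_gateway(name: str, responses: dict) -> Gateway:
    """Constructed in-process stand-in for an acquirer's host-to-host API:
    `responses` maps a card token to the code this acquirer returns for it;
    unknown tokens are approved."""
    def authorize(txn: dict) -> AuthResult:
        code = responses.get(txn["token"], "APPROVED")
        approved = code == "APPROVED"
        return AuthResult(name, approved, code, f"{name}-{txn['token'][-4:]}" if approved else "")
    return authorize


# Constructed sample acquirers. Only vault tokens travel through this code; the PAN
# stays in the card vault, so the routing layer never stores or logs card numbers.
GATEWAYS = {
    "bank_a": make_gateway("bank_a", {"tok_1111": "TIMEOUT",
                                      "tok_2222": "STOLEN",
                                      "tok_4444": "INSUFFICIENT_FUNDS"}),
    "bank_b": make_gateway("bank_b", {}),
    "proc_c": make_gateway("proc_c", {}),
}
PREFERRED = {"EUR": "bank_a", "USD": "bank_b"}


def run(token: str, currency: str = "EUR") -> tuple:
    txn = {"token": token, "amount_minor": 1999, "currency": currency}
    return cascade_authorize(txn, order_gateways(txn, GATEWAYS, PREFERRED))


if __name__ == "__main__":
    for tok in ("tok_1111", "tok_2222", "tok_3333", "tok_4444"):
        winner, attempts = run(tok)
        print(tok, "->", winner.gateway if winner else "DECLINED",
              [f"{a.gateway}:{a.code}" for a in attempts])
```

Note that tok_4444 is declined at bank_a for insufficient funds and the cascade stops there even though bank_b would have approved it: the decline is about the card, not the acquirer, and retrying it would simply generate the fraud and chargeback exposure the cascade is supposed to avoid.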
Working with banks directly brings more than the ability to tailor the payment system to the company's own needs. It also makes the company responsible for controlling fraudulent transactions once it processes card data on its own site; in other words, the company has to build its own system for monitoring and controlling fraudulent operations (anti-fraud). The task of the anti-fraud system is to filter out transactions that a number of criteria identify as fraudulent (for example, a mismatch between the card issuer's country and the country the payment comes from or the payer's country of residence).
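A minimal rule-based filter of the kind described above, as an added example that is not part of the original article. It implements the issuer-country mismatch rule the text mentions and adds two rules a practitioner would expect next to it (attempt velocity per card and a high-amount flag). The BIN table, the sample traffic, the rule weights and the accept/review/block thresholds are all constructed for the example; a real system would source BIN data from the card schemes or a licensed provider, tune the weights against chargeback data, and add signals such as AVS, CVV and 3-D Secure results that are not shown here.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed BIN table (first six PAN digits -> issuing country). Real tables come
# from the card schemes or a licensed BIN data provider and are far larger.
BIN_TABLE = {"411111": "US", "520000": "DE", "424242": "GB", "222300": "RU"}


@dataclass
class Txn:
    ts: datetime
    card_token: str       # vault token; the PAN itself never enters the fraud system
    bin: str              # first six digits of the PAN, needed for the issuer lookup
    amount_minor: int     # amount in minor units (cents)
    currency: str
    ip_country: str       # from geolocation of the client address
    billing_country: str  # from the billing address the payer entered


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def decision(self) -> str:
        # thresholds are assumptions; tune them against real chargeback data
        return "block" if self.score >= 60 else "review" if self.score >= 30 else "accept"


class FraudFilter:
    """Rule-based filter: every matching rule adds to a risk score and records why."""

    def __init__(self, window=timedelta(minutes=10), max_attempts=3, high_amount_minor=50_000):
        self.window = window
        self.max_attempts = max_attempts
        self.high_amount_minor = high_amount_minor
        self._history = defaultdict(list)  # card_token -> timestamps of earlier attempts

    def evaluate(self, t: Txn) -> Verdict:
        score, reasons = 0, []
        issuer = BIN_TABLE.get(t.bin)
        if issuer is None:
            score += 20
            reasons.append(f"BIN {t.bin} unknown")
        else:
            # the article's own example: issuer country vs. where the payment comes from
            if issuer != t.ip_country:
                score += 30
                reasons.append(f"issuer {issuer} != IP country {t.ip_country}")
            if issuer != t.billing_country:
                score += 30
                reasons.append(f"issuer {issuer} != billing country {t.billing_country}")
        # velocity: many attempts on one card in a short window (typical of card testing)
        recent = [ts for ts in self._history[t.card_token] if t.ts - ts <= self.window]
        if len(recent) >= self.max_attempts:
            score += 40
            reasons.append(f"{len(recent)} earlier attempts within {self.window}")
        if t.amount_minor >= self.high_amount_minor:
            score += 15
            reasons.append("high amount")
        self._history[t.card_token] = recent + [t.ts]  # drop timestamps outside the window
        return Verdict(score, reasons)


T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample traffic, in arrival order.
SAMPLES = [
    Txn(T0, "tok_a", "411111", 1999, "USD", "US", "US"),                         # clean
    Txn(T0 + timedelta(minutes=1), "tok_b", "520000", 4999, "EUR", "NG", "DE"),  # IP mismatch
    Txn(T0 + timedelta(minutes=2), "tok_c", "222300", 12000, "USD", "US", "US"), # both mismatch
    Txn(T0 + timedelta(minutes=3), "tok_d", "424242", 9900, "GBP", "GB", "GB"),
    Txn(T0 + timedelta(minutes=4), "tok_d", "424242", 9900, "GBP", "GB", "GB"),
    Txn(T0 + timedelta(minutes=5), "tok_d", "424242", 9900, "GBP", "GB", "GB"),
    Txn(T0 + timedelta(minutes=6), "tok_d", "424242", 75000, "GBP", "GB", "GB"), # 4th in 10 min, large
    Txn(T0 + timedelta(minutes=30), "tok_d", "424242", 9900, "GBP", "GB", "GB"), # window has expired
]


def run_samples(samples=SAMPLES) -> list:
    """Returns (token, decision, score) per transaction, evaluated in arrival order."""
    f = FraudFilter()
    out = []
    for t in samples:
        v = f.evaluate(t)
        out.append((t.card_token, v.decision, v.score))
    return out


if __name__ == "__main__":
    for token, decision, score in run_samples():
        print(f"{token}: {decision:7s} score={score}")
```

The filter works on vault tokens rather than card numbers on purpose: the fraud system needs the BIN for the issuer lookup but has no reason to hold the full PAN, and keeping it out of that system is one of the few ways to limit PCI DSS scope once the card data enters your own site.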
Building its own anti-fraud system is logical and financially justified for a company with a high volume of card payments. For such a company, flexibility and full control over the payment filtering system are critical, and it can afford to dedicate resources to the continuous development of the technology and tooling of what is, in effect, its own mini processing center.
If a company decides to validate PCI DSS compliance and process card data on its own site, every requirement of the standard applies to it in full (for a merchant this means SAQ D or a QSA assessment, rather than the short SAQ A that a redirect to a hosted payment page would allow). The requirements cover network security, hardware and system hardening, applications, databases, physical storage of data, documentation, and process management. And, as noted above, building the anti-fraud and billing systems is a difficult and time-consuming task that the company must carry out itself.