Requisitos de Segurança PCI DSS

What is it? What is its purpose?

The PCI DSS (Payment Card Industry Data Security Standards) is a security standard developed and managed by an independent entity created in 2006 by the main international payment systems (Visa Inc., MasterCard, Discover Financial Services, JCB International and American Express). Its purpose is:

Protect the holders of payment cards, in way to assure the confidentiality and integrity of the sensitive data associated to the using of payment cards, whether they are data of the card or of authentication;
Protect the merchants of adverse consequences, financial and to his reputation, that may result in the breach of that confidentiality;
Uniform the security requirements to be used by all the intervenients in the payment industry, guaranteeing a transverse control of the risk of compromising data and a greater trust level.

Which are the sensitive data of the card?

PCI DSS has the purpose to protect the data of the cardholder and of authentication, considering the following restrictions:

PCI Sensitive data	Data elements	Storage allowed	Making the stored data unreadable, according PCI requirement
Cardholder’s data	No. of the card (PAN)	Yes	Yes
	Cardholder’s name	Yes	No
	Service Code	Yes	No
	Expiration date	Yes	No
Confidential Authentication ¹	Magnetic stripe data²	No	Not able to store, according to PCI requirement
	CAV2/CVC2/CVV2/CID ³	No	Not able to store, according to PCI requirement
	PIN ⁴	No	Not able to store, according to PCI requirement

The encryption data are confidential and must not be stored after authentication (even if encrypted).
Complete tracking data of the magnetic stripe, equivalent data on chip, or in another place
The three or four-digit value printed on the front or on the back of a payment card
The personal identification number inserted by the cardholder during a transaction with a card and/or the block of the encrypted PIN within the transaction message.

Who must perform a PCI certification?

Every merchant must fulfil the PCI security requirements.
To assess which certification level to perform, each merchant must read in www. pcisecuritystandards.org the validation requirements mandatory to each merchant category.
The classification of each category crosses the merchant’s number of annual transactions, the acceptance channel where the transaction occurs and the merchant’s level of risk.
The distinction between the validation requirements and the subsequent proof of compliance required varies according to the level of risk at which the merchant fits.

Level	Criterion	Proof of compliance
1	Merchants that: Perform more than 6 million transactions per year, independently of the acceptance channel; Have suffered an attack to their computer systems that have compromised his customer’s cards data.	AOC – Attestation of Compliance
2	Merchants that perform between 1 to 6 million transactions per year, independently of the acceptance channel;	AOC – Attestation of Compliance
3	Merchants that perform between 20 thousand and 1 million e-commerce transactions per year;	Prove the business relationship with the certified services provider (listed in www.visaeurope.com and MC), and Present a self-assessment quiz (SAQ Self Assessment Questionnaire)[1]
4	E-commerce merchants that perform less than 20 thousand transactions per year;

How to obtain the PCI certifization?

The PCI certification may be performed using a qualified security consultant – QSA (Qualified Security Assessor), that is certified by the international Payment Systems or by an internal security auditor of the merchant – ISA (Internal Security Assessor), that has concluded the ISA training program, developed according to PCI Council criteria:

https://www.pcisecuritystandards.org/training/isa_training.php
https://programs.pcissc.org/isaregistration.aspx

For more information about PCI DSS, further reading of the websites of the following entities is suggested:
PCI Security Standards Council -> https://www.pcisecuritystandards.org/
Visa Europe -> https://www.visaeurope.com/receiving-payments/security/
MasterCard -> https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
Banco de Portugal – > https://www.bportugal.pt/pt-PT/pagamentos/BoasPraticas/Paginas/Cartoes-de-Pagamento-Comerciantes.aspx

[1] SAQ publicados em www.pcisecuritystandards.org

Contact Center

213 132 900

Contact us

Point-of-sale payments

online and remote sales

campaigns