The PCI DSS (Payment Card Industry Data Security Standards) is a security standard developed and managed by an independent entity created in 2006 by the main international payment systems (Visa Inc., MasterCard, Discover Financial Services, JCB International and American Express). Its purpose is:
PCI DSS has the purpose to protect the data of the cardholder and of authentication, considering the following restrictions:
|PCI Sensitive data||Data elements||Storage allowed||Making the stored data unreadable, according PCI requirement|
|No. of the card (PAN)||Yes||Yes|
|Confidential Authentication 1||Magnetic stripe data 2||No||Not able to store, according to PCI requirement|
|CAV2/CVC2/CVV2/CID 3||No||Not able to store, according to PCI requirement|
|PIN 4||No||Not able to store, according to PCI requirement|
Every merchant must fulfil the PCI security requirements.
To assess which certification level to perform, each merchant must read in www. pcisecuritystandards.org the validation requirements mandatory to each merchant category.
The classification of each category crosses the merchant’s number of annual transactions, the acceptance channel where the transaction occurs and the merchant’s level of risk.
The distinction between the validation requirements and the subsequent proof of compliance required varies according to the level of risk at which the merchant fits.
|Level||Criterion||Proof of compliance|
|AOC – Attestation of Compliance|
|2||Merchants that perform between 1 to 6 million transactions per year, independently of the acceptance channel;|
|3||Merchants that perform between 20 thousand and 1 million e-commerce transactions per year;|
|4||E-commerce merchants that perform less than 20 thousand transactions per year;
The PCI certification may be performed using a qualified security consultant – QSA (Qualified Security Assessor), that is certified by the international Payment Systems or by an internal security auditor of the merchant – ISA (Internal Security Assessor), that has concluded the ISA training program, developed according to PCI Council criteria:
For more information about PCI DSS, further reading of the websites of the following entities is suggested:
PCI Security Standards Council -> https://www.pcisecuritystandards.org/
Visa Europe -> https://www.visaeurope.com/receiving-payments/security/
MasterCard -> https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
Banco de Portugal – > https://www.bportugal.pt/pt-PT/pagamentos/BoasPraticas/Paginas/Cartoes-de-Pagamento-Comerciantes.aspx