PCI DSS isn't a law. It is a security standard that the major card brands agreed to adopt and enforce through their operating rules, so any merchant that stores, processes or transmits cardholder data over those networks is contractually bound to meet it. Third-party vendors may or may not be in scope, depending on the function they perform for your organization and whether they touch cardholder data.
The Payment Card Industry Security Standards Council (PCI SSC), founded by the five major card brands (American Express, Discover, JCB International, Mastercard and Visa), publishes and maintains the PCI DSS. The standard is designed to keep payment account data secure and to reduce card fraud.
All five brands require PCI DSS compliance of the entities that accept or handle their cards, and each enforces it through its own compliance program. In practice a merchant does not sign with the brand directly: when a grocery store wants to accept Visa cards, it signs a merchant agreement with an acquiring bank, and that bank is itself bound by Visa's operating rules to require PCI DSS compliance from its merchants. Compliance is therefore a condition of being approved for, and keeping, payment processing.
When a merchant is found to be non-compliant, the card brand can fine the acquirer (which passes the fine through to the merchant) and, ultimately, bar the merchant from accepting payments on its network.
The 12 requirements apply to everyone who handles cardholder data, but how compliance must be validated differs by merchant level, which is set by annual transaction volume, and by how much contact the organization has with card data. The largest merchants (Level 1, more than six million transactions a year under the brands' definitions) need an on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance (ROC); smaller merchants complete a Self-Assessment Questionnaire (SAQ), and the SAQ type depends on how card data is handled. An e-commerce merchant that fully outsources its payment pages to a validated provider, for example, qualifies for the short SAQ A, while one that stores account numbers itself must complete the full SAQ D.
At a basic level, the standard forbids storing sensitive authentication data after authorization (full track data, the card verification code printed on the card, and PINs or PIN blocks), even in encrypted form, and requires that the primary account number (PAN) be rendered unreadable wherever it is stored (strong cryptography, truncation, one-way hashing or tokenization) and masked when displayed, so that at most the BIN and the last four digits are shown.
Specifically, PCI DSS groups its 12 requirements under six control objectives (the wording below follows PCI DSS v3.2.1; v4.0 keeps the same structure but rewords the requirements):

Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

These six goals are achieved through the 12 requirements set out in the PCI DSS document:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Generally speaking, any entity that enters into a contract agreeing to comply with PCI DSS is bound by it. This includes issuers, acquirers, payment processors, merchants and any other organization that stores, processes or transmits cardholder data on their behalf.
Third-party service providers
If a third-party service provider stores, processes or transmits cardholder data on your behalf, or could affect the security of your cardholder data environment (a hosting provider or a managed firewall service, for instance), it must comply with PCI DSS and should give you its Attestation of Compliance (AOC) as evidence. Check that the AOC is current (an AOC is valid for one year), that it covers the specific services you consume, and which requirements the provider states it meets on your behalf versus which remain yours.
Even when a vendor never touches card data, the services it provides must stay within the terms set out in the vendor agreement for as long as the relationship lasts. PCI DSS Requirement 12.8 also obliges you to keep a list of all service providers, hold a written acknowledgement of their responsibilities, and monitor their compliance status at least annually.
PCI DSS is not a law, but there are consequences for non-compliance. Their severity varies with the merchant level and with whether card data was actually compromised. In general they include:

Fines levied by the card brands on the acquiring bank and passed through to the merchant.
Higher transaction fees, or escalation to a stricter validation level.
The cost of a mandatory forensic investigation, and of reissuing cards, if a breach occurs.
Liability for fraud losses traced to the breach.
Termination of the ability to accept payment cards.
When you're bound by PCI DSS or any other regulation, you can't make assumptions about your vendors' compliance. Panorays can help you quickly and efficiently understand who is compliant, who is not but needs to be, and how to streamline the process of ensuring vendor compliance. With customizable security questionnaires, your vendors can meet the expectations of regulatory measures as well as your own internal company policies. In addition, Panorays continuously monitors and evaluates each vendor and sends live alerts about any security changes that may affect your vendors' regulatory compliance.
Want to learn more about how Panorays can help you keep your third-party vendors PCI DSS compliant? Sign up for a free Panorays demo to learn how we can help.