PCI DSS Validation
Third-party partners must be PCI DSS compliant.
The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit payment information maintain a secure environment. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any payment data. Payment processors, acquirers, issuers and service providers are examples of such organizations.
Using the Forward Proxy allows you to distribute sensitive payment data across PCI-compliant endpoints (Receivers). To ensure that you only share payment data with compliant and trustworthy Receivers, we can help you validate the compliance status of each third-party Receiver, so that your customers' payment data remains protected.
PCI DSS compliance for merchants and third parties is usually defined in terms of levels. Each level varies slightly by card scheme and is quoted in transactions per year. A summary of Level 1 and Level 2 Service Providers is given here.
Scheme | Level 1 Definition | Level 2 Definition | Source |
---|---|---|---|
Visa | Over 6 million Visa transactions | 1 to 6 million transactions | https://usa.visa.com/support/small-business/security-compliance.html |
Mastercard | Over 6 million Mastercard and Maestro transactions | 1 to 6 million transactions | https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/merchants-need-to-know.html |
American Express | Over 2.5 million American Express transactions | 50,000 to 2.5 million transactions | https://www.americanexpress.com/us/merchant/us-data-security.html |
Discover | Over 6 million Discover transactions | 1 to 6 million transactions | https://www.discoverglobalnetwork.com/solutions/pci-compliance/identify-merchant-level/ |
Validation for Level 1 Service Providers
Level 1 Service Providers must complete an annual On-site Assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).
For each third party with which you exchange PCI-sensitive data (sending or receiving), you should:
- Request a signed copy of their AOC for On-site Assessments
- Upload a copy to the Dashboard under the Receiver AOC section
- If you are requesting a new integration, send a copy of the AOC to [email protected].
Validation for Level 2 Service Providers
Level 2 Service Providers must complete an annual self-assessment using Self-Assessment Questionnaire D (SAQ-D).
See below for a link to the template.
For Level 2 Service Providers, you should:
- Request a signed copy of their AOC for Self-Assessment Questionnaire D
- Obtain a written and signed acknowledgment about the responsibility for the security of cardholder data (PCI DSS requirements 12.8.2 and 12.9). Reach out to your Technical Account Manager at PCI Proxy for an example Letter of Acknowledgement.
- Upload a copy of each of them to the Dashboard under the Receiver AOC section (see above)
- For new integrations, send a copy of the AOC and Letter of Acknowledgement to [email protected].
You will be notified when your uploaded documents are approved.
Only official documents from the PCI SSC website are recognized for PCI DSS validation.
Any other documentation or form of certificate issued for the purpose of demonstrating compliance with PCI DSS or any other PCI standard is not authorized or valid, and its use is not acceptable for showing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or 12.9 is likewise not acceptable.
PCI DSS Terminology
Acronym | Definition | Further information |
---|---|---|
PCI SSC | Payment Card Industry Security Standards Council | PCI Security Standards |
PCI DSS | Payment Card Industry Data Security Standard | Download the latest standard |
AOC | Attestation of Compliance | Download the latest template for service providers |
SAQ-D | Self-Assessment Questionnaire type D. A reporting tool used to document self-assessment results from an entity's PCI DSS assessment. | Download the latest template for service providers |
QSA | Qualified Security Assessor. QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments. | Search for a QSA |
ISA | Internal Security Assessor. ISAs are employees of qualifying organizations who have received PCI DSS training and certification from the PCI SSC, which improves the organization's understanding of PCI DSS. | Verify an ISA employee |