1. Purpose of this policy
The Payment Card Industry Data Security Standard ("PCI DSS") contains the security requirement which applies to all entities that store, process, transmit or could impact on the security of card data. It defines a standard of due care and protection of Cardholder data.
This policy applies to you if you want to process credit card transactions with Worldline. In order to do so you need to become PCI DSS compliant. After you have read the policy you know how to:
- Become compliant,
- Remain compliant and how to evidence this to Worldline,
- Understand the different validation levels,
- Identify the correct Self-Assessment Questionnaire (SAQ),
- Act in case of a card related data breach.
Worldline welcomes any questions you have on PCI DSS.
It is a requirement for you to report on your PCI DSS compliance. We want to make it as easy as possible for you to achieve and maintain PCI DSS compliance in order to help you protect your business and your customers from the negative effects of a card data breach. Compliance is required if you accept credit cards. The requirements apply to all payment channels, including retail, mail/telephone order, and e-commerce. You are required to report your compliance status on an annual basis. Failure to do so may result in significant fines or penalties from the card associations being passed on to you, or even withdrawal of card acceptance facilities. You are liable for any fines, charges or penalties arising from non PCI DSS compliance. This policy based on PCI DSS version 4 which is mandatory from 2024 (and optional prior to that date).
3. PCI-DSS Stakeholders
You are not the only one involved with PCI DSS. There are a number of main stakeholders:
The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. Founded in 2006 by the major payment card the Council has hundreds of participating organizations representing merchants (like yourself), banks, processors and vendors worldwide.
The PCI SSC manages the standards, certifies assessors, and lists validated hardware and software for use in payment processing. The rules regarding the actual requirements for merchant compliance are defined by the card brands.
There are many different types of businesses that you can contract to provide your payment processing services. These include Payment Service Providers, Payment Facilitators, Acquirers, but they are all links in the same chain that connect the card holder to you and on to the issuing bank to make payment processing possible.
Any entity you engage to perform a role in processing payments is a service provider. Your payment processor is a service provider, so is the company that hosts your servers that take payments (cloud or physical), and the company that writes your payment processing software (POS or web site). You can outsource the function but you are still responsible for the compliance. If you use a PCI certified service provider then nothing more needs to be done. If you use an entity that is not PCI certified then your own assessment must include whatever they do for you just as it would if you did it yourself.
You are an entity that accepts payment cards bearing the logos of any of the card brands that require compliance with PCI DSS.
Consumer (your client)
The card holder making the purchase of goods and/or services.
Payment Brand is any card brand that requires compliance with PCI DSS. This includes Visa, Mastercard, and several other card brands.
4. Goals of the PCI Data Security Standard
PCI DSS includes specific requirements grouped under the following headings:
- Build and Maintain a Secure Network and Systems,
- Protect Account Data,
- Maintain a Vulnerability Management Program,
- Implement Strong Access Control Measures,
- Regularly Monitor and Test Networks,
- Maintain an Information Security Policy.
The full standard and other documents referred to in this article can be found on the PCI SSC web site here:
5. Key Benefits
Importance of PCI DSS compliance
Compliance with PCI DSS brings major benefits to your business, while failure to comply can have serious and long-term negative consequences. These are the benefits to your business:
- Protection of financial data,
- Increased customer confidence through a higher level of data security,
- Maintain customer trust and safeguard reputation,
- Avoid the risk of financial penalties.
Compliance is an ongoing process, not a one-time event. It helps you to prevent security breaches and theft of payment card data, not just today, but also in the future because:
- You want to stay ahead of the threats as data compromise becomes ever more sophisticated.
- You will benefit from continuous improvements to PCI Security Standards.
- The PCI SSC offers training to assist you in ensuring your business is secure.
- When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.
Compliance has also indirect benefits:
- If you are PCI DSS compliant, you will likely be better prepared to comply with other regulations, such as GDPR.
- You will be supporting information security management.
It is now more important than ever that you implement and maintain tighter security around operations and the storing and transmitting of Card Data. Always consider security in the light of:
- Fraud losses,
- Harm to your business,
- Card-reissuance costs (these are passed to you),
- Cardholder inconvenience,
- Loss of consumer confidence,
- Adverse publicity, brand and reputational damage.
6. Process Flow
The steps to become and stay PCI DSS compliant
There are two steps to PCI DSS compliance: Assess and Report.
Once you have identified where card data touches your systems you have identified the scope of the assessment. If any of the activity is performed by a service provider on your behalf you will need to obtain evidence that they are PCI Compliant themselves or you will need to extend the scope of your assessment to include their services as if you did them yourself.
If you have any externally facing ("internet facing") IP addresses (e-commerce sites or IP connected terminals) you may be required to undergo quarterly ASV scans to identify any vulnerabilities that exists. If you are required to undertake ASV scans then you will be required to have a passing scan for every quarter in the year leading up to the date of the assessment. If you failed a scan then you must have remediated the cause and then received a passing scan.
When you have confirmed the scope you will be able to select the correct reporting mechanism for your compliance as described in the next section.
- There is only one "standard" to report against – PCI DSS. This standard contains a large number of requirements and only some of them may apply to specific types of businesses. To assist merchants in reporting their compliance, the PCI SSC have created two types of compliance reports:
1. Report on Compliance (ROC): Contains all the requirements in the standard, can be used by any entity undergoing an assessment.
2. Self-Assessment Questionnaires (SAQs): A set of templates containing only those requirements which are applicable to specific merchant payment environments. These include templates for different implementations of e-commerce and face to face payments.
- If ASV scanning is required by the selected report template then it will be included in the list of requirements that you must meet.
- You will be required to provide us with evidence of your compliance annually, which will be either:
- A copy of the Attestation of Compliance (AOC) for your ROC,
- A copy of the SAQ to cover the assessment,
- if applicable a copy of the latest passing ASV scan report.
Which reporting template can I use?
If you process more than 6 million transaction per year then you will be required to document your assessment in a Report on Compliance which must be signed by either an external Qualified Security Assessor (QSA) or an employee who is currently certified as an Internal Security Assessor (ISA).
Other merchants may be eligible to self-assess and report their compliance using an SAQ. Guidance on the types of SAQ can be found on the PCI SSC web site here:
Approved Scanning Vendor
If you have an internet facing IP address, you need to perform a network scan by an Approved Scanning Vendor (ASV). The SAQ type applicable to your business will contain the requirement to undertake ASV scanning if it is required. A list of ASV’s can be found on the PCI SCC site using the following link:
Official PCI Security Standards Council Site
Qualified Security Assessor
If you have been determined to be classified as a level 1 merchant (more than 6 million transactions annually) the Report on Compliance may need to be completed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) employed by your company. You can find a list of QSA companies by using the following link:
7. Additional Information
What you must do in case of a suspected breach
Being PCI DSS compliant minimizes the potential for theft or fraudulent use of credit card data. However, a breach can still occur or be suspected due to human error, internal fraud or previously unknown vulnerabilities. What do you need to do if you suspect or establish a credit card data breach?
Suspected Breach Notification
Originated by yourself
If you suspect a credit card breach you must immediately inform your acquirer(s), payment service provider(s), and/or card brands.
You can send a (suspected) breach related to Worldline through your account manager.
Originated by the card brands - Common Point-of-Purchase (CPP) report
The card brands will investigate and determine whether all of the cards reported to have been subject to fraudulent activity have been used at the same merchant over a specific period of time. This test, known as “common point of purchase” or CPP, is one of the core means to determine the source of a card breach.
You may receive a Common Point-of-Purchase (CPP) report through your acquirer or your payment service provider.
When a Common Point-of-Purchase (CPP) report is received it is vital for you to act quickly and communicate directly with your acquirer(s) and/or payment service provider(s). In doing so the financial consequences and the negative business impact resulting from the card breach may be minimized. You must ensure that you do nothing that would jeopardise any evidence that may be required in a subsequent forensic investigation.
Further investigation – if required
PCI Forensic Investigator (PFI)
You may be required to engage a PCI Forensic Investigator (PFI). The PFI will aim to identify where in your environment a suspected breach occurred, the extent of the data compromise, and the remediation steps you must take. You can find a suitable PFI company on the PCI Security Standards Council list.
If it is determined by the PFI that there has been a data breach, it’s vital that you take steps to mitigate or eliminate the existing exposure immediately. Delays resulting in longer exposure times can increase the size of the breach and also increase the related fines levied by the card brands. Generally, the fines from the card brands are passed from the acquirer to the Payment Service Providers and ultimately to you.