PCI Compliance

Q: What is the PCI Security Standards Council (PCI-SSC)?

A Limited Liability Corporation (LLC) chartered in Delaware, USA, the Payment Card Industry Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. All five payment brands share equally in the council's governance, have equal input to the PCI Security Standards Council, and share responsibility for carrying out the work of the organization. The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Entry Device (PED) Requirements. All five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.

Q: What is the PCI-DSS?

The Payment Card Industry Data Security Standard, or “PCI-DSS”, is a set of comprehensive requirements for enhancing payment account data security. The PCI-DSS was developed by the founding payment brands of the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Q: Who does the PCI-DSS apply to?

The PCI-DSS applies to any entity that is processing, storing or transmitting cardholder data (in any form).

Q: Is the PCI-DSS a state or federal law?

No, the PCI-DSS is essentially a set of information security standards created by the Payment Card Industry Security Standards Council that are directed at Merchants who process, store or transmit cardholder data.

Q: If the PCI-DSS is not a state or federal law, then why does a Merchant need to comply?

In order to accept credit cards, Merchants must sign an agreement with their Acquiring Bank. The language in this agreement varies with each Acquiring Bank, but typically holds the Merchant responsible for complying with the PCI-DSS and liable for all costs, including fines and penalties, assessed if the Merchant is compromised and found not to be PCI-DSS compliant.

Q: What are the Visa PABP and PCI PA-DSS standards?

Visa developed the Payment Applications Best Practices (“PABP”) guidelines to assist software vendors in creating secure payment applications that help Merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI-DSS). Effective October 2008, the Payment Card Industry Security Standards Council took this over from Visa and renamed the standard the Payment Application Data Security Standard, or PCI PA-DSS.

Q: Is Jonas responsible for deleting any default or generic user accounts or passwords on its customer systems?

No. Jonas is not responsible for the creation, management or deletion of any user accounts or passwords. This is strictly the responsibility of the merchants.

Q: Are merchants required to use only strong user accounts and passwords as part of being PCI-DSS compliant?

Yes. Merchants are required to use passwords that are at least seven characters in length and contain at least 3 of the following 4 character types: upper case letters, lower case letters, numbers, and symbols. Merchants are also required to change their passwords at least once every 90 days, and to immediately disable or delete the access credentials of any user who leaves the organization or changes jobs and no longer requires access to the payment processing application.
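The following is an added illustration, not part of the Jonas FAQ, of how a merchant might check accounts against the rules stated above: password length and character-type mix, the 90-day change interval, and credentials left enabled for departed users. The account records and the audit date are constructed sample data.

```python
# Added example (not from the Jonas FAQ): audits constructed account records
# against the password rules the FAQ states for merchants.
import re
from datetime import date

MIN_LENGTH = 7          # at least seven characters
MIN_CLASSES = 3         # at least 3 of the 4 character types
MAX_PASSWORD_AGE = 90   # days between mandatory password changes

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def password_meets_policy(password: str) -> bool:
    """True if the password meets the length and character-type rules."""
    if len(password) < MIN_LENGTH:
        return False
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    return present >= MIN_CLASSES

def audit_accounts(accounts, today):
    """Return (username, reason) findings for accounts that violate the rules:
    passwords older than the change interval, and departed users still enabled."""
    findings = []
    for acct in accounts:
        age = (today - acct["password_changed"]).days
        if age > MAX_PASSWORD_AGE:
            findings.append((acct["user"], f"password is {age} days old (limit {MAX_PASSWORD_AGE})"))
        if not acct["active_employee"] and acct["enabled"]:
            findings.append((acct["user"], "credential still enabled for a departed user"))
    return findings

# Constructed sample data: a clerk with a fresh password, a manager whose password
# has aged past 90 days, and a former employee whose login was never disabled.
SAMPLE_ACCOUNTS = [
    {"user": "clerk01", "password_changed": date(2024, 5, 1), "active_employee": True, "enabled": True},
    {"user": "manager", "password_changed": date(2024, 1, 10), "active_employee": True, "enabled": True},
    {"user": "ex_staff", "password_changed": date(2024, 4, 20), "active_employee": False, "enabled": True},
]

if __name__ == "__main__":
    for candidate in ["Ab1!", "Passw0rd", "alllowercase", "Sales-Desk-2024"]:
        print(f"{candidate!r}: {'ok' if password_meets_policy(candidate) else 'REJECT'}")
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS, date(2024, 5, 15)):
        print(f"{user}: {reason}")
```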

Q: Is Jonas required to take steps to ensure that its customers are PCI-DSS compliant?

No, it is the sole responsibility of the Merchant to ensure that it is PCI-DSS compliant.

Q: What should Jonas customers do to determine their level of PCI-DSS compliance and to mitigate any gaps in order to become PCI-DSS compliant?

For information on assessing their level of PCI-DSS compliance, customers can visit the PCI Security Standards Council web site at: http://www.pcisecuritystandards.org.

Q: Can Jonas assist its customers with their efforts to assess their level of PCI-DSS compliance or mitigation?

Jonas is not a Qualified Security Assessor (“QSA”) and cannot offer these services.

Q: Does installing a PA-DSS validated payment processing application satisfy all of the PCI-DSS requirements?

No. Installing a PA-DSS validated payment application is only one element of PCI-DSS compliance. The PCI-DSS contains more than 200 individual requirements, most of which have nothing to do with the Jonas product. For more information on the PCI-DSS requirements, please visit the PCI Security Standards Council web site at: www.pcisecuritystandards.org.

Q: Should I contact Jonas to find out if I am PCI-DSS compliant?

No. Only the PCI Security Standards Council or a certified QSA is qualified to make this determination. Jonas strongly recommends that its customers take steps to ensure that they are PCI-DSS compliant. A good starting point is to visit the PCI Security Standards Council web site at: http://www.pcisecuritystandards.org.