Hi, %username%!
We have prepared this post for those who work in Internet commerce and plan to accept (or already accept) payments on their own website. We will talk about the international data security standard PCI DSS: its basic requirements for the information infrastructure that processes and protects bank card data, the main reasons for certification, and the opportunities a certified company gets.
PCI DSS (Payment Card Industry Data Security Standard) is the data security standard of the payment card industry. The standard was developed by the international payment systems Visa and MasterCard. Any organization planning to receive and process bank card data on its website must comply with PCI DSS requirements.
There are 4 levels of PCI DSS certification, distinguished primarily by the maximum number of transactions processed:
- Level 4 allows you to process up to 20 thousand transactions per year. PCI DSS requires quarterly external vulnerability scanning (ASV scanning) and an annual Self-Assessment Questionnaire (SAQ) to confirm compliance.
- Level 3 allows you to process from 20 thousand to 1 million transactions per year. For certification, both a quarterly ASV scan and a self-assessment questionnaire (SAQ) are required.
- Level 2 allows you to process from 1 million to 6 million transactions per year. To confirm compliance with PCI DSS requirements, a quarterly ASV scan and a self-assessment questionnaire (SAQ) are required. However, after June 30, 2012, completing the SAQ at this level will require either sending the company's own employees to specialized training or engaging an auditor company (PCI QSA).
- Certification for compliance with PCI DSS Level 1 is carried out only with the involvement of an independent auditor (QSA) and allows you to process more than 6 million transactions per year. The certification procedure includes a survey of the company's information infrastructure, the development of recommendations and regulatory documents necessary for compliance with the standard, and consulting support during implementation.
We undergo annual certification for compliance with the requirements of the PCI DSS standard. For us, as a processing center, compliance with PCI DSS Level 1 is mandatory: the international payment systems (IPS) impose this requirement on companies that provide Internet acquiring services.
Companies selling goods or services over the Internet get certified for compliance with PCI DSS for several reasons:
- Conversion. Companies fear losing part of their payments when the customer is redirected from the shopping cart to a separate payment page.
- Image. Large companies sometimes do not want a client to leave the company's website for a third-party organization (a bank or processing center) to enter bank card data.
- Technical tasks. The company needs to build its own high-tech payment scheme, tailored to the specifics of its business.
PCI DSS certification allows a company to work with banks directly, through the payment interfaces of the bank and of the Internet company itself, so the buyer is never transferred to a third-party site. In addition, building your own payment system lets you work directly with several banks, "balancing" between them, and build a system of "cascading" payments. When a payment is "cascaded", its authorization is attempted sequentially at several banks and processing centers, which can significantly reduce the percentage of declined transactions.
But working with banks independently gives the company more than the advantage of adapting the payment system "to itself". It obliges the company to take on the fight against fraudulent transactions when processing bank card data on its website. In other words, the company needs to build its own system for monitoring and combating fraudulent operations (anti-fraud). The task of the anti-fraud system is to filter out operations that are identified as fraudulent for any of a number of reasons (for example, the country of the issuing bank does not match the country of payment or the payer's country of residence).
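As an added illustration (not code from this post or from PayOnline), here is a minimal Python sketch of the two mechanisms just described: a rule-based anti-fraud filter built around the issuer-country mismatch rule the post cites, followed by cascading authorization across several acquirers. The stub acquirers, the amount limit and the rule names are constructed assumptions; a real system would derive its rules from the merchant's own charge-back statistics.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample: a payment as the merchant's anti-fraud filter would see it.
# Only the issuing country (derived from the card's BIN) is needed here; the full
# PAN never enters this code, which keeps it out of this component's PCI DSS scope.
@dataclass
class Payment:
    amount: float
    bin_country: str      # country of the issuing bank, from the card's BIN
    ip_country: str       # country resolved from the payer's IP address
    billing_country: str  # country of the payer's residence / billing address

def fraud_reasons(p: Payment) -> List[str]:
    """Return the names of the rules a payment trips; an empty list means it passes.

    The country-mismatch rule is the one the post cites; the amount limit is an
    assumed example of a rule a merchant would tune from its own statistics."""
    reasons = []
    if p.bin_country != p.ip_country and p.bin_country != p.billing_country:
        reasons.append("issuer_country_mismatch")
    if p.amount > 100_000:
        reasons.append("amount_over_limit")
    return reasons

# An acquirer is modelled as a callable returning True (approved) or False (declined).
Acquirer = Callable[[Payment], bool]

def cascade_authorize(p: Payment, acquirers: List[Tuple[str, Acquirer]]) -> Tuple[str, Optional[str]]:
    """Run the anti-fraud filter, then try acquirers in order until one approves.

    Returns ("rejected", None) if anti-fraud blocks the payment, ("approved", name)
    on the first approval, and ("declined", None) if every acquirer declines."""
    if fraud_reasons(p):
        return "rejected", None
    for name, authorize in acquirers:
        if authorize(p):
            return "approved", name
    return "declined", None

# Constructed stub acquirers so the example runs offline.
def bank_a(p: Payment) -> bool:
    return p.amount < 5_000          # approves only small amounts

def bank_b(p: Payment) -> bool:
    return p.bin_country == "RU"     # approves only domestically issued cards

ACQUIRERS = [("bank_a", bank_a), ("bank_b", bank_b)]

if __name__ == "__main__":
    print(cascade_authorize(Payment(12_000, "RU", "RU", "RU"), ACQUIRERS))  # ('approved', 'bank_b')
```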
At the stage of building and debugging an anti-fraud system, a lot of time will be "eaten" by collecting and analyzing data on bank card transactions. The purpose of this data collection is to identify the hallmarks of fraudulent transactions. While gathering statistics, the company will have to deal with a large number of charge-back operations.
Building your own anti-fraud system is logical and financially reasonable for companies with a large turnover of bank card payments. For such companies, flexibility and full control over the payment filtering system are crucial. Plus, such a company can allocate resources to the development and continuous improvement of the technologies and tools of its own "mini processing center".
It is worth noting that in risk monitoring it is difficult to find a better service provider than a processing center (PC). Thanks to the diversity and sheer number of its clients, the PC has an extensive history of monitoring and filtering. Even if the company is building its own anti-fraud system, it can send to the PC for processing those transactions that raise doubts among its internal risk specialists.
To make an informed decision on how to process bank card data, it is necessary to evaluate all the components of the process, from submitting documents to supporting cardholders. To make the decision easier, we compared the two main approaches to receiving and processing bank card data: when the data is entered on a third-party site (for example, the PC's), and when the data is entered on the company's own site with subsequent authorization of the payment at the bank.
| | Bank card data is entered on the company's website, with subsequent authorization of payments (for example, at a bank) | Bank card data is entered on a third-party site (for example, on the secure payment page of the PC) |
|---|---|---|
| PCI DSS | Certification for compliance with PCI DSS requirements is required. | Certification is not required. |
| Connection | To receive payments directly, you must connect to the bank yourself. The bank's decision depends, among other things, on the company's turnover. | To connect, you hand the package of documents to your personal manager, who interacts with the bank and prepares the contract. |
| Commission | The commission charged by the bank for processing payments starts at 2% of the transaction amount and depends on turnover volume and the company's line of business. The commission percentage a client gets directly from the bank is often equal to the percentage offered by the PC. This is due to the "wholesale" terms the PC operates under and the high reliability of its transaction monitoring, in which the bank is interested. | The commission charged by the PC for processing payments and a range of additional services starts at 2.5% of the transaction amount and depends on turnover volume and the company's line of business. |
| Accounting | The company interacts with the bank on financial reporting and settlement independently. Reporting requires active work with the bank and building your own billing system. | The PC's billing system lets customers keep online records of transactions and download accounting documents (statement, detailed PayOnline statement, invoice) from the personal account interface. |
| Payer support | To provide qualified support to payers, you need to organize your own call center or buy third-party services (from 25,000 rubles per month for the work of one specialist). If you already have a call center, you need to conduct additional training for specialists to work with cardholders. It also requires building the call center infrastructure: software and telephony. | Support for cardholders paying in your online store is provided by the PC's call center specialists. |
| Transaction monitoring | Transaction monitoring must be carried out by full-time qualified specialists of the e-commerce enterprise processing bank card data. The salary of a risk specialist starts at 35,000 rubles per month. | Transaction monitoring, including the software for it, is carried out by the specialists of the PC's risk department. |
| Hardware | Investment in the server side is required, both for certification and to ensure a sufficient level of security. The amount depends on the certification level and the proposed infrastructure. | No additional expenses for the server side are needed, since transactions are processed on the PC's secure servers. |
| Development | To accept payments yourself, you must develop or purchase a billing system, including secure data transfer services to the bank, secure payment acceptance forms and additional interfaces. This requires the constant work of highly qualified specialists costing at least 65,000 rubles per month. | To connect to the PC, a developer is engaged once to implement the payment form on the company's website. If necessary, a branded payment form is developed by the PC's specialists. |
| Acceptance of payments on the site (without switching to a third-party resource) | You process the bank card data on your site without switching to a third-party resource. | Payments can be accepted without a direct transfer to the PC's site by using IFrame technology. |
Thus, if a company is going to get certified for compliance with PCI DSS and process bank card data on its site independently, all the requirements of the PCI DSS standard apply to it. They cover security at the level of networks, equipment, applications, databases, physical storage, documentation and process management. And, as mentioned above, building the anti-fraud system and the billing system, a difficult and time-consuming task, is also carried out by the company itself.
For companies that work only through a payment gateway and do not accept customers' bank card data on their own site, only the requirements of the payment gateway's (PC's) risk department apply. They concern the e-commerce enterprise's site, the correctness of its content and price offers, and the company's organizational form.
If you have any questions after reading this post, write them in the comments. On the auditor's and PCI DSS specialist's side, you will be advised by Evgeny Bezgodov aka Bezgodov, Executive Director of Deiteriy, CISA, PCI QSA. On the payment gateway side, PayOnline processing center specialists are always in touch.