What is PCI DSS

So what exactly is PCI DSS, and why should your organization care? “The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council.” The standard was created to help protect organizations that process card payments from credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

Typical Path to PCI DSS Compliance

All companies and organizations that deal with credit card information must adhere to PCI DSS. If your company takes credit card payments online, or through a call center, PCI DSS is a must.

Here are the basic goals the PCI DSS tries to achieve:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

These 6 objectives may sound straightforward at first, but when you dig deeper into the standard, the 12-section SAQ (Self-Assessment Questionnaire) can become fairly complicated. There are over 200 questions to answer in the SAQ. Failing only one of them could put your PCI compliance status at risk. Download the SAQ here to take a look.

Why Businesses Need to be PCI Compliant

PCI compliance is a requirement mandated by the payment card industry that protects organizations and their clients from fraud. This allows organizations to stay in business and keep the trust and respect of their customers.

The Hosted PCI Simplified Path

HostedPCI makes PCI compliance straightforward for organizations by removing the responsibility for processing, exchanging and storing credit card data from the organization. Typically, if your company collects and stores credit card data, the required SAQ is type D. SAQ type D is a very detailed SAQ with roughly 347 questions to be read and completed. By using HostedPCI services, the organization only needs to fill out SAQ type A, which is reduced to roughly 14 questions. This allows companies to be PCI compliant without the stress. Whether you accept credit cards online or through a call centre, HostedPCI has services to make your business run smoother.

The Difference Between SAQ type A and SAQ type A-EP

Determining the differences between SAQ type A and SAQ type A-EP can become complicated for e-commerce companies because the differences are extremely subtle. SAQ type A is for card-not-present companies that outsource all the functions related to collecting, storing and exchanging credit card data to a third-party validated PCI company. This means that the company never comes in contact with the cardholder data and that the data never enters the company’s environment. SAQ type A-EP, however, applies only to e-commerce merchants who outsource all the functions related to collecting, storing and exchanging credit card data to a third-party PCI compliant company, where the embedded iFrame is hosted by the merchant and not the third-party company. For further information about the differences between SAQ type A and SAQ type A-EP, please see the guideline from the PCI Security Standards Council at the link below.

PCI SAQ type A vs SAQ type A-EP