The Payment Card Industry Data Security Standards (PCI DSS) is a set of information security standards created and managed by the Payment Card Industry Security Standards Council (PCI SSC) for organizations that store, process, or transmit credit card data.
The major card brands (including Visa, Mastercard, Discover, and American Express) require PCI DSS compliance.
Finix helps you and your users validate compliance with PCI DSS by providing the necessary forms and verifying the submitted information. Users can include any entity that stores, processes, or transmits credit card data.
There are four levels of PCI compliance. If the requirements apply to you or a user, the entity will need to meet that level of PCI DSS compliance before it can process payments.
|PCI Level 1
|PCI Level 2
|PCI Level 3
|PCI Level 4
Finix is certified as a Level 1 Payment Card Industry Data Security Standards (PCI DSS) compliant Service Provider.
Every one of your sellers eligible to process payments is required to validate compliance with PCI DSS annually.
Sellers can validate compliance by completing and attesting to a Self Assessment Questionnaire (SAQ).
Self-Assessment Questionnaires (SAQs) are validation tools to aid entities in self-evaluating their compliance with PCI DSS. For PCI Levels 2-4, there are different SAQ types based on the manner of your payment integration.
|Self-Assessment Questionnaire (SAQ)
|Sellers using only:
Each PCI DSS Self-Assessment Questionnaire comprises the following:
- Questions associated with the PCI DSS requirements that are appropriate for your cardholder data environment (CDE).
- Attestation of Compliance: The attestation contains your declaration of eligibility for completing the applicable SAQ and the results of a self-assessment requirements under PCI DSS.
Finix will evaluate your method of payment integration to help alleviate some of the PCI compliance burden. Finix takes care of the heavy lifting and creates the SAQ compliance forms your sellers need to complete. Finix pre-fills some information based on the information collected from you as part of the implementation process. For many organizations, this helps save countless hours of auditing and compliance checks.
Additionally, Finix actively monitors PCI compliance on an ongoing basis and will notify you in advance of any compliance validation issues or changes.
For information on how you and your sellers can validate compliance with PCI DSS, see Managing PCI Compliance.
Additional articles and materials are also available to help you understand the Payment Card Industry Data Security Standards:
- Everything You Need to Know About PCI Compliance
- PCI Security Standards Council articles:
|Attestation of Compliance
|A document to complete as a declaration of the results reflected in an associated Self-Assessment Questionnaire (SAQ).
|Approved Scanning Vendor
|An organization with a scan solution that is tested and approved by the PCI SSC to conduct external vulnerability scanning adhering to PCI DSS Requirement 11.2.2.
|Cardholder Data Environment
|The people, processes and technology that store, process, or transmit cardholder data.
|At minimum, cardholder data consists of the full PAN (Primary Account Number), and may also include: cardholder name, expiration date and/or service code.
|Primary Account Number
|Also referred to as the account number and is a unique payment card number that identifies the issuer and the particular cardholder account.
|Payment Card Industry Data Security Standards
|Payment Card Industry Security Standards Council
|PCI DSS Help Site
|PIN Transaction Security
|PTS is a set of modular evaluation requirements managed by the PCI SSC for PIN acceptance Point-of-Interaction terminals.
|Qualified Security Assessor
|An independent security organization that has been qualified by the PCI SSC to validate an entity’s adherence to PCI DSS. A QSA employee is an individual who is employed by a QSA company and has satisfied all QSA requirements.
|Report on Compliance
|The ROC provides details about an entity’s environment and assessment methodology, and documents the entity’ compliance status for each PCI DSS requirement.
|Sensitive Authentication Data
|Security-related information used to authenticate cardholders and/or authorize card transactions (may include card validation codes/values - CVS/CVV, PINs, full track data from the magnetic stripe or equivalent on a chip).
|A validation tool intended to aid merchants and service providers in self-evaluating their compliance with PCI DSS.
|Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.