
PCI Compliance
Introduction

The Payment Card Industry Data Security Standards (PCI DSS) is an industry-wide compliance requirement for every entity that stores, processes, or transmits payment card data (such as accepting credit card payments). To demonstrate compliance with the PCI DSS, merchants and service providers are required to conduct periodic PCI Security Scans. Regular vulnerability scanning is a critical component to all security architectures and is a required component for all merchants accepting credit card payments.

PCI Security Scans are conducted over the Internet by an Approved Scanning Vendor (ASV). Scans help identify vulnerabilities and misconfigurations of web sites, applications, and information technology (IT) infrastructures with Internet-facing internet protocol (IP) addresses. Scan results provide valuable information that support efficient patch management and other security measures that may improve protection against Internet attacks.

PCI DSS Compliance Requirements

PCI DSS requires all merchants to complete a Self-Assessment Questionnaire about their payment card environment and processes, and to have all Internet-facing IP addresses scanned for vulnerabilities. In some instances, a company may have many IP addresses available while using only a few for card acceptance or processing. In these cases, merchants and service providers define the appropriate scope of the scan required to comply with the PCI DSS.

PCI Security Scans apply to all merchants and service providers with Internet-facing IP addresses. Even if an entity does not offer Internet-based transactions, other services may still access the Internet. Basic functions such as e-mail and employee Internet access make a company’s network reachable from the Internet. Such seemingly insignificant paths to the Internet might provide unprotected pathways into merchant and service provider systems and potentially expose cardholder data if not properly controlled.

Web servers and application servers allow internet users to view web pages and interact with web merchants. Because these servers are fully accessible from the public Internet, scanning for vulnerabilities is essential.

To achieve compliance, merchants must meet the two requirements of the PCI DSS:

  • Successfully answer a PCI Self-Assessment Questionnaire (SAQ); and
  • Have external-facing IP addresses scanned by a PCI certified Approved Scanning Vendor (ASV).

Before the Client Account is approved to go live, the merchant must successfully pass the SAQ and the network (IP address) scan to confirm PCI compliance.

SAQ Types

The 4 SAQ options are:

SAQ A

To be completed by card-not-present merchants that have all of their cardholder data functions outsourced. An example would be e-Commerce merchants that redirect their customers to a third-party payment page.

SAQ B

Not applicable to e-Commerce / card-not-present merchants.

SAQ C

To be completed by e-Commerce merchants that DO NOT STORE credit card data but accept the payment card data directly via a payment page hosted on their website and post the transaction details via a server-to-server post.

SAQ D

To be completed by e-Commerce merchants that DO STORE credit card data and accept the payment card data directly via a payment page hosted on their website and post the transaction details via a server-to-server post.

The difference between SAQ C and SAQ D: Merchants that STORE credit card data for any reason, including those who perform recurring transactions, must complete SAQ D.

Scheduled Requirements

Most acquirers require a successful PCI scan performed by an Approved Scanning Vendor (ASV) to be presented quarterly, and the corresponding SAQ to be completed and signed yearly.

In cases where the PCI scan discovers problems, the merchant is generally given 10 days to resolve the issue. Upon successful resolution, another scan must be manually scheduled and a successful scan recorded. During that time the merchant’s processing will not be disrupted.

In cases where the problem might take more than 10 days to resolve, the acquirer must be duly updated, and such instances will be handled on a case-by-case basis.

For further information, please contact CLIQ Payments administration at admin@cliqpayments.com

PCI DSS Resources

For important information regarding PCI DSS compliance, please contact CLIQ Payments and review the following resources:
