About Payment Card Industry (PCI)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of international technical and operational requirements, maintained by the PCI Security Standards Council (PCI SSC), for protecting cardholder data wherever it is stored, processed or transmitted.

Is PayFabric PCI Compliant?

PayFabric is validated as a PCI DSS Level 1 service provider. Please see our supporting security documents and listings for additional details.

  PCI DSS Attestation of Compliance

  ASV PCI Scan Attestation of Compliance

  PayFabric’s PCI DSS listings for MasterCard

  PayFabric’s PCI DSS listings for Visa

What is PA-DSS?

Acronym for Payment Application Data Security Standard, which defines security requirements and assessment procedures for software vendors of payment applications. Using a PA-DSS validated application does not by itself make an entity PCI DSS compliant: the application must be deployed and operated within a PCI DSS compliant environment, and the merchant or service provider remains responsible for the rest of its cardholder data environment. Note that PCI SSC retired the PA-DSS program in 2022 in favor of the PCI Software Security Framework, so new application validations are performed against that framework rather than PA-DSS.

Who does PCI DSS apply to?

The PCI standards apply to all entities that store, process or transmit cardholder data, including merchants, service providers, software developers, and manufacturers of the applications and devices used in those transactions. In general, PCI Security Standards include:

What is a merchant?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

What is a service provider?

A business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services which control or could affect the security of cardholder data. Examples include managed service providers that supply managed firewalls, IDS and other services, as well as hosting providers and similar entities. If an entity provides a service that involves only the provision of public network access, such as a telecommunications company providing just the communication link, the entity would not be considered a service provider for that service (although it may be considered a service provider for other services).

What is a payment application?

In the context of PA-DSS (Payment Application Data Security Standard), a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.

What is a vulnerability scan?

A vulnerability scan is an automated assessment, performed with a scanning tool, of a merchant or service provider’s systems for flaws or weaknesses which, if exploited, could result in an intentional or unintentional compromise of a system or its data. Vulnerability scans are used as part of validating PCI DSS compliance. PCI DSS Requirement 11.2 (renumbered 11.3.2 in PCI DSS v4.0) requires that external vulnerability scans be performed at least once every three months by an Approved Scanning Vendor (ASV) qualified by PCI SSC, with rescans after each significant change and until a passing scan is achieved.

What is an Approved Scanning Vendor (ASV)?

An Approved Scanning Vendor (ASV) is a data security firm that uses a scanning solution to determine whether a customer meets the PCI DSS external vulnerability scanning requirement (Requirement 11.2, or 11.3.2 in PCI DSS v4.0). ASVs are qualified by the PCI Security Standards Council to perform the external network and system scans required by the PCI DSS. An ASV may submit scan reports to the acquiring institution on behalf of a merchant or service provider, if the ASV and its customer agree to that arrangement.

What is a SAQ?

The Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment when they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be required to state the planned remediation date and associated actions. Different SAQs exist for different merchant environments (for example, fully outsourced e-commerce versus in-house card processing), and the applicable SAQ depends on how cardholder data flows through your environment. If you are not sure which SAQ applies to you, contact your acquiring bank or payment card brand for assistance.