Carding Forum
Professional
Any industry, as it develops, moves from freedom of creativity to one or another form of regulation, carried out by the state or by non-governmental organizations. The aim of regulation is usually to protect interests that conflict with profit-making and which, for that very reason, are of no concern to the business itself.
The payments industry is no exception. The interest of the business lies in letting buyers pay merchants as quickly and conveniently as possible and in offering related services to all market participants. Unfortunately, a convenient one-click payment on a store's website can lead to unpleasant consequences for the bank card holder if one of the participants in the payment chain - a store, a bank or a processing center - has not taken the necessary security measures when processing the data. Although the safety of money on customer cards is a matter of reputation for the business, it does not, frankly, bring any direct benefit. So government regulators and international communities come into play, setting requirements for protection.
Over the past few years, a number of regulations on payment security have appeared, and judging by the activity of regulators, more will appear. Currently, the most relevant international standards in Russia are PCI DSS and PA-DSS, as well as Federal Law No. 161-FZ "On the National Payment System" and the accompanying by-laws in the field of security. It is mainly with these that Russian companies have to deal when they decide to link their business with non-cash payments. Let's consider them in order.
The Payment Card Industry Data Security Standard (PCI DSS) comes from the West and has historically been the first popular set of requirements for securing payments. The standard was developed by the community of international payment systems Visa, MasterCard, American Express, JCB and Discover, which created a regulatory body for its development - the PCI SSC Council.
This standard applies to every organization that stores, processes or transmits in its information systems the numbers of payment cards issued under the brand of any of the above international payment systems. That is, its requirements apply to ordinary and online stores, banks, payment gateways, processing centers and other related structures. All organizations involved in one way or another in processing a payment transaction are, according to the regulator's ideology, divided into two categories - merchants and service providers. The first includes everyone who sells goods or services and accepts bank cards as payment from buyers - shops, restaurants, hotels, gas stations, parking lots. The second includes all those who make the payment process possible - banks,
The PCI DSS standard contains a list of fairly specific technical and organizational requirements for ensuring the information security of card data, divided into 12 sections. The requirements are organized on the principle of a checklist: you move from one requirement to the next and tick "met" or "not met". This approach has its drawbacks: information security professionals periodically criticize the standard for its inflexibility and lack of a risk-based approach. However, in defense of PCI DSS, it is worth saying that the standard is designed for mass adoption by merchants, whose staff rarely includes information security specialists able to professionally manage risks in the style of ISO 27001.
The requirements of the standard are focused on ensuring the security of information infrastructure at all levels. The secure rooms house properly configured network devices and servers that are used by securely developed applications and databases. The relevance of protection is ensured by continuous monitoring and regular audits. Trained personnel administer information systems in accordance with established procedures. This is roughly how information security looks in practice from the point of view of international payment systems.
An organization needs to confirm its compliance with the PCI DSS standard annually, and there are several ways to do so: completing a self-assessment questionnaire (SAQ), undergoing an internal ISA audit, or passing an external QSA audit. Which way to choose? The answer is not as obvious as it might seem at first glance. To begin with, you need to remember which of the two main types the organization belongs to - a merchant or a service provider.
If we are talking about a service provider, then you need to remember the figure 300,000. This is the boundary between the first and second levels (Level 1 and Level 2), set by both Visa and MasterCard for service providers. If the annual number of transactions or the total number of card numbers stored in the database exceeds 300,000, then this is the first level, and you need to engage an audit company with PCI QSA status to undergo an external QSA audit. If the number of transactions is lower, then it is enough to fill out the SAQ D self-assessment questionnaire and provide it to the servicing acquiring bank. We'll talk about the types of self-assessment questionnaires later.
If the organization is a merchant (a trade and service enterprise), then there are as many as four levels for it. But for simplicity, again, you need to remember just one number - one million. If the store processes more than one million transactions per year, then it belongs to the first or second level and must undergo an external QSA or internal ISA audit annually. If the annual total number of transactions is less than one million, then this is the third or fourth level, and for these it is enough to fill out an SAQ, the type of which is selected based on the method of card processing. The defining criterion here is whether card numbers are stored in the store's information systems. If the store stores card data, then this is SAQ D. If it only transmits card data through its systems and does not store it - SAQ C. If it transmits to the service provider exclusively over a telephone line - SAQ B.
It should be remembered that the definitions of the levels of merchants and service providers are given by international payment systems for general guidance only. The most important rule is that the service provider or merchant is primarily responsible for compliance with the PCI DSS requirements, and only the acquiring bank has the right to unambiguously determine the method of conformity confirmation for the organization.
(to be continued)
Table. PCI DSS validation options
| Option | Applicability | Number of verification procedures |
|---|---|---|
| SAQ A | Merchants performing e-commerce transactions that have transferred all functions of electronic processing, storage and transfer of card data to a service provider that has confirmed compliance with PCI DSS. | 13 |
| SAQ B | Trade and service enterprises that use POS-terminals, use a telephone line, do not transmit card data via the Internet, and do not have electronic storage of card data. | 29 |
| SAQ C | Merchants who use POS terminals or payment applications that transmit card data via the Internet and do not have electronic storage of card data. | 40 |
| SAQ C-VT | Merchants who use virtual web terminals via the Internet from a service provider that has confirmed compliance with PCI DSS and do not have electronic storage of card data. | 51 |
| SAQ D | All merchants and all service providers, except for those who, according to the requirements of the payment system or the acquiring bank, need an ISA or QSA audit. | 288 |
| ISA audit | All merchants, except for those who, according to the requirements of the payment system or the acquiring bank, need a QSA audit. | 288 |
| QSA audit | All merchants and all service providers. | 288 |