Understanding PCI DSS Part 2: Roles and Responsibilities within the PCI DSS and the Card Payment Cycle.

The PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by five payment brands: Visa, Mastercard, American Express, Discover, and JCB. In November 2020 UnionPay was added as a member. Each payment brand runs its own compliance program that enforces the standard on the entities in its network and sets the validation and reporting requirements for them. An entity that outsources the storage, processing, or transmission of cardholder data to a third party remains responsible for ensuring that the third party protects that data. The PCI DSS does not supersede local or regional laws.

The PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It applies to all entities that store, process, or transmit cardholder data, or that could impact the security of the cardholder data environment, which includes:

  • Merchants
  • Processors
  • Acquirers
  • Issuers
  • Service providers

What is Sensitive Authentication Data?

Sensitive Authentication Data (SAD) is the security-related information used to authenticate cardholders and authorize card transactions: full track data (from the magnetic stripe or the equivalent data on a chip), the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks. SAD must not be stored after authorization, even if it is encrypted. The only exception is for issuers and entities that provide issuing services, which may store SAD after authorization if there is a legitimate and documented business justification.
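As an added example that is not part of the original article, the following Python script scans log lines for the SAD elements listed above, which is the practical check a merchant or assessor runs to confirm nothing was retained after authorization. The regular expressions, helper names and sample log lines are assumptions made for this illustration, and the PANs in them are well-known test numbers, not real cards. A PAN on its own is cardholder data rather than SAD and is deliberately not flagged here; it falls under the separate storage and masking rules.

```python
"""Scan text (for example application logs) for Sensitive Authentication Data
(SAD) that PCI DSS forbids storing after authorization: full track data,
card verification codes (CVV2/CVC2/CID/CAV2) and PIN blocks.

Hypothetical helper written for this article's SAD section; the patterns,
names and sample lines below are assumptions, not the article's own code.
"""
import re
from typing import List, Tuple

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Verification code appearing as a named field (key=value or JSON style)
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\"?\s*[:=]\s*\"?(\d{3,4})\b", re.I)
# Encrypted PIN block as it appears in terminal logs: 16 hex digits
PINBLOCK = re.compile(r"\bpin(?:[_ ]?block)?\"?\s*[:=]\s*\"?([0-9A-Fa-f]{16})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (confirms a PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the finding itself is not SAD/CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked evidence) tuples for every SAD element in one line."""
    hits: List[Tuple[str, str]] = []
    for m in TRACK1.finditer(line):
        if luhn_ok(m.group(1)):          # drop false positives that are not PANs
            hits.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2.finditer(line):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1))))
    for _ in CVV.finditer(line):
        hits.append(("cvv", "***"))      # never echo the code into the report
    for _ in PINBLOCK.finditer(line):
        hits.append(("pin_block", "*" * 16))
    return hits


def scan(lines) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_number, hits) for each line that contains SAD."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_sad(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (assumed format; PANs are public test numbers).
SAMPLE_LOG = [
    "2024-05-01T10:00:01 auth ok pan=411111******1111 amount=12.50",
    "2024-05-01T10:00:02 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^25121011000000000000?"
    ";4111111111111111=25121011000000000000?",
    "2024-05-01T10:00:03 request body: {\"pan\":\"5555555555554444\",\"cvv2\":\"123\",\"exp\":\"1225\"}",
    "2024-05-01T10:00:04 pinpad: pin_block=0412AC89BF45CD00 ksn=FFFF9876543210E00001",
    "2024-05-01T10:00:05 settlement batch 42 closed",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Run on the constructed sample, line 1 (a properly masked PAN) and line 5 produce no finding, line 2 is flagged for track 1 and track 2 data, line 3 for the CVV2 field, and line 4 for the PIN block. Findings are reported with the PAN masked and the code or PIN block redacted, so the scan report itself does not become another store of SAD.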

Merchant Levels

Each payment brand defines its own merchant levels, based on the number of transactions the merchant processes per year.

PCI DSS Levels

The PCI DSS recognizes that not all organizations carry equal risk or have equal capacity to roll out security controls. The validation requirements your organization must meet depend on its merchant level, which is in turn determined by how many card transactions it processes annually. The thresholds below are the commonly cited ones; the exact figures, and which transaction types are counted, vary by payment brand:

  • Level 1: Merchants that process over 6 million card transactions annually.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million transactions annually.
  • Level 4: Merchants that process fewer than 20,000 transactions annually.


Level 1

The assessment is performed by a QSA company, which delivers a Report on Compliance (ROC) at the end of the assessment. Once the ROC is complete, the merchant provides an Attestation of Compliance (AOC) to its acquirer. It must also provide passing quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV); the ASV scan report shows that the externally facing systems in the PCI DSS scope have been scanned for vulnerabilities every quarter.

Levels 2, 3 and 4

These merchants usually complete a Self-Assessment Questionnaire (SAQ) together with an AOC and, depending on the SAQ type, quarterly ASV scans as well.

Roles and Responsibilities within the PCI DSS

Internal Security Assessor (ISA)

The ISA is an employee of the assessed organization who has been trained and qualified by the PCI SSC. The ISA is the organization's subject matter expert on PCI DSS, leads the engagement from the inside, and is the main point of contact for all PCI activities.

Responsibilities

  • Gather evidence and coordinate readiness across departments before the assessment
  • Review policies and procedures and ensure they comply with the PCI DSS
  • Validate the scope of the assessment
  • Act as the point of contact between the QSA and the organization
  • Perform the PCI DSS assessment where no QSA is engaged and the acquirer or payment brand accepts an ISA-led assessment
  • Provide support and guidance during the assessment
  • Act as the SME on PCI compliance
  • Support the selection of samples for the assessment
  • Review and evaluate compensating controls
  • Ensure that PCI compliance is an ongoing process throughout the year

Qualified Security Assessor (QSA)

A QSA is an assessor employed by a QSA company that the PCI SSC has qualified to perform PCI DSS assessments. Responsibilities:

  • Validate the scope of the assessment
  • Perform the PCI DSS assessment
  • Validate all the evidence provided by the assessed entity (policies, procedures, diagrams, etc.)
  • Perform the testing procedures as specified in the PCI DSS
  • Adhere to the PCI DSS requirements and assessment procedures
  • Select the sample of business facilities and system components when sampling is used
  • Evaluate compensating controls
  • Produce the final report (ROC, or the SAQ when engaged to complete it) and the AOC

Merchants and Service Providers

  • If cardholder data (CHD) is stored, apply physical and logical controls to protect it
  • Review and understand the PCI DSS
  • Understand the validation and reporting requirements of each payment brand
  • Report PCI DSS compliance to the acquirer every year
  • Ensure that PCI compliance is an ongoing process

Acquirers

  • Specify to their merchants when and how to report PCI DSS compliance
  • Determine merchant levels and the reporting process
  • Accept or reject merchants' compensating controls
  • Understand each payment brand's compliance validation program

Payment Card Industry Security Standards Council (PCI SSC)

  • Promote payment card security
  • Maintain the PCI DSS and the related PCI standards (PA-DSS, which has since been retired in favour of the PCI Software Security Framework)
  • Provide training and certification, and maintain an up-to-date list of QSAs, PA-QSAs, ISAs, PCIPs and ASVs
  • Maintain the list of approved QSA companies and ASVs
  • Maintain the list of validated payment applications, solutions and devices
  • Create and maintain the documentation used by PCI professionals

Payment Brands

  • Require forensic investigation (by a PCI Forensic Investigator) of data breaches involving CHD
  • Define fines for non-compliant entities
  • Develop their compliance programs
  • Endorse the qualification criteria for QSA and ASV companies

The card payment cycle

Whenever you pay for goods or services with a card, the transaction passes through three phases:

  1. Authorization
  2. Clearing
  3. Settlement

Authorization

  1. The cardholder presents the card, or enters the card details, to the merchant, whose terminal or gateway sends an authorization request to the acquirer
  2. The acquirer forwards the request to the payment brand network, which determines the issuer
  3. The payment brand routes the request to the issuer for approval
  4. The issuer approves (or declines) the purchase
  5. The payment brand returns the response to the acquirer
  6. The acquirer returns the response to the merchant
  7. The cardholder receives the approval and the purchase is completed

Clearing

  1. The acquirer sends the purchase information to the payment brand
  2. The payment brand forwards the purchase information to the issuer
  3. The payment brand provides reconciliation totals to the acquirer

Typical duration: one day

Settlement

  1. The issuer identifies the acquirer for each transaction
  2. The issuer sends payment to the acquirer
  3. The acquirer pays the merchant for the purchase
  4. The issuer bills the cardholder

Typical duration: two days


Kindly read and share.

Pamela Olomola

Product Experience and User Engagement Leader | Founder, Brave Achievers | Forging creative pathways and next generation of Product experts

8 months

As an Identity Product Design leader, understanding PCI DSS roles and responsibilities is crucial for my work. @Adewale Adeife's insights highlight how key players—merchants, service providers, acquirers, and PCI-SSC—ensure the security of cardholder data. I believe that this framework is essential for maintaining trust and compliance in financial transactions. Staying informed about these responsibilities helps us design more secure, user-centric identity solutions. #PCIDSS #IdentityDesign #SecurityByDesign

Opeyemi Ajakaye-Maku

Head of Audit | Cybersecurity & Compliance Leader | Experienced Lawyer (LL.M) | ISO 27001, PCI DSS, SOC 2, GDPR | Third-Party Risk | Information Security Awareness Trainer | Data Privacy & Regulatory Compliance

8 months

Great write-up, Adewale Adeife. It is very easy to read and understand. In addition, there is this fact about the Levels that is usually not emphasized: the levels depend on the payment brands. For example, Level 1 for Visa is different from Level 1 for Discover or JCB.
