What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that includes technical and managerial requirements aimed at ensuring the security of credit and debit card transactions and protecting cardholders from misuse of their personal information. PCI DSS was introduced by five major credit card companies in 2004.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that includes technical and managerial requirements aimed at ensuring the security of credit and debit card transactions and protecting cardholders from misuse of their personal information. PCI DSS was introduced by five major credit card companies in 2004.

PCI DSS Controls

Our methodology

01

PROJECT START MEETING

With a project kickoff meeting attended by senior management and relevant unit managers, the purpose, process, necessary resources and risks of the project are evaluated. In consultation with the relevant units, it is ensured that the scope that will be the basis for PCI DSS compliance and auditing is determined correctly.

02

DETERMINING THE SCOPE OF PCI DSS

While determining the scope, the business processes, locations, data centers, systems, employees, service providers, all processes and components related to the transmission, operation, storage, destruction of the credit/debit card and any other aspects affecting the security of the card information are taken into consideration.

01

PROJECT START MEETING

With a project kickoff meeting attended by senior management and relevant unit managers, the purpose, process, necessary resources and risks of the project are evaluated. In consultation with the relevant units, it is ensured that the scope that will be the basis for PCI DSS compliance and auditing is determined correctly.

02

DETERMINING THE SCOPE OF PCI DSS

While determining the scope, the business processes, locations, data centers, systems, employees, service providers, all processes and components related to the transmission, operation, storage, destruction of the credit/debit card and any other aspects affecting the security of the card information are taken into consideration.

03

PCI DSS DIFFERENCE (GAP) ANALYSIS

A difference analysis service is performed to determine the compliance of the existing structure with the current PCI DSS standard.
With the analysis study, the elements that do not comply with the standard and the reasons for non-compliance are determined. As a result of the analysis service, a Difference Analysis Report is prepared. It is performed by QSA (Qualified Security Assessor) experts authorized by PCI SSC.

04

PCI DSS IMPROVEMENT CONSULTING SERVICE

Consultancy services are provided for Credit/Debit card applications and payment infrastructure in accordance with PCI DSS. Secureway working together with the organization; a prioritized approach document is formed, work steps, responsible parties and deadlines are determined for the remediation of incompatibilities.
Required documents are prepared for compliance.

03

PCI DSS DIFFERENCE (GAP) ANALYSIS

A difference analysis service is performed to determine the compliance of the existing structure with the current PCI DSS standard.
With the analysis study, the elements that do not comply with the standard and the reasons for non-compliance are determined. As a result of the analysis service, a Difference Analysis Report is prepared. It is performed by QSA (Qualified Security Assessor) experts authorized by PCI SSC.

04

PCI DSS IMPROVEMENT CONSULTING SERVICE

Consultancy services are provided for Credit/Debit card applications and payment infrastructure in accordance with PCI DSS. Secureway working together with the organization; a prioritized approach document is formed, work steps, responsible parties and deadlines are determined for the remediation of incompatibilities.
Required documents are prepared for compliance.

05

PCI DSS SITE AUDIT
(ON-SITE AUDIT) SERVICE

After remediation of all the inconfirmities identified in the Difference Analysis Report, an On-Site Audit is performed with QSA (Qualified Security Assessor) experts authorized by PCI SSC.

ROC as a result of audit service
(Report On Compliance) is prepared.

06

CERTIFICATE OF COMPLIANCE (AOC)
PREPARE AND SHARE

After the ROC document is prepared and shared by Secureway, the document is reviewed by the Organization. Upon confirmation of the organization, PCI DSS Compliance Certificate – Attestation of Compliance (AOC) document is prepared. The audit process ends with the signatures of the Auditor (QSA) and the Authority’s officials.
If the client is required to share audit documents with payment brands or banks, Secureway provides the necessary communication and information sharing in this regard.

05

PCI DSS SITE AUDIT
(ON-SITE AUDIT) SERVICE

After remediation of all the inconfirmities identified in the Difference Analysis Report, an On-Site Audit is performed with QSA (Qualified Security Assessor) experts authorized by PCI SSC.

ROC as a result of audit service
(Report On Compliance) is prepared.

06

CERTIFICATE OF COMPLIANCE (AOC)
PREPARE AND SHARE

After the ROC document is prepared and shared by Secureway, the document is reviewed by the Organization. Upon confirmation of the organization, PCI DSS Compliance Certificate – Attestation of Compliance (AOC) document is prepared. The audit process ends with the signatures of the Auditor (QSA) and the Authority’s officials.
If the client is required to share audit documents with payment brands or banks, Secureway provides the necessary communication and information sharing in this regard.

PCI SSC and Standards

It is a standard developed by the PCI council to ensure the security of payment cards. Established by VISA, Mastercard, American Express, Discovery and JCB, the council establishes security standards for payment cards and leads the payment cards industry in their announcement, training and audits.

Standards published by the PCI council

  • PCI DSS – Payment Card Industry Data Security Standard
  • PA-DSS – Payment Application Data Security Standard
  • P2PE – Point to Point Encryption Standard
  • PTS – Pin Transaction Security
  • PCI 3DS – PCI 3DSecure Core Security Standard
  • PCI SSS – Secure Software Standard
  • Card Production
PCI DSS Standards

PCI SSC and Standards

It is a standard developed by the PCI council to ensure the security of payment cards. Established by VISA, Mastercard, American Express, Discovery and JCB, the council establishes security standards for payment cards and leads the payment cards industry in their announcement, training and audits.

Standards published by the PCI council

  • PCI DSS – Payment Card Industry Data Security Standard
  • PA-DSS – Payment Application Data Security Standard
  • P2PE – Point to Point Encryption Standard
  • PTS – Pin Transaction Security
  • PCI 3DS – PCI 3DSecure Core Security Standard
  • PCI SSS – Secure Software Standard
  • Card Production
PCI DSS Standards

PCI DSS Merchant Levels

PCI DSS Merchant
Levels

CATEGORYCRITERIAREQUIREMENTS
Level 1• Businesses that have been exposed to any hack or attack and whose customer information has been compromised (Account Data Compromise - ADC) - Businesses with more than 6 million total Mastercard and Maestro transactions per year

• Businesses that meet the Level 1 criteria of VISA

• Businesses that MasterCard voluntarily considers as Level-1 in order to reduce risk		• Annual on-site audit
Level 2• Businesses with more than 1 million total Mastercard and Maestro transactions less than or equal to 6 million annually

• Businesses that meet the Level 2 criteria of VISA		• Annual on-site audit or Self Assessment
Level 3• Businesses with more than 20,000 total Mastercard and Maestro e-commerce transactions per year, but less than or equal to 1 million total annual Mastercard and Maestro transactions

• Businesses that meet the Level 3 criteria of VISA		• Annual Self Assessment

• On-site audit according to the preference of the workplace (On-site Audit)
Level 4• All other businesses• Annual Self Assessment

• Annual Self Assessment

PCI DSS Service Provider Levels

PCI DSS Service Provider
Levels

CATEGORYCRITERIAREQUIREMENTS
Level 1• All third party processors – All Third Party Processors (TPPs)

• All third party processors – All Third Party Processors (TPPs)

• All digital activity providers – All Digital Activity Service Providers (DASPs)

• All Token Service Providers – All Token Service Providers (TSPs)

• All 3D Secure Service Providers – All 3D Secure Service Providers (3-DSSPs)

• All AML/Sanctions Service Providers – All AML/Sanctions Service Providers

• All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually		• Annual on-site audit. Must be performed by a QSA approved by PCI SSC.
Level 2• All Data Storage Firms and Payment Service Providers with 300,000 or less total Mastercard and Maestro transactions per year All DSEs1 and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually

• All Terminal Providers – All Terminal Services (TSs)		• Annual Self-Assessment
(Self Assessment)

Contact us

Please let us know
how we can assist

Secureway’s business philosophy is to provide the highest quality innovative solutions, total customer satisfaction, timely delivery of solutions and the best price performance available in the industry.

Our mission is to help you improve your security performance, reduce risks, make you more productive, less stressed and a little more confident.

Contact Form

Form EN

Contact us

Please let us know
how we can assist

Secureway’s business philosophy is to provide the highest quality innovative solutions, total customer satisfaction, timely delivery of solutions and the best price performance available in the industry.

Our mission is to help you improve your security performance, reduce risks, make you more productive, less stressed and a little more confident.

Contact Form

Form EN