PCI DSS

PCI DSS

Understanding PCI DSS compliance and secure payment integration

Payment Card Industry Data Security Standards (PCI DSS) is a set of technical and operational criteria designed to reduce the risk of fraud and data breaches in the payment ecosystem, applicable to any entity that accepts or processes payment cards.

Solidgate, a certified e-commerce PSP with PCI DSS Level 1, acts as a gateway services provider, managing all requests and issues related to merchant processing.

Solidgate offers two integration options:

Host-to-Host (H2H)
Involves Guide
Understanding host-to-host integration is essential for a merchant planning to integrate with a payment system, as it offers secure transactions, flexible payment options, efficient management of credit card payments, and features like 3D Secure, tokenization, and recurring transactions. direct data transfer between systems, requiring the merchant to provide information about their certified AOC company and request quarterly ASV scans (requires SAQ-D/AOC + quarterly ASV).
Iframe
Incorporates a Guide
Understand how to integrate the payment form into your product. payment form or Guide
Use e-commerce plugins to integrate your software providers with Solidgate for payment collection. widget into the merchant’s website, shifting the responsibility of card data collection and storage away from the merchant. Requires annual SAQ updates and quarterly ASV scans starting March 31, 2024, as per SAQ-A v.4.0 clause 11.3.2.

PCI compliance levels

PCI DSS compliance is categorized into four levels based on annual transaction volume:

Level 1

Level 1 merchants, with or 6 million Visa/Mastercard transactions, or 2.5 million American Express transactions, or a data breach, or card association designation, require an annual ROC and quarterly scans.

Level 2

Those processing between 1 to 6 million transactions annually must complete a Self-Assessment Questionnaire (SAQ) and perform quarterly scans.

Level 3

Merchants handling between 20,000 to 1 million e-commerce transactions annually need to fill out an SAQ and conduct quarterly scans.

Level 4

Merchants with fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually are required to complete an SAQ.

Required documents by PCI Level:

Level 1

Level 1 merchants are required to undergo a Report on Compliance (ROC) and perform quarterly external ASV scans.

For service providers, it’s also mandatory to carry out network segmentation tests at least every six months or following any significant changes to their network segmentation, in alignment with PCI DSS requirement 11.3.4.1. This ensures continuous compliance and security of cardholder data across their network.

Level 2

Level 2 merchants must either complete a Report on Compliance (ROC) or an appropriate Self-Assessment Questionnaire (SAQ), in addition to conducting quarterly external ASV scans.

The exact requirements may differ depending on the specific demands of the card brands involved. This process aims to maintain a robust security posture and ensure adherence to PCI DSS standards.

Level 3

Merchants classified as Level 3 are required to complete an eligible Self-Assessment Questionnaire (SAQ) and also conduct quarterly external ASV scans.

This is to verify that their payment systems remain secure against vulnerabilities and comply with PCI DSS requirements, thus safeguarding cardholder data effectively.

Level 4

Merchants classified as Level 4 are required to complete an eligible Self-Assessment Questionnaire A (SAQ-A).

From March 31, 2024, SAQ-A merchants should conduct quarterly external ASV scans according to the PCI DSS v.4.0.

SAQ-A v.4.0

Key updates in SAQ-A v.4.0 include:

Update list

Expand all

6.3 Address security vulnerabilities for iframe or TPSP redirect users

Any merchant website using an iframe from a Third-Party Service Provider (TPSP) for payment collection or redirecting customers to a TPSP-managed site must implement a vulnerability management strategy.

It’s essential for merchants to actively monitor industry sources for vulnerabilities affecting their e-commerce systems. Furthermore, documenting a process for prioritizing risks related to identified vulnerabilities is necessary.

Identifying high-risk vulnerabilities is key to effectively implementing monthly patching. (= 6.2 SAQ A v3.2.1)

6.4.3 Payment page script checks required by March 31, 2025

Until March 31, 2025, it is considered best practice, and thereafter, it becomes mandatory to authorize, conduct integrity checks, and maintain an inventory of all payment page scripts.

This requirement is applicable to pages that are redirected from or contain iframes.

8.2.1 - 8.3.9 Strengthen user access and authentication

8.2.1 All users must be assigned a unique ID before being allowed access to system components or cardholder data, ensuring individual accountability and traceability. (= 8.1.1 SAQ A v3.2.1)

8.2.2 Use of group, shared, or generic accounts and other shared authentication credentials is restricted to exceptional cases only, to minimize security risks. (= 8.5 SAQ A v3.2.1)

8.2.5 Immediate revocation of access for terminated users is required to prevent unauthorized access to sensitive data. (= 8.1.3 SAQ A v3.2.1)

8.3.1 Authentication for user access to system components is mandatory, including for both regular users and administrators, through methods such as passwords, passphrases, token devices, smart cards, or biometric elements. (= 8.2 SAQ A v3.2.1)

8.3.5 Passwords must be set to a unique value at initial establishment or reset and changed upon first use to ensure security from the outset.

8.3.6 Passwords must be at least twelve characters long, including letters and numbers, as a best practice until March 31, 2025, after which it becomes a mandatory requirement in PCI DSS assessments.

8.3.7 Reusing any of the last four passwords or passphrases is prohibited to enhance password security.

8.3.9 Passwords must be changed every 90 days if single-factor authentication is used. Alternatively, account security levels are dynamically analyzed, with resource access automatically determined in real time based on appropriate settings.

11.3.2 & 11.3.2.1 Quarterly or as-needed external vulnerability scans rated CVSS 4.0+

11.3.2 External vulnerability scans

Conducted at least once every three months.
Performed by a PCI SSC Approved Scanning Vendor (ASV).
Ensure vulnerabilities are resolved and meet ASV Program Guide requirements for a passing scan.
Rescans are necessary to confirm resolutions per ASV Program Guide standards.

External ASV scans are obligatory for e-commerce merchants using a third-party iframe for payment processing. Merchants whose websites redirect to a TPSP payment acceptance page should consider this requirement as Not Applicable if it doesn’t apply to their setup. These scans, required quarterly, aim to promptly address vulnerabilities, with rescans verifying the resolution according to ASV guidelines.

11.3.2.1 Post-change external vulnerability scans

Initiated after any significant change.
Focus on resolving vulnerabilities with a CVSS score of 4.0 or higher.
Include rescans as needed to ensure compliance.
Scans must be conducted by qualified personnel, emphasizing the need for organizational independence of the tester, which does not have to be a QSA or ASV.

11.6.1 Change detection for payment iframes by March 31, 2025

To use iframes for hosting a payment service provider’s payment page, it’s necessary to implement a change and tamper detection mechanism. This mechanism must alert personnel to any modifications in HTTP headers or the content of the payment page.

It should operate at a minimum of every seven days or on a periodic basis, considered best practice until March 31, 2025, after which it becomes a mandatory requirement.

These updates aim to further secure payment processing by enhancing vulnerability management, access controls, and scanning protocols.

Looking for help? Contact us

Stay informed with Changelog