
Welcome to the PCI Security Standards Council's Services & Professionals area!

The PCI DSS 3.0 and PA-DSS Version 3.0 Now Available!

The latest versions of the PCI DSS and PA-DSS are designed to provide greater clarity and flexibility, to improve understanding of the requirements, and to ease implementation for merchants. Version 3.0 becomes effective on January 1, 2015.


Protecting Cardholder Data Is Good For Your Business
  • Become Qualified
    Information for security companies seeking to become qualified.

  • QSA Companies
    Search for Qualified Security Assessor (QSA) companies.

  • Verify a QSA Employee
    Verify the certification status of representatives from PCI SSC Qualified Security Assessor companies.

  • Information Supplements
    Documents related to the security framework of the Payment Card Industry Data Security Standard (PCI DSS).




Events calendar, April 2015:

  • 13th April: PCI Awareness Training: Lagos, Nigeria
  • 14th April - 15th April: PCIP Training: Lagos, Nigeria
  • 14th April: Webinar: PCI DSS 3.1 Overview Webinar
  • 15th April - 16th April: QSA Training: Stockholm, Sweden
  • 16th April - 17th April: ISA Training: Lagos, Nigeria
  • 17th April - 18th April: PA-QSA Training: Stockholm, Sweden
  • 24th April - 25th April: QSA Training: San Francisco, CA, United States
  • 26th April - 27th April: ISA Training: San Francisco, CA, United States
  • 27th April: PCI Awareness Training: Istanbul, Turkey
  • 28th April - 29th April: PCIP Training: Istanbul, Turkey
  • 30th April - 1st May: ISA Training: Istanbul, Turkey


No. QSAs and ASVs do not send reports of compliance or scanning results to the PCI Security Standards Council, and they should continue to follow the payment brand specific procedures.

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). That document details what is required for a merchant to be PCI DSS compliant (and therefore what a payment application must support to facilitate a merchant's PCI DSS compliance). Traditional PCI DSS compliance may not apply to payment application vendors, since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants' PCI DSS compliance. Just a few of the ways payment applications can prevent a merchant's compliance are: 1) storage of magnetic stripe data in the merchant's network after authorization; 2) applications that require merchants to disable other features required by PCI DSS, such as anti-virus software or firewalls; and 3) vendors that use unsecured methods to connect to the application to provide support to the merchant.

The PCI Security Standards Council will maintain a robust evaluation program for approved security providers. The PCI Security Standards Council will regularly evaluate new QSAs for consideration within specified time frames during the course of a calendar year. Businesses that meet these qualifications and are approved will then be listed on the PCI Security Standards Council Web site. Information on how new QSAs should contact the PCI Security Standards Council can also be found on the PCI Security Standards Council Web site. In addition, the Web site will contain information about renewal processes for existing QSAs that wish to remain listed on the PCI Security Standards Council Web site. New ASV participation requests will continue to be evaluated during the course of a calendar year. Businesses that meet these qualifications and are approved will also be listed on the PCI Security Standards Council Web site. Renewal processes for ASVs will also be documented on the PCI Security Standards Council Web site.

PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific need to see the full card number. Business needs may exist to validate that the appropriate numbers were entered properly prior to completing the transaction (for example, for customer service representatives). To compensate for not masking the PAN on the screen for these types of transactions, controls such as Time To Live (TTL) or webpage "timeouts" should be deployed so that the screen does not display the card numbers indefinitely. Additionally, as should all websites that transmit cardholder data, the website which displays the PAN should be SSL enabled to ensure the data is secured as it is entered and validated.
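The masking and timeout controls described above, as an added example that is not part of the original page or of any Council-published code. It assumes a display policy of "first six and last four digits at most" (the maximum PCI DSS 3.3 permits), a hypothetical two-minute display TTL for an authorised full view, and a constructed log line; the test card number is a standard Luhn-valid sample, not real cardholder data.

```python
import re
from datetime import datetime, timedelta

# Assumed display policy: no more than the first six and last four digits
# of a PAN are ever shown on screens, logs, reports or receipts.
KEEP_LEADING = 6
KEEP_TRAILING = 4


def pan_digits(pan: str) -> str:
    """Strip spaces/dashes and check the PAN is 13-19 digits long."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length outside the 13-19 digit range")
    return digits


def mask_pan(pan: str) -> str:
    """Return the PAN with everything but first six / last four replaced by '*'."""
    digits = pan_digits(pan)
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    return digits[:KEEP_LEADING] + "*" * hidden + digits[-KEEP_TRAILING:]


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: catches most mistyped PANs without having to
    show the full number to the person validating the entry."""
    total = 0
    for i, ch in enumerate(reversed(pan_digits(pan))):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans_in_text(text: str) -> str:
    """Mask any 13-19 digit run in free text before it reaches a log file.
    A digit-run match is a heuristic; only runs that pass Luhn are treated
    as PANs so order numbers and timestamps are left alone."""
    def _sub(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return re.sub(r"\b\d{13,19}\b", _sub, text)


def render_pan_for_view(pan: str, full_view_authorised: bool,
                        shown_at: datetime, now: datetime,
                        ttl: timedelta = timedelta(minutes=2)) -> str:
    """Show the full PAN only to an authorised viewer and only while the
    display TTL has not expired; otherwise fall back to the masked form."""
    if full_view_authorised and (now - shown_at) < ttl:
        return pan_digits(pan)
    return mask_pan(pan)


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"            # constructed Luhn-valid sample
    opened = datetime(2015, 4, 14, 10, 0, 0)  # constructed timestamps
    print(mask_pan(sample))
    print(luhn_valid(sample), luhn_valid("4111 1111 1111 1112"))
    print(render_pan_for_view(sample, True, opened, opened + timedelta(seconds=30)))
    print(render_pan_for_view(sample, True, opened, opened + timedelta(minutes=5)))
    print(redact_pans_in_text("order 20150414 paid with 4111111111111111 ok"))
```

The Luhn gate in `redact_pans_in_text` reduces false positives on long numeric identifiers but is not a guarantee; a log scrubber in production should additionally be reviewed against the application's own identifier formats.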




The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.