Payment Card Industry (PCI) Compliance

Independent and qualified experts (auditors) apply the following auditing techniques:

Document review:
Evaluation of the organisation’s requirements and/or documentation to ensure the systematic control of all processes relevant for the handling and management of payment card information.

On-site-audit:
Verification in the form of interviews on-site at the customer's premises that the above requirements are effectively implemented in practice.

Technical testing:
Assessment of the configuration of relevant system by performing appropriate random tests if necessary.

To ensure you can always work in conformity with the PCI standard and benefit from highest security measures, we offer the necessary solutions for PCI DSS or PA DSS certification and a number of additional benefits. Selected services include:

• Technical advisory for all issues and steps of PCI DSS compliance
• Seminars, training and workshops
• Compliance portal for merchants, service providers, and acquirers to provide efficient evidence of compliance with the requirements
• On-site audits carried out by a qualified security assessor (QSA)Vulnerability scans performed by an approved scanning vendor (ASV)
• Awareness training (e-Learning)
• Support with completing the PCI Self-Assessment Questionnaire (SAQ)
• TÜV SÜD certification mark for certified organizations

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Fraud and identity theft are on the rise. The reality of a data breach is not only detrimental to your business; it affects your customers as well. This risk is not restricted to the security breaches you see in the news involving large companies as smaller merchants are also affected.

Within TÜV SÜD, internationally accredited certification bodies offer services for various management systems. We have extensive experience in auditing and certifying a wide range of internationally recognised management systems. Our experienced team of global experts will guide you through the process, from on-site audits to certification. Our auditors will guide you in the periodic assessments to identify and minimise potential risks. By partnering with us, your company’s attention and commitment to the PCI compliance will gain global recognition. Beyond certification, we will also provide you with periodic feedbacks on ways to improve on your existing processes.

Our solutions cover all PCI DSS standards, supporting you on your way to PCI certification. Contributing our know-how in the auditing of information security and our experience in the payment-card industry we guarantee that you are on the safe side in matters of payment security. Our comprehensive services enable you to implement effective security systems.

Our references in the finance and payment industry, among banks, commerce, and e-commerce show off our extensive experience in payment security.

As the relevant industry standard, the PCI DSS standard also supports all organizations that process payment cards, helping them to reach compliance with the relevant requirements.

Our accreditations with the PCI Security Standards Council and the payment card schemes authorize us to assist you with all aspects of reaching PCI certification and to issue the PCI certificate. We offer a range of certifications, including:

• Qualified Security Assessor Company (QSAC)
• Approved Scanning Vendor (ASV)
• Qualified Payment Application Security Assessor (QPASA)

In-depth assessment – A quarterly qualitative and quantitative analysis will be performed and a detailed report and analysis of your company’s PCI compliance will be produced at the end. By assessing your strengths and weaknesses, you ensure that your operations are not compromised.

One-stop solution – In addition to PCI certification, TÜV SÜD is also a one-stop provider for other certifications and management systems such as the ISO 9001 standard.

Improve marketability - By certifying that you are PCI compliant, your reputation and trust from your customers and partners increase. Confident customers are more likely to come back and recommend your business to their network, thus driving profitability as well.

Minimise risk - Through consistent achievement of compliance according to the requirements, you ensure that your payment services are secure.

Increased adaptability - With PCI certification, your business will be prepared to comply with future regulations. You will also be able to identify ways to improve the IT infrastructure of your business, thus increasing productivity.

Global presence - TÜV SÜD’s international experts are well-equipped to apply a beneficial external view on your processes, thus minimising existing risks and enhancing your reputation within the industry

• Safer Shopping Certification
• Vulnerability Assessment & Penetration Testing

From standardised vulnerability scans (ASV) to our extensive Merchant Compliance Portal and individual advice, we offer merchants all the solutions they need to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) and thus, ultimately, PCI DSS certification.

PCI CERTIFICATION WITH THE MERCHANT COMPLIANCE PORTAL FOR MERCHANTS
As a merchant accepting credit card payments, you must make sure to prevent any misuse of sensitive cardholder data by unauthorized third parties. To do this, you must comply with the global Payment Card Industry Data Security Standards (PCI DSS), which were developed by the credit card schemes to improve data security in payment transactions. Evidence of your compliance with the standards must be furnished at regular intervals in the form of PCI certification.

We offer a simple and all-inclusive portal solution that supports merchants, irrespective of their size and area of industry, along their way to certification ––from newsstand owners with only an occasional credit-card payment to small bookstores, travel agents, and established online shops. Our free Merchant Compliance Portal provides guidance at every step of the certification process.

• The Merchant Compliance Portal bundles all the necessary test criteria and carries them out automatically, aligned to individual needs.
• As a merchant, you can document your compliance with the security criteria and demonstrate it to your acquirers.
• In addition, the portal offers extensive technical support and can take over complete compliance monitoring, performed by trained TÜV SÜD experts.

PCI CERTIFICATION FOR ONLINE SHOPS AND RETAILERS
For PCI DSS certification, the leading credit card schemes categorise their merchants into various levels with different security requirements. The following forms of security evidence are basic requirements for PCI certification:

• Annual self-assessment / Self Assessment Questionnaire (SAQ)
• Quarterly vulnerability scans performed by an approved scanning vendor (ASV)
• Annual on-site audits – these on-site security audits are intended for merchants with millions of transactions per year.

THE MERCHANT COMPLIANCE PORTAL OFFERS THE FOLLOWING SERVICES
 Retailers which need not undertake on-site auditing can complete their SAQs directly online in the Merchant Compliance Portal, and take advantage of automated processing of the required ASV scans for a smooth road to PCI Compliance.

Registration: Creating your personal user account.
Classification: With a few questions, the portal can define which self-assessment questionnaire is relevant for you.
Self-Assessment: Complete the questionnaire defined in advance, containing questions on your company, type of credit-card acceptance etc.
Vulnerability Scans: Vulnerability scans may be necessary depending on the type of credit card acceptance and integration into your network.
Reporting: Your compliance report, results of vulnerability scans, and other relevant documents will be provided in the portal.

For these services, the Merchant Compliance Portal offers merchants the following features:

• For merchants, use of the portal including the SAQs is completely free of charge.
• The content of self-assessments are saved until the next time an SAQ has to be completed.
• Vulnerability scans can be ordered and carried out in an automated process.
• The portal sends out automatic notifications if activities on the part of the merchants are required.
• Use of the systematic project management approach helps to cut costs right from the start, e.g. by reducing the number of ASV scans or the scope of the on-site audits.
• WHAT IS INCLUDED IN THE PCI DSS SECURITY AUDITS FOR MERCHANTS?
  Self-Assessment Questionnaire (SAQ): In addition to the processing of payment card information in your company, the questionnaire surveys the following aspects:
  
  
• General company information
• Connections with other companies
• Technical details relevant for the implementation of the PCI DSS key requirements.

Vulnerability scan (ASV scan): The objective of the security scan is to identify security gaps in systems and websites which might be used by attackers to access payment card data. Vulnerability scans identify potential gaps by running automated tests on the following parts of your IT systems:

• Network components
• Operating systems
• Applications

On-site audits: Major merchants in particular must undergo an annual on-site audit in addition to the ASV scan. This on-site security audit covers various activities, including

• Inspection of server rooms
• Employee interviews
• Review of process documentation and hardening guidelines
• Software testing for system configuration and patch status

EXPERT SUPPORT BEYOND THE MERCHANT COMPLIANCE PORTAL
We support our merchants not only by providing the Merchant Compliance Portal, but also by advising them on all further issues, such as the essential technical questions in the SAQ. The specially trained experts at TÜV SÜD First Level Support are familiar with the technical details and speak the same language as the merchants. In addition to PCI DSS certification, we can supply merchants with further optional Payment Security services, based on our cross-functional expertise in a variety of cybersecurity fields:

Compliance awareness: Technical advisory and workshops at management and employee level
Pre-compliance services: Compliance analyses, GAP analyses, pre-audits and pre-scans
Implementation support: Support with the development of policies and procedures, advice on technical concepts and penetration tests

SECURITY WITH THE MERCHANT COMPLIANCE PORTAL
Trust is a factor of paramount relevance in virtual transactions. We support your operations as a merchant, assisting with secure implementation of modern technology and enabling you to accept credit card payments and guarantee your customers the highest security standards as demonstrated by the established TÜV SÜD certification mark. As an accredited certification provider, we accompany you step by step along the road to PCI Compliance.

By providing our extensive acquirer portal, which can be used for easy implementation of all reporting tasks and other requirements for PCI DSS certification, we help acquirers to ensure end-to-end PCI DSS compliance at their merchants and service providers as well as in their own organizations. We support your authorized merchants with their efficient fulfillment of PCI requirements and submission of compliance evidence, offering comprehensive support and an attractive Merchant Compliance Portal

Security and trust concerning personal data are key concerns in our modern society. Consumers expect a high level of protection and security––particularly when it comes to handling credit card information. As an acquirer, you must therefore offer your merchants a comprehensive Payment Card Industry (PCI) compliance solution and fulfill the requirements of the various payment card schemes.

This involves a number of challenges. As an acquirer, you must both comply with the security standards and keep an overview of the status of all of your merchants and your own processes. Our Merchant Compliance Portal (Acquirer Portal) supports you by providing expedient solutions and offering the following advantages:

• Automation of the required reporting tasks
• Support with compliance program management with respect to the regulations defined by Visa AIS, MasterCard SDP, American Express DSOP, and other payment card schemes
• Management of all information of your merchants, independently of the Qualified Security Assessor
• Full-service and full-support options – also as white-label solution
• Fast-track processing for merchants by providing automation of all key tasks plus 1-click certification based on the possibility of importing your merchants' previous year information.

THE ACQUIRER PORTAL OFFERS THE FOLLOWING VERIFICATION SERVICES

The compliance software for acquirers clearly visualizes all information about your merchants and payment service providers.

• See the status of PCI certifications and store and evaluate all verification data at a single location.
• Obtain access to the acquirer portal. Your merchants obtain access to the merchant portal, where they can complete an online self-assessment questionnaire (SAQ) to declare their compliance with the payment card industry data security standards (PCI DSS).
• Deal with your reporting and monitoring tasks efficiently in the acquirer portal. No more missed deadlines!
• Stay permanently up to date, with information updated online in real time.
• Generate general statistics at the click of a button.

Benefit from our extensive data import features and connectivity options to your CRM systems and ERP tools.

CUSTOMIZED COMPLIANCE MANAGEMENT SOLUTIONS FOR ACQUIRERS

Every acquirer imposes a different set of demands on compliance management applications. To ensure our compliance solution exactly fits your company and your needs, the application can be extensively customized.

If required, the acquirer portal can be provided in various languages (e.g. English, German, French or Italian). If you have operations in several countries, all your merchants can thus complete the questionnaires in their native language.

 In addition, the texts and layout of the compliance management portal for acquiring banks can be aligned to your requirements. This is a particularly important advantage in terms of retention of your customers, i.e. your merchants.

MERCHANT COMPLIANCE PORTAL FOR ACQUIRERS – ALWAYS UP TO DATE

We have a wealth of longstanding experience in web-based software development and back office integration as well as knowledge in compliance management, which enables us to supply premium solutions for regulatory institutions. Secure and up-to-date applications that run smoothly are an essential aspect of success in this area. Accordingly, we offer the following features:

• Implementation of a ready-to-use merchant compliance solution in your organization
• Regular updates, adjustment, and maintenance on our part
• No installation or work required by you
• Assurance of highest security standards in hosting and operation
• Compliance with all legal requirements, including data-protection regulations
• Full-support option, including merchant hotline, offered by our technical experts

MERCHANT PROTECTION WITH THE COMPLIANCE PORTAL FOR ACQUIRERS

The compliance solution developed by our experts enables you to offer your merchants comprehensive protection for their businesses. You benefit from our trustworthy compliance security solutions, which you can implement seamlessly at your merchants. The treatment of sensitive data demands particularly high security standards. With our Merchant Compliance Portal, the implementation and verification of these standards is a straightforward process. Your merchants receive independent access to the portal, regulated by you.

By partnering with TÜV SÜD, you benefit from an acquirer portal which is customized to your needs, thereby inspiring trust and a sense of security in your merchants.

For software manufacturers, we offer an integrated solution for Payment Application Data Security Standard certification (PA DSS certification). We are at your side every step of the way, supporting you with individual advice and the necessary security audits. 

As a manufacturer and vendor of payment solutions, terminals, cash machines, and payment-related software applications, you need to demonstrate that your products are in conformity with the Payment Application Data Security Standards (PA DSS). For this purpose, we offer an in-depth service customised to the specific needs of your company.

 We accompany you along every single step of the process, ensuring that you will obtain the PA DSS certification you need as a manufacturer of payment solutions. As a certification body, we offer you the required security standards, plus further optional services to improve the security of your products in credit card transactions:

Pre-compliance advisory to ensure dedicated preparation of your organization for PA DSS certification
Remediation, technical advisory, and support in implementation of requirements
Performance of certification in the form of an on-site review, followed by issue of the TÜV SÜD certification mark and entry into the database of the PCI Council

PA DSS AS BASIS FOR PCI DSS COMPLIANCE
The PCI Council developed the Payment Application Data Security Standard (PA DSS) to prevent payment card theft and fraud based on errors in the design, programming, or configuration of payment software. Distribution partners, integrators, and contracting partners which purchase, sell, or install payment applications must ensure that the payment applications they use are certified in accordance with PA DSS.

The 14 main requirements, including a total of 90 detailed requirements, mainly refer to the following software functions:

• Storage and protection of sensitive data
• Access control and logging
• Design and development of secure software systems
• Documentation of safety-relevant functions
• Implementation in secure network architectures

SERVICES FOR YOUR PA DSS COMPLIANCE
As well as performing certification, we already assist you during preparation to ensure you will be able to implement all compliance requirements by the time of your on-site audit.

PRE-COMPLIANCE ADVISORY BEFORE PA DSS CERTIFICATION
Providing workshops and technical advisory services, we help software vendors to interpret PA DSS requirements for their own organizations and identify related nonconformities in their payment applications. We work with you to discuss the measures needed for conformity with the requirements and identify which business units must be involved.

REMEDIATION AND SUPPORT FOR THE PCI CERTIFICATION OF MANUFACTURERS
Working with the manufacturers and vendors of payment software, we review the design process and the implementation of their payment applications to correct any potential nonconformities with the PA DSS standard. In this process, vendors and manufacturers benefit from our qualified auditors and their longstanding wealth of know-how, which enables our auditors to verify software improvements for their effectiveness with respect to security standards.

PA DSS CERTIFICATION FOR PAYMENT APPLICATIONS
Working with the responsible employees, our auditors carry out periodic on-site reviews in which they assess whether the software manufacturer complies with PA DSS requirements. After the review, the results will be documented in a detailed report. In case of a positive result, the TÜV SÜD certification mark will be affixed to your payment application, guaranteeing the security of the products. In addition, the payment software will be entered in the “PA DSS listed Payment Applications” register.

The on-site review for PA DSS compliance covers the following services:

• Inspection of server rooms
• Interviews with employees in the following areas: IT, application development, system administration, HR
• Review of process documentation and hardening guidelines
• Software testing for system configuration and patch status
• Review of the implementation guide and appropriate Installation

IMPROVED SECURITY WITH SOFTWARE APPLICATIONS CERTIFIED ACCORDING TO PCI DSS
Technological progress in payment transactions is only possible if you ensure security in the handling of personal data in your role as a provider of payment applications. Merchants in eCommerce, retailers, banks, acquirers and, not least, cardholders rely on software manufacturers to provide secure payment applications. By partnering with us, you gain the support of an experienced and accredited certification body, which is renowned––including among your stakeholders––for ensuring the safe and secure implementation of innovative technologies.

Work with us and achieve efficient, cost-effective, and fast compliance with PCI certification requirements.
Partner with us and take further actions to improve the security of your software beyond compliance with the PCI standard.
Show your commitment to safety and quality with the well-established TÜV SÜD certification mark.
 
Irrespective of whether you are a payment service provider or a provider of hosting and cloud services, as a service provider you come into contact with a host of confidential data when processing transactions, hosting information, or supplying credit card connectivity.

To safeguard data security standards, credit card schemes and acquirers impose mandatory PCI certification on businesses that process credit card information. Given this, as a service provider, you also need to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and fulfill the relevant security requirements.

But staying on top of things and successfully mastering all steps for PCI DSS certification may prove challenging for service providers. As a certification body authorized by the PCI Council, we assist you in all aspects of your PCI DSS compliance for service providers, and support you in areas such as:

• Training and assessment preparation through in-depth information and introductory workshops on PCI DSS for service providers.
• Advice and support on compliance along the road to certification by applying our proven frameworks
• Performance of vulnerability scans (ASV) using our compliance portal, where existing problems are directly identified and addressed in detail.
• Assessment services in the form of an on-site review by our auditors

We offer payment service providers and cloud or hosting providers in-depth PCI advisory, comprehensive auditing as well as seminars and training, and many more constructive solutions on their way to PCI DSS certification. 

As a service provider, you constantly come into contact with payment card information when performing electronic processing of payment transactions or consumer authentication and providing support and hotline services. However, compliance with the PCI standard is also mandatory for service providers that do not have direct contact with payment card information but may influence the security of the payment card environment––such as data centers or suppliers of security services and cloud solutions. To protect both you and your customers, the PCI Council has the aim of strongly and sustainably promoting compliance with the PCI security standards. The council is made up of representatives from the payment-card schemes VISA, MasterCard, JCB, American Express, and Discover, and classifies PCI DSS service providers in two levels. Service providers must fulfill various requirements depending on their level.

PCI DSS CERTIFICATION SERVICES FOR SERVICE PROVIDERS

To support you fully along the road to PCI DSS certification, we provide an application on our compliance portal which enables you to implement many of the PCI DSS requirements for service providers easily and straightforwardly. They include annual completion of the PCI Self-Assessment-Questionnaire (SAQ), which you can also save and submit within the portal. We also provide the following services:

• Quarterly vulnerability scans performed by an approved scanning vendor (ASV)
• Annual on-site audit carried out by a qualified security assessor (QSA)
• Awareness training as eLearning addressing the secure handling of payment-card information.
• If we detect potential security gaps in this context, we inform you immediately and advise you on how to close these gaps.

TRAINING ON PCI DSS COMPLIANCE FOR SERVICE PROVIDERS

As a service provider, you and your employees rely on your IT applications every single day. As these applications may be vulnerable, informing yourself in-depth about IT security is crucial for every business. In our training and information events we instruct you about potential threats, how to recognize them, and how to protect yourself against them.

SECURE CODING TRAINING

Secure and robust software is a key factor of the PCI compliance of service providers. Ideally, software development should follow the Best-Practice Guidelines of the “Open Web Application Security Project Guide” (OWASP). In secure coding training, we present the security-relevant aspects associated therewith and teach you everything you need to know for implementation.

 AWARENESS TRAINING

PCI DSS requirement 12.6 demands that the organization holds regular awareness training and establishes a security awareness program. We address these requirements by providing workshops and training, strengthening your employees' awareness of security issues, and pointing out the right way of handling sensitive data, such as credit card information. This ensures you and your employees meet the PCI compliance requirements of your contracting partners and customers, and can raise information security in your business to the next level.

SECURITY THROUGH PCI DSS CERTIFICATION FOR SERVICE PROVIDERS

Our extensive range of workshops, training, and support services ensure that you obtain all relevant information on PCI certification for service providers and stay up to date at all times. We help you to provide your customers and partners with secure processing of their data and protect yourself against potential security threats. We are your partner of trust in all aspects and requirements of PCI DSS certification for service providers. As an additional benefit, following successful certification you will obtain the TÜV SÜD certification mark for use on your website.