PCI DSS

PCI DSS is an information security standard, accepted in Visa and MasterCard industry. All companies which accept cards to make payments shall comply with standard requirements. Some companies shall confirm their compliance.

Compliance with Requirements

The basic requirement of a standard is to limit as much as possible any access to payment card data. An optimal solution is not to have access to them at all, and instead to use certified providers to accept payments. In practice, it means that it is impossible neither to request nor to send card numbers. If a customer calls and informs that a payment cannot be done, and then begins to dictate a number, you shall interrupt him. If a customer sends his card number via e-mail/Skype, please delete this message and ask him no longer make such attempts.

Secured data include a full card number and a CVV2/CVC2 code (last 3 digits at a card’s back side). The standard does not prescribe to protect an owner name, a card validity and a masked card number (first 6 and last 4 digits), therefore you can use them within due limits.

Compliance with PCI DSS together with CloudPayments

CloudPayments is a certified service provider which supports a maximum PCI DSS compliance and has the right to store payment card data and to process more than 6 million payments per year. Compliance is confirmed every year within a certification audit.

All CloudPayments’ payment tools are designed to automatically meet security requirements when using such tools. No additional measures are required.

An exception is an acceptance of payments using the Checkout technology. To use it, you shall confirm compliance: fill out a self-assessment list and quarterly check your web site for vulnerabilities using a special scanner.

Checkout Technology

Checkout is the unique card tokenization technique to accept payments on your web site, in your form without built-in iframes, which provides the maximum control and conversion of payments. Payment card data are encrypted in a buyer’s browser, therefore your web site is not involved in processing and storing of card numbers. It allows to significantly reduce the scope of PCI DSS requirements. Nevertheless, a web site influences card data security. To provide protection, you shall scan at least once a quarter in order to search for viruses and vulnerabilities. Scanning shall be performed by an accredited vendor (ASV) from a list published on a PC council’s web site.

ASV Scanning

ASV scanning is a computer based check of your web site for vulnerabilities. A scanner checks for viruses, known vulnerabilities, such as XSS, SQL Injections and so on, then generates a detailed report on how to fix problems.

A scanner shall be used to accept payments using the Checkout technology. For other tools such as widget, mobile SDK, recurring and recurrent, it is not required.

You are free to select a vendor for scanning, but it shall be on a list on a PCI council’s web site. If you have no preferences, we recommend using Trustwave which is the international well-known leader in information security.

 

How to Connect a Trustwave’s ASV Scanner

Annual service package value is USD 229. It includes a subscription to scanning, assistance to create self-assessment list, training resources and security policy.

 

To connect, proceed as follows:

  • Register at https://pci.trustwave.com/pci (click a Get Started button).
    During your registration specify your Merchant ID. For details contact your manager or our support service via support@cloudpayments.ru.
  • Specify that you accept payments on your web site.
  • Select also a "My Website" option.
  • Pay $229 (only cards are accepted).
  • Specify IP addresses of your web site and a schedule of scanning.