The PCI Data Security Standard (PCI DSS) was defined based on existing security standards from VISA and MasterCard and are by now adopted and recognized by all well-known credit card firms as common standards. They define specific requirements in the different areas of payment card processing, which have to be met by merchants, service providers, payment application vendors, acquirer banks and processors. Please find more information at the PCI Security Standards Council.
For e-commerce merchants, service providers and acquirers, the certification of their systems by accredited providers has been made mandatory by the credit organizations, if they save and process credit card data or pass it on to third parties.
You store, process or transfer credit card data when you receive numbers or validity data of customer credit cards on your IT systems to save them or to forward them to third parties. The duration of the processing (short-term or long-term storage, processing or forwarding) does not play a role here – the receipt of customer-specific credit card data on your IT systems is decisive in this case.You do not have to be certified according to the PCI Data Security Standard only if you can say with certainty that you do not receive, process or forward customer credit card data on your IT systems.
The merchant and/or service provider is classified according to the guidelines of the credit card organizations. An essential factor for the classification is the annual transaction volume. Detailed information can be found here: MasterCard / VISA / American Express.
Depending on the annual number of transactions, a merchant or service provider goes through various certification measures. For one, you must fill in a Self-Assessment Questionnaire. For another, PCI security scans are performed on the external IT systems of the merchant or service provider.
The price for certification is determined by the level classification of the merchant or service provider and the number of annual security scans thus determined. You can find details about our services and prices here or please contact the usd PCI Competence Center.
A cookie does not contain any information about you and your system that the server does not already know when the cookie is being set. The PCI DSS Platform uses a cookie with the name “zenid” so that you can be recognized after consecutive accesses. This recognition is important so that you can access your data after logging in. It also lets you keep the language you select and the settings of your shopping cart. This cookie remains stored on your system only until you close your browser completely.
Within the course of a PCI security scan, all systems of the merchant or its respective service provider that can be reached via the Internet must be checked for weaknesses. This particularly applies to webservers, mail servers, routers, firewalls, application servers, database server and load balancers.
During a security scan, it is necessary that the systems making the scan obtain unlimited access to the target systems. Since such a security scan is similar to the preparation of a targeted attack on your system, it is essential that any mechanisms used to protect against such attacks, such as intrusion detection or prevention systems (IDS/IPS), be configured in such a way that the work of the security scanner is not hindered. All accesses that usd AG attempts within the scope of such security scans on your systems take place from IP address ranges 188.8.131.52 – 184.108.40.206 unless otherwise stipulated.
Yes, all questions have to be answered or else the questionnaire will not be accepted. In general, the questions should be answered with YES or NO. In some exceptions, it is possible to answer a question with N/A (not applicable). In this case, a written reason absolutely must be provided. If you have problems understanding something or require further support, please contact our usd PCI Competence Center.
Can I define the time of the security scan myself?
Yes, you can basically select the point in time freely and set the date via the PCI DSS Platform yourself. We recommend that you plan your security scan early so that we can reserve the corresponding resources for your desired date. A binding registration for scanning must take place at least three days before your planned date.
After finishing a security scan, you will be informed by e-mail at a previously defined e-mail address. After that, the reports (executive summary and technical report) will be created in *.pdf format. You will be able to download these reports from the platform.
usd AG checks the architecture and configuration of the Internet connection for weaknesses that an attacker could use to break into the system. In the process, the system is scanned from the Internet using security scanners to check it for any vulnerabilities.
No. Within the scope of the PCI review, usd AG performs exclusively so-called non-intrusive scans which only analyze whether vulnerabilities in your systems exist or can be recognized from the Internet. The potential security gaps identified in this way are in no way used to damage the integrity and availability of the respective systems, that is, to hack them.
The scanning method we use does not have the objective of “breaking into” the target system, but rather is merely a means of determining weaknesses in its configuration using information that the respective target systems themselves provide. This type of data recording is similar to the preparation of an attack on your system through an external attacker, but merely the people you authorize obtain access to this data material.
In this case, we inform you by e-mail that the scan was not successful and give you recommendations how to change the configuration of your systems to permit a successful scan in a *.pdf report. After corresponding measures have been taken, a rescan can be planned. This rescan will check all IP addresses specified for the scan again to reach a generally successful result.