PCI FAQ

Questions & answers about PCI


What is the PCI DSS?

The PCI Data Security Standard (PCI DSS) was defined on the basis of existing security standards from VISA and MasterCard and has by now been adopted and recognized by all well-known credit card companies as a common standard. It defines specific requirements for the different areas of payment card processing that have to be met by merchants, service providers, payment application vendors, acquiring banks and processors. More information is available from the PCI Security Standards Council.
Which credit card organizations accept certification according to the PCI Data Security Standard?

Almost all large credit card organizations, such as VISA, MasterCard, American Express, JCB and Discover, accept certification according to the PCI Data Security Standard.

Who must be certified according to the PCI Standard?

For e-commerce merchants, service providers and acquirers, the credit card organizations have made certification of their systems by accredited providers mandatory if they store, process or forward credit card data to third parties.

When do I store, process or forward credit card data?

You store, process or forward credit card data when you receive card numbers or validity data of customer credit cards on your IT systems, whether to save them or to forward them to third parties. The duration of the processing (short-term or long-term storage, processing or forwarding) does not matter here; what is decisive is the receipt of customer-specific credit card data on your IT systems. You are exempt from certification according to the PCI Data Security Standard only if you can say with certainty that you do not receive, process or forward customer credit card data on your IT systems.

I work together with a payment service provider which has taken over all settlement tasks for me. Do I still have to be certified according to the PCI Security Standard?

If you store credit card data on your systems or forward them via your systems, you are required to be certified. If you are not sure, please ask your acquirer or our PCI Competence Center.

Does MasterCard or VISA provide information online regarding the topic of PCI?

According to what guidelines is a merchant and/or service provider classified?

The merchant and/or service provider is classified according to the guidelines of the credit card organizations. An essential factor for the classification is the annual transaction volume. Detailed information can be found here: MasterCard / VISA / American Express.

Registration & certification procedure


How can I sign up?

Just register via the usd PCI DSS Platform. After successful registration, an employee of our PCI Competence Center will call you and discuss all further steps with you.

How long does registration via the usd PCI DSS Platform take?

Registration takes about 10 minutes.

How does the certification work via the PCI DSS Platform?

Depending on the annual number of transactions, a merchant or service provider goes through different certification measures. On the one hand, you must fill in a Self-Assessment Questionnaire. On the other hand, PCI security scans are performed on the externally reachable IT systems of the merchant or service provider.

What are the fees for signing up?

You can sign up for the usd PCI DSS Platform free of charge.


What does certification cost?

The price for certification is determined by the level classification of the merchant or service provider and the number of annual security scans thus determined. We will be happy to provide you with detailed information about our services and prices. Please contact us.

Do the costs for a security scan depend on the number of my IP addresses?

You can find details about our services and prices here or please contact the usd PCI Competence Center.

The first security scan showed that my systems are not compliant with PCI. Do additional costs arise for another scan after I have closed the security gaps in my system?

If your scan has not resulted in compliance, you have the possibility to have your IP addresses rescanned free of charge within four weeks to eliminate vulnerabilities and achieve PCI Compliance.

Technical requirements for using the PCI DSS platform


Which technical requirements must be met for the use of the PCI DSS Platform?

The following technical requirements must be met for the use of the PCI DSS Platform: a browser, either Internet Explorer 6.x or Mozilla Firefox 1.x, and Acrobat Reader 4.x or later. Please enable JavaScript. In addition, we recommend enabling cookies.

What are cookies used for?

A cookie does not contain any information about you or your system that the server does not already know when the cookie is set. The PCI DSS Platform uses a cookie named “zenid” so that you can be recognized across consecutive requests. This recognition is necessary so that you can access your data after logging in. It also preserves the language you select and the settings of your shopping cart. This cookie remains stored on your system only until you close your browser completely.

Which systems have to be checked during a PCI security scan?

In the course of a PCI security scan, all systems of the merchant or its respective service provider that can be reached from the Internet must be checked for weaknesses. This applies in particular to web servers, mail servers, routers, firewalls, application servers, database servers and load balancers.

Which technical requirements must be met to make a security scan by usd AG possible?

During a security scan, the scanning systems need unrestricted access to the target systems. Because such a security scan resembles the reconnaissance phase of a targeted attack on your system, any mechanisms that protect against such attacks, such as intrusion detection or prevention systems (IDS/IPS), must be configured so that they do not hinder the work of the security scanner. Unless otherwise stipulated, all accesses that usd AG makes to your systems within the scope of such security scans originate from the IP address range 64.39.96.1 – 64.39.111.254.
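As an added illustration, not part of the usd FAQ, the following Python snippet shows how a defender can recognize the scanner source range stated above in firewall or IDS log entries, so that drops of expected scan traffic during the scan window can be spotted and the allow-list corrected. The log line format, timestamps and addresses are constructed for this example; the range itself should be confirmed with the provider before it is relied on.

```python
import ipaddress
import re
from typing import Optional

# Scanner source range as stated in the FAQ above. Confirm it with the
# provider before use: the FAQ says it applies "unless otherwise stipulated".
SCANNER_RANGE_START = ipaddress.IPv4Address("64.39.96.1")
SCANNER_RANGE_END = ipaddress.IPv4Address("64.39.111.254")

# Smallest set of CIDR blocks covering exactly the stated range, which is the
# form most firewall and IDS allow-lists expect.
SCANNER_NETWORKS = list(
    ipaddress.summarize_address_range(SCANNER_RANGE_START, SCANNER_RANGE_END)
)


def is_scanner_source(ip: str) -> bool:
    """Return True if ip lies inside the stated scanner range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETWORKS)


# Constructed, hypothetical log format: "<ts> <ACTION> src=<ip> dst=<ip> dpt=<port>"
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def classify(line: str) -> Optional[dict]:
    """Parse one log line and tag whether its source is the scanner range."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["expected_scan"] = is_scanner_source(rec["src"])
    return rec


def blocked_scanner_events(lines) -> list:
    """Return parsed lines where traffic from the scanner range was dropped.
    Such drops during a scheduled scan point to a rule that hinders the scan."""
    return [r for r in map(classify, lines)
            if r and r["action"] == "DROP" and r["expected_scan"]]


# Constructed sample lines (not real traffic); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z DROP src=64.39.100.17 dst=203.0.113.10 dpt=443",
    "2024-01-01T10:00:02Z ACCEPT src=64.39.111.254 dst=203.0.113.10 dpt=80",
    "2024-01-01T10:00:03Z DROP src=198.51.100.5 dst=203.0.113.10 dpt=22",
    "2024-01-01T10:00:04Z DROP src=64.39.112.1 dst=203.0.113.10 dpt=443",
]
```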

Self assessment questionnaire (SAQ)


Do all questions of the Self-Assessment Questionnaire have to be answered?

Yes, all questions have to be answered or else the questionnaire will not be accepted. In general, the questions should be answered with YES or NO. In some exceptions, it is possible to answer a question with N/A (not applicable). In this case, a written reason absolutely must be provided. If you have problems understanding something or require further support, please contact our usd PCI Competence Center.
Which topics does the Self-Assessment Questionnaire include?

The Questionnaire addresses the 12 main requirements of the PCI Data Security Standard (PCI DSS).


Is there a German version of the Self-Assessment Questionnaire?

No, to avoid linguistic imprecision, the questions are asked and should be answered only in English.

Scanning process


Can I define the time of the security scan myself?

Yes, you can basically select the point in time freely and set the date via the PCI DSS Platform yourself. We recommend that you plan your security scan early so that we can reserve the corresponding resources for your desired date. A binding registration for scanning must take place at least three days before your planned date.

Which information do I obtain after a security scan has been performed?

After finishing a security scan, you will be informed by e-mail at a previously defined e-mail address. After that, the reports (executive summary and technical report) will be created in *.pdf format. You will be able to download these reports from the platform.

How long does the actual scanning process last?

The duration of a security scan depends on the number and type of the services that can be reached on the target system. In general, however, a security scan lasts about 1 hour per IP address.

How are my systems checked over the Internet?

usd AG checks the architecture and configuration of the Internet connection for weaknesses that an attacker could use to break into the system. In the process, the system is scanned from the Internet using security scanners to check it for any vulnerabilities.

Are my systems hacked during the security scan? Does the scan make a break-in attempt on my system?

The scanning method we use does not aim to “break into” the target system; it is merely a means of identifying weaknesses in its configuration from information that the target systems themselves provide. This kind of data collection resembles the preparation of an attack on your system by an external attacker, but only the people you authorize obtain access to the resulting data.

What happens if a security scan is not successful?

In this case, we inform you by e-mail that the scan was not successful and provide, in a *.pdf report, recommendations on how to change the configuration of your systems so that a successful scan is possible. After the corresponding measures have been taken, a rescan can be scheduled. This rescan checks all IP addresses specified for the scan again in order to reach an overall successful result.

Use of the PCI DSS platform


I have forgotten my password

On the login page you will find the “Forgotten your password?” function. Just click it to receive a new password from us by e-mail.

I accidentally entered incorrect data during the Registration.

Log in to the PCI DSS Platform and select the “my account” area. Here you can change all data that refers to your customer account.


My company data has changed. What do I have to do?

Log in to the PCI DSS Platform and select the “my account” area. Here you can change all data that refers to your customer account.

The language settings change even though I have selected a certain language.

Make sure that you have activated cookies in your browser.

Contact


Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form


Benedikt Krümmel
usd Technical Sales Consultant,
PCI Professional