PCI-DSS Compliance

You will learn about the different levels of PCI-DSS compliance and how you can achieve PCI-DSS compliance through self-assessment.

What is PCI-DSS Compliance?

PCI-DSS stands for Payment Card Industry Data Security Standard.

The standard was established in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa with the goal of enhancing the security of cardholder data.

What is Cardholder Data?

The term cardholder data (CHD) in e-commerce transactions includes:

• The full card number (Primary Account Number, PAN)

• The CVV/CVC code (3- or 4-digit security code on the back of the card)

Why Do I Need PCI-DSS Compliance?

To accept card payments as a merchant, you need a contract with one or more acquiring banks. These acquiring banks are required by the card networks (e.g., Mastercard or Visa) to ensure a certain level of PCI-DSS compliance.

Depending on your transaction volume, you may be asked to provide evidence of PCI-DSS compliance.

How Does Payrexx Help?

• Payrexx is PCI-DSS Level 1 Service Provider compliant, covering many of the more than 250 PCI-DSS requirements. This simplifies the process for you to achieve PCI-DSS compliance. The current Attestation of Compliance (AoC) from Payrexx is dated June 10, 2024.

• If you receive cardholder data through other channels (e.g., at the Point of Sale, over the phone, or via email) in addition to Payrexx, you must meet additional requirements beyond those mentioned in this article. Please contact our support team for further assistance.

• If you use only Payrexx, fulfilling PCI-DSS within the SAQ-A scope is sufficient.

Which Level of PCI-DSS Compliance Do I Need?

The required level of compliance depends on the number of card transactions processed annually:

• Level 1: over 6 million transactions per year

• Level 2: between 1 and 6 million transactions per year

• Level 3: between 20 000 and 1 million transactions per year

• Level 4: fewer than 20 000 transactions per year

The method for validating PCI-DSS compliance depends on the respective level:

• Level 1: An on-site assessment by a PCI-DSS QSA is mandatory. If this applies to you, please contact our support team so we can assist you with this process.

• Levels 2 – 4: A self-assessment is sufficient for achieving PCI-DSS compliance.

How Does the Self-Assessment Work?

The type of Self-Assessment Questionnaire (SAQ) required varies based on the integration method. Since Payrexx offers solutions with iFrame and redirect, the SAQ-A self-assessment is sufficient.

A prepared document in English can be found under PCI-DSS-v3_2_1-SAQ-A.pdf.

The following guide will help you complete the document correctly.

Section 1: Assessment Information

Page 7

Please fill in your company information:

Page 8

Describe your business under "Description of Payment Card Business" in relation to payment cards. Also, list your company's locations and the data centers used by your web application if you have integrated Payrexx into your system.

Page 9

Please read the "Eligibility to Complete SAQ A" section carefully first. If you do not agree with one or more points, you will likely need to complete a different self-assessment. Please contact our support team in this case.

Section 2: Self-Assessment Questionnaire A

Section 2 deals with the various requirements you must meet.

Page 10

If you are only using the Payrexx tools and not an e-commerce shop or any other application associated with Payrexx, you can mark requirements 2, 8, and 9 as N/A. Continue with requirement 12 afterward.

If you are using your own software connected to Payrexx, you must complete all requirements, including numbers 2, 8, and 9.

Requirement 2

Applies to the web hosting or server where your web application connected to Payrexx is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern system passwords and other security parameters.

2.1 (a)

Are vendor-supplied defaults always changed before installing a system on the network?

Ensure that your web server (e.g., FTP account, web hosting account, operating system user, and database accounts) does not use default passwords. If your passwords are managed by a web hosting partner, obtain written confirmation that default passwords are not used.

It is important to document the configuration standard in writing. You can find a template for this under Policy / Procedures Template Download.

2.1 (b)

Are unnecessary default accounts removed or disabled before installing a system on the network?

Please ensure that default accounts are deactivated. If you are working with a web hosting partner, obtain written confirmation of this.

Requirement 8

Applies to the web hosting or server where your web application connected to Payrexx is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern authentication and access to the server.

8.1.1

Are all users assigned a unique ID before allowing them to access system components or cardholder data?

Ensure that all users (database, operating system, SSH, and FTP users) are assigned a unique ID. If you are working with a web hosting partner, obtain written confirmation of this.

8.1.3

Is access for any terminated users immediately deactivated or removed?

Ensure that no accounts of terminated employees are active.

8.2

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? ▪ Something you know, such as a password or passphrase ▪ Something you have, such as a token device or smart card ▪ Something you are, such as a biometric.

Ensure that no users are allowed and exist without a password. If you are working with a web hosting partner, obtain written confirmation of this.

8.2.3 (a)

Are user password parameters configured to require passwords/passphrases meet the following? • A minimum password length of at least seven characters • Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

Ensure that all passwords comply with the requirement.

8.5

Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows: ▪ Generic user IDs and accounts are disabled or removed; ▪ Shared user IDs for system administration activities and other critical functions do not exist; and ▪ Shared and generic user IDs are not used to administer any system components?

Ensure that no user accounts are shared among multiple individuals. Generic user accounts or default user accounts must be disabled.

It is important to have a written policy for requirement 8. You can find a template for this under Policy / Procedures Template Download.

Requirement 9

Applies to the web hosting or server where your web application, connected to Payrexx, is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern the physical security of the servers.

If you use a third-party provider for your hosting, verify the requirements with the support of the hosting partner.

Since most websites are not hosted on-premises, we will not go into detail on this requirement.

If your hosting provider is PCI-DSS compliant, mark requirement 9 as N/A. This applies, for example, to Amazon Web Services or Google Cloud).

If the hosting provider is not PCI-DSS compliant, inquire if they can confirm this. If yes, answer the question with "Yes".

Requirement 12

Applies to the web hosting or server where your web application, connected to Payrexx, is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern the providers handling CHD on your behalf.

12.8.1

Is a list of service providers maintained, including a description of the service(s) provided? Maintain a list of service providers who could impact the security of the cardholder data.

In principle, you must have Payrexx on this list of service providers. If you use additional payment service providers, you must also list them.

12.8.2

Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?

You need an agreement with Payrexx. For this purpose, we are happy to provide you with the template PCI-Agreement-with-Merchants.pdf. Please send the signed agreement to compliance@payrexx.com for Payrexx to countersign.

12.8.3

Is there an established process for engaging service providers, including proper due diligence prior to engagement?

Ensure that you have a formal process for engaging service providers like Payrexx.

12.8.4

Is a program maintained to monitor service providers’ PCI-DSS compliance status at least annually?

Ensure that you have a process in place to annually review the PCI-DSS compliance of Payrexx.

12.8.5

Is information maintained about which PCI-DSS requirements are managed by each service provider, and which are managed by the entity?

Payrexx assumes full responsibility for all services provided by *.payrexx.com. You are responsible for the servers and applications that connect to Payrexx.

12.10.1.a

Has an incident response plan been created to be implemented in the event of system breach?

Ensure that an Incident Response Plan is maintained to address a potential security incident. A template for this can be found under Incident Response Plan Template Download.

It is important to have a written policy for this requirement 12. You can find a template for this under Policy / Procedures Template Download.

Signature

By signing the self-assessment, you confirm that you have truthfully completed all questions. You can now send the Self-Assessment Questionnaire to Payrexx at: compliance@payrexx.com