PCI DSS compliance for Autopay partners

Are you working on an online shop and planning to start selling online soon?

We have prepared a guide for you to understand the PCI DSS compliance requirements.

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an international security standard that aims to protect payment cardholder data. It applies to all entities that store, process or transmit card data, regardless of the scale of operation.

Why is the PCI DSS important?

  • prevents data leakage and fraud,
  • protects the company's reputation and finances,
  • strengthens customer confidence,
  • meets the requirements of International Payment Organisations and financial institutions.

What does the PCI DSS cover?

The requirements are grouped into six areas:

  • securing networks and systems,
  • protection of cardholder data,
  • access control,
  • monitoring and testing of systems,
  • updates and vulnerability management,
  • security policy.

PCI DSS compliance levels for partners

According to the PCI DSS rules, partners are divided into four levels, depending on the number of card transactions processed per year. The level determines which documentation has to be completed:

  • Level 1 - more than 6 million transactions per year, or any partner after a data breach incident; a full audit by a QSA (Qualified Security Assessor, a PCI-certified compliance auditor) or a PCI SSC-certified Internal Security Assessor (ISA) and an annual compliance assessment are required.
  • Level 2 - between 1 and 6 million transactions per year; usually an annual SAQ (Self-Assessment Questionnaire) and sometimes vulnerability scans by an ASV (Approved Scanning Vendor).
  • Level 3 - between 20,000 and 1 million transactions per year; usually SAQ and possible scanning.
  • Level 4 - less than 20,000 e-commerce transactions per year; SAQ or other confirmation specified by the payment operator.

Autopay, as a payment operator, monitors the transaction volume of its Partners and, where the transition to another PCI compliance level requires additional documentation to be completed, it will contact the Partner to guide it through the next steps.

What does the compliance process look like?

  • Identify the payment acceptance model, i.e. e-commerce, and the number of transactions carried out.
  • Written confirmation of compliance. This process is carried out by EITHER selecting the appropriate SAQ (Self-Assessment Questionnaire) - a self-assessment form tailored to the payment processing method - or completing another written declaration prepared by Autopay. You will be informed by email about the need to complete the relevant declaration.
  • Implement technical and organisational measures - from updating systems to security procedures.
  • Compliance monitoring and annual confirmation of compliance.

SAQ (Self-Assessment Questionnaire) forms for the e-commerce industry

In the e-commerce industry, the partner most often uses one of three SAQ forms, depending on the method of payment integration:

  • SAQ A - the simplest option, used when the shop has no contact with the card data and uses only redirection or fully hosted payment forms.
  • SAQ A-EP - for shops whose website has a technical impact on the payment process (e.g. its own front-end or scripts), even though the shop itself still does not process card data.
  • SAQ D - the most extensive option, for entities that handle payment forms themselves, store data or have a more complex system architecture.

The PCI DSS defines the SAQ as the primary compliance self-assessment form, but a payment service provider, such as Autopay, can also collect confirmation of compliance from Partners in the form of another written declaration.

Consequences of non-compliance

Remember that failure to comply with the standard can lead to:

  • the imposition of charges or penalties by International Payment Organisations and financial institutions,
  • increased risk of attack, fraud and loss of customer data,
  • loss of customer confidence, which can translate into lower turnover.

Obligations of payment service providers

Autopay is obliged to ensure that Partners using its services comply with the PCI DSS. This standard applies to all entities that accept card payments, so verification of compliance is part of its obligations under industry regulations.

What does this look like in practice?

Autopay, as a payment service provider, is obliged to:

  • collect a Self-Assessment Questionnaire (SAQ) or other written confirmation from the Partners,
  • inform partners of the requirements,
  • periodically report to the IPA on the compliance of the Partners with the requirements as defined within the PCI DSS standard.

According to the PCI Data Security Standard (PCI DSS), partners accepting card payments are responsible for ensuring data security. In practice, however, Autopay, as a payment service provider, assumes most of the responsibility related to card data protection and supports the Partners at every stage of compliance.

Autopay offers solutions that significantly simplify the compliance process, such as tokenisation and full compliance on its side at PCI DSS Level 1.

As a result, Partners have no contact with card data and their responsibilities are usually limited to filling in an appropriately sized form.