
PCI DSS Certification (AKA Visa CISP Compliance)
Eliminating the potential for misuse of client credit card information is a critical element of the IPayX eServices security infrastructure. To ensure maximum protection for our clients, all eService credit card payment functions were developed based on the Payment Card Industry (PCI) Data Security Standard (DSS) outlined in table 1, for which we have achieved Level 1 certification, the highest level possible.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is defined by the PCI Security Standards Council. The executive committee for this organization includes senior executives from:
o American Express
o Discover
o JCB International
o Visa
o MasterCard
Certified compliance with this standard is a requirement for any company that processes credit card payments and stores or transmits credit card data. There is currently no similar DSS that applies to check payments. However, to ensure maximum protection for bill payers, IPayX applies the PCI DSS where applicable when developing check payment functions. Table 1 includes a high-level overview of the PCI DSS. The detailed specification can be accessed at Payment Card Industry - Data Security Standard.
There are two categories of payment processors:
1) Merchant processors who process credit card payments only for their own business.
2) Payment service providers who process credit card payments for a number of businesses.
To ensure adherence to the PCI DSS, compliance validation is required for every provider at one of three levels, which are based on transaction volume or on whether the provider has implemented one or more payment gateways (table 2).
Because IPayX provides payment services to multiple companies, we are classified as a payment service provider. The volume of payments we process on an annual basis requires us to be certified at Level 2; however, we have achieved Level 1 so that we can provide direct payment gateways if required.
The validation process requirements differ for each level of compliance (table 3). They all, however, require a quarterly network scan by an independent security firm certified by the Payment Card Industry.
Since we are a Level 1 provider, the steps required to maintain our certification include:
o Annual On-Site PCI Data Security Assessment
o Quarterly Network Scan
The network scans and the assessment are performed by Truarx, a vendor authorized by the Payment Card Industry, and our PCI DSS certificate is issued by Ambrion Trustwave.
To learn more about the PCI DSS, visit PCI DSS Council.