
PCI-DSS Compliance

PCI-DSS (Payment Card Industry Data Security Standard) is an information security standard for credit card transactions. It exists to better control cardholder data (CHD) and to reduce credit card fraud, and is developed by the PCI Security Standards Council. PCI-DSS consists of a set of actionable rules - core requirements which you must fulfil if you store, process, or transmit cardholder data.

DynamicWeb prioritizes secure communication with payment providers, ensuring no sensitive data is transmitted. Through robust encryption protocols and secure transmission channels, DynamicWeb employs industry-standard security measures to protect all data exchanged during payment transactions.

This includes:

  • Implementing Transport Layer Security (TLS) protocols to encrypt data transmitted over networks
  • Employing tokenization techniques for added security

Additionally, DynamicWeb adheres to stringent security standards and regularly updates its systems to mitigate potential vulnerabilities, reinforcing trust in the payment processing ecosystem. By emphasizing the absence of sensitive data transmission and prioritizing communication security, DynamicWeb maintains a resilient barrier against unauthorized access, further enhancing customer confidence.

Is DynamicWeb 10 PCI-DSS Compliant?

DynamicWeb does not collect or transmit information which necessitates PCI compliance. While some payment providers can save credit card information, DynamicWeb purposefully only stores tokens, payment IDs, or other identifiers which do not contain credit card information or CHD. As such, only the payment service you integrate with needs to be PCI compliant.

Furthermore, while some responses from payment gateways contain e.g. the last four digits of a credit card, saving this information does not mandate PCI compliance from either the software or the hosting environment.
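As an added illustration of the storage rule above (example code, not DynamicWeb's own), the guard below keeps only allowlisted identifiers from a gateway response, refuses to persist any value that still carries a Luhn-valid card number, and masks card numbers in free text so that at most the last four digits reach a log. The callback dictionaries, the field names and the test card numbers are all constructed for the example.

```python
import re

# Constructed gateway callbacks (not DynamicWeb's real format). The text says only
# tokens, payment ids and e.g. the last four digits may be kept; the PANs are test numbers.
GOOD_CALLBACK = {"token": "tok_constructed_01", "payment_id": "pay_constructed_42",
                 "last4": "4242", "card_number": "4242424242424242"}  # card_number must be dropped
BAD_CALLBACK = {"token": "4242 4242 4242 4242",  # misconfigured integration put the PAN in a kept field
                "payment_id": "pay_constructed_43", "last4": "4242"}

# Fields an order record may keep; hypothetical names, not DynamicWeb's schema.
ALLOWED_FIELDS = ("token", "payment_id", "last4", "card_brand", "expiry_month", "expiry_year")
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value: str) -> bool:
    """True if value holds a 13-19 digit, Luhn-valid number, i.e. a likely PAN."""
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

def mask_pans(text: str) -> str:
    """Replace any PAN in free text (e.g. a log line) with its masked form, keeping the last four."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)

def to_storable_record(callback: dict) -> dict:
    """Keep only allowlisted identifiers; refuse the record if any of them still carries a PAN."""
    record = {k: str(v) for k, v in callback.items() if k in ALLOWED_FIELDS}
    for key, value in record.items():
        if contains_pan(value):
            raise ValueError(f"field {key!r} contains a card number; refusing to store")
    return record
```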

Do I need to be PCI-DSS Compliant?

If you've built customizations which store, process, or transmit cardholder data, then yes.

However, if you're handling payments off-site using a payment service or gateway which uses its own servers to process payments, and you're not in other ways hooking into this loop, then no.

PCI Compliance using embedded and inline forms

Inline and embedded payment forms are commonly used in e-commerce platforms to offer seamless user experiences, allowing customers to input their payment information directly on the merchant’s page.

When handling cardholder data (CHD) through inline or embedded forms, it’s critical to understand that these forms can place your organization in scope for PCI DSS compliance. Under PCI DSS v4.0, all systems that store, process, or transmit CHD must meet the necessary compliance requirements.

Inline Forms vs Embedded Forms

  • Inline Payment Forms: The form is presented directly on the merchant’s website, often using the merchant’s own branding. This increases the risk as CHD is handled by the merchant’s environment, making it fully in scope for PCI DSS requirements.

  • Embedded Payment Forms: This method allows a third-party payment processor to handle the CHD while the form is still visible on the merchant’s website (typically through an iframe). While this reduces the merchant’s PCI DSS scope, it is not entirely out of scope.

Key PCI DSS v4.0 Considerations for Inline and Embedded Forms

Embedded forms, where payment data is collected directly on the organization’s site, place greater responsibility on the organization for securing the data. In contrast, inline payment forms (hosted by a PCI-compliant payment processor) reduce the organization's PCI scope by offloading sensitive data collection to the payment provider.

If an organization chooses to use an embedded payment form on their e-commerce system under PCI DSS 4.0, the consequences include:

  • Increased PCI Scope: The organization is responsible for securing the entire environment where payment data is collected, transmitted, and stored. This means the scope of their PCI compliance increases significantly, as they must protect not just the website but also the server infrastructure and network handling sensitive payment data.

  • Higher Level of Validation: The organization will need to complete a more rigorous PCI DSS Self-Assessment Questionnaire (SAQ) or may even require an on-site assessment by a Qualified Security Assessor (QSA), depending on their transaction volume. SAQ A-EP or SAQ D is typically required; these are more comprehensive than the SAQ used when payment processing is fully offloaded to a third party.

  • More Security Controls: The organization is responsible for implementing and maintaining a wider range of PCI security controls, such as encryption of payment data, strong access control mechanisms, secure coding practices, vulnerability management, regular penetration testing, and logging of all access to payment systems.

  • Increased Risk of Non-Compliance: If any part of the environment where payment data is handled is not properly secured, it could lead to non-compliance, resulting in potential fines, reputational damage, or even the revocation of the ability to process card payments.

  • Liability in Case of Breach: In case of a data breach involving cardholder data, the organization could be held liable for damages, including costs related to the breach investigation, card issuer penalties, and customer compensation.

In contrast, using a hosted or inline payment form can significantly reduce the organization’s PCI scope, as the payment data is not handled by their own systems but by a compliant third-party payment processor.

How do I become PCI-DSS Compliant?

To comply, secure your network, implement a vulnerability management program, craft an information security policy, and protect card data.

In broad strokes you should satisfy 12 core requirements:

  1. Maintain a firewall configuration to safeguard customer information
  2. Change vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt cardholder data transmitted over open or public networks
  5. Regularly update antivirus software
  6. Develop and employ secure systems and applications
  7. Restrict access to credit card information on a need-to-know basis
  8. Assign a unique ID to each individual with access to sensitive data
  9. Limit physical access to credit card information
  10. Monitor access to network resources and cardholder data
  11. Conduct regular security system scans and tests
  12. Maintain an information security policy

You can find the latest requirements for becoming PCI-DSS Compliant in the PCI Security Standards Council document library.

How do I get a PCI-DSS Attestation of Compliance (AOC)?

A PCI-DSS Attestation of Compliance (AOC) is a declaration of an organization's compliance with current PCI-DSS requirements. It serves as documented evidence that the organization's security practices effectively protect against threats to CHD. Typically, your payment processor is the party that requires PCI compliance reports and AOCs from you.

There are three validation methods:

  1. Self-Assessment Questionnaire (SAQ)
  2. External Qualified Security Assessor (QSA)
  3. Firm-specific Internal Security Assessor (ISA)

You can read more about these validation methods in the PCI Security Standards Council document library.
