To ensure payment card information is not compromised and provide all parties involved with the best possible protection against data misuse, credit card schemes have introduced a safety standard for the handling of payment card and transaction information. This standard, known as Payment Card Industry Data Security Standard or PCI DSS, applies equally to banks (issuers and acquirers), payment service providers, hosting providers, merchants, and payment application providers. Compliance with these PCI DSS standards is verified at regular intervals. Parties who cannot furnish proof of PCI DSS certification are not permitted to process payment card information.
We offer comprehensive advice, preparation, auditing, and verification of your security measures, thereby supporting you in all requirements for PCI DSS certification. If you meet the PCI DSS standards, as an accredited certification body we can supply you with the TÜV SÜD certification mark and all evidence required by the credit-card schemes.
What is PCI certification?
The PCI standards define technical and organizational requirements for the storage, processing, and transfer of cardholder information. These standards apply to all parties involved in payment-card processing. The PCI standard also applies to organizations involved in the operation or provision of infrastructure, data centers, and other security-relevant components. For PCI conformity, organizations must fulfill certain criteria and thus provide appropriate evidence.
We differentiate between PCI DSS and PA DSS certification, with the latter applying exclusively to manufacturers of payment software (Payment Application Data Security Standard).
Depending on whether you are a service provider, software manufacturer, merchant, or acquirer, you need to comply with various requirements and security-assessment procedures of the PCI DSS and/or PA DSS. Read more:
PCI requirements at a glance
PCI certification requirements are laid down in a standard comprising 12 clauses. To establish a relationship of mutual trust with customers and merchants, all these requirements must be observed and verified at regular intervals. The individual PCI requirements are:
- Installation and maintenance of a firewall configuration to protect cardholder data.
- No vendor-supplied defaults for system passwords and other security parameters may be used.
- Stored cardholder data must be protected.
- Cardholder data and other sensitive information must be encrypted for transmission across open, public Networks.
- Antivirus programs must be used and regularly updated.
- Secure systems and applications must be developed and maintained.
- Access to cardholder data must be restricted according to the need-to-know principle.
- All individuals with computer access must be assigned clear user authentication.
- Physical access to cardholder data must be restricted.
- Comprehensive tracking and monitoring of all access to cardholder data and network resources.
- System and process security must be regularly tested.
- The information security policy must be observed and maintained.
TÜV SÜD services in PCI certification and compliance
To ensure you can always work in conformity with the PCI standard and benefit from highest security measures, we offer the necessary solutions for PCI DSS or PA DSS certification and a number of additional benefits. Selected services include:
- Consulting on all issues and steps of PCI DSS compliance
- Seminars, training and Workshops
- Compliance portal for merchants, service providers, and acquirers to provide efficient evidence of compliance with the requirements
- On-site audits carried out by a qualified security assessor (QSA)
- Vulnerability scans performed by an approved scanning vendor (ASV)
- Awareness training (eLearning)
- Support with completing the PCI Self-Assessment Questionnaire (SAQ)
- TÜV SÜD certification mark for certified organizations
Levels of the acting parties
Since differentiation between service providers and merchants is not always easy, we will be happy to advise you on PCI requirements and categorizations.
From standardized vulnerability scans (ASV) to our extensive Merchant Compliance Portal and individual consultancy, we offer merchants all the solutions they need to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) and thus, ultimately, PCI DSS certification. Read more.
By providing our extensive acquirer portal, which can be used for easy implementation of all reporting tasks and other requirements for PCI DSS certification, we help acquirers to ensure end-to-end PCI DSS compliance at their merchants and service providers as well as in their own organizations. We support your authorized merchants with their efficient fulfillment of PCI requirements and submission of compliance evidence, offering comprehensive support and an attractive Merchant Compliance Portal. Read more.
For software manufacturers, we offer an integrated solution for Payment Application Data Security Standard certification (PA DSS certification). We are at your side every step of the way, supporting you with individual consultancy and the necessary security audits. Read more.
For service providers
We offer payment service providers and cloud or hosting providers in-depth PCI consulting, comprehensive auditing as well as seminars and training, and many more constructive solutions on their way to PCI DSS certification. Read more.
TÜV SÜD – The certification body of trust for all your PCI concerns
Our solutions cover all PCI DSS standards, supporting you on your way to PCI certification. Contributing our know-how in the auditing of information security and our experience in the payment-card industry we guarantee that you are on the safe side in matters of payment security. Our comprehensive services enable you to implement effective security systems.
Our references in the finance and payment industry, among banks, commerce, and e-commerce show off our extensive experience in payment security.
As the relevant industry standard, the PCI DSS standard also supports all organizations that process payment cards, helping them to reach compliance with the relevant GDPR requirements.
Our accreditations with the PCI Council
Our accreditations with the PCI Security Standards Council and the payment card schemes authorize us to assist you with all aspects of reaching PCI certification and to issue the PCI certificate. We offer a range of certifications, including:
Qualified Security Assessor Company (QSAC)
Approved Scanning Vendor (ASV)
Qualified Payment Application Security Assessor (QPASA)