PCI DSS Standard

12 requirements for bank card data security

What is the PCI DSS standard?

PCI DSS is a reference standard of security requirements designed to protect the confidentiality of bank card and credit card data when that data is handled in IT systems. The standard is edited and maintained by the PCI Council, a professional association of credit card companies that includes VISA, Mastercard, American Express, JCB and Discover.

Who are the major players in an electronic banking system?

  • Cardholder: the owner of the card and of the account associated with it (the end user)
  • Issuer: the cardholder's bank
  • Merchant: the storekeeper who accepts credit cards as a means of payment
  • Acquirer: the bank that acquires transactions on behalf of the merchant
  • Card brands: trusted third parties that manage the relationship between the parties in a transaction (Visa, Mastercard, American Express, etc.)
  • Payment Service Providers (PSP): all of the other intermediaries in the electronic payment chain. As an IaaS provider, OVH is a PSP.

Every bank that issues cards to its account-holding customers, or collects transactions for its merchant customers, is free to define contractually the security requirements that its customers and partners must comply with. The PCI DSS standard defines a common security level that covers the vast majority of these requirements. It has become the benchmark for electronic payment security, and compliance with it is now a systematic requirement for every party in an online payment system. Each party in the online payment hosting chain holds a degree of responsibility for maintaining the platform's overall security, and these obligations are passed on contractually from the card brands to every actor involved in the electronic payment platform.

The PCI DSS standard officially lists more than 250 controls and security features that must be in place to process card numbers securely. These controls are divided into 6 groups:

  • Build and maintain a secure network and system

    Condition 1: Install and maintain a firewall configuration to protect cardholder data
    Condition 2: Do not use vendor-supplied defaults for system passwords and other security settings
  • Protect cardholder data

    Condition 3: Protect stored cardholder data
    Condition 4: Encrypt any transfer of cardholder data over open, public networks
  • Maintain a vulnerability management program

    Condition 5: Protect all systems against malware, and regularly update anti-virus software or programs
    Condition 6: Develop and maintain secure systems and applications
  • Implement strong access control measures

    Condition 7: Restrict access to cardholder data to individuals on a need-to-know basis
    Condition 8: Identify and authenticate access to system components
    Condition 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks

    Condition 10: Track and monitor all access to network resources and cardholder data
    Condition 11: Regularly test security systems and processes
  • Maintain an information security policy

    Condition 12: Maintain a policy that addresses information security for all staff

How to be PCI DSS compliant

PCI DSS compliance applies to the entire electronic payment platform. The merchant achieves it by relying on PCI DSS-compliant building blocks supplied by its service provider: each party involved in the platform complies with the requirements of the standard that are relevant to its own activities, and demonstrates that compliance to its customers.

In the context of the OVH PCI DSS Payment Infrastructure, OVH is responsible for the security of the infrastructure, whilst you remain responsible for the security of the virtual machines we host, the use of the virtual network features, and the application layers deployed on your virtual machines. PCI DSS compliance is therefore a joint effort that combines the security measures of your software and system platform with those of the OVH Private Cloud infrastructure.

PCI DSS compliance is certified with an Attestation of Compliance (AoC), drawn up either after a self-assessment questionnaire has been completed or after an audit has been performed by one or more QSA (Qualified Security Assessor) companies.

Bringing your platform into compliance with the PCI DSS standard is a structured process whose characteristics and obligations depend on several factors:

  • The number of transactions completed annually
  • Type(s) of bank card(s) accepted
  • Acquiring bank(s)
  • Complexity of the electronic payment infrastructure

Becoming PCI DSS compliant involves approaching the parties concerned to understand their precise expectations. OVH recommends that you contact your acquiring bank and/or a QSA company to assist you with this process.

VISA reporting level

  • Level 1: more than 6 million transactions/year
    Obligations: audit by a QSA; quarterly scans by an Approved Scanning Vendor (ASV); Attestation of Compliance
  • Level 2: between 1 million and 6 million transactions/year
    Obligations: self-assessment questionnaire; quarterly scans by an Approved Scanning Vendor (ASV); Attestation of Compliance
  • Levels 3 and 4: fewer than 1 million transactions/year
    Obligations: defined and tested by each bank

Source: https://www.visaeurope.com/receiving-payments/security/merchants
This data is given for information purposes only. Only your acquiring bank can provide you with the information that applies to your context.

The OVH platform is audited annually by a QSA company. The audit documents are available for you to read, so that you can:

  • Understand which requirements are covered by our certification
  • Define the requirements you need to cover
  • Show your QSA that all of the applicable requirements are acknowledged by OVH, and are PCI DSS compliant

OVH can also help you become compliant, through its team of experts and the supporting documentation it provides:

  • A PCI DSS responsibility assignment matrix
  • Special conditions detailing the responsibilities of OVH
  • A specifications template for performing the mandatory intrusion tests

Responsibility assignment matrix

This responsibility assignment matrix describes the responsibilities of OVH and of the Customer with regard to the requirements of the PCI DSS standard, so that you can anticipate the compliance areas for which you remain responsible. Only a detailed analysis of the Attestation of Compliance, supplied on request when you subscribe to a service, will give you all of the information required to carry out your compliance process.

  • Build and maintain a secure network and system

    Condition 1: Install and maintain a firewall configuration to protect cardholder data
      OVH for the physical network; the Customer for the virtual features within the virtual DC
    Condition 2: Do not use vendor-supplied defaults for system passwords and other security settings
      OVH for infrastructure hardware; the Customer for virtual machines and applications
  • Protect cardholder data

    Condition 3: Protect stored cardholder data
      Sole responsibility of the Customer, linked to its implementation
    Condition 4: Encrypt transmission of cardholder data across open, public networks
      Sole responsibility of the Customer, linked to its implementation
  • Maintain a vulnerability management program

    Condition 5: Protect all systems against malware, and regularly update anti-virus software or programs
      OVH for infrastructure hardware; the Customer for virtual machines and applications
    Condition 6: Develop and maintain secure systems and applications
      OVH for infrastructure hardware; the Customer for virtual machines and applications
  • Implement strong access control measures

    Condition 7: Restrict access to cardholder data to individuals on a need-to-know basis
      OVH for infrastructure hardware; the Customer for virtual machines and applications
    Condition 8: Assign a unique ID to each person with computer access
      OVH for infrastructure hardware; the Customer for virtual machines and applications
    Condition 9: Restrict physical access to cardholder data
      Exclusive responsibility of OVH for the physical hosting of the platform
  • Regularly test and monitor networks

    Condition 10: Track and monitor all access to network resources and cardholder data
      OVH for infrastructure hardware; the Customer for virtual machines and applications
    Condition 11: Regularly test security systems and processes
      OVH for infrastructure hardware; the Customer for virtual machines and applications
  • Maintain an information security policy

    Condition 12: Maintain a policy that addresses information security for employees and contractors
      OVH for infrastructure hardware; the Customer for virtual machines and applications

OVH Payment Infrastructure fact sheet

  • Payment Services Provider (PSP) Level 1
  • PCI DSS V3.2
  • QSA: Provadys
  • The PCI DSS option is available on the OVH Payment Infrastructure. You can upgrade from any SDDC infrastructure
  • Scope: areas of responsibility held by OVH (see responsibility assignment matrix)

Overview

Below are two simple cases of electronic payment hosting chains, to explain the contractual relationships and compliance reporting. Each case is unique and requires an in-depth analysis, but most situations will be close to one of the two templates below.

I am a merchant hosting my platform on an OVH PCI DSS infrastructure:

I am a Payment Services Provider (PSP) hosting systems on an OVH PCI DSS infrastructure. My customers are merchants.