Monthly Archives: March 2016

Cardholder Data Discovery Tools

While use of a data discovery tool is not required by PCI DSS, such tools may be able to assist with the scoping process. There are many different tools available that can be used for cardholder data discovery. The tool or tools you use are very dependent on a number of factors including budget, environment, and…

Track 1 vs. Track 2 Data

There are two types of full track data located within the magnetic stripe – Track 1 and Track 2. Track 1 contains all fields of Track 2 plus the cardholder’s name and additional fields for proprietary use of the card issuer. It is the longer track, up to 79 characters, where Track 2 is shorter,…

Why Use P2PE Solutions?

Using a validated, Council-listed P2PE solution may reduce the scope of a merchant’s cardholder data environment, where the merchant does not store or decrypt encrypted data within their own environment. Let’s look at how P2PE solutions may allow merchants to reduce the scope of their PCI DSS validation. Firstly, the merchant has no access to…

What is a P2PE Solution?

What is a Point-to-Point Encryption, or P2PE, Solution? A validated P2PE solution is one that has been verified as meeting the PCI P2PE standard and program requirements, and that is listed by the Council. A P2PE solution requires that payment card data be secured and encrypted at the point-of-interaction (or POI) using approved devices and…

PA-DSS Overview

Payment Application Data Security Standard (PA-DSS) is a comprehensive set of requirements for payment application software vendors to facilitate their customers’ PCI DSS compliance. It is distinct from but aligned with PCI DSS. PA-DSS applies to third-party payment applications that store, process, or transmit cardholder data as part of authorization and/or settlement. The first consideration when…

Service Provider Levels

For service providers, multiple entities may be involved in determining their level. When a service provider is involved in the authorization of a transaction, the acquirer or payment brand may simply determine the transaction volume. However, if a service provider is not involved with authorizing transactions, their level may be determined by their merchant customers,…

Merchant Levels

We will now briefly touch on merchant levels and transaction volumes. A merchant’s level will be defined by the Payment Brands and determined by the acquirer, or by the payment brand where it is an acquirer. This means an organization may be at different levels for different payment brands. Transaction volumes: Each acquirer determines merchant transaction volumes,…

Service Providers

The definition for a service provider is a business entity directly involved in the processing, storage, or transmission of transaction data or cardholder data on behalf of another merchant or service provider. Service providers also include companies that provide services which control or could impact the security of cardholder data. Examples may include providers of…