Data Security
Litle & Co., a Level 1 Third-Party Processor, has been registered as a validated PCI DSS compliant service provider since 2003.
FREQUENTLY ASKED QUESTIONS
Commonly provided information about PCI and Data Security
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. All merchants that store, process or transmit cardholder data must be compliant now.
What is PA-DSS?
PA-DSS stands for Payment Application Data Security Standard. PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of an authorization or settlement when these applications are sold, distributed or licensed to third parties. Merchants must ensure their payment applications are compliant by 7/1/10.
Validated applications are listed at:
www.pcisecuritystandards.org/security_standards/pa_dss.shtml
What is a Vulnerability Scan?
A vulnerability scan is a non-intrusive scan that remotely reviews networks and Web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant. These scans are performed by Approved Scanning Vendors (ASVs). You can find an ASV at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
How do I become compliant?
Step 1 – Determine your Merchant Level
| Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
| --- | --- | --- | --- | --- |
| 1 | At least 6 million transactions annually from any acceptance channel | Required Annually | N/A | Required Quarterly |
| 2 | 1 million to 6 million transactions annually from any acceptance channel | At Merchant Discretion* | Required Annually* | Required Quarterly |
| 3 | 20k to 1 million ecommerce transactions annually | N/A | Required Annually | Required Quarterly |
| 4 | Less than 20k ecommerce transactions annually or less than 1 million transactions from any acceptance channel annually | N/A | Required Annually | Required Quarterly |
*Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
Step 2 – Identify your validation type, determine which Self-Assessment Questionnaire (SAQ) is appropriate for your business, and complete the SAQ.
| SAQ Validation Type | Description | SAQ |
| --- | --- | --- |
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no cardholder data storage | B |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C |
| 5 | All other merchants (not included in the descriptions for SAQs A - C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D |
Step 3 – Complete a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence of passing it. This is required for Validation Types 4 and 5, i.e. those merchants with external-facing IP addresses. You can find a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

