FAQ – Business financial products and services – The PCI DSS standard
During a transaction, sensitive data including client credit card numbers is transmitted, processed and sometimes stored for brief periods of time. In order to adequately protect that sensitive data at all stages of the transaction, PCI DSS requires that all payment industry stakeholders adopt security measures.
The goal of the PCI DSS standard is to protect all data related to credit card use.
PCI DSS applies to all payment industry stakeholders who have access to credit card numbers, including card issuers, transaction acquirers and merchants.
All merchants who accept credit card payment and who store, process or transmit card numbers must comply with PCI DSS regardless of the number of transactions they process annually.
The 12 PCI DSS security standard requirements
To comply, payment industry stakeholders who store, process or transmit credit card numbers must meet the following 12 requirements:
Build and maintain a secure network
- Install and maintain a firewall configuration to protect credit card holder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect credit card holder data
- Protect stored cardholder data.
- Encrypt transmissions of cardholder data and sensitive information across open, public networks.
Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security processes and systems.
Maintain an information security policy
- Maintain a policy that addresses information security for all personnel.
Learn more
See the PCI DSS - Requirements and Security Assessment Procedures (PDF, 1 MB; high-speed access recommended).
Applying the PCI DSS Security Standard according to the payment solution used
The requirements that apply to your situation depend on the payment solutions you use and the extent of credit card number integration in your business processes.
DePOSiTEL telephone payment solution
By using our DePOSiTEL telephone payment solution, you considerably reduce credit card number exposure in your payment environments.
Simply ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.
You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.
See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.
Payment terminals
By using Desjardins payment terminals, you considerably reduce credit card number exposure in your payment environments.
Ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.
See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Payment terminals for "card not present" transactions
If you accept "card not present" transactions, ensure that you do not store credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.
You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.
See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.
FLEX Semi-integrated solution
The Desjardins FLEX semi-integrated solution allows you to partially interface your cash registers with the payment equipment without exposing your systems to credit card number theft.
Ensure that you do not enter the card numbers in your computer systems to significantly lessen your PCI DSS requirements.
See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Fully encrypted integrated solutions
Desjardins' fully encrypted integrated solutions allow you to completely interface your cash registers with our payment equipment without exposing your systems to credit card numbers. With this option, card numbers go through your system but they are encrypted to ensure that you are never exposed to them. Desjardins assumes responsibility for protecting card numbers so you don't have to worry about it.
Simply ensure that you do not enter the card numbers in your computer systems to lessen your PCI DSS requirements.
See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Partially encrypted integrated solutions
With integrated solutions, your systems are necessarily exposed to card numbers during transactions.
You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations. You can also choose a fully encrypted solution that eliminates your systems' exposure to credit card numbers during transactions.
See the PCI Security Standards Council site for information on the requirements applicable to your environment, and see Self-Assessment Questionnaire C for an overview of these requirements.
Internet solution with hosted payment page
By using an Internet payment solution with a hosted payment page that redirects to third-party servers that are PCI DSS compliant, you significantly reduce your exposure to credit card numbers.
Simply ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.
See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.
Internet solution with non-hosted payment page
Internet payment solutions with a non-hosted payment page that redirects to third-party servers that are PCI DSS compliant require, by default, that your systems be exposed to credit card numbers during transactions.
You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations. You can also choose our Internet payment solution with payment page hosted by a third-party that is PCI DSS compliant, which would eliminate the risk of exposure of your systems to credit card numbers during transactions.
See the PCI Security Standards Council site for additional information on the requirements applicable to your environment, and see Self-Assessment Questionnaire D for an overview of these requirements.
Batch payment solution
The batch payment solution (file transfer) requires, by default, that you store card numbers in your systems.
You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations.
You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.
See the PCI Security Standards Council site for additional information on the requirements applicable to your environment, and see Self-Assessment Questionnaire D for an overview of these requirements.
It depends on your merchant level, which is based on:
- your annual number of Visa and Mastercard transactions
- your type of business: do you have a storefront or e-commerce business?
Merchants are attributed a merchant level based on these criteria, ranging from Level 1 (highest) to Level 4 (lowest). It is important to note that the merchant level can vary from one payment network to another, since the annual number of transactions per card type differs. A merchant could be attributed one level by Mastercard and another by Visa. The level attributed should be the highest level, although this is at the acquirer's discretion.
| PCI level | Number of annual transactions | Type of commerce |
|---|---|---|
| 1 | More than 6,000,000 | All types |
| 2 | From 1,000,000 to 6,000,000 | All types |
| 3 | From 20,000 to 1,000,000 | E-commerce |
| 4 | Less than 1,000,000 | Business with a storefront |
| 4 | Less than 20,000 | E-commerce |
Once the merchant level is established, the merchant must prove that it complies with the following PCI DSS requirements:
Level 1, 2 or 3 merchant
- Desjardins contacts you to confirm that you are in compliance with the standard.
Level 4 merchant
- You can confirm your compliance yourself, or hire a certified auditor or consultant to do so.
- You do not need to inform Desjardins of the progress of your work or of your PCI DSS compliance status.
- You do not need to prove your PCI DSS compliance to Desjardins each year.
Find out more
See the official list of auditors maintained by the PCI Council.
If it is proven that a merchant's credit card data were compromised and the merchant is not PCI DSS compliant, the merchant may face fines, be required to pay the cost of a possible investigation, and still be held liable for the fraud perpetrated. Accordingly, for the security of your business and of your clients, it is essential that you be PCI DSS compliant.
To preserve your image:
- To increase customer loyalty and build your clientele
To develop a competitive edge:
- A positive sales argument and a strategic advantage, particularly for cash register software manufacturers and distributors.
To increase employee awareness about protection of confidential data:
- Fostering knowledge about data security while promoting best practices among all employees can only lead to success.
To protect yourself and consumers against fraud and potential disputes:
- Everyone benefits from a climate of trust.
As a merchant, you are committed to offering your customers secure payment solutions. Thanks to the PCI DSS Security Standard, you can efficiently meet their expectations and increase their satisfaction with your services.
Find out more
See the PCI Security Standards Council's global forum.