Introduction

The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.

PCI DSS is adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express) and defines a set of technical and operational requirements that, when implemented correctly, help you protect cardholder data, reduce fraud, and minimize the chance of a data breach resulting from malicious attacks. Complying with the requirements helps you maintain your shoppers' trust.

As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally, and it comes with significant penalties and costs for organizations that don't comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.

It is important to understand that:

  • PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).

  • PCI DSS is not a single event, but a continuous, ongoing process. Every entity must validate their compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.

For more information about PCI DSS, see the PCI DSS quick reference guide.

Cardholder data

The aim of PCI DSS is to protect account data. Account data consists of cardholder data and sensitive authentication data.

  • Cardholder data: Primary account number, Cardholder name, Expiration date, Service code

  • Sensitive authentication data: Full track data (magnetic-stripe data or equivalent on a chip), Card verification code, PINs/PIN block

The primary account number (PAN) is the defining factor for cardholder data. The term account data therefore covers the following: the full PAN, any other elements of cardholder data that are present with the PAN, and any elements of sensitive authentication data.

OneSettle's role in PCI DSS compliance

Implementing PCI DSS in your business can be a challenge, especially if you don't have an existing framework to protect sensitive information.

To help clarify the scope of PCI DSS compliance, OneSettle offers solutions that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions - you never see and never have access to unencrypted cardholder data.

When you use OneSettle’s solutions, you are outsourcing most PCI DSS responsibilities to OneSettle. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with OneSettle does not completely eliminate all of your PCI scope and your responsibilities.

  • OneSettle's responsibility: OneSettle is responsible for the security of cardholder data only from the moment OneSettle receives the data through the relevant payment interface.

  • Merchant responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches OneSettle. Your responsibilities, which depend on your type of integration (eCommerce or point-of-sale), are outlined in subsequent sections of this document. OneSettle will provide materials and guidance to help you meet these responsibilities.

OneSettle is a PCI DSS-certified Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually.

Common merchant responsibilities

These responsibilities are common for both eCommerce (eCom) and point-of-sale (POS) merchants.

Merchant requirement and how to comply:

  • Protect cardholder data: Never store account data, and never send it to OneSettle or to other parties. Account data can, for example, originate from support requests from users.

  • Deliver relevant information upon request: OneSettle may on occasion contact you and ask you to provide necessary PCI DSS documentation.

  • Limited PCI DSS certification: If your volume of transactions reaches certain levels, OneSettle might require you to complete a PCI DSS Self-Assessment Questionnaire (SAQ).

E-commerce (eCom) merchants

OneSettle provides a fully PCI DSS compliant payment window that you can integrate in your system. The payment window can be integrated as a redirect to the window or embedded in your page as an IFrame element.

The content of the embedded elements is isolated from your web page, and the cardholder data is encrypted on your shopper's browser. You do not have access to decryption keys, thus you do not have access to your shoppers' cardholder data.

This payment window can be integrated directly or through an approved third-party system already integrated with OneSettle. If you use an approved third-party system, OneSettle will, together with the third-party vendor, ensure PCI DSS compliance.

Possible risks | Low-medium: This integration type may still be susceptible to data compromises by malicious actors. If an attacker gains unauthorized access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the payment components, or overlay a second IFrame on top of the existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker.

Mitigating the risks: The risks associated with this integration can be significantly reduced by doing the following:

  • Making sure vendor-supplied usernames and passwords are not used within your environment.

  • Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of identified vulnerabilities.

  • Implementing controls to manage payment page scripts securely.

  • Using unique user IDs and requiring strong passwords of at least 12 characters.

  • Implementing a security policy that includes an incident response plan and defines information security roles and responsibilities for all personnel.

  • Performing external vulnerability scans every 3 months.

  • Deploying change- and tamper-detection systems on payment pages.
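As an added example (not OneSettle code, and not part of the original page), the following Python script shows one way to implement the two page-integrity controls in the list above: an approved inventory of payment-page scripts, and detection of changes to those scripts. It parses the payment page's HTML, fingerprints every script element (external scripts by URL, inline scripts by a SHA-256 of their body), compares the result with an approved baseline, flags external scripts that carry no Subresource Integrity attribute, and can compute the integrity value for scripts you host yourself. The sample pages, URLs and baseline are constructed for the example, and the integrity value in the sample markup is a placeholder.

```python
"""Payment-page script inventory and change detection.

Added example, not OneSettle code. Walks a payment page's HTML,
fingerprints each <script> element and compares the set against an
approved baseline. The sample pages, URLs and the integrity value in
the markup are constructed for this example.
"""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # Only data inside an open <script> element is part of a script body.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def fingerprint(script):
    """External scripts are identified by URL, inline scripts by a hash of their body."""
    if script["src"]:
        return ("external", script["src"])
    return ("inline", hashlib.sha256(script["body"].encode()).hexdigest())


def build_baseline(approved_html):
    """Fingerprints of the scripts on a reviewed, approved copy of the page."""
    return {fingerprint(s) for s in collect_scripts(approved_html)}


def audit_payment_page(html, baseline):
    """Compare the live page with the baseline and report every deviation."""
    scripts = collect_scripts(html)
    found = {fingerprint(s) for s in scripts}
    return {
        # Scripts that were never approved, or inline scripts whose body changed.
        "unauthorized": sorted(found - baseline),
        # Approved scripts that are no longer present (or were modified).
        "missing": sorted(baseline - found),
        # External scripts the browser would load without an integrity check.
        "external_without_integrity": sorted(
            s["src"] for s in scripts if s["src"] and not s["integrity"]
        ),
    }


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script you host yourself."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Constructed sample: the reviewed page, as approved.
APPROVED_HTML = """<html><body>
<form id="checkout"></form>
<script src="https://pay.example.invalid/onesettle.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.shopConfig = {shop: "shop-42"};</script>
</body></html>"""

# Constructed sample: the same page after an unreviewed change (inline script
# altered, unknown external script added without an integrity attribute).
TAMPERED_HTML = """<html><body>
<form id="checkout"></form>
<script src="https://pay.example.invalid/onesettle.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.shopConfig = {shop: "shop-42", debug: true};</script>
<script src="https://cdn.unknown.invalid/extra.js"></script>
</body></html>"""

if __name__ == "__main__":
    baseline = build_baseline(APPROVED_HTML)
    print(audit_payment_page(TAMPERED_HTML, baseline))
```

In practice the audited HTML would be fetched from the live payment page on a schedule (and ideally from outside your own network, so that the check sees what a shopper sees), and any non-empty "unauthorized" or "missing" result would raise an alert and feed your incident response plan. The baseline is rebuilt only through your change-control process, after the new script set has been reviewed and approved.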

eCom merchant responsibilities

There are no PCI DSS requirements directly related to eCom merchants if you use our solutions as described.

Point-of-sale (POS) merchants

OneSettle’s POS terminals provide end-to-end encryption (E2EE) between the terminal and the cardholder data environment. This design reduces the PCI DSS scope for you as a merchant to a minimum. None of your systems, including your POS system, receive cardholder data in unencrypted forms.

Possible risks | Low: OneSettle ensures end-to-end encryption and is responsible for the security of your shoppers' cardholder data as soon as we receive the data through the payment terminal. The risks for in-person payment integrations are related to the physical security of the payment terminal. Malicious actors can tamper with or replace payment terminals.

Mitigating the risks: Risks associated with this integration, such as skimming attacks, can be significantly reduced by doing the following:

  • Implementing policies and procedures to periodically inspect the security of the payment terminals, to confirm that they have not been tampered with and that seals have not been broken.

  • Implementing a security policy which defines information security roles and responsibilities for all personnel.

  • Engaging and maintaining a relationship with only PCI DSS compliant third-party service providers.
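The periodic terminal inspections above, and the inspection frequency required in the next section, are easier to evidence if the results are recorded against a device inventory and reviewed automatically. The following Python script is an added example (not OneSettle code, and not part of the original page) of such a review: it keeps an inventory of terminals (serial number, expected tamper seal, location), takes a log of physical inspections, and reports terminals whose inspection is overdue, inspections where the seal did not match or was not intact, terminals found at an unexpected location, and observed devices that are not in the inventory at all (a possible substituted terminal). The inventory, inspection log, dates and the 30-day interval are constructed for the example; the real interval comes from the service handling manual.

```python
"""Payment terminal inventory and inspection-log review.

Added example, not OneSettle code. The inventory, inspection records,
dates and the inspection interval below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Terminal:
    serial: str      # serial number printed on the device
    seal_id: str     # identifier of the tamper-evident seal applied to it
    location: str    # where the device is supposed to be


@dataclass(frozen=True)
class Inspection:
    when: date
    location: str         # where the inspector found the device
    observed_serial: str
    observed_seal: str
    seal_intact: bool


def review_inspections(inventory, inspections, as_of, max_interval_days):
    """Return a list of (finding, serial, detail) tuples for follow-up."""
    by_serial = {t.serial: t for t in inventory}
    last_seen = {}
    findings = []
    for insp in sorted(inspections, key=lambda i: i.when):
        terminal = by_serial.get(insp.observed_serial)
        if terminal is None:
            # A device that is not in the inventory may be a substituted terminal.
            findings.append(("unknown_device", insp.observed_serial, insp.location))
            continue
        if insp.location != terminal.location:
            findings.append(("location_mismatch", terminal.serial, insp.location))
        if insp.observed_seal != terminal.seal_id or not insp.seal_intact:
            # Wrong seal id or broken seal: the device may have been opened or swapped.
            findings.append(("seal_problem", terminal.serial, insp.observed_seal))
        last_seen[terminal.serial] = insp.when
    for terminal in inventory:
        last = last_seen.get(terminal.serial)
        if last is None or (as_of - last).days > max_interval_days:
            findings.append(("inspection_overdue", terminal.serial,
                             last.isoformat() if last else "never"))
    return findings


# Constructed sample data.
INVENTORY = [
    Terminal("SN-1001", "SEAL-A1", "Checkout 1"),
    Terminal("SN-1002", "SEAL-B2", "Checkout 2"),
    Terminal("SN-1003", "SEAL-C3", "Stockroom"),
]
INSPECTIONS = [
    Inspection(date(2024, 5, 20), "Checkout 1", "SN-1001", "SEAL-A1", True),
    Inspection(date(2024, 5, 20), "Checkout 2", "SN-1002", "SEAL-Z9", True),  # seal id differs
    Inspection(date(2024, 5, 20), "Checkout 3", "SN-9999", "SEAL-X0", True),  # not in inventory
]


def run_example():
    # 30-day interval is a constructed value; use the one from the handling manual.
    return review_inspections(INVENTORY, INSPECTIONS, date(2024, 6, 1), 30)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Each finding maps to an action your incident handling routine should define: a seal problem or unknown device means the terminal is taken out of service and reported, and an overdue inspection means the routine itself is not being followed.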

POS merchant responsibilities

Merchant requirement and how to comply:

  • Inspection of POS terminals: Inspection of the POS terminals must be conducted with the frequency given in the service handling manual provided by OneSettle.

  • Staff training: Staff must be trained in inspection routines and responsibilities annually and upon hire.

  • Incident handling training: Staff must receive training in handling incidents according to the incident handling routine provided by OneSettle. This training must be performed annually and upon hire.

  • Make terminals available for system patching: OneSettle will automatically upgrade and patch POS terminals. To upgrade, the terminals must have internet connectivity for the duration of the upgrade.

OneSettle will notify you if your terminals are unable to upgrade, and you must then make sure they have a stable internet connection for the upgrade to succeed.