In 2018, British Airways, the largest airline company of the United Kingdom, experienced a large-scale breach of customer data. Hackers stole payment card information of about 380,000 people.

The PCI DSS certificate was developed in order to reduce the incidence of data leakage. Read more about it in our article.

What is a PCI DSS certificate

PCI DSS is an international standard that regulates the information security of credit card data. It was developed in 2005 by the Payment Card Industry Security Standards Council. Visa, MasterCard, American Express, JCB and Discover initiated the creation of the Council. According to the standard, the company that accepts their payment cards must have a PCI DSS certificate. Mandatory certification came into effect in 2012.

For example, every evening you buy groceries at the supermarket near your house and pay by card. Who is responsible for the security of data transmission? A supermarket or a bank that installed a POS terminal in it? The owner of the supermarket probably thinks that it is the bank. But it is not. Ensuring data protection against fraud and complying with the requirements of the PCI DSS standard is the task of the supermarket owner, since the store processes a large number of transactions, and you show your card details, enter a pin code. Therefore, even a supermarket near the house must be certified according to PCI DSS, not to mention large banks and fintech companies.

According to CBR, almost all Ukrainian Internet users made purchases on-line

Who needs to get a PCI DSS certificate

Any trading and service companies and service providers must have a certificate if they accept, transfer or store the following data of international user cards: primary card number (PAN), holder’s name, validity period and service code. Including: banks, government institutions, e-commerce, retail, software developers, cloud operators, etc.

In Ukraine, obtaining this standard is not regulated by law. But IT projects appear every year: electronic and virtual banking, on-line stores, and with the introduction of quarantine, on-line trade began to develop actively. The issue of ensuring cybersecurity is the most important for them, because it is, first of all, an issue of their reputation and status in the market. Companies that do not have this certificate may not protect customer data well. Therefore, they become an easy target for fraudsters, and it is they who will have to compensate the damage to customers in the event of an incident.

Let's make an analogy: a fintech company without PCI DSS is a doctor who practices without a license. He can accept patients without it, as long as he is not fined. But, being in the patient's place, would you want to be treated by such a doctor?

PCI DSS certificate levels

Trade and service enterprises and service providers have their own classification, depending on the number of processed payment transactions per year.

Levels of certificates for trade and service enterprises:

• The first is for more than 6 million payment transactions per year;
• The second is for 1 million and up to 6 million;
• The third is for 20,000 and up to 1 million;
• The fourth is from 20,000 e-commerce payment transactions and up to 1 million by other means.

Certificate levels for service providers:

• The first is for more than 300 thousand payment transactions;
• The second is for less than 300,000.

Today, more than 90% of trade terminals in Ukraine are contactless

What exactly do you need to get a PCI DSS certificate for

To successfully pass the certification, companies must ensure the security of their customers’ payments on three levels:

• physical (security of storage of physical equipment)
• virtual (security of virtual infrastructure);
• software (payment application security).

As a result, the company receives one certificate that covers all these three levels. The PCI DSS standard sets strict and precise requirements for the security of infrastructure components. It consists of six control zones and contains 12 basic requirements for the processing and transmission of critical data. Each requirement is divided into 20-30 more detailed ones. On average, this is 260 requirements.

Carrying them out by the company is a long, laborious and expensive process. One of the ways to solve this problem is the use of cloud technologies. A company can move its payment application to a cloud infrastructure, that is PCI DSS certified. As for Ukrainian cloud operators, GigaCloud has such a. The GigaCenter data centre, in which the operator places its equipment, has the same certificate. This means that by contacting the cloud operator, the customer can cover two levels at once: physical and virtual.

Two areas of responsibility: a cloud operator and a customer

The operator is responsible for the audit and certification of the cloud infrastructure. Its area of responsibility covers the following:

• management of firewalls, personal access, network and data access;
• control of parameters by default;
• data protection against viruses, encryption during transmission;
• testing of the protection system;
• provision of information security policy.

The cloud operator provides the customer with a virtual isolated environment to which it does not have access. The customer independently installs the software in it, administers its application and configures access. The operator only ensures the security of the virtual environment. Both the operator and the customer are required to undergo regular audits and renew the certificate. But, hosting in the cloud with PCI DSS simplifies and speeds up the process of obtaining a certificate for the customer.

The presence of a PCI DSS certificate of the company provides the following:

• the ability to meet the requirements of international payment systems;
• reduction of risks of possible leakage of payments;
• reliability and stability status.

Cloud infrastructure has a high level of requirements for information protection, which is difficult to achieve on your own infrastructure

Advantages of hosting in the cloud

PCI DSS regulates not so much the secure storage of equipment, but the systems, procedures and business processes that are responsible for information security.

All technical resources: processors, memory, disk space are virtual, any software can be deployed on them. If the client needs additional technical resources, there is possibility get them in a short time. Cloud solutions provide fast and affordable backup and recovery of information. Even if something goes wrong, the cloud operator always has a plan B.

Migration to the cloud infrastructure is an opportunity to create a system that will work non-stop 24/7.