What is PCI DSS Level 1 Certification?
Below is a list of frequently asked questions about CommerceV3's PCI certification.
- In general, what is PCI-DSS certification?
- What is a PCI Validated Service Provider?
- Is CommerceV3 PCI certified?
- How do I know that CommerceV3 is fully compliant?
- What does this mean to me as a PCI merchant?
- Can I rely on the results of CommerceV3's PCI Report on Compliance (ROC) or will additional testing be required to be fully compliant?
- Do QSAs for Level 1 merchants require a physical walk-through of a service provider's data center?
- Will CommerceV3 cooperate with forensic investigations if required?
- Can you provide a copy of the PCI DSS standard?
In general, what is PCI-DSS certification?
The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card bearing the logo of one of the card brands.
PCI-DSS is a standard that specifies best practices and various security controls. Certification in the standard requires organizations to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong security measures
- Regularly test and monitor networks
- Maintain an information security policy
All organizations processing credit card information, regardless of their deployment model, are required to be certified. For larger merchants (Merchant Level 1 is the largest type), validation by an independent and approved reviewer is required. A PCI Qualified Security Assessor (QSA) is authorized to perform an independent assessment and certify a vendor.
What is a PCI Validated Service Provider?
Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. They may include shared hosting environments in which cardholder data may be stored. Certified credit card merchants must use service providers that are compliant with the PCI Data Security Standard (DSS). A validated service provider is one that has undergone an audit by an independent QSA and has been found to conform to the PCI security standards outlined in the latest version of the Data Security Standard published by PCI. CommerceV3 is a Certified Level 1 PCI Service Provider.
Is CommerceV3 PCI certified?
Yes. CommerceV3 is a Certified Level 1 PCI Service Provider and has been since 2008. The CommerceV3 core infrastructure is PCI DSS 2.0 compliant. This compliance has been validated by an authorized independent QSA (Qualified Security Assessor).
How do I know that CommerceV3 is fully compliant?
PCI "certification" is a term reserved for those merchants who require certification to process credit card transactions. CommerceV3 provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification with confidence that their underlying technology infrastructure is fully compliant. Achieving PCI DSS 2.0 Validated Service Provider status for CommerceV3 helps our customers obtain their own PCI certification.
Service provider levels are defined as:
- Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
- Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually
CommerceV3 maintains PCI-DSS Level 1 certification. You can review the full VISA CISP/PCI Service Provider List on VISA's site; you will find us there.
What does this mean to me as a PCI merchant?
Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving your cardholder environment to CommerceV3 can simplify your own PCI compliance by relying on our validated service provider status.
Can I rely on the results of CommerceV3's PCI Report on Compliance (ROC) or will additional testing be required to be fully compliant?
All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed at CommerceV3, your QSA (Qualified Security Assessor) can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that do not concern the technology infrastructure at CommerceV3, including how you manage the cardholder environment that you host with CommerceV3.
Do QSAs for Level 1 merchants require a physical walk-through of a service provider's data center?
No. A merchant can obtain certification without a physical walk-through of a service provider's data center if the service provider is a Level 1 validated service provider (such as CommerceV3). A merchant's QSA (Qualified Security Assessor) can rely on the work performed by our QSA.
Will CommerceV3 cooperate with forensic investigations if required?
Yes. CommerceV3 is classified as a shared hosting provider and, as specified in DSS requirement A.1.4, has written policies that provide for a timely forensic investigation of related servers in the event of a compromise. CommerceV3 will work with merchants and designated Qualified Incident Response Assessors (QIRA) as required to perform forensic investigations. CommerceV3 also meets all breach notification requirements as applicable to CommerceV3.
Can you provide a copy of the PCI DSS standard?
You can download the standard directly from the PCI Security Standards Council.