CommerceV3

E-commerce Software for Multi-channel Retail Stores

PCI-DSS Level 1 Certification FAQ

January 5, 2012 by Justin Hollender

What is PCI DSS Level 1 Certification?

  • In general, what is PCI-DSS certification?
  • What is a PCI Validated Service Provider?
  • Is CommerceV3 PCI certified?
  • How do I know that CommerceV3 is fully compliant?
  • What does this mean to me as a PCI merchant?
  • Can I rely on the results of CommerceV3’s PCI Report on Compliance (ROC) or will additional testing be required to be fully compliant?
  • Do QSAs for Level 1 merchants require a physical walk-through of a service provider’s data center?
  • Will CommerceV3 cooperate with forensic investigations if required?
  • Can you provide a copy of the PCI DSS standard?

Below is a list of frequently asked questions about CommerceV3's PCI certification.


In general, what is PCI-DSS certification?

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

PCI-DSS is a standard that specifies best practices and various security controls. Certification in the standard requires organizations to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong security measures
  • Regularly test and monitor networks
  • Maintain an information security policy

All organizations processing credit card information, regardless of their deployment model, are required to be certified. For larger merchants (Merchant Level 1 is the largest type), validation by an independent and approved reviewer is required. A PCI Qualified Security Assessor (QSA) is authorized to perform an independent assessment and certify a vendor.


What is a PCI Validated Service Provider?

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. They may include shared hosting environments in which cardholder data may be stored. Certified credit card merchants must use service providers that are compliant with the PCI Data Security Standard (DSS). A validated service provider is one that has undergone an audit by an independent QSA and is found to be in conformity with the PCI security standards outlined in the latest version of the Data Security Standard published by PCI. CommerceV3 is a Certified Level 1 PCI Service Provider.


Is CommerceV3 PCI certified?

Yes. CommerceV3 is a Certified Level 1 PCI Service Provider and has been since 2008. The CommerceV3 core infrastructure is PCI DSS 2.0 compliant. This compliance has been validated by an authorized independent QSA (Qualified Security Assessor).

PCI “certification” is a term reserved for those merchants who require certification to process credit card transactions. CommerceV3 provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is fully compliant. Achieving PCI DSS 2.0 Validated Service Provider status for CommerceV3 helps our customers obtain their own PCI certification.

Service provider levels are defined as:

  • Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
  • Level 2: Any service provider that stores, processes and/or transmits fewer than 300,000 transactions annually


How do I know that CommerceV3 is fully compliant?

CommerceV3 maintains PCI-DSS Level 1 Certification. You can review the full VISA CISP/PCI Service Provider List on VISA's site, where you'll find us listed.


What does this mean to me as a PCI merchant?

Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving your cardholder environment to CommerceV3 can simplify your own PCI compliance by relying on our validated service provider status.


Can I rely on the results of CommerceV3’s PCI Report on Compliance (ROC) or will additional testing be required to be fully compliant?

All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed at CommerceV3, your QSA (Qualified Security Assessor) can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that don’t deal with the technology infrastructure at CommerceV3, including how you manage the cardholder environment that you host with CommerceV3.


Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as CommerceV3). A merchant’s QSA (Qualified Security Assessor) can rely on the work performed by our QSA.


Will CommerceV3 cooperate with forensic investigations if required?

Yes. CommerceV3 is classified as a shared hosting provider and, as specified in DSS requirement A.1.4, has written policies that provide for a timely forensics investigation of related servers in the event of a compromise. CommerceV3 will work with merchants and designated Qualified Incident Response Assessors (QIRA) as required to perform forensic investigations. CommerceV3 also meets all breach notification requirements as applicable to CommerceV3.


Can you provide a copy of the PCI DSS standard?

You can download the standard directly from the PCI Security Standards Council.
