Solve and prevent information security problems and leverage your company's sales and transactions!

We certify the whole process in up to 2 weeks!

PCI DSS CERTIFICATION for all companies that work with credit cards

We are a specialized company focused on the needs of each client in PCI-DSS certification, with qualified professionals to assist you with the requirements according to your scope.

What is PCI DSS certification? 

PCI compliance is a required certification for all companies involved in transactions with credit card data, covering the storage, transmission and processing of this sensitive information.

 

What is the purpose of PCI DSS certification?

Due to huge losses from fraud, the main credit card brands in the world created the PCI DSS standard. The standard is a set of rules that provides more protection for transactions over the internet and in physical stores. Transactions must always be carried out in a secure environment that uses SSL digital certificates.

 

Who must comply with PCI DSS?

All entities that process credit card data.

 

What are the requirements for PCI DSS certification?

Briefly, the 12 requirements that must be met to obtain PCI DSS certification are:
 

  • use an efficient firewall;

  • do not use default passwords and settings;

  • protect stored cardholder information;

  • encrypt data transmission;

  • use security solutions such as antivirus, antispyware and antimalware;

  • create and maintain secure applications and systems;

  • restrict access to card data;

  • create a login for each system user;

  • restrict access to card data;

  • track and monitor all accesses;

  • test the security of the system used;

  • define a security policy. 

What is the purpose of the PCI DSS Self-Assessment Questionnaire?

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool that merchants and other service providers use to report the results of their PCI DSS self-assessment. Merchants complete an SAQ each year and submit it to the acquiring bank to assess their PCI DSS compliance. In addition to informing the acquiring bank that the merchant is in compliance, the SAQ helps merchants detect breaches in security practices, giving them a chance to make corrections before they become a bigger issue.

Solve and prevent information security problems and leverage your company's sales and transactions!

SECURITY

Your servers and network environment are much safer, protecting customer data and preventing fraud in the system.

RELATIONSHIP

Your company's image is protected from negative exposure and even improves credibility with customers.

TRUST

Adaptation to the best practices of the largest companies in the world, protecting your company's image in the market.

CONFORMITY

Inform your partners and customers that your company complies with global security standards for processing cards.

CONTROL

Control access to information, reducing the risk of company data leaks.

MONITORING

It is not enough to carry out validation just once; stay monitored at all times to avoid the chance of future problems.

PCI Levels

Level 1

over 6 million annual transactions

For businesses that process more than 6 million card transactions per year. 

Companies must undergo an internal audit once a year, conducted by an authorized PCI auditor. Additionally, once a quarter, they must submit to a PCI scan by an Approved Scanning Vendor (ASV).

Validation Requirements: 

  1. The Qualified Security Assessor (“QSA”) applies the necessary actions for the environment to be fully compliant with PCI DSS.

  2. Quarterly vulnerability testing by an Approved Scanner (“ASV”).

  3. Penetration test with technical report

  4. Certificate of Conformity (“AOC”).

Level 3

between 20 thousand and 1 million annual transactions

Level 3 applies to merchants who process between 20,000 and one million e-commerce transactions annually. 

Companies are required to complete an assessment once a year using an assessment questionnaire (SAQ). Additionally, a quarterly PCI scan is required, as well as a penetration test performed on the environment with a technical report.

 

Validation requirements:

  1. Environmental Assessment Questionnaire (SAQ)

  2. Vulnerability testing (ASV)

  3. Penetration test with technical report

  4. Implement necessary policies for each type of environment.

  5. Certificate of Conformity (AOC)

Level 2

between 1 and 6 million annual transactions

Level 2 applies to merchants who process between one and six million credit or debit card transactions annually.

Companies are required to complete an assessment once a year using an assessment questionnaire (SAQ). Additionally, a quarterly PCI scan is required, as well as a penetration test performed on the environment with a technical report.

 

Validation requirements:

  1. Environmental Assessment Questionnaire (SAQ)

  2. Vulnerability testing (ASV)

  3. Penetration test with technical report

  4. Implement necessary policies for each type of environment.

  5. Certificate of Conformity (AOC)

Level 4

between 20 thousand and 1 million annual transactions

Level 3 applies to merchants who process between 20,000 and one million e-commerce transactions annually. 

Companies are required to complete an assessment once a year using an assessment questionnaire (SAQ). Additionally, a quarterly PCI scan is required, as well as a penetration test performed on the environment with a technical report.

 

Validation requirements:

  1. Environmental Assessment Questionnaire (SAQ)

  2. Vulnerability testing (ASV)

  3. Penetration test with technical report

  4. Implement necessary policies for each type of environment.

  5. Certificate of Conformity (AOC)

PCI DSS SAQ Types

How does your organization store, process or transmit payment card data? The PCI Council has created nine self-assessment questionnaires (SAQs) tailored to payment card transaction channels. Selecting the appropriate PCI SAQ is an important step towards compliance. The PCI Council provides guidance on how to select the appropriate SAQ; however, even with that guidance, many organizations struggle to select the correct SAQ.

PCI DSS SAQ type and eligibility criteria:

  • SAQ D for service providers: For service providers deemed eligible to complete an SAQ.

  • SAQ D for merchants: For all SAQ-eligible merchants that do not meet the criteria for other types. For merchants that do not outsource credit card processing or use a P2PE solution and that may store credit card data electronically.

  • SAQ P2PE: For merchants that use approved point-to-point encryption (P2PE) devices, with no electronic storage of cardholder data.

  • SAQ C: For any merchant that uses a payment application connected to the Internet, but with no electronic storage of cardholder data.

  • SAQ C-VT: For merchants that use a virtual terminal on a computer dedicated exclusively to card processing and that do not store electronic cardholder data. This is not for e-commerce activities.

  • SAQ B-IP: For merchants that use only standalone PTS-approved payment terminals with an IP connection to the payment processor and that do not store electronic cardholder data. This is not for e-commerce activities.

  • SAQ B: For merchants that use imprint machines and/or standalone dial-out terminals and do not transmit, process or store electronic cardholder data. This is not for e-commerce activities.

  • SAQ A-EP: For e-commerce-only merchants that rely on third-party service providers to handle card information and that have a website that does not process credit card data but can affect the security of the payment transaction. There is no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.

  • SAQ A: For e-commerce/mail/telephone order (card-not-present) merchants that have completely outsourced all cardholder data functions. There is no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.

REQUEST A COMMERCIAL PROPOSAL
