What is the PCI-DSS standard?

The Payment Card Industry (PCI) Security Standards Council is an international conglomerate for the development, improvement, storage, dissemination and ongoing implementation of security standards for protecting account data. This organisation was founded by the main card issuers (Visa, Mastercard, American Express, Discover, JCB). Its objective is to define the best practices that merchants and service providers must follow in order to protect the payment data of cardholders. It is this conglomerate that created the Data Security Standards or DSS.

PCI DSS is a set of business and network security guidelines and best practices adopted by the PCI Security Standards Council to establish a minimum standard of security to protect customer payment card information. This standard applies to all systems, networks, and applications that process, store, or transmit cardholder data, as well as systems used to secure and log access to affected systems.

Is MondoPal PCI-DSS compliant?

Yes, we are. The simplest way for us to be PCI compliant is to never see (or have access to) card data. The payment gateways we are using make this easy for us as they can do the heavy lifting to protect our customers’ card information.

In a nutshell, we are taking payments off site by using gateways that use their own servers to process payments, and therefore we are not transmitting card data ourselves.

By using gateways, a best-in-class hosting provider and clear business policies/best practices, we are in compliance with the 12 core PCI-DSS requirements, across the six PCI standard categories. More information below.

Categories	Core requirements
Build and maintain a secure network	Install and maintain a firewall configuration to protect cardholder data; Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data	Protect stored cardholder data; Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program	Use and regularly update anti-virus software; Develop and maintain secure systems and applications.
Implement strong access control measures	Restrict access to cardholder data by business need-to-know; Assign a unique ID to each person with computer access; Restrict physical access to cardholder data.
Regularly monitor and test networks	Track and monitor all access to network resources and cardholder data; Regularly test security systems and processes.
Maintain an information security policy	Maintain a policy that addresses information security.

---