
What is PCI DSS compliance for AndDone merchants?

Gain a deeper understanding of Payment Card Industry compliance by reading below.

PCI Compliance for Sub-Merchants

To use the AndDone portal, you must go through the process of creating a sub-merchant account. One of the requirements for sub-merchants is to attest to their PCI DSS (Payment Card Industry Data Security Standard) status annually.

For an AndDone sub-merchant, the PCI DSS compliance burden is minimal, since all of the technology is hosted by AndDone and the insurance provider doesn't store or handle credit card data. However, it is still necessary for AndDone sub-merchants to meet PCI DSS requirements and attest to their compliance.

To simplify this process, AndDone has partnered with MAXpci, a PCI DSS compliance firm. MAXpci offers our AndDone sub-merchants a simplified way to meet the PCI DSS requirements.

Questions about your PCI DSS questionnaire?

The support team of our trusted service provider, MAXpci, is ready and waiting to assist you with questions or concerns. For assistance, call 800-803-8515 or use the chat function on their website.

Who Has to Comply?

  • Member banks (the acquiring bank and card-issuing banks).
  • Merchants and sub-merchants (entities that accept major card brands, including Visa, Mastercard, American Express, and Discover).
  • Service providers (internet gateways, shopping cart vendors, and hosting companies).

PCI DSS Basics

PCI DSS stands for Payment Card Industry Data Security Standard. This standard was established by major credit card companies to protect cardholder data and reduce the risk of security breaches. It is a set of 12 requirements that organizations must follow to achieve and maintain compliance with the standard. Compliance with PCI DSS helps to protect sensitive information, maintain the trust of customers, and secure transactions.

The 12 Requirements

The 12 requirements of PCI DSS are essential guidelines that organizations follow to achieve and maintain compliance with the Payment Card Industry Data Security Standard. These requirements are designed to protect cardholder data and reduce the risk of security breaches. Let's take a closer look at each of the requirements:

  1. Install and maintain a firewall configuration: This requirement focuses on implementing and maintaining a robust firewall to protect cardholder data from unauthorized access.
  2. Do not use vendor-supplied defaults for system passwords: Organizations must change default passwords and ensure that strong, unique passwords are used to secure systems and devices.
  3. Protect stored cardholder data: This requirement emphasizes the importance of encrypting cardholder data when it is stored to prevent unauthorized access.
  4. Encrypt transmission of cardholder data across open (public) networks: Organizations must use encryption techniques to protect cardholder data transmitted over public networks, such as the internet.
  5. Use and regularly update antivirus software: This requirement highlights the need for organizations to deploy and update antivirus software to protect their systems from malware and other malicious threats.
  6. Develop and maintain secure systems and applications: Organizations must implement secure coding practices and regularly update their systems and applications to protect against vulnerabilities and security flaws.
  7. Restrict access to cardholder data: This requirement focuses on implementing access controls to ensure only authorized individuals can access cardholder data.
  8. Assign a unique ID to each person with computer access: Organizations must maintain a unique identification for every user with computer access to track and monitor their activities.
  9. Restrict physical access to cardholder data: This requirement emphasizes the need for physical security measures, such as access controls and surveillance systems, to protect cardholder data stored in physical locations.
  10. Track and monitor all access to network resources and cardholder data: Organizations must implement logging and monitoring mechanisms to track and review all access to network resources and cardholder data.
  11. Regularly test security systems and processes: This requirement emphasizes the importance of conducting regular security testing and vulnerability assessments to identify and address weaknesses or vulnerabilities.
  12. Maintain a policy that addresses information security for all personnel: Organizations must develop and maintain a comprehensive information security policy that outlines the responsibilities and requirements for all personnel.

It is important to note that the responsibilities for achieving PCI DSS compliance differ for AndDone, sub-merchants, and customers. AndDone, as a service provider, must comply with the requirements specified in their contracts with merchants and ensure that the necessary security measures are in place. On the other hand, sub-merchants are responsible for implementing and maintaining the required security controls to protect cardholder data. Customers play a vital role in maintaining the security of their payment card information by regularly monitoring their accounts and promptly reporting any suspicious activities.

What is MAXpci?

MAXpci is a web-based PCI DSS Compliance firm specializing in helping merchants and sub-merchants meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). AndDone has partnered with MAXpci to provide our merchants with a convenient and streamlined solution for achieving and maintaining PCI DSS compliance.

Once you have created a sub-merchant account with AndDone, you will receive an offer from MAXpci to assist you in meeting your PCI DSS obligations. MAXpci will email sub-merchants once per month until they either use the MAXpci service or opt out.

By utilizing MAXpci's free services, AndDone sub-merchants gain access to the expertise and resources needed to navigate the complex landscape of PCI DSS compliance.

**Please note: AndDone sub-merchants have minimal PCI DSS requirements, as all technology is hosted by AndDone, and credit card data is not stored or handled by our insurance provider. However, it is still necessary for them to meet PCI DSS requirements.**

If you need assistance or have any further questions, please click here to contact our support team.