Banks and processing centers need to undergo the PCI DSS standard certification. Why is it necessary? Let’s consider this topic in depth.

Probably, everyone knows what a bank is.

A bank is an organization whose activity is related to the employment and use of funds. The bank activity is also focused on all possible monetary as well as securities calculations and transactions.

Not everyone knows what processing centers are all about, so let’s enlarge upon this point.

Processing centers are organizations whose business is focused on payment processing. A processing center is a fundamentally modern, automated payment processing system with the use of bank cards.

Processing centers can be divided into two categories. The first one includes independent processing centers. And the second one includes processing centers, which are subdivisions of large banks.

What is the common feature of banks and processing centers?

Banks and processing centers are directly connected to the international payment systems (such as Visa, MasterCard, American Express).

It goes without saying that the international payment systems have their own strict rules and requirements. Banks and processing centers must comply with these rules and requirements. Of particular note, banks and processing centers are responsible for meeting all of the international payment system requirements.

The payment system market leaders, like Visa and MasterCard, set an indispensable condition for the banks and processing centers to comply with the PCI DSS standard in order to ensure the customers’ money safety.

It can’t hurt to recall what the PCI DSS standard is.

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) which was established by such international payment systems as Visa, MasterCard, American Express, JCB and Discover.

The PCI DSS standard is a set of requirements for ensuring the security of cardholder data that are stored, transmitted and processed in the banks, processing centers and other commercial entities.

In fact, banks and processing centers cannot operate without compliance with the PCI DSS standard requirements.

Let’s consider the life of an ordinary person and the way he pays for the simplest good.

A young man is going to work in the morning; he visits his favorite cafe on the way and buys coffee there. Instead of cash, he takes a piece of plastic out of his wallet, this is a payment card. There are his first and last name, magnetic stripe, chip and expiration date on it.

The young man received this card at the bank. A bank that issued the card is called the issuer.

A barman brewed some fragrant coffee. Since the payment will be made by a bank card, the barman must provide a POS terminal (a device for receiving card payments).

However, you need to understand that the card itself has no money, it’s not a wallet. The bank card is just a key to the young man’s bank account.

The task of the POS terminal is to verify that the card is valid. After the verification, the POS terminal sends information that a transaction was done with this particular card. The information goes to a merchant acquirer. It is a bank which provides its services to this cafe.

This operation is called payment authorization. And in order for it to be successful, the merchant acquirer should contact the issuer to confirm that the account exists and it has money for the payment. This is a complicated interaction during a simple purchase of coffee. This interaction should be done in a matter of seconds.

There are thousands of banks (issuers and acquirers) in the world. A card which the customer used to pay for a bottle of water in Nice, can be issued somewhere in Australia.

In order for the banks to interconnect among themselves, there are such payment systems as Visa, MasterCard, American Express and others. They are the data exchange centers between banks.

The authorization was successful. The young man received a check, took his coffee and went to the office. Most likely, he thinks that his money has already been debited for the coffee, but it is not quite so.

In fact, the money is not yet debited from the client’s account and transferred to the seller. During the authorization, the issuer only blocks the required amount, and the merchant acquirer receives a guarantee that this money will be transferred.

A monetary movement starts much later. As a rule, the settlement phase begins at the end of the working day. This is the money resettlement phase.

The very core of this operation lies in the fact that the merchant acquirers and issuers exchange payments over a certain period of time (usually one day). In fact, there is a mutual settlement between the banks.

The last stage is clearing. It completes the payment. As a result, the banks exchange supporting e-documents. They contain a list of complete transactions for the last few days. And the money is actually debited from the customer’s account and transferred to the seller’s account.

Now imagine that every person, who has several payment cards in his wallet, generates several transactions of such a kind during the day.

A vast number of card payments creates data traffic between buyers’ and sellers’ banks. This data exchange is called processing.

A lot of banks create their own processing but it requires time and considerable funding. Other banks choose the plain sailing; they connect to an external independent processing center that exists on the market.

Obviously, the card data security is extremely important for the processing centers. Processing center security breach can lead to the huge financial losses and diminished public confidence in the card payments.

Therefore, the PCI DSS standard requirements must be fulfilled by both banks and processing centers!

It’s a popular misconception among the bank management that the qualitative audit and PCI DSS standard certification cannot be undergone in Ukraine. Therefore, they are looking for partners abroad, and very often they face such problems that the certification procedure takes a much longer time and, as a consequence, its cost is higher. On top of that, there are a lot of inconveniences to all bank staff.

Our company IT SPECIALIST offers a full range of services related to the PCI DSS standard certification exactly in Ukraine.

Our best experts in the field of PCI DSS certification are always here. You can come to our office in the center of Kyiv at any point of time and get answers to all the questions related to the PCI DSS certification in Ukraine, taking into account the peculiarities of Ukrainian mentality and way of doing business.

You can also invite our experts to your office in order to discuss all the procedures required to undergo the PCI DSS standard certification in Ukraine.

The PCI DSS standard requirements are most extensive and strict for the processing centers and banks.

These requirements involve such security measures as:

– Secure data encryption during storage and transfer.

– Protection of the facilities, where processing machinery, servers, etc. are located, from the physical and network penetration.

– Careful recruitment, training and certification.

– Developing a system of rules, regulations, procedures, instructions for nominal and off-nominal situations.

And it’s not the full list!

The young man with coffee has appeared in this article for a good reason. We wanted to show how many different tools and processes are involved in the usual morning coffee purchase.

In almost every article we send a message to the reader that electronic money is becoming more and more popular. It gradually replaces banknotes.

The process of e-money payment requires special and constant security. Only those organizations that meet all the PCI DSS standard requirements can ensure that security.

Our company has been providing the big banks and processing centers with the preparation services for compliance with the PCI DSS standard certification for many years. We advise on all issues related to the payment card security.

Our clients receive the PCI DSS certificate and a set of documents confirming compliance with all the standard requirements.

All banks and processing centers are welcome to undergo the PCI DSS standard certification.

By Oleksandr Kuberskii and Mariia Osadcha
IT Specialist