PCI DSS

What is the PCI DSS standard?

PCI DSS is a reference source for security requirements designed to ensure the confidentiality of bank cards and credit cards when used in computer systems. The reference source is edited and maintained by the PCI Council, a professional association of credit card companies that includes VISA, Mastercard, American Express, JCB and Discover.

Any bank that issues cards to its bank account customers, or cashes transactions for its merchant customers, is free to provide a contractual definition of the security requirements that its customers and partners must comply with. The PCI DSS sets out a common security level that covers most needs. The PCI DSS has become a benchmark for electronic payment security, and compliance with this standard has become a systematic requirement for users of online payment systems. Each party in the online payment system hosting chain has a shared responsibility in monitoring the overall security of the platform. These obligations are contractually transferred by the card brands to all the parties involved in the electronic payment platform.

The PCI DSS officially lists more than 250 security features and controls that need to be implemented in order to process card numbers securely. These controls are divided into six groups:

• Build and maintain a secure network and system

• Protect cardholder data

• Maintain a vulnerability management programme

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

How to be PCI DSS compliant

PCI DSS compliance applies to the entire electronic payment platform and is adhered to by the merchant by using the PCI DSS-compliant building blocks belonging to their service provider. This means that each party involved in the use of the platform must comply with the requirements of the standard that are relevant to its activities, and demonstrate this compliance to its customers.

As part of OVHcloud’s PCI DSS payment infrastructure, OVHcloud is responsible for the infrastructure’s security, while you remain responsible for the security of the virtual machines we host, the use of virtual network features, and the application layers deployed on your virtual machines. This way, PCI DSS compliance is a joint effort to combine your software and system platform's security measures with those of OVHcloud's Private Cloud infrastructure.

PCI DSS compliance can be certified with an Attestation of Compliance (AoC) drawn up after a self-assessment questionnaire has been completed, or after an audit has been performed by one or more QSA (Qualified Security Assessor) companies.

Your platform's compliance with the PCI DSS is a structured process, for which the characteristics and obligations depend on several factors:

•     The number of transactions completed annually;
•     Type(s) of bank card(s) accepted;
•     Acquiring bank(s);
•     Complexity of the electronic payment infrastructure.

Becoming PCI DSS compliant involves approaching the parties concerned, in order to understand their precise expectations. OVH recommends that you contact your acquiring bank and/or contact a QSA company to assist you in this process.

The OVH platform undergoes annual audits by a QSA company. The audit documents are available for you to view and:

•     Understand which requirements are covered by our certification;
•     Define the requirements you need to cover;
•     Show your QSA that all applicable requirements are acknowledged by OVHcloud and are PCI DSS compliant.

OVHcloud can also help you become compliant with the support of its team of experts, as well as the documentation offered:

•     Creating a PCI DSS responsibility assignment matrix;
•     Special conditions detailing the responsibilities of OVHcloud;
•     A specifications template for performing mandatory intrusion tests.