Caisses Desjardins du Québec and Caisses populaires de l'Ontario [Change site]

Business Home > Our solutions > Merchant solutions > PCI DSS certification

The PCI DSS standard

Now more than ever, protecting credit card holder information and ensuring the security of electronic payments must be approached with the needed stringency to ensure the customer's trust in the payment method. To this end, VISA, MasterCard, American Express and a few other payment networks have requested that all payment industry stakeholders adhere to the Payment Card Industry Data Security Standard (PCI DSS), which focuses on protecting credit card holder data.

At Desjardins, the following are PCI DSS certified and fully compliant:

  • point-of-sale terminals
  • integrated payment solutions
  • internal environment
What is PCI DSS and what is its purpose?
During a transaction, sensitive data including client credit card numbers is transmitted, processed and sometimes stored for brief periods of time. In order to adequately protect that sensitive data at all stages of the transaction, PCI DSS requires that all payment industry stakeholders adopt security measures.

The goal of the PCI DSS standard is to protect all data related to credit card use.

To whom does PCI DSS apply?
PCI DSS applies to all payment industry stakeholders who have access to credit card numbers, including card issuers, transaction acquirers and merchants.

All merchants who accept credit card payment and who store, process or transmit card numbers must comply with PCI DSS regardless of the number of transactions they process annually.

What are the PCI DSS requirements?
The 12 PCI DSS security standard requirements

To comply, payment industry stakeholders who store, process or transmit credit card numbers must meet the following 12 requirements:

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect credit card holder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect credit card holder data

  1. Protect stored cardholder data.
  2. Encrypt transmissions of cardholder data and sensitive information across open, public networks.
Maintain a vulnerability management program
  1. Use and regularly update anti-virus software.
  2. Develop and maintain secure systems and applications.

Implement strong access control measures

  1. Restrict access to cardholder data by business need-to-know.
  2. Assign a unique ID to each person with computer access.
  3. Restrict physical access to cardholder data.

Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security processes and systems.

Maintain an information security policy

  1. Maintain a policy that addresses information security for all personnel.

Find out more

See the PCI DSS - Requirements and Security Assessment Procedures (PDF, 1 MB1).

1. We recommend high-speed access.

Which requirements apply to my situation?
Applying the PCI DSS Security Standard according to the payment solution used

The requirements that apply to your situation depend on the payment solutions you use and the extent of credit card number integration in your business processes.

DePOSiTEL telephone payment solution

By using our DePOSiTEL telephone payment solution, you considerably reduce credit card number exposure in your payment environments.

Simply ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.

You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.

See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.
Payment terminals

By using Desjardins payment terminals, you considerably reduce credit card number exposure in your payment environments.

Ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.

See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Payment terminals for "card not present" transactions

If you accept "card not present" transactions, ensure that you do not store credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.

You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.

See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.

FLEX Semi-integrated solution

The Desjardins FLEX semi-integrated solution allows you to partially interface your cash registers with the payment equipment without exposing your systems to credit card number theft.

Ensure that you do not enter the card numbers in your computer systems to significantly lessen your PCI DSS requirements.

See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Fully encrypted integrated solutions

Desjardins' fully encrypted integrated solutions allow you to completely interface your cash registers with our payment equipment without exposing your systems to credit card numbers. With this option, card numbers go through your system but they are encrypted to ensure that you are never exposed to them. Desjardins assumes responsibility for protecting card numbers so you don't have to worry about it.

Simply ensure that you do not enter the card numbers in your computer systems to lessen your PCI DSS requirements.

See the PCI Security Standards Council's Self-Assessment Questionnaire B for an overview of the requirements applicable to your situation.
Partially encrypted integrated solutions

With integrated solutions, your systems are necessarily exposed to card numbers during transactions.

You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations. You can also choose a fully encrypted solution that eliminates your systems' exposure to credit card numbers during transactions.

See the PCI Security Standards Council site for information on the requirements applicable to your environment, and see Self-Assessment Questionnaire C for an overview of these requirements.
Internet solution with hosted payment page

By using an Internet payment solution with a hosted payment page that redirects to third-party servers that are PCI DSS compliant, you significantly reduce your exposure to credit card numbers.

Simply ensure that you do not enter the credit card numbers in your computer systems to significantly lessen your PCI DSS requirements.

See the PCI Security Standards Council's Self-Assessment Questionnaire A for an overview of the requirements applicable to your situation.
Internet solution with non-hosted payment page

Internet payment solutions with a non-hosted payment page that redirects to third-party servers that are PCI DSS compliant require, by default, that your systems be exposed to credit card numbers during transactions.

You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations. You can also choose our Internet payment solution with payment page hosted by a third-party that is PCI DSS compliant, which would eliminate the risk of exposure of your systems to credit card numbers during transactions.

See the PCI Security Standards Council site for additional information on the requirements applicable to your environment, and see Self-Assessment Questionnaire D for an overview of these requirements.

Batch payment solution

The batch payment solution (file transfer) requires, by default, that you store card numbers in your systems.

You must ensure that you store, process and transmit card numbers only to sites that are essential to your operations.

You must physically protect the receipts and papers that list credit card numbers, and ensure that you provide adequate support to your employees who handle credit card numbers.

See the PCI Security Standards Council site for additional information on the requirements applicable to your environment, and see Self-Assessment Questionnaire D for an overview of these requirements.

I know I must comply, but do I need to prove this compliance to my acquirer?
It depends on your merchant level, which is based on:
  • your annual number of VISA and MasterCard transactions
  • your type of business: do you have a storefront or e-commerce business?

Merchants are attributed a merchant level based on these criteria, ranging from Level 1 (highest) to Level 4 (lowest). It is important to note that the merchant level can vary from one payment network to another, since the annual number of transactions per card type differs. A merchant could be attributed one level by MasterCard and another by VISA. The level attributed should be the highest level, although this is at the acquirer's discretion.

PCI DSS compliance levels

PCI level
Number of annual transactions
Type of commerce
1
More than 6,000,000
All types
2
From 1,000,000 to 6,000,000
All types
3
From 20,000 to 1,000,000
E-commerce
4
Less than 1,000,000
Business with a storefront
4
Less than 20,000
E-commerce

Once the merchant level is established, the merchant must prove that it complies with the following PCI DSS requirements:

Level 1, 2 or 3 merchant

  • Desjardins contacts you to confirm that you are in compliance with the standard.

Level 4 merchant

  • You can confirm your compliance yourself, or hire a certified auditor or consultant to do so.
  • You do not need to inform Desjardins of the progress of your work or of your PCI DSS compliance status.
  • You do not need to prove your PCI DSS compliance to Desjardins each year.

Find out more

See the official list of auditors maintained by the PCI Council.

How would PCI DSS non-compliance affect me?
If it is proven that a merchant's credit card data were compromised and the merchant is not PCI DSS compliant, the merchant may face fines, be required to pay the cost of a possible investigation, and still be held liable for the fraud perpetrated. Accordingly, for the security of your business and of your clients, it is essential that you be PCI DSS compliant.
Why implement the PCI DSS control measures?
To preserve your image:
  • To increase customer loyalty and build your clientele

To develop a competitive edge:

  • A positive sales argument and a strategic advantage, particularly for cash register software manufacturers and distributors.

To increase employee awareness about protection of confidential data:

  • Fostering knowledge about data security while promoting best practices among all employees can only lead to success.

To protect yourself and consumers against fraud and potential disputes:

  • Everyone benefits from a climate of trust.
 

As a merchant, you are committed to offering your customers secure payment solutions. Thanks to the PCI DSS Security Standard, you can efficiently meet their expectations and increase their satisfaction with your services.


Download Adobe Reader for PDF files

Desjardins – Share this pageDesjardins – Rate this page

Suggested links