PCI DSS Merchants Guideline

OVERVIEW

All Merchants that accept cards and/or are involved with the processing, transmitting, or storing of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS) .

Established in 2006 by the PCI Council , PCI DSS is a set of control requirements to protect payment data and ensure secure transactions. The ever-evolving threat landscape has made compliance crucial with extensive requirements, making it complex. To simplify, the Merchant Compliance Guide offers clear insights to empower Merchants in identifying their applicable controls and simplifying their path to compliance.

PCI DSS includes 12 main requirements with more than 300 sub-requirements that mirror security best practices.

This guideline will help you figure out which PCI DSS requirement applies to a Merchant based on the following factors: (a) Merchant Level, (b) Product, and (c) Integration.

This will also provide information on whether it’s necessary to hire a PCI Council-approved auditor (i.e., Qualified Security Assessor or Internat Security Assessor).

Scope

This guide covers the following:

  1. Merchants: Merchants processing more than 20,000 card transactions; and
  2. Products: Online Payment Solutions: Checkout i.e. (a) Full Redirection, (b) iFrame, (c) Plugin, (d) Vault, and (e) Invoice Payment via API integration.

Do Merchants really need to comply?

YES!


The fact that Maya is PCI DSS certified does NOT exempt Merchants from complying with the standard. Merchants are still responsible for securing their environment when they:

  1. Process, store, and/or transmit account data; AND/OR
  2. Have a direct integration with the payment checkout/gateway.

What are Account data?

Cardholder Data (CHD): At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code; and

Sensitive Authentication Data (SAD): Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.


STEPS TO COMPLIANCE

Step 1: Know Your Requirement

Identify your level and know your requirements.


MerchantsRequirements
Level 1 Merchants

1. Merchants that annually process more than 6 million transaction counts of Visa or Mastercard or more than 2.5 million for American Express; or

2. Are deemed "Level 1" by any card association (Visa, Mastercard etc.)
1. Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA ) – also commonly known as a Level 1 onsite assessment – or a PCI SSC-certified Internal Security Assessor (ISA ). Submitted to Maya every September.

2. Quarterly network scan by Approved Scan Vendor (ASV ). Submitted to Maya every March, June, September, and December.

3. Attestation of Compliance (AOC ) for Onsite Assessments–there are specific forms for merchants and service providers.
Level 2 Merchants

Merchants that process between 1 and 6 million transaction counts on an annual basis
1. Annual PCI DSS Self-Assessment Questionnaire (SAQ ) by a QSA or a PCI SSC-certified ISA. Submitted to Maya every September

ℹ️ Note: Refer to Applicable PCI DSS Requirements for Level 2 and 3 Merchants to determine the SAQ type.


2. Quarterly network scan by ASV Attestation of Compliance. Submitted to Maya every March, June, September, and December
Level 3 Merchants

Merchants that process between 20,000 and 1 million online transaction counts on an annual basis
1. Annual Self-signed PCI DSS SAQ . Submitted to Maya every September

ℹ️ Note: Refer to Applicable PCI DSS Requirements for Level 2 and 3 Merchants to determine the SAQ type.


2. Quarterly network scan by ASV Attestation of Compliance. Submitted to Maya every March, June, September, and December

Table 1. Merchant Compliance Table

Step 2: Determine the Product and Integration

This section will help readers determine the type of SAQ requirement applicable for Level 2 and 3 merchants by mapping the account data flow based on the product and integration used.

A simple depiction of the account data flow diagram between Merchant and Maya

A simple depiction of the account data flow diagram between Merchant and Maya

This guideline is tailored to the current products and integrations of Maya online solutions. Therefore, minimal effort is needed to understand the account data flow and determine the applicable SAQ requirements.

Determining the SAQ requirement is not a major concern for Level 1 Merchants. They are required to comply with and submit the three requirements stated in Step 1: Know Your Requirement (Table 1. Merchant Compliance) regardless of the product and integration used.

Account Data HandlingMerchant Level 2-3 Requirements
Merchants DO NOT process, store, and transmit Account Data.

  • Full Redirection
  • iFrame
  • Plugins
  • Vault SDK
  • Invoice Payment (API integration)
SAQ A
(containing 1-30 questions or control requirements)
Merchants transmit Account Data ONLY.

  • Vault - Self-Hosted Checkout Form [A]
SAQ A - EP
(containing 30 - 140 questions or control requirements)
Merchants process and/or store Account Data.

  • Vault - Self-Hosted Checkout Form [B]
SAQ D
(containing more than 140 questions or control requirements)

The detailed descriptions of account handling on full redirection, transmission, storage, and process are shown below.


PCI REQUIREMENT: SAQ A

Checkout - Full Redirection

Maya Checkout is implemented via redirection.

  1. The customer gets redirected to the Maya Checkout Page after finalizing the goods and services to be availed on your online shop.
  2. The customer inputs his payment details (i.e., cardholder data) for payment processing.
  3. The Maya Payment Gateway collects and processes the payment details.

PCI DSS Validation Detailed Requirements


Checkout - iFrame Implementation

Maya Checkout is implemented via iFrame fields.

  1. The customer inputs his payment details on your payment page via forms embedded in iFrames hosted by Maya Payment Gateway.
  2. Maya Payment Gateway collects and processes the payment details.

PCI DSS Validation Detailed Requirements


Checkout - Plugins

Maya Checkout is implemented via Plugins.

  1. The customer gets redirected to Maya Checkout Page after finalizing the goods and services to be availed on your online shop.
  2. The customer inputs his payment details (i.e., cardholder data) for payment processing.
  3. Maya Payment Gateway collects and processes the payment details.

PCI DSS Validation Detailed Requirements


Checkout - Vault SDK

Maya Checkout is implemented via SDK.

  1. The customer inputs his payment and customer details on your payment page. These details are forwarded from the browser directly to Maya Vault for card and customer details tokenization.
  2. Maya Vault collects and tokenizes these data. The card token is then forwarded back as a response. The token can be stored in the Merchant’s environment for future transactions.
  3. Maya Payment Gateway collects and processes card tokens.

PCI DSS Validation Detailed Requirements


Checkout - Invoice Payment via API Integration

Maya Checkout is implemented via API integration.

  1. The customer makes an order via your shop platform through conversational transactions (e.g., chatbot) and receives the payment link. The payment link will redirect the customer to Maya Checkout.
  2. The customer inputs his payment details (i.e., cardholder data) for payment processing.
  3. Maya Payment Gateway collects and processes card tokens.

PCI DSS Validation Detailed Requirements


PCI REQUIREMENT: SAQ A-EP

Checkout - Vault Self-Hosted Checkout Form [A]

Use Case A: Self-hosted Checkout form

  1. The customer inputs his payment and customer details on your payment page. These details are forwarded from the browser to Maya Vault for card and customer details tokenization.
  2. Maya Vault collects and tokenizes these data. The card token is then forwarded back as a response. The token can be stored in the Merchant’s environment for future transactions.
  3. Maya Payment Gateway collects and processes card tokens.

PCI DSS Validation Detailed Requirements

  1. Level 2 Merchants: SAQ A - EP filled out by a QSA or ISA (with ASV Scan ).
  2. Level 3 Merchants: SAQ A - EP self-signed (with ASV Scan ).

PCI REQUIREMENT: SAQ D

Checkout - Vault Self-Hosted Checkout Form [B]

Use Case B: Self-hosted Checkout form

  1. The customer inputs his payment and customer details on your payment page. These details are forwarded to your application server and then to Maya Vault for card and customer details tokenization.
  2. Maya Vault collects and tokenizes these data. The card token is then forwarded back as a response. The token can be stored in the Merchant’s environment for future transactions.
  3. Maya Payment Gateway collects and processes card tokens.

PCI DSS Validation Detailed Requirements

  1. Level 2 Merchants: SAQ D filled out by a QSA or ISA (with ASV Scan ).
  2. Level 3 Merchants: SAQ D self-signed (with ASV Scan ).

Step 3: Submit your Requirements

The Merchants can submit their PCI Requirements to their respective RMs via email. All queries regarding Merchants can be directed to their RMs as well.


SHARED RESPONSIBILITY

Maya, as the payment provider, is responsible for ensuring the security and compliance of the payment ecosystem, including its backend system components, data processing and handling, etc. This security is enforced through a compliance program that encompasses not only industry security standards like PCI DSS but also additional standards like ISO 27001 (Information Security) and ISO 27701 (Privacy Information Management System), as well as regulatory compliance with requirements like BSP circular 982 and the Data Privacy Act 2012

On the other hand, at minimum, merchants are responsible for safeguarding their API keys and dashboard credentials primarily by practicing security hygiene. Other security hygiene and best practices are found here . In terms of PCI DSS compliance, the level of responsibility for securing the payment ecosystem becomes broader depending on how merchants handle account data and their merchant level. As discussed previously, the SAQ type requirements show that for Merchant Levels 2 and 3, more control requirements should be implemented as account data reaches your environment. For Merchant Level 1, a comprehensive set of control requirements shall be complied with, regardless of how they handle account data.

Penalty

In some instances, Mastercard or Visa may send follow-up emails requesting specific documents from specific merchants, the failure of which may amount to non-compliance assessments worth ten thousand to twenty-five thousand US Dollars ($10,000 - USD 25,000). Should this occur, then Maya may exercise the right to pass this on to the merchant. Hence, there are both reputational and financial reasons for Maya and its merchants to ensure compliance with PCI-DSS requirements.

CONCLUSION

The number of controls merchants need to comply with varies depending on their Merchant Level and account data handling practices. This directly impacts the shared responsibility between Maya and the merchant, ensuring proportionate responsibility based on data flow. To gain a comprehensive understanding of the information you need to know about Merchant Guidelines and Requirements, please refer to the detailed Maya Merchant Guidelines available here .