PCI Compliance
Background
The Payment Card Industry (PCI) sets standards that must be followed by any entity that stores, processes, transmits, or could affect the security of credit card information (known as “cardholder data”). The best known of these is the Data Security Standard (PCI-DSS) which applies for merchants accepting credit cards in exchange for goods/services and service providers providing services associated with a merchant’s credit card related processes. ECHO falls underneath this as a service provider.
Compliance Responsibilities
In almost all cases, merchants are dependent on other 3rd parties to operate controls essential for their own PCI compliance. Under PCI, this does not absolve a business entity of responsibility for these controls; at minimum, they must obtain attestation from their 3rd party vendors that they are operating their own controls in full compliance with PCI.
Likewise, the business entity must understand which controls it is responsible for operating. A common misconception is that an entity can fully outsource its PCI responsibility by utilizing PCI compliant vendors. In almost every case, the entity will retain at least a small number of controls it must maintain, in conjunction with ensuring its vendors are PCI compliant.
With this understanding in mind, ECHO has developed the matrix below identifying who (ECHO, clients, or both) is responsible for operating to ensure PCI compliance.
How ECHO Provides Proof of Compliance
ECHO completes a PCI DSS compliance assessment annually by a PCI Qualified Security Assessor (QSA). The annual assessment is completed using the PCI provided Report on Compliance (ROC) template. Proof of completion of this assessment is provided to ECHO’s clients by emailing compliance@echohealthinc.com.
Overview of Scope
ECHO assists in the collection of payments on behalf of Payer Clients. Payment processing occurs as described below:
- The Payer client initiates the process to provide payment through one of two ways (depending on the line of business): (1) a link sent to the Payee via an email that takes the Payee to an ECHO hosted webpage (Payee Portal); or (2) via an iFrame present on a client hosted web page. Payees their claim information to log in and begin the payment process.
- The payment page is present from the ECHOVault via an iFrame through the client hosted web page or Payee Portal.
- For certain payment methods, Cardholder data is entered by the Payee and sent directly to the ECHOVault, which then passes it on to the applicable third-party for payment processing. Encrypted cardholder data is stored within the ECHOVault to provide the contracted services.
- Transaction validations are returned to Payees via the Payee Portal or Client hosted web page
Responsibility Matrix
If Client is leveraging their own hosted payment page directing Payees to the payment page hosted by the ECHOVault, they are responsible for applicable requirements outlined in the matrix below. This responsibility matrix assumes the Client is qualified for SAQ version A for this contracted service. Applicable requirements for Payer Clients to apply to their compliance scope include those noted as “Client” or “Shared.” Definitions for these designations are as follows:
- Client – compliance with this requirement is the responsibility of Payer customers for the service(s) provided.
- Shared – Each entity is responsible for attesting to compliance with the requirement for their respective compliance scope. Additional information can be found in the commentary column for each requirement.
Notes:
- This responsibility matrix applies only to the payment process outlined within this document. Clients are responsible for defining their own PCI compliance scope. Where applicable, Clients should seek guidance from a valid Qualified Security Assessor (QSA).
- The controls matrix below references PCI DSS 4.0.
- Controls not listed are the sole responsibility of ECHO.
PCI Requirement | Responsibility | Commentary |
2.2.2 Vendor default accounts are managed as follows:
Applicability Notes This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults. This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
3.1.1 All security policies and operational procedures that are identified in Requirement 3 are:
|
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
Applicability Notes |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
6.3.1 Security vulnerabilities are identified and managed as follows:
This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
|
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
This requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. Applicability Notes |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary, on an exception basis, and are managed as follows:
This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.2.5 Access for terminated users is immediately revoked | Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.3.1 All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
Applicability Notes This requirement does not supersede multi-factor authentication (MFA) requirements but applies to those in-scope systems not otherwise subject to MFA requirements. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:
|
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
This requirement is not intended to apply to:
Until 31 March 2025, passwords must be a minimum length of seven characters in accordance with PCI DSS v3.2.1 Requirement 8.2.3. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. Applicability Notes |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
This requirement applies to in-scope system components that are not in the CDE because these components are not subject to MFA requirements. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). This requirement does not apply to service providers’ customer accounts but does apply to accounts for service provider personnel. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.1 All media with cardholder data is physically secured. | Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.1.1 Offline media backups with cardholder data are stored in a secure location. | Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months. | Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.2 All media with cardholder data is classified according to the data’s sensitivity. | Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.3 Media with cardholder data sent outside the facility is secured as follows:
|
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). Applicability Notes |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data when no longer needed per the entity’s cardholder data retention policies. |
Client | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
11.3.2 External vulnerability scans are performed as follows:
For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). However, for subsequent years after the initial PCI DSS assessment, passing scans at least every three months must have occurred. ASV scanning tools can scan a vast array of network types and topologies. Any specifics about the target environment (for example, load balancers, third-party providers, ISPs, specific configurations, protocols in use, scan interference) should be worked out between the ASV and scan customer. Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc. |
Shared | Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
11.3.2.1 External vulnerability scans are performed after any significant change as follows:
|
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
11.6.1 A change- and tamper-detection mechanism is deployed as follows:
Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. Applicability Notes |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.8.2 Written agreements with TPSPs are maintained as follows: • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. • Written agreements include acknowledgements from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement. Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. Applicability Notes |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |
12.10.1 An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to: • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum. • Incident response procedures with specific containment and mitigation activities for different types of incidents. • Business recovery and continuity procedures. • Data backup processes. • Analysis of legal requirements for reporting compromises. • Coverage and responses of all critical system components. • Reference or inclusion of incident response procedures from the payment brands. |
Shared |
Customer is responsible for the system component(s) presenting the iFrame and related people / process. |