JCB Data Security Program
The JCB Data Security Program is a program for Licensees to ensure that they meet the PCI Data Security Standard (PCI DSS).
JCB requires Licensees to ensure that the Licensees themselves, TPPs, IPSPs and Merchants with access to cardmember data and transaction data comply with the JCB Data Security Program.
PCI DSS - Payment Card Industry Data Security Standard -
Three Compliance Validation Procedures
There are three ways to validate compliance with PCI DSS.
Self-Assessment
Answer the Self-Assessment Questionnaire to determine your current level of compliance with the PCI DSS. You can download the PCI DSS Payment Card Industry Self-Assessment Questionnaire on the PCI Security Standards Council web site.
Download PCI DSS Payment Card Industry Self-Assessment Questionnaire.
Security Scan
A PCI SSC Approved Scanning Vendor (ASV) performs a remote security scan of your network and web applications to identify vulnerabilities and misconfigurations that leave your systems open to attempted intrusions over the Internet. The ASV will provide you with a scan report describing the security vulnerabilities identified and guidance on how to fix them. You can download the PCI DSS Security Scanning Procedures and find a list of ASVs on the PCI Security Standards Council web site. Contact your selected ASV for information on the cost and time required to perform the security scan.
On-Site Review
A PCI SSC Qualified Security Assessor (QSA) performs an on-site review of your information security including interviews, document inspection, and audit of system controls. The QSA will report to you in detail on the audit findings. You can download the PCI DSS Security Audit Procedures and find a list of QSAs on the PCI Security Standards Council web site. Contact your selected QSA for information on the cost and time required to perform the on-site review.
Due Date of PCI DSS Compliance and Compliance Validation Procedures
Licensees, TPPs, IPSPs and Merchants with access to cardmember data and transaction data must comply with PCI DSS starting April 1, 2018, except for Attended Transactions and Cardmember Operated Terminal Transactions. For Attended Transactions and Cardmember Operated Terminal Transactions, Merchants must comply with PCI DSS starting April 1, 2020.
Starting April 1, 2018
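| | | Compliance with PCI DSS | | Number of JCB transactions (per year) | Compliance Validation Procedures: Self-Assessment | Compliance Validation Procedures: Security Scan | Compliance Validation Procedures: On-Site Review |
|---|---|---|---|---|---|---|---|
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | Merchants excluding IPSPs | One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | Merchants excluding IPSPs | Less than one million | Yearly | Quarterly | - |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | IPSPs | Regardless of the number | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | Mandatory (On and after April 1, 2020) | | One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | Mandatory (On and after April 1, 2020) | | Less than one million | Yearly | Quarterly | - |
| TPPs | | Mandatory (On and after April 1, 2018) | | One million or more | - | Quarterly | Yearly |
| TPPs | | Mandatory (On and after April 1, 2018) | | Less than one million | Yearly | Quarterly | - |
| Acquirers | | Mandatory (On and after April 1, 2018) | | Regardless of the number | - | - | - |
| Issuers | | Mandatory (On and after April 1, 2018) | | Regardless of the number | - | - | - |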
* If there are any applicable laws, regulations or industry standards regarding PCI DSS in the country in which the Merchant, TPP, Acquirer or Issuer is located, they shall prevail over this JCB Data Security Program.