JCB Data Security Program

The JCB Data Security Program is a program for Licensees to ensure
that they meet the PCI Data Security Standard (PCI DSS).

JCB requires Licensees to ensure that the Licensees themselves, TPPs, IPSPs and
Merchants with access to cardmember data and transaction data comply with the
JCB Data Security Program.

PCI DSS (Payment Card Industry Data Security Standard)

Three Compliance Validation Procedures

There are three ways to validate compliance with PCI DSS.

Self-Assessment

Answer the Self-Assessment Questionnaire to determine your current level of compliance with the PCI DSS. You can download the PCI DSS Payment Card Industry Self-Assessment Questionnaire on the PCI Security Standards Council web site.

Download PCI DSS Payment Card Industry Self-Assessment Questionnaire.

Security Scan

A PCI SSC Approved Scanning Vendor (ASV) performs a remote security scan of your network and web applications to identify vulnerabilities and misconfigurations that leave your systems exposed to intrusion attempts over the Internet. The ASV will provide you with a scan report describing the security vulnerabilities identified and guidance on how to fix them. You can download the PCI DSS Security Scanning Procedures and find a list of ASVs on the PCI Security Standards Council web site. Contact your selected ASV for information on the cost and time required to perform the security scan.

Download PCI DSS Security Scanning Procedures

Download Approved Scanning Vendors List

On-Site Review

A PCI SSC Qualified Security Assessor (QSA) performs an on-site review of your information security, including interviews, document inspection, and an audit of system controls. The QSA will report the audit findings to you in detail. You can download the PCI DSS Security Audit Procedures and find a list of QSAs on the PCI Security Standards Council web site. Contact your selected QSA for information on the cost and time required to perform the on-site review.

Download PCI DSS Security Audit Procedures

Download Qualified Security Assessors List

Due Date of PCI DSS Compliance and Compliance Validation Procedures

Licensees, TPPs, IPSPs and Merchants with access to cardmember data and transaction data must comply with PCI DSS starting April 1, 2018, except for Attended Transactions and Cardmember Operated Terminal Transactions. For Attended Transactions and Cardmember Operated Terminal Transactions, Merchants must comply with PCI DSS starting April 1, 2020.

Starting April 1, 2018

| Entity | Transaction type | Compliance with PCI DSS | Number of JCB transactions (per year) | Validation: Self-Assessment | Validation: Security Scan | Validation: On-Site Review |
|---|---|---|---|---|---|---|
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | Merchants excluding IPSPs: One million or more | - | Quarterly | Yearly |
| | | | Merchants excluding IPSPs: Less than one million | Yearly | Quarterly | - |
| | | | IPSPs: Regardless of the number | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | Mandatory (On and after April 1, 2020) | One million or more | - | Quarterly | Yearly |
| | | | Less than one million | Yearly | Quarterly | - |
| TPPs | | Mandatory (On and after April 1, 2018) | One million or more | - | Quarterly | Yearly |
| | | | Less than one million | Yearly | Quarterly | - |
| Acquirers | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |
| Issuers | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |
* If there are any applicable laws, regulations or industry standards regarding PCI DSS in the country in which the Merchant, TPP, Acquirer or Issuer is located, they shall prevail over this JCB Data Security Program.