Frequently Asked Question
This article highlights Nochex's PCI DSS compliance status and explains which PCI DSS requirements are the responsibility of Nochex, which are the responsibility of the merchant, and which are shared. A requirement is shared wherever Nochex provides a service that meets part of that requirement on the merchant's behalf, or wherever the merchant's own environment can affect the security of customers' cardholder data and/or sensitive authentication data. The matrix below shows the split for each Nochex integration method (hosted Payments Page, API Widget, and MOTO).
| Requirement | Payments Page | API Widget | MOTO |
| --- | --- | --- | --- |
| Requirement 1: Install and Maintain Network Security Controls | Nochex | Nochex | *Shared |
| Requirement 2: Apply Secure Configurations to All System Components | *Shared | *Shared | *Shared |
| Requirement 3: Protect Stored Account Data | Nochex | Nochex | Nochex |
| Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | Nochex | Nochex | Nochex |
| Requirement 5: Protect All Systems and Networks from Malicious Software | Nochex | Nochex | *Shared |
| Requirement 6: Develop and Maintain Secure Systems and Software | *Shared | *Shared | *Shared |
| Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know | Nochex | Nochex | *Shared |
| Requirement 8: Identify Users and Authenticate Access to System Components | *Shared | *Shared | *Shared |
| Requirement 9: Restrict Physical Access to Cardholder Data | Nochex | Nochex | *Shared |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | Nochex | Nochex | Nochex |
| Requirement 11: Test Security of Systems and Networks Regularly | *Shared | *Shared | Nochex |
| Requirement 12: Support Information Security with Organizational Policies and Programs | *Shared | *Shared | *Shared |
*Shared: the merchant is responsible for meeting only the specific subsections of the requirement that apply to the merchant's own environment. The merchant-side obligations for each shared requirement are summarised below.
* Requirement 2
Requirement 2 of PCI DSS means you must replace vendor-supplied default passwords and insecure default settings on every system component in your environment (for example point-of-sale devices, workstations, routers and wireless access points) with secure, unique configurations. Even though Nochex processes the transactions, you remain responsible for hardening your own systems so that they cannot be used as a route to customers' cardholder data.
* Requirement 6
Requirement 6 of PCI DSS means you must keep your systems and applications secure by applying security patches promptly after they are released. Even though Nochex handles the transactions, your business is responsible for ensuring that the software and devices you operate (including the website or application that embeds or redirects to the Nochex payment flow) are free from known vulnerabilities, which helps protect your customers' data.
* Requirement 8
Requirement 8 of PCI DSS means you must control who can access your systems by giving each user their own unique account (no shared or generic logins) and requiring strong authentication. Even though Nochex handles the transactions, your business must ensure that only authorised staff can access systems that touch payment data, reducing the risk of a security breach.
* Requirement 11
Requirement 11 of PCI DSS means you must regularly test your security controls and processes to confirm they are working effectively. This includes routine vulnerability scans and penetration testing to identify weaknesses before an attacker can exploit them. Even though Nochex processes the transactions, your business is responsible for confirming that the defences in your own environment are up to date and functioning properly.
* Requirement 12
Requirement 12 of PCI DSS requires your business to maintain a formal information security policy and an incident response plan. This means establishing clear procedures for how payment data is protected and what to do in the event of a security breach. While Nochex handles much of the processing, you remain accountable for setting, maintaining and following these documented security practices to safeguard your customers' information.