Blog | G5 Cyber Security

PCI DSS Payment Capture Rules

TL;DR

PCI DSS doesn’t *directly* dictate when you can capture a payment, but it heavily controls how and under what conditions. It’s about protecting cardholder data throughout the entire process – from when the customer initiates the transaction to when funds are settled. Focus on secure transmission, storage, and processing of data, and strong access control.

Understanding PCI DSS & Payment Capture

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder information. It doesn’t say ‘you can capture payments at X time’, but it sets rules that impact when and how you *safely* can.

Key PCI DSS Rules Affecting Payment Capture

  1. Requirement 1: Secure Network – Your network must be secure. This impacts payment capture because a compromised network exposes card data to interception during transmission.
    • Firewalls are essential.
    • Regular vulnerability scans and penetration testing are required.
  2. Requirement 2: Cardholder Data Protection – This is huge for payment capture.
    • Data at Rest: If you store card data (which you should avoid if possible!), it must be encrypted.
    • Data in Transit: All transmission of cardholder data must be encrypted using strong cryptography (TLS 1.2 or higher is the minimum). Check your SSL/TLS configuration:
      openssl s_client -connect yourdomain.com:443
  3. Requirement 3: Vulnerability Management Program – Keep systems patched and up-to-date.
    • Outdated software is a major security risk during payment processing.
    • Automated patching tools can help.
  4. Requirement 4: Strong Access Control Measures – Limit access to cardholder data.
    • Use strong passwords and multi-factor authentication (MFA).
    • Implement role-based access control (RBAC) – only give people the permissions they need.
  5. Requirement 5: Regularly Monitor and Test Networks – Detect intrusions.
    • Use intrusion detection/prevention systems (IDS/IPS).
    • Log all access to cardholder data and review logs regularly.
  6. Requirement 6: Maintain an Information Security Policy – Have a documented policy.
    • This should cover all aspects of payment processing, including capture procedures.
  7. Requirement 7: Restrict Physical Access to Cardholder Data – Protect physical systems.
    • Control access to servers and data centres.
  8. Requirement 8: Identify and Authenticate Access to System Components – Verify identities.
    • Unique user IDs for everyone accessing the system.
  9. Requirement 9: Secure Physical Media – Protect data on physical media (if any).
    • Secure disposal of old tapes, hard drives etc.
  10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data – Audit trails.
    • Log everything!
  11. Requirement 11: Regularly Test Security Systems and Processes – Penetration testing, vulnerability scanning.
  12. Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel – Training is key.
    • Train staff on PCI DSS requirements and secure payment handling procedures.
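As an added example (not part of the original post), here is a small Python checker that reads the session summary printed by the `openssl s_client` command above and flags anything below the TLS 1.2 floor, or a certificate chain that fails to verify. The two transcripts are constructed samples, not captures from a real server.

```python
from __future__ import annotations
import re

# The page's stated floor for cardholder data in transit: TLS 1.2 or higher.
MIN_TLS = (1, 2)

# Constructed excerpts of `openssl s_client -connect host:443` output (not
# real captures); the Protocol and Verify lines follow OpenSSL's layout.
SAMPLE_GOOD = """\
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""
SAMPLE_BAD = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Verify return code: 21 (unable to verify the first certificate)
"""

PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(SSL|TLS)v(\d)(?:\.(\d))?", re.M)
VERIFY_RE = re.compile(r"^Verify return code:\s*(\d+)", re.M)


def negotiated_version(output: str) -> tuple[str, tuple[int, int]]:
    """Return (protocol label, comparable version) from the Protocol line.

    SSLv2/SSLv3 are ranked below every TLS version; a bare "TLSv1" is 1.0.
    """
    m = PROTOCOL_RE.search(output)
    if not m:
        raise ValueError("no Protocol line in s_client output")
    family, major, minor = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    label = f"{family}v{major}" + (f".{minor}" if m.group(3) else "")
    return label, ((major, minor) if family == "TLS" else (0, major))


def check_s_client_output(output: str) -> list[str]:
    """Return findings against the TLS 1.2 floor; an empty list means pass."""
    findings = []
    label, version = negotiated_version(output)
    if version < MIN_TLS:
        findings.append(f"{label} negotiated; minimum is TLS 1.2")
    v = VERIFY_RE.search(output)
    code = int(v.group(1)) if v else -1
    if code != 0:
        # Non-zero means the chain did not validate; -1 means the line was absent.
        findings.append(f"certificate chain did not verify (return code {code})")
    return findings
```

Pipe a live transcript in with `openssl s_client -connect yourdomain.com:443 </dev/null` and pass the captured text to `check_s_client_output`; also retry with `-tls1` and `-tls1_1` to confirm the server refuses the older versions rather than merely preferring a newer one.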

Practical Implications for Payment Capture Timing

These rules mean you need to consider:

Where to Find More Information

The official PCI DSS documentation is available at https://www.pcisecuritystandards.org
