The PNC PCI DSS compliance programme
Since 2007 the Swedish acquirers have been running a programme to raise the security of card payments and to create a market in which only approved card payment products are sold. The programme is based on the security standard PCI DSS.
E2E Encryption
E2E-validated EMV POS terminals reduce the merchant's cardholder data environment and thereby the number of PCI DSS requirements that apply to the merchant.
Card present requirements
(For details please see the EMV and PA-DSS presentation (Swedish/English))
Current milestones:
- 1/1 2010 All newly-installed and reinstalled card interfaces (KI) and payment applications (KA) shall be PA-DSS compliant, either:
Alternative 1: via PA-DSS self-assessment.
List of PA-DSS Self-assessed Payment Applications (16/7/2010)
Alternative 2: via PA-DSS certification by a PA-QSA.
List of Validated Payment Applications
- 1/1 2010 All newly-installed and reinstalled POS, KI and KA shall support EMV
- 1/7 2010 All newly-installed and reinstalled POS, KI and KA shall either:
Alternative 1: The POS fulfils the End-to-End Encryption requirements and is PA-DSS certified by a PA-QSA.
(Please note: E2E reduces the merchant's cardholder data environment and thereby the number of PCI DSS requirements that apply to the merchant.)
List of E2E Validated EMV POS terminals (16/7/2010)
Alternative 2: The POS, KI and KA are each PA-DSS certified by a PA-QSA.
(Please note: This gives no reduction of the merchant's cardholder data environment or of the number of applicable PCI DSS requirements for the merchant.)
List of Validated Payment Applications
- 1/1 2011 All existing POS, KI and KA shall support EMV
- 1/7 2012 All existing POS, KI and KA shall either:
Alternative 1: The POS fulfils the End-to-End Encryption requirements and is PA-DSS certified by a PA-QSA.
Alternative 2: The POS, KI and KA are each PA-DSS certified by a PA-QSA.
Earlier milestones:
As a first step, the acquirers requested Payment Service Providers, Sales Application Providers, Electronic Cash Register vendors and other vendors to ensure that their payment solutions store card data in accordance with the standard. This had to be done by 31 December 2008.
List of Payment Applications working towards PCI DSS and PA-DSS compliance (18/12/2009). Please note: this list is not valid for new installations after 31/12/2009.
E-commerce requirements
(For details please see the E-commerce presentation (English))
All existing solutions shall either be hosted or be PCI DSS validated according to the acquirer's requirements. CVV2 and CVC2 values must be erased; as sensitive authentication data they may not be stored after authorisation.
Messages and press releases:
- Message E-commerce (Swedish) (31/3/2009)
- Press release e-commerce (Swedish) (16/10/2008)