
JCB Data Security Program

Industrywide Security Standards

The JCB Data Security Program is a program for Licensees to ensure that they meet the PCI Data Security Standard (PCI DSS).

JCB requires Licensees to ensure that the Licensees themselves, TPPs, IPSPs and Merchants with access to cardmember data and transaction data comply with the JCB Data Security Program.

Three Compliance Validation Procedures

There are three ways to validate compliance with PCI DSS.

Self-Assessment

Answer the Self-Assessment Questionnaire to determine your current level of compliance with the PCI DSS. You can download the PCI DSS Payment Card Industry Self-Assessment Questionnaire on the PCI Security Standards Council web site.

Security Scan

A PCI SSC Approved Scanning Vendor (ASV) performs a remote network security scan of your network and web applications to evaluate system vulnerabilities and misconfigurations, faults that may lead to intrusions over the Internet. The ASV will provide you with a scan report describing the security vulnerabilities identified and guidance on how to fix them. You can download the PCI DSS Security Scanning Procedures and find a list of ASVs on the PCI Security Standards Council web site. Contact your selected ASV for information on the cost and time required to perform the security scan.

On-Site Review

A PCI SSC Qualified Security Assessor (QSA) performs an on-site review of your information security including interviews, document inspection, and audit of system controls. The QSA will report to you in detail on the audit findings. You can download the PCI DSS Security Audit Procedures and find a list of QSAs on the PCI Security Standards Council web site. Contact your selected QSA for information on the cost and time required to perform the on-site review.

Due Date of PCI DSS Compliance and Compliance Validation Procedures

Licensees, TPPs, IPSPs and Merchants with access to cardmember data and transaction data must comply with PCI DSS starting April 1, 2018, except for Attended Transactions and Cardmember Operated Terminal Transactions. For Attended Transactions and Cardmember Operated Terminal Transactions, Merchants must comply with PCI DSS starting April 1, 2020.

Until March 31, 2018

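| | | Compliance with PCI DSS | Number of JCB transactions (per year) | Self-Assessment | Security Scan | On-Site Review |
|---|---|---|---|---|---|---|
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | One million or more | - | Quarterly | Yearly |
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | Less than one million | Yearly | Quarterly | - |
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Payment Processors | Recommended | Regardless of the number | - | Quarterly | Yearly |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | One million or more | - | - | Yearly |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | Less than one million | Yearly | - | - |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Payment Processors | Recommended | Regardless of the number | - | - | Yearly |

Self-Assessment, Security Scan and On-Site Review are the Compliance Validation Procedures.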

Starting April 1, 2018

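| | | | Compliance with PCI DSS | Number of JCB transactions (per year) | Self-Assessment | Security Scan | On-Site Review |
|---|---|---|---|---|---|---|---|
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Merchants excluding IPSPs | Mandatory (On and after April 1, 2018) | One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Merchants excluding IPSPs | Mandatory (On and after April 1, 2018) | Less than one million | Yearly | Quarterly | - |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | IPSPs | Mandatory (On and after April 1, 2018) | Regardless of the number | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | | Mandatory (On and after April 1, 2020) | One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | | Mandatory (On and after April 1, 2020) | Less than one million | Yearly | Quarterly | - |
| TPPs | | | Mandatory (On and after April 1, 2018) | One million or more | - | Quarterly | Yearly |
| TPPs | | | Mandatory (On and after April 1, 2018) | Less than one million | Yearly | Quarterly | - |
| Acquirers | | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |
| Issuers | | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |

Self-Assessment, Security Scan and On-Site Review are the Compliance Validation Procedures.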

* If there are any applicable laws, regulations or industry standards regarding PCI DSS in the country in which the Merchant, TPP, Acquirer or Issuer is located, they shall prevail over this JCB Data Security Program.
