
JCB Data Security Program

The JCB Data Security Program is a program for Licensees to ensure that they meet the PCI Data Security Standard (PCI DSS).
JCB requires Licensees to ensure that the Licensees themselves, TPPs, IPSPs and Merchants with access to cardmember data and transaction data comply with the JCB Data Security Program.

PCI DSS - Payment Card Industry Data Security Standard -

Three Compliance Validation Procedures

There are three ways to validate compliance with PCI DSS.

Self-Assessment

Answer the Self-Assessment Questionnaire to determine your current level of compliance with the PCI DSS. You can download the PCI DSS Payment Card Industry Self-Assessment Questionnaire on the PCI Security Standards Council web site.

Download PCI DSS Payment Card Industry Self-Assessment Questionnaire.

Security Scan

A PCI SSC Approved Scanning Vendor (ASV) performs a remote security scan of your network and web applications to identify vulnerabilities and misconfigurations that expose your systems to intrusion attempts over the Internet. The ASV will provide you with a scan report describing the security vulnerabilities identified and guidance on how to fix them. You can download the PCI DSS Security Scanning Procedures and find a list of ASVs on the PCI Security Standards Council web site. Contact your selected ASV for information on the cost and time required to perform the security scan.

Download PCI DSS Security Scanning Procedures

Download Approved Scanning Vendors List

On-Site Review

A PCI SSC Qualified Security Assessor (QSA) performs an on-site review of your information security, including interviews, document inspection, and an audit of system controls. The QSA will report to you in detail on the audit findings. You can download the PCI DSS Security Audit Procedures and find a list of QSAs on the PCI Security Standards Council web site. Contact your selected QSA for information on the cost and time required to perform the on-site review.

Download PCI DSS Security Audit Procedures

Download Qualified Security Assessors List

Due Date of PCI DSS Compliance and Compliance Validation Procedures

Licensees, TPPs, IPSPs and Merchants with access to cardmember data and transaction data must comply with PCI DSS starting April 1, 2018, except for Attended Transactions and Cardmember Operated Terminal Transactions. For Attended Transactions and Cardmember Operated Terminal Transactions, Merchants must comply with PCI DSS starting April 1, 2020.

Until March 31, 2018

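| Handling of data | Entity | Compliance with PCI DSS | Number of JCB transactions (per year) | Compliance Validation Procedures: Self-Assessment | Compliance Validation Procedures: Security Scan | Compliance Validation Procedures: On-Site Review |
|---|---|---|---|---|---|---|
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | One million or more | - | Quarterly | Yearly |
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | Less than one million | Yearly | Quarterly | - |
| If you handle cardholder data and transaction data via the Internet or Internet-accessible network | Payment Processors | Recommended | Regardless of the number | - | Quarterly | Yearly |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | One million or more | - | - | Yearly |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Merchants | Recommended | Less than one million | Yearly | - | - |
| If you don't handle cardholder data and transaction data via the Internet or Internet-accessible network | Payment Processors | Recommended | Regardless of the number | - | - | Yearly |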

Starting April 1, 2018

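| Entity | Transaction type | Compliance with PCI DSS | Number of JCB transactions (per year) | Compliance Validation Procedures: Self-Assessment | Compliance Validation Procedures: Security Scan | Compliance Validation Procedures: On-Site Review |
|---|---|---|---|---|---|---|
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | Merchants excluding IPSPs: One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | Merchants excluding IPSPs: Less than one million | Yearly | Quarterly | - |
| Merchants (including IPSPs) | E-commerce Transaction, MO/TO Transaction, Phone Call Service Transaction | Mandatory (On and after April 1, 2018) | IPSPs: Regardless of the number | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | Mandatory (On and after April 1, 2020) | One million or more | - | Quarterly | Yearly |
| Merchants (including IPSPs) | Attended Transaction, Cardmember Operated Terminal Transaction | Mandatory (On and after April 1, 2020) | Less than one million | Yearly | Quarterly | - |
| TPPs | | Mandatory (On and after April 1, 2018) | One million or more | - | Quarterly | Yearly |
| TPPs | | Mandatory (On and after April 1, 2018) | Less than one million | Yearly | Quarterly | - |
| Acquirers | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |
| Issuers | | Mandatory (On and after April 1, 2018) | Regardless of the number | - | - | - |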

* If there are any applicable laws, regulations or industry standards regarding PCI DSS in the country in which the Merchant, TPP, Acquirer or Issuer is located, they shall prevail over this JCB Data Security Program.