
Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory standard created by the PCI Security Standards Council. The purpose of the standard is to decrease the risk of payment card fraud online.

Any organization that stores, transmits, or processes cardholder data must comply with the PCI DSS or risk paying "non-compliance" or "data compromise" fines.

The standard, and the fines, are enforced by the "acquiring bank": the bank that provides your merchant account services.

What are the PCI DSS Requirements?

The Standard essentially requires merchants and member service providers (MSPs) who store, process, or transmit cardholder data to:

  • Build and maintain a secure IT network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Merchant PCI DSS Compliance Criteria and PCI levels

Compliance requirements are dependent on a merchant's activity level.

The scope of PCI DSS

The PCI DSS regulations are applicable to all types of media that store card data. That means they cover hard drives, CDs/DVDs, USB storage devices, cloud storage, etc., but they also apply equally to printed or handwritten papers containing the full card number. For example, merchants keeping paper records of transactions for voucher recovery purposes, or as evidence of the transaction, must keep those records secure.

Merchants must also secure all other areas where card details may be stored, processed, or transmitted. For example, many EPOS systems take a copy of the card details (either swiped separately or extracted from EFT receipt data) and store them unencrypted within their own databases for reconciliation and reporting purposes.

The 4 PCI DSS Merchant Levels

  • Level 1—Merchants with over 6 million transactions a year
  • Level 2—Merchants with 1 to 6 million transactions a year
  • Level 3—Merchants with 20,000 to 1 million transactions a year
  • Level 4—Merchants with under 20,000 transactions a year

While Payment Brands (Visa, Mastercard, Amex, Discover, etc.) determine the compliance levels for their own brands, acquirers (the banks) are usually responsible for determining how they validate your compliance.

Whether or not transaction volume applies only to eCommerce transactions or to payments processed through all channels is decided separately by each payment brand but, in general, all transactions are included.

How do I comply with PCI DSS?

Level 1—Criteria: Merchants are required to undertake an "Annual Onsite Security Audit" (reviewed by a Qualified Security Assessor (QSA) company—of which IT Governance is one—or Internal Audit if signed by an officer of the merchant company and pre-approved by the acquirer) and a quarterly network security scan.

Level 2—Criteria: Merchants are required to undertake an Annual Self-Assessment Questionnaire and Quarterly Scan by an Approved Scanning Vendor (ASV).

Level 3—Criteria: Merchants are required to undertake a Quarterly Scan by an Approved Scanning Vendor (ASV) and Annual Self-Assessment Questionnaire.

Level 4—Criteria: Merchants are required to undertake an Annual Self-Assessment Questionnaire and Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria).

PCI DSS Benefits

Becoming compliant with the Payment Card Industry (PCI) Standard can help businesses protect their customers' data, win new business, and protect their brand.

Laws exist in various states, including Washington, Minnesota, Nevada, and Massachusetts, which state that businesses are not liable for unauthorized access to credit card information they stored so long as they were PCI-compliant. The PCI DSS Documentation Toolkit is the quickest way to become compliant.

The PCI DSS Documentation Toolkit contains all the templates, tools, and policies you need to conduct your own PCI compliance project quickly and cost-effectively. It contains all the documents you need and essential guidance on how to achieve compliance.

PCI DSS Solutions

IT Governance offers a range of products to assist your organization in becoming PCI DSS compliant:


  • PCI DSS A Pocket Guide: ideal for those new to the subject
  • The PCI DSS Documentation Toolkit: save time and money with PCI DSS templates
  • PCI DSS Staff Training: a cost-effective staff awareness solution
  • PCI Compliance and Support Contract: PCI DSS implementation tools with a full support package