Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory standard created by the PCI Security Standards Council. The purpose of the standard is to decrease the risk of payment card fraud online.
Any organization that stores, transmits, or processes cardholder data must comply with the PCI DSS or risk paying "non-compliance" or "data compromise" fines.
The standard, and the fines, are enforced by the "acquiring bank", the bank that provides your merchant account services.
What are the PCI DSS Requirements?
The Standard essentially requires merchants and member service providers (MSPs) who store, process, or transmit cardholder data to:
Build and maintain a secure IT network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Merchant PCI DSS Compliance Criteria and PCI levels
Compliance requirements are dependent on a merchant's activity level.
The scope of PCI DSS
The PCI DSS regulations are applicable to all types of media that store card data. That means it covers hard drives, CDs/DVDs, USB storage devices, cloud storage, etc., but it also applies equally to printed or handwritten papers containing the full card number. For example, merchants keeping paper records of transactions for voucher recovery purposes, or as evidence of the transaction, must ensure their security.
Merchants must also secure all other areas where card details may be stored, processed, or transmitted. For example, many EPOS systems take a copy of the card details (either swiped separately or extracted from EFT receipt data) and store them unencrypted within their own databases for reconciliation and reporting purposes.
The 4 PCI DSS Merchant Levels
Level 1—Merchants with over 6 million transactions a year
Level 2—Merchants with 1 to 6 million transactions a year
Level 3—Merchants with 20,000 to 1 million transactions a year
Level 4—Merchants with under 20,000 transactions a year
While Payment Brands (Visa, Mastercard, Amex, Discover, etc.) determine the compliance levels for their own brands, acquirers (the banks) are usually responsible for determining how they validate your compliance.
Whether transaction volume counts only eCommerce transactions or payments processed through all channels is decided separately by each payment brand, but in general all transactions are included.
How do I comply with PCI DSS?
Level 1—Criteria: Merchants are required to undertake an "Annual Onsite Security Audit" (reviewed by a Qualified Security Assessor (QSA) company, of which IT Governance is one, or by Internal Audit if signed by an officer of the merchant company and pre-approved by the acquirer) and a quarterly network security scan.
Level 2—Criteria: Merchants are required to undertake an Annual Self-Assessment Questionnaire and a Quarterly Scan by an Approved Scanning Vendor (ASV).
Level 3—Criteria: Merchants are required to undertake a Quarterly Scan by an Approved Scanning Vendor (ASV) and an Annual Self-Assessment Questionnaire.
Level 4—Criteria: Merchants are required to undertake an Annual Self-Assessment Questionnaire and a Quarterly Scan by an Approved Scanning Vendor (the scan may be recommended or required, depending on acquirer compliance criteria).
PCI DSS Benefits
Becoming compliant with the Payment Card Industry (PCI) Standard can help businesses protect their customers' data, win new business, and protect their brand.
Laws exist in various states, including Washington, Minnesota, Nevada, and Massachusetts, which state that businesses are not liable for unauthorized access to credit card information they stored as long as they were PCI-compliant. The PCI DSS Documentation Toolkit is the quickest way to become compliant.
The PCI DSS Documentation Toolkit contains all the templates, tools, and policies you need to conduct your own PCI compliance project quickly and cost-effectively. It contains all the documents you need and essential guidance on how to achieve compliance.
PCI DSS Solutions
IT Governance offers a range of products to assist your organization in becoming PCI DSS compliant: