What is PCI Compliance?

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Definition at: Wikipedia

The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.

The Current PCI DSS documents can be found on the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/document_library

PCI DSS 12 requirements is a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS). The requirements were developed and are maintained by the Payment Card Industry (PCI) Security Standards Council.

The PCI DSS 12 requirements are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access. 
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data. 
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

What are PCI compliance levels and how are they determined?

Based on Visa:

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Merchant Level 1:

Any Merchant regardless of acceptance channel processing over 6M Visa transactions per Year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Merchant Level 2:

Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.

Merchant Level 3:

Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Merchant Level 4:

Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

What happens if you are not PCI compliant?

If a data breach happens as a result of PCI non-compliance, the card networks may fine your processor for failing to maintain standards. Merchants ignoring the growing adoption of PCI DSS do so at their own peril as the penalties for non-PCI compliance are severe. Non-PCI compliant merchants and payment processors can face fines from $5,000 to $100,000 per month, depending on a variety of factors.