PCI DSS Program

PCI Compliance

PCI Compliance is adherence to Payment Card Industry Data Security Standard (PCI DSS) administered by the Payment card industry security standards council (PCI SSC). It was established in 2006 in collaboration with the different payment card brands: American Express, Discover, JCB, MasterCard and Visa. The requirements are designed to reduce payment card compromises and data theft by helping you secure your sensitive information and reduce your vulnerability to attacks.
PCI standards protect card information during and after a financial transaction. Hence PCI compliance is necessary for all card brands. All the members must adhere to these standards if they want to accept credit cards for payment. Failure to meet the compliance standards can result in fines from credit card companies and even lose the ability to process credit cards.

Businesses and merchants are required to process, store and transmit payment cardholder data in compliance with these requirements so that it is kept private and secure. PCI compliance has become crucial for any online transactions since credit card fraud continue to be major threats to businesses. That is the reason PCI Compliance is necessary right from the large stores to the small shops. All the players in the credit card payment process must be PCI compliant, including payment service providers and banks.

PCI Compliance requirements

There are six main requirements for PCI compliance. The vendor must:


Maintain a secure network

This standard refers to the actual network that cardholder data is exposed to.

• Install and maintain a hardware and software firewall to protect cardholder data.
• Ensure all security measures have been taken to protect the network.
• Use vendor recommended defaults for major security parameters.

Protect Cardholder Data

This standard focus on how cardholder data should be stored and transmitted.

• Protect stored cardholder data.
• Encrypt transmitted data across open, public networks so that even if someone gets access to the data may not decipher the information.
• Make sure the data transmitted is encrypted with at least a 128 bit SSL certificate to meet the standard.

Maintain a Vulnerability Management Program

This standard focus on keeping up to date with your systems.

• Regularly update anti-virus software.
• Regularly update computer hardware, operating systems and software.
• Develop and maintain secure systems and applications.
• Run regular virus scans if your systems is susceptible to vulnerabilities.

Implement Strong Access Control Measures

This standard focus on restricting physical access to cardholders data by limiting access to only those persons who need to use it.

• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

This standard focus on monitoring and testing the network that store cardholder data on a regular basis

• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.

Maintain an Information Security Policy

This standard identifies how it is important to draft and implement a company-wide information security policy.

• Maintain a policy that addresses information security.
• Make sure the employees know and understand their responsibilities with regards to cardholder data.

Various levels of PCI Compliance

All the merchants who process credit cards must be PCI compliant. These merchants fall under four categories depending on the number of electronic transactions they make each year. However each payment card brand has its own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC)  developed these standards, compliance is mandated by the individual payment card brands like Visa, MasterCard, American Express, Discover and JCB.

PCI compliance level definitions:

Level 1 - Merchants processing over 6 million transactions annually. Annual internal audit with a qualified PCI auditor is mandatory.

Level 2 - Merchants processing from 1 million to 6 million transactions annually on all channels. The merchant must complete an annual self-assessment questionnaire (PCI SAQ) in addition to a required quarterly network scan performed by an approved scanning vendor.

Level 3 - Merchants processing from 20,000 to 1 million e-commerce transactions annually. The merchant must conduct an annual risk assessment using self-assessment questionnaire (PCI SAQ).

Level 4 - Merchants processing less than 20,000  e-commerce transactions and less than 1 million other transactions annually. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).

The nature of the questionnaires depends on PCI Compliance level, however basic requirements remains the same. The internet-based merchants at each PCI Compliance level must undergo a quarterly vulnerability scan performed by an approved scanning vendor.
 

What are my requirements?

As a merchant who stores, processes or transmits payment card data, you are required to be PCI DSS compliant by the payment brands and your merchant bank. To achieve PCI DSS compliance, you need to complete:

1. An annual Self-Assessment Questionnaire (SAQ) to determine if you are taking the proper precautions to protect your payment card data, similar to an insurance questionnaire, and
2. Quarterly security scans if your systems are connected to the Internet. The scans look for weaknesses that an attacker might use to access your systems. A PCI-certified Approved Scanning Vendor (ASV) must conduct these scans.

Failure to comply with the PCI DSS can result in data breaches and fines. You may also lose the ability to accept payment cards.

What if I have questions?

If you have any questions regarding the compliance program or require assistance, please contact Merchant Industry's team at info@merchantindustry.com or by calling 866.811.1005.