The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder data that is stored, processed or transmitted by merchants and other organizations. The standard is managed by the PCI Security Standards Council (PCI SSC) and its founders -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
The DSS details 12 requirements that must be met by merchants to be considered "compliant". Compliance, however, is simply a metric for the true goal of the program: to ensure transaction safety for customers. These requirements are:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Each requirement has specific definitions for meeting it, all of which are detailed in the current version of the DSS specification.
Demonstrating Compliance
Consult the Merchant Level table below to determine your Merchant Level and the compliance actions required of you. Many merchants will be able to demonstrate compliance by completing the Self-Assessment Questionnaire (SAQ) and submitting it to their acquirer.
Does the PCI DSS apply to me?
Yes. Compliance with the PCI DSS is mandatory for all merchants who accept credit cards, regardless of sales volume. The only differences are in how much proof of compliance must be provided -- this depends on the Merchant Level (see below).
Why is this being implemented?
The DSS aims to protect our mutual customer: the cardholder. Fraud and identity theft harm all businesses, so protecting against them through security mandates is in everyone's interest.
If I don't comply and suffer cardholder data theft, what happens?
Visa and Mastercard both impose severe fines on merchants who are found to be PCI DSS non-compliant at the time of a data breach concerning cardholder information. Only through compliance can these fines be avoided.
What Merchant Level is my business?
Merchant Level* | Description
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region**. Also any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
How do I show compliance?
Level | Action | Validated By
1 | Annual On-site PCI Data Security Assessment | Qualified Security Assessor, or Internal Audit if signed by an Officer of the company
1 | Quarterly Network Scan | Approved Scanning Vendor
2 | Annual PCI Self-Assessment Questionnaire | Merchant
2 | Quarterly Network Scan | Approved Scanning Vendor
3 | Annual PCI Self-Assessment Questionnaire | Merchant
3 | Quarterly Network Scan | Approved Scanning Vendor
4* | Annual PCI Self-Assessment Questionnaire | Merchant
4* | Quarterly Network Scan (if applicable) | Approved Scanning Vendor
* The PCI DSS requires that all merchants with externally facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.