PAYMENT CARD INDUSTRY-DATA SECURITY STANDARDS

Overview

On September 7, 2006 the major card brands (Visa, MasterCard, American Express, Discover and JCB) joined forces to protect consumers and merchants from the card-data breaches that had been taking place. The result was the formation of the Payment Card Industry Security Standards Council (PCI SSC), pcisecuritystandards.org. This council put in place the PCI DSS, the proprietary information security standard for all organizations that store, process or transmit cardholder data for any of the major card brands. It contains a set of security requirements that cover everything from how your POS terminals must be set up and how your wireless network must be secured to eCommerce and more. To validate compliance, most merchants complete an annual Self Assessment Questionnaire and, where their card-handling environment requires it, quarterly external network vulnerability scans.

PCI DSS

Merchant Levels

1) Understand Your Merchant Level. 

(Not to worry, as your provider, we will determine this.) 

Each card brand defines its own merchant levels. To give you an example, here are Visa's (the most widely used card). Visa divides merchants into 4 levels based on the number of Visa transactions processed over 12 months. Your level determines how stringent your PCI Compliance program must be.

  • Level 1 – Process over 6 million Visa transactions per year (any channel).
  • Level 2 – Process between 1 and 6 million Visa transactions per year (any channel).
  • Level 3 – Process between 20,000 and 1 million Visa eCommerce transactions per year.
  • Level 4 – Process fewer than 20,000 Visa eCommerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.

(Note: these are transaction counts, not dollar amounts.)

Links to the card brands' merchant level definitions are listed here:

Complete Self Assessment Questionnaire (SAQ)

The SAQ is a set of documents containing questions based on the requirements of the PCI DSS. There are 12 requirements for compliance, organized into 6 groups, and each requirement is broken down into sub-requirements. There are 9 variations of the SAQ, but you will only have to complete one. The one presented to you corresponds to how your business handles credit cards (for example, whether card data is entered on a terminal, taken over the phone, or processed through a third-party eCommerce page).

Attestation Of Compliance (AOC)

After the SAQ you will need to complete the AOC, which is attached to your SAQ. By signing it you attest that you have complied with all the steps applicable to your business.

The AOC also has 9 variations. Like the SAQ, you will only complete one. 

Submitting the Documents

The final step is to submit your completed SAQ and AOC along with any other required documents, such as ASV scan reports.

Validation of compliance is performed annually: organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC), while companies handling smaller volumes validate through the Self-Assessment Questionnaire (SAQ).

Compliance Process Recap

  1. Determine your compliance level.
  2. Complete Self Assessment Questionnaire.
  3. Complete Attestation of Compliance form.
  4. If your SAQ type requires it, have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and obtain evidence of a passing scan.
  5. Submit all the above.

Is It Mandatory?

There is no federal law requiring PCI Compliance. However, some states, such as Nevada, have written PCI Compliance into their state law.

Aside from that, businesses that are not PCI Compliant may be subject to fines, sanctions and loss of card-acceptance privileges from the acquiring bank or processor that clears their credit card payments. If the PCI failure results in the loss of cardholder data, the business could face fines, higher processing fees, and other sanctions from the banks and card processors. Businesses can also be subject to lawsuits and government prosecution for failing to protect customer data. If a data breach occurs and your business was not PCI Compliant, you may be held liable for the resulting damages, including the costs of the breach investigation and card reissuance.

Summary

Becoming PCI Compliant is necessary for anyone accepting credit cards. You will be reminded as your compliance due date approaches, either by email or on your statement. Not to worry, our PCI Compliance partners are available to assist you with completing this task.

Download Free e-book – “PCI for Dummies”