PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
On September 7, 2006 the major card brands (Visa, MasterCard, American Express and the others) collaborated to protect consumers and merchants from the card data breaches that had been taking place. The result was the formation of the Payment Card Industry Security Standards Council (PCI SSC), pcisecuritystandards.org. This council maintains the PCI DSS, the information security standard that applies to every organization that stores, processes or transmits cardholder data for the major card brands. It contains a set of security requirements covering everything from how a POS terminal must be set up and segmented on your network (including any wireless network) to eCommerce and more. To validate compliance, a typical merchant completes an annual Self Assessment Questionnaire and, where its environment is exposed to the internet, passes a quarterly external network scan.
1) Understand Your Merchant Level.
(Not to worry, as your provider, we will determine this.)
Each card brand has its own merchant levels. As an example, here are Visa's (the most widely used card). Visa divides merchants into 4 levels based on Visa transaction volume over 12 months. Your level determines how stringent your PCI Compliance validation must be.
- Level 1 – Process over 6 million Visa transactions a year (any merchant that has suffered a breach can also be placed here at Visa's discretion).
- Level 2 – Process between 1 and 6 million Visa transactions per year.
- Level 3 – Process between 20k and 1 million Visa eCommerce transactions per year.
- Level 4 – Process under 20k Visa eCommerce transactions per year, or any other merchant with up to 1 million Visa transactions per year.
(Note: these are transaction counts, not dollar amounts.)
Each of the other card brands publishes its own level definitions on its website.
Complete Self Assessment Questionnaire (SAQ)
This is a set of documents containing questions based on the requirements of the PCI DSS. There are 12 requirements for compliance, organized into 6 groups. Each requirement has sub-requirements, and there are 9 variations of the SAQ. You will only have to complete one. The one presented to you depends on how your business handles card data: for example, a merchant that fully outsources card acceptance to a validated third party and never touches card data on its own systems qualifies for the short SAQ A, while a merchant that stores cardholder data on its own systems must complete the full SAQ D. The less card data your systems handle, the smaller your scope and the shorter your questionnaire.
Attestation Of Compliance (AOC)
After the SAQ you will need to complete the AOC, which is attached to your SAQ. This is your formal declaration that you have met all the requirements applicable to your environment.
The AOC also has 9 variations, one matching each SAQ. Like the SAQ, you will only complete one.
Submitting the Documents
The final step is to submit your completed SAQ and AOC along with any other required documents, such as ASV scan reports.
Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) who produces a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self Assessment Questionnaire (SAQ) for companies handling smaller volumes.
Compliance Process Recap
- Determine your compliance level.
- Complete Self Assessment Questionnaire.
- Complete Attestation of Compliance form.
- If needed, complete and keep evidence of passing quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
- Submit all the above.
Is It Mandatory?
There is no federal law requiring PCI Compliance. However, some states, such as Nevada, have written PCI DSS compliance into their state law.
Aside from that, businesses that are not PCI Compliant may be subject to fines, sanctions and loss of card acceptance privileges from the acquirer or processor that clears their card payments. If non-compliance results in the loss of card data, the business can face fines, higher processing fees and other sanctions from banks and card processors. Businesses can also be subject to lawsuits and regulatory action for failing to protect customer data. If a data breach occurs while you are not PCI Compliant, your business may be held liable for the resulting losses, such as fraud losses, card reissuance and forensic investigation costs.
Becoming PCI compliant is necessary for anyone accepting credit cards. You will be reminded as your compliance due date approaches, either by email or on your statement. Not to worry, our PCI Compliance partners are available to assist you with completing this task.