What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment.
Who created PCI compliance?
It was created in 2004 by Visa, MasterCard, Discover, American Express, and JCB. It is entirely enforced by card networks, banks, and merchant services providers, not law enforcement.
Who does PCI compliance impact?
If your company accepts, processes, stores, or transmits credit card data, you should adhere to PCI standards, regardless of your industry. While PCI compliance isn’t a legal mandate and your business cannot be subject to legal penalties for failing to maintain compliance, it is imperative to protect your customers (and business) from a data breach. As you know, data breaches can cost your business millions of dollars and loss of customer loyalty.
You can also be subject to fines for lack of compliance by payment brands themselves. They have been known to fine acquiring banks up to $100k per month for PCI compliance violations. These fines are then often passed along to the merchants (you) and may result in relationship termination or increased transaction fees.
What are the PCI compliance guidelines?
Standards
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices:
GOALS AND PCI DSS REQUIREMENTS
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Levels of compliance
The top credit card companies have different levels of compliance, dependent upon the volume of transactions your business processes each year. As an example, the Visa merchant levels have been provided below:
MERCHANT LEVEL AND DESCRIPTION
Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.