Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements mandated by major credit card providers intended to protect cardholder data and reduce fraud. The PCI DSS applies to all organizations involved in the processing of payment card information, including merchants, processors, acquirers, card issuers, and other service providers. Anyone involved in the storage, processing, or transmission of PCI Account Data is in-scope for the PCI DSS.
The 6 main objectives for PCI compliance are:
- Building and maintaining a secure network for processing cardholder data
- Protecting cardholder data both in transit and at rest
- Defining and maintaining a vulnerability management program
- Implementing strong access controls within the cardholder data environment
- Monitoring and testing for network vulnerabilities
- Maintaining an information security policy for corporate governance
Getting Certified
PCI DSS compliance is broken down into four levels.
Merchants
| Level 1 | More than 6 million transactions |
| Level 2 | 1-6 million transactions |
| Level 3 | 20,000 to 1 million transactions |
| Level 4 | Fewer than 20,000 transactions |
Service Providers
| Level 1 | More than 300,000 transactions |
| Level 2 | Fewer than 300,000 transactions |
Organizations that fall into Level 1 must provide a Report on Compliance (RoC), which is an assessment of its security controls. A RoC must be completed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
Organizations in Levels 2-4 can complete a Self-assessment Questionnaire (SAQ).
To achieve certification, organizations must meet these 12 requirements, which all include a number of sub-requirements.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The Risk of Non-compliance
Failure to comply with the PCI Security Standards exposes your organization to financial, security, and reputational risks. The PCI Security Standards Council can fine non-compliant organizations up to $100,000 a month, depending on their volume of transactions.
Failing to implement PCI security requirements increases the chances of a data breach. A breach of cardholder data could result in financial losses due to litigation and a damaged reputation. The PCI Security Standards Council (SSC), which is made up of large credit card companies, may issue stiffer penalties, including the revocation of processing privileges, to non-compliant organizations after a data breach.
How We Can Help
PCI DSS certification can require organizations to meet as many as 350 controls, making it a daunting task for any business to tackle alone. CompliancePoint is an authorized Qualified Security Assessor (QSA). When you partner with us, you get an experienced partner that will guide you through every step of the certification process. We help organizations proactively identify their security gaps, build out frameworks to meet compliance requirements, and can manage their security program on an ongoing basis to maintain certification.
Credit card fraud in the US is at an all-time high. CompliancePoint experts are here to help your organization comply with PCI requirements, reduce the risk of a breach, gain competitive advantage, and increase credibility.
Frequently Asked Questions
All organizations that accept or process payment cards must comply with PCI DSS. The standard is comprised of four different levels. An organization’s level is determined by its number of payment card transactions. Level one certification is the most rigorous; it applies to organizations with more than six million transactions annually.
Organizations not compliant with PCI DSS face fines as large as $100,000 per month, depending on their transaction volume. The card brands and acquiring banks issue the fines.
PCI DSS was designed to protect payment card data in the cardholder data environment (CDE), which is where the data is stored, processed, or transmitted.
PCI 3DS is a security protocol developed specifically to enhance the security of online credit and debit card transactions to prevent fraud.
The PCI Security Standards Council (PCI SSC) is a global forum committed to developing security standards for account data protection. The PCI SSC founders are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
