What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.
What are the PCI DSS compliance levels?
The PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.
- Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
- Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
- Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
- Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
What are the PCI DSS requirements?
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.
The PCI DSS is composed of six goals and twelve requirements, as follows:
Goal #1: Building and maintaining a secure network
Requirements:
- Maintain a firewall configuration
- Ensure unique, original system passwords
Goal #2: Protect cardholder data
Requirements:
- Protect stored cardholder data
- Encrypt cardholder data transmitted across public networks
Goal #3: Maintain a vulnerability management program
Requirements:
- Use anti-virus software and keep it updated
- Develop secure systems and applications
Goal #4: Implement strong access control measures
Requirements:
- Restrict cardholder data on a need-to-know basis
- Assign a unique ID to each person in the organization with computer access
- Restrict physical access to cardholder data
Goal #5: Monitor and test networks
Requirements:
- Track and monitor any access to cardholder data and relevant network resources
- Regularly test security systems and processes
Goal #6: Maintain an information security policy
Requirements:
- Create an information security policy and enforce it in the organization
What are the Penalities for PCI Voilations?
PCI fines are not published or reported, and usually end up passed to the merchants. Banks pass the fines along as increased transaction fees or termination of business relationships.
Fines vary from $5,000 to $100,000 per month until the merchants achieve compliance. That kind of fine is manageable for a big bank, but it could easily put a small business into bankruptcy.