PCI DSS Services from Keep IT Secure.

PCI DSS

It is imperative that any business that accepts debit or credit cards as payment for its goods or services apprises itself of PCI DSS, which is explained below. The bottom line is that unless merchants achieve compliance with this standard, it is they, and not the credit or debit card companies, who will in future bear the cost of cards being compromised or used fraudulently. Consequently, the potential implications for businesses that do not achieve compliance are far reaching and costly. Read on.

Introduction

PCI DSS stands for Payment Card Industry Data Security Standard. Its development was initiated by the major credit card companies Mastercard, Visa, American Express, Discover Network and JCB Card, and it started as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.

The standard is now established under the administration of an independent body, the PCI Security Standards Council (PCI SSC). A company processing, storing or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and/or being fined. It is the banks, not the card brands or the PCI SSC, who enforce compliance with the standard.

All merchants and payment card service providers must validate their compliance periodically. Above a set number of transactions processed, this validation must be conducted by third-party auditors approved by the PCI SSC. PCI DSS Qualified Security Assessors (QSAs) assess overall compliance with the standard, while Approved Scanning Vendors (ASVs) assess the technical measures in place to protect the credit card data. Smaller companies, processing fewer than about 20,000 transactions a year, are allowed to complete a self-assessment questionnaire instead.

Requirements

The current version of the standard specifies 12 requirements for compliance, organized into 6 logically related groups called control objectives.

The control objectives are:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Compliance requirements depend on a merchant's activity level. There are four levels, based on the annual number of credit/debit card transactions. The following are guidelines only; the card brands and banks determine the exact levels for their own merchants.

Level 1

  • Criteria: Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised.
  • Requirements: Annual onsite security audit and quarterly network security scan.

Level 2

  • Criteria: Merchants with 1,000,000 to 6 million transactions a year (the base was 150,000, but VISA and MasterCard have both increased it to 1 million).
  • Requirements: Annual Self Assessment Questionnaire and a quarterly scan by an Approved PCI Scanning Vendor.

Level 3

  • Criteria: Merchants with 20,000 to 1,000,000 transactions a year.
  • Requirements: Quarterly scan by an Approved PCI Scanning Vendor and an annual Self Assessment Questionnaire.

Level 4

  • Criteria: Merchants with fewer than 20,000 transactions.
  • Requirements: Annual Self Assessment Questionnaire; quarterly scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria).