PCI-DSS is a worldwide set of industry tools and measurements set up to help businesses process card payments and store sensitive cardholder information securely to reduce card fraud.
What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
The PCI Data Security Standard is a common set of industry tools and measurements to help ensure the safe handling of sensitive cardholder information. Initially created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
Why does PCI-DSS exist?
As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats. The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals. When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.
Who is PCI-DSS for?
If you take card payments, you have to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). This is a mandatory security requirement for all businesses that take card payments, whether that is in person, over the phone or online.
Does PCI-DSS apply to me?
PCI DSS applies to anyone involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage. You will belong to one of four merchant levels:
Level One – Any merchant processing over 6 million Visa or MasterCard transactions per year, or who has suffered an attack that resulted in an account data compromise, or who has been identified as Level 1 (validated by an Independent Qualified Security Assessor or by an Internal Audit signed by a Company Officer).
Level Two – Any merchant processing one to six million Visa or MasterCard transactions per year.
Level Three – Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.
Level Four – Any merchant processing fewer than 20,000 Visa or MasterCard transactions per year. Or all other merchants processing up to one million Visa or MasterCard transactions a year.
Why do I need to be compliant?
Compliance with PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information. Compliance improves your reputation with acquirers and payment brands, the partners you need in order to do business. According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety.
What happens if I am not compliant?
Compromised data negatively affects consumers, merchants, and financial institutions. Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future. Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and a depressed share price if yours is a public company. Possible negative consequences also include lawsuits, insurance claims, payment card issuer fines and government fines.
Do I just need to become compliant once?
Compliance is an on-going process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future.
What are the Requirements?
It’s important to know the standards, as you may be storing cardholder information (e.g. receipts from terminals or emails that have cardholder details in them) in a way that the standard does not allow. The standard is broken down into six logical sections:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data*.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
*To qualify for PCI compliance, Level 4 clients (those with fewer than 20,000 transactions a year) will need to fill out their own Self-Assessment Questionnaire.