Anyone who’s involved in the retail and/or hospitality market has probably heard something about the Payment Card Industry Data Security Standard (PCI DSS) and “PCI compliance.” However, confusion surrounding PCI DSS and PCI compliance remains. Let’s take a look at some of the most common questions about both.
What is the PCI DSS?
Managed by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS is a set of policies and procedures designed to maximize the security of credit, debit, and cash card transactions and to protect consumers against misuse of their personal information. Visa, MasterCard, American Express, and Discover created the standard in 2004, and it includes very specific directives for PCI compliance.
To whom does the PCI DSS apply?
The PCI DSS applies to any merchant or organization that accepts, transmits, and/or stores any cardholder data. PCI compliance isn’t only for merchants that operate in physical locations; those that conduct business solely online or by telephone must also achieve it.
What are the PCI compliance levels, and how are they determined?
Under the PCI DSS, merchants are categorized by levels based on their Visa transaction volume (credit, debit, and prepaid) over a 12-month period. Merchants in each level must adhere to standards for that level in order to attain PCI compliance.
Merchant Level 1: Any merchant that processes more than six million Visa transactions annually. Also included in this category is any merchant that Visa, at its sole discretion, determines must meet Level 1 requirements to minimize risk to the Visa system. “Channel of acceptance” (e.g., in-store, online) has no bearing here.
Merchant Level 2: Any merchant whose Visa transaction volume ranges from one million to six million transactions per year. Again, channel of acceptance doesn’t apply.
Merchant Level 3: Any merchant with an annual Visa e-commerce transaction volume of 20,000 to one million.
Merchant Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year. This level also encompasses all other merchants that process up to one million Visa transactions per year—regardless of the channel of acceptance in which they operate.
One important caveat to remember here: Merchants that sustain a data breach may, if the incident results in an account data compromise, be escalated to the next compliance level.
How do I satisfy PCI DSS requirements?
There are six main requirements.
Build and maintain a secure network. This means installing and maintaining a firewall to protect cardholder data, as well as avoiding the use of vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data. Safeguarding stored cardholder information and encrypting cardholder data when it is transmitted across open public networks are both essential.
Maintain a vulnerability management program. Vulnerability management practices include using and regularly updating anti-virus software, as well as developing and maintaining secure systems and applications.
Implement strong access control measures. For this aspect of PCI compliance, restrict access to cardholder data to employees who need to view it in order to fulfill their job responsibilities. Each individual with computer access should be assigned a unique ID, and physical access to cardholder data must be restricted.
Regularly monitor and test networks. Access to network resources and cardholder data needs to be tracked and tested on a set schedule. Do the same with security systems and processes.
Maintain an information security policy.
What are the penalties for non-compliance with the standard?
All payment brands—i.e., Visa, MasterCard, American Express, and Discover—have the right to impose fines on acquiring banks for PCI compliance violations. These fines, which range from $500 to $5,000 monthly, are typically passed on to merchants.
In addition to fining merchants that do not adhere to the PCI DSS, banks frequently terminate their relationship with the client in question or, at the very least, raise their transaction fees. While these penalties are not widely discussed or publicized, they can spell ruin for small merchants. That’s why it’s a good idea to carefully review your merchant agreement, which can give you some idea of what to expect should you have a problem with PCI compliance.