PCI Security Compliance
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the major credit card associations (Visa, MasterCard, American Express, Discover, and JCB), requires all merchants and service providers that store, process, or transmit cardholder data to adhere to its security guidelines. The requirements also apply to all system components, defined as any network component, server, or application that is included in, or connected to, the cardholder data environment.
The security guidelines are in place to help protect cardholder data from being compromised. With the increase in identity theft and security breaches, it is more important than ever to ensure cardholder data is properly secured. A compromise carries severe consequences, including reputational and financial risks. Financial risks can include, but are not limited to, fines from merchant banks, incident fees from the card associations, civil liability, and the added cost of providing identity theft protection. Non-compliance with the PCI DSS by itself may result in stiff penalties, including substantial fines, restrictions, and permanent loss of credit card processing privileges.
REQUIREMENTS
The PCI requirements listed below will help organizations protect cardholder data. The PCI Security Standards Council makes an in-depth version of the PCI DSS available for download from its website.
| Build and Maintain a Secure Network |
| Requirement 1 | Install and maintain a firewall configuration to protect cardholder data. |
| Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data |
| Requirement 3 | Protect stored cardholder data. |
| Requirement 4 | Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program |
| Requirement 5 | Use and regularly update anti-virus software. |
| Requirement 6 | Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures |
| Requirement 7 | Restrict access to cardholder data by business need-to-know. |
| Requirement 8 | Assign a unique ID to each person with computer access. |
| Requirement 9 | Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks |
| Requirement 10 | Track and monitor all access to network resources and cardholder data. |
| Requirement 11 | Regularly test security systems and processes. |
| Maintain an Information Security Policy |
| Requirement 12 | Maintain a policy that addresses information security. |
Merchant Levels and Requirements
All merchants, no matter how large or small, must comply with all parts of the PCI DSS. Validation requirements vary by business and are contingent on the merchant level, as shown in the chart below.
| Merchant Level | Criteria | Validation Actions | | |
| | | On-Site Security Audit | Self-Assessment Questionnaire | Network Vulnerability Scan |
| Level 1 | VISA or MasterCard: • Process more than 6 million transactions annually from any channel • Any merchant who has experienced a data compromise • Any merchant who is identified as a level 1 merchant with any card association | Required Annually | N/A | Required Quarterly |
| Level 2 | VISA or MasterCard: • 1 million to 6 million transactions annually from any channel • Any merchant who is identified as a level 2 merchant with any card association | N/A | Required Annually | Required Quarterly |
| Level 3 | VISA or MasterCard: • 20,000 to 1 million ecommerce transactions annually | N/A | Required Annually | Required Quarterly |
| Level 4 | VISA: • Less than 20,000 ecommerce transactions annually, or up to 1 million transactions from any channel. MasterCard: • All other merchants | N/A | Required Annually | Required Quarterly |
Related Resources
For more detailed information on PCI DSS please visit the resources below: