The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard for organizations/establishments that handle all branded credit cards from the major card. The PCI Standard is delegated by the card brands and directed by the Payment Card Industry Security Standards Council.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all establishments that accept, process, store or transmit credit card data maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing progression of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was formed by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to understand that the payment brands and appropriator are responsible for enforcing compliance, not the PCI council.
To whom does the PCI DSS apply?
The PCI DSS applies to any establishment, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Where can I find the Payment Card Industry Data Security Standard (PCI DSS)?
The current Payment Card Industry Data Security Standard (PCI DSS) documents can be found on the PCI Security Standards Council website. (https://www.pcisecuritystandards.org/document_library)
What is the PCI compliance ‘levels’ and how are they determined?
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one Doing Business As (‘DBA’), Visa appropriators must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the authentication level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple Doing Business As (‘DBA’), appropriators will continue to consider the Doing Business As (‘DBA’) individual transaction volume to determine the validation level.
If I only accept credit cards over the phone, does PCI DSS still apply to me?
Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.
Do organizations using third-party processors have to be PCI DSS compliant?
Yes. Simply using a third-party company does not eliminate a company from PCI DSS compliance. It may cut down on their risk exposure and subsequently reduce the effort to validate compliance. Nevertheless, it does not mean they can ignore the PCI DSS.
Our company doesn’t store credit card data, PCI compliance doesn’t apply to us, correct?
If you accept credit or debit cards as a form of payment, then PCI compliance applies to your establishment. The storage of card data is chancy, so if you don’t store card data, then becoming secure and compliant may be easier.
What are the penalties for non-compliance?
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your affiliation or rise transaction fees. Penalties are not openly discussed nor widely revealed, but they can be disastrous to a small business. It is important to be familiar with your merchant account agreement, which should summarize your exposure.
What is a vulnerability scan?
A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. As provided by an Approved Scanning Vendors (ASV’s) such as ControlScan, the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
How often do I have to have a vulnerability scan?
Every 90 days/once per quarter, those who fit the above criteria are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as ControlScan. (https://www.controlscan.com/)
What if my business refuses to cooperate?
PCI is not a law. The standard was created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At their appropriators’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.