What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated security initiative which was created to offer merchants and service providers a complete, unified approach to safeguarding credit cardholder information for all card brands.

In September of 2006, a group of five leading payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.
What conditions must be met to be PCI DSS compliant?
The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data, and they affect all payment channels: retail (brick and mortar), mail/telephone order, and e-commerce. Every entity that stores, processes, or transmits cardholder data must be PCI compliant.

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.

The updated version, version 1.2, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the PCI Security Standards Council. The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The PCI Data Security Standard is comprised of 12 general requirements designed to:
Build and maintain a secure network.
Protect cardholder data.
Ensure the maintenance of vulnerability management programs.
Implement strong access control measures.
Regularly monitor and test networks.
Ensure the maintenance of information security policies.
PCI-DSS Validation Requirements
While the newly-established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by individual payment card brands. While requirements vary between card networks, MasterCard's Site Data Protection Plan and Visa's Cardholder Information Security Program are representative.

They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure, as outlined in the table below.

Merchant Level / Selection Criteria / Validation Actions / Validated By

Level 1
Selection criteria: Any merchant - regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1.
Validation actions: Annual On-Site Security Audit AND Quarterly Network Scan.
Validated by: Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor.
Deadline: Level 1 Merchants should have validated compliance by September 30, 2004.

Level 2
Selection criteria: 1 million – 6 million Visa or MasterCard transactions per year.
Validation actions: Annual PCI Self-Assessment Questionnaire AND Quarterly Network Scan.
Validated by: Merchant; Qualified Independent Scan Vendor.
Deadline: Validation is required no later than June 30, 2005. *Merchants new to Level 2 as of 8/06 are required to validate by 9/30/07.

Level 3
Selection criteria: 20,000 – 1 million Visa or MasterCard e-commerce transactions per year.
Validation actions: Annual PCI Self-Assessment Questionnaire AND Quarterly Network Scan.
Validated by: Merchant; Qualified Independent Scan Vendor.
Deadline: Validation is required no later than June 30, 2005.

Level 4
Selection criteria: Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year.
Validation actions: Recommended Annual PCI Self-Assessment Questionnaire* AND Quarterly Network Scan.
Validated by: Merchant; Qualified Independent Scan Vendor.

*Note: Compliance is mandatory for Level 4 Merchants. The SAQ may be required by the processor.

What happens if my business does not comply with PCI Regulations?
PCI regulations provide strong incentives for acquiring banks to ensure their merchants and service providers achieve and maintain PCI compliance. In the event a breach of cardholder information occurs, any non-PCI compliant organization will suffer extremely damaging direct penalties handed down from these banks, including but not limited to:
Fines up to $500,000.00 per incident.
Loss of the right to accept credit cards (often this is permanent).
Responsibility for all financial losses that result from the breach.
Responsibilities can include theft, fraud, card replacement, etc.

Navigating the requirements for PCI compliance can be a daunting and time consuming task. Let one of our experts show you how easy protecting your clients and your business can be. Call us today at 1-800-903-HOST for a free consultation!

For more information on PCI DSS, we suggest the following links:

Wall Street Journal on PCI and Small Business

PCI Security Standards Council Website

PCI Compliance Blog - from Practical Ecommerce