Payment Card Industry Data Security Standard, also known as PCI DSS, is the set of requirements established by an independent council that ensures when credit card data is processed, stored, or transmitted, it will stay in a secure environment. The PCI Security Standards Council (SSC) was launched in 2004 as the result of a collaboration between American Express, Discover, JCB, Mastercard, and Visa. There are four levels of PCI DSS compliance.
What is PCI DSS Level 1 compliance? Level 1 is the highest level of PCI standards for merchants that process more than six million card transactions annually across all channels, and for merchants that have suffered a data breach in the past.
The PCI SSC says that though it “is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA (qualified security assessor).”
A merchant can prove compliance through:
In the event the payment brand is not satisfied by the documentation submitted, the SSC says the merchant can “perform remediation to address requirements that are not in place and provide an updated report.”
As the Council explains, merchant-based vulnerabilities can appear in a number of places within the credit card processing ecosystem including point-of-sale and mobile devices, on personal computers or servers, via wireless hotspots and remote access connections, in software applications, and more. However, vulnerabilities can also occur with companies, vendors, and partners of financial institutions. The reason for PCI DSS compliance is to “alleviate these vulnerabilities and protect cardholder data.”
Merchants that fall into Level 2 (processing between one and six million transactions annually), Level 3 (processing 20,000 to a million transactions annually), and Level 4 (processing less than 20,000 transactions annually) can upgrade to PCI DSS Level 1 Compliance if they choose to do so. Being Level 1 compliant can make you appear more trustworthy to customers, and can help businesses when they are negotiating with banks because it tells them your company takes personal data and credit card security seriously.
According to SSC, to be compliant a merchant needs to do the following:
⇒ Build and maintain a secure network and systems
Click here to learn more about the PCI Security Standards.
Keep in mind that the PCI DSS is a set of security standards, it is not a law. However, that doesn’t mean that failure to comply is not without its ramifications. Non-compliance is enforced through contracts between merchants, payment brands, and acquiring banks. What this means is that each payment brand (Discover, Visa, American Express, and MasterCard) can choose to penalize the acquiring banks for non-compliance with a fine, and these banks can withdraw the ability to accept card payments from the merchants that are non-compliant.
Want to know if your business is compliant with Payment Card Industry Data Security Standards? Reach out to us for expert guidance on a PCI self assessment or support with your ongoing cybersecurity compliance.