WHAT IS PCI Compliance?
“Of the 80 companies surveyed by The Security Division of EMC, 52.5 percent have not reported compliance, while 47.5 percent have done so. However, while 55 percent of merchants within Levels 1, 2 and 3 have met the requirements, compliance drops significantly within the Level 4 merchant community. In fact, only 19 percent of Level 4 merchants said they had reported compliance.”
Payment Card Industry Compliance
The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.
The PCI Data Security Standard comprises 12 general requirements designed to:
- Build and maintain a secure network;
- Protect cardholder data;
- Ensure the maintenance of vulnerability management programs;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Ensure the maintenance of information security policies.
Payment Card Industry (PCI) Compliance is an initiative that is being strongly enforced by the four major credit card companies (Visa, MasterCard, Discover and American Express). PCI Standards must be met by all businesses that take credit, debit or pay cards from the top four major card industry providers: American Express, Discover, MasterCard and Visa. PCI Compliance Standards are not laws – they are contractual obligations with the credit card companies. Credit card companies may enforce the terms of their contracts by imposing fines and/or sanctions against companies that do not comply with each credit card company's standards.
Starting on September 30, 2007, there will be immediate fines for companies that have not validated their PCI compliance.
What is Payment Card Industry (PCI) Compliance?
Payment Card Industry (PCI) Compliance is a set of security standards that were created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect their customers from increasing identity theft and security breaches.
Do I need to become compliant?
Any company that accepts, processes, or stores credit card information needs to comply with the standards set by the Payment Card Industry. In addition, any company that hosts its website on a server that also hosts a website that accepts, processes, or stores credit card information must comply as well.
What are my requirements for PCI Compliance?
The requirements for becoming Payment Card Industry (PCI) Compliant are dependent upon the merchant level that a company falls under. Merchants are divided into four different levels based on the number of transactions they process throughout a year.
PCI Data Security Standard Compliance for Merchants
| Merchant Level | Selection Criteria | Validation Actions | Validated By |
| --- | --- | --- | --- |
| 1 | Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | Annual On-Site Security Audit and Quarterly Network Scan | Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor. Level 1 Merchants should have validated compliance by September 30, 2004 |
| 2 | 1 million – 6 million Visa or MasterCard transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor. Validation is required no later than June 30, 2005. *Merchants new to Level 2 as of 8/06 are required to validate by 9/30/07 |
| 3 | 20,000 – 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor. Validation is required no later than June 30, 2005 |
| 4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | Recommended Annual PCI Self-Assessment Questionnaire and Recommended Annual Network Scan | Merchant; Qualified Independent Scan Vendor. Note: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended |
What kind of a scan needs to be performed?
Vulnerability Assessment Scans must be performed by Payment Card Industry Approved Scanning Vendors (ASVs). The scan is performed over all externally facing IP addresses that touch the credit card acceptance, transmission and storage process. Scan results must be submitted to the merchant bank on a quarterly basis.
How long does it take to become compliant?
The PCI compliance process can take anywhere from one day to two weeks. The amount of time it takes for a company to be considered PCI Compliant depends on the threats the PCI scan discovers and the amount of time it takes to complete the self-assessment questionnaire.
How do I report compliance?
Both the passing PCI Scan and the Annual Self-Assessment Questionnaire should be submitted to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.
What Happens If My Business Does Not Comply with PCI Compliance Regulations?
Visa has set strong incentives for acquiring banks to ensure their merchants and service providers achieve and maintain PCI compliance. In the event a breach of cardholder information occurs, any non-PCI-compliant organization will suffer extremely damaging direct penalties handed down from these banks, including but not limited to:
- Fines up to $500,000 per incident
- Loss of the right to accept credit cards (oftentimes permanently)
- Responsibility for all financial losses that result from the breach
- Responsibilities can include theft, fraud, card replacement, etc.