PCI DSS stands for Payment Card Industry Data Security Standards. PCI has been established to offer the highest level of trust and security to customers using payment cards. These security standards apply to all companies that process, store or transmit card and related customer information.
According to Visa®, during the last two years, more than 80% of all known cases of identity theft have occurred in smaller businesses. As a result, major credit card companies developed the Payment Card Industry Data Security Standard for merchants.
Table of Contents
PCI DSS provides four levels of merchant classifications. A Level 4 Merchant is a merchant that processes less than 1MM of either Visa or MasterCard transactions or processes less than 20,000 Visa or MasterCard eCommerce transactions.
The Payment Card Industry mandates that all merchants must be certified under these Data Security Standards. However, many companies have found implementing PCI DSS requirements confusing. As a result, many companies do not yet meet PCI DSS requirements and face regulatory fines as well as potentially crippling losses of customer data – and customer trust.
About PCI Compliance
Security and protection are always an issue for merchants and business owners. As a result of increased payment card fraud, the Security Standards Council has made PCI compliance mandatory.
PCI compliance is the set of standards created to obstruct and prevent further theft of personal information at the merchant level. The PCI compliance requirements are strictly enforced by the payment card brands, including Visa and MasterCard. Therefore, all merchants who transmit, store, or process credit card information or transactions must comply.
PCI Security Implementation Guide
Check 1: Build and Maintain a Secure Network
IRN PCI has a firewall and router system to protect cardholder information. Firewall performs tests when configuration changes, identifies all connections to cardholder information, and reviews configuration rules every 6 months. In addition, a firewall prohibits unauthorized access from networks and hosts. It denies direct public access to any information about the cardholder.
Check 2: Protect Cardholder Data
Cardholder data is secured in a cryptographic form. All information is encrypted when transmitting data across public networks to prevent criminals from stealing personal information during the process.
We have to limit the accessibility of cardholder information by installing passwords and other security measurements to restrict access to cardholder data. The physical access to Cardholder data should be Monitored and restricted. All outdated cardholder information needs to be destroyed.
Check 3: Regularly Monitor and Test Networks
Keeps system activity logs that trace all activity and review daily. Internal and external networks should be scanned to identify any possible vulnerable areas in the system.
Additionally, ensure that all engines are up to date. Anti-virus software present on all computers associated with the network. In addition to anti-virus software, security patches have to be installed on each computer to avoid exposing cardholder data.
Check 4: Maintain an Information Security Policy
Merchants, processors, and PSPa need to establish a security policy covering all PCI DSS compliance requirements and includes annual procedures to recognize any security breaches and day-to-day security policies.
In addition, perform background checks on potential employees and educate new and current employees about the latest compliance regulations.
In today's economy, merchants are required to evaluate operating costs & processing fees thoroughly, all while operating and running a business. Therefore, companies and merchants of all sizes will save time and money by having the PCI process set up to monitor security standards and protection clauses.
How to Become PCI Compliant
Being PCI DSS compliant is not so simple. However, with the picture-guided questionnaire, convenient online network scan, and easy-to-understand requirements, any company, large or small, can be PCI compliant.
Frequently Asked Questions
- What is PCI DSS?
- Who does the PCI Data Security Standards Compliance Program apply to?
- What benefits does PCI compliance offer?
- What is "cardholder data"?
- Is compliance validation ever required from Level 4 merchants?
- What is a "High Risk" merchant?
- When is it allowed to store magstripe data?
- What is needed if a merchant does not store cardholder-sensitive data?
- Are there any fines for compromising cardholder data?
- What is the cost of completing the PCI DSS certification process?
What is PCI DSS?
Payment Card Industry Data Security Standard is a worldwide information security standard that defines increased controls around data and its exposure to help prevention of credit card fraud.
Who does the Payment Card Industry Data Security Standards Compliance Program apply to?
The program encompasses all merchants and third-party service providers that store, process, or transmit cardholder data.
What benefits does PCI compliance offer?
It is a good business practice to adhere to the PCI standards and protect cardholder information. Additionally, MasterCard®, Discover®, and Visa® Networks may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards.
What is "cardholder data"?
Cardholder data is any personally identifiable data associated with a cardholder. For example: a social security number, account number, name, address, expiry date, etc. The account number is a critical component that makes the PCI Data Security Standards applicable. The PCI Data Security Standards applies to all cardholder data transmitted, stored, or processed.
Is compliance validation ever required from Level 4 merchants?
Yes. Suppose a Level 4 merchant is deemed to be a "High Risk" merchant. In that case, they are required to validate compliance with the PCI Data Security Standards.
What is a "High Risk" merchant?
Currently, merchants that are using non-compliant payment applications fall into this "High Risk" category. Those are applications that store magnetic stripe, Cardholder Verification Value (CVV / CVV2), Card Validation Code 2 (CVC2), or Card Identification (CID).
When is it allowed to store magstripe data?
It is not acceptable to retain magnetic stripe data subsequent to transaction authorization.
What is needed if a merchant does not store cardholder-sensitive data?
Suppose a merchant does not store cardholder data. In that case, the PCI Data Security Standards still apply to the environment that processes or transmits cardholder data. This includes services from any service provider(s) that a merchant uses.
Are there any fines for compromising cardholder data?
Yes. Suppose cardholder data that you are responsible for is compromised. In that case, the following liabilities and fines associated with non-compliance can be enforced:
- Potential fines of up to $500K (in the discretion of MasterCard, Visa, Discover Network, or other card companies).
- All fraud losses incurred based on the use of the compromised account numbers, from the date of compromise forward.
- Cost of all card re-issuing, that are associated with the compromise.
- Cost of any additional fraud prevention/detection activities required by the card associations (i.e., a forensic audit) or costs incurred by the card issuers associated with the compromise (i.e., additional monitoring for fraudulent activity).
What is the cost of completing the PCI DSS certification process?
Yes, there is a cost associated with the PCI DSS certification process. However, keep in mind that the nominal fee charged is nothing compared to the possible fines and penalties.
Here are some useful documents from the PCI website:
Author: Drasko Georgijev
I'm a financial technology professional with 15+ years of experience in payment cards, eCommerce, transaction processing and switching.
From time to time, I'm sharing some useful tips, tactics and news about Digital Commerce and Fintech.
So don't forget to share this post and subscribe to my mailing list.
Got questions? Ping me on LinkedIn.