Learn about PCI Compliance

What is PCI Compliance?

PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council (PCI SSC), a body founded by the major card brands, and it sets a single baseline of controls for protecting cardholder data wherever it is stored, processed or transmitted. Its purpose is to reduce payment card fraud and the data breaches that feed it.

When did PCI compliance start?

The five major card brands (American Express, Discover Financial Services, JCB International, Mastercard and Visa) introduced PCI DSS 1.0 in December 2004, consolidating the separate security programs each brand had run until then.

Who is subject to PCI compliance?

Businesses that directly handle card data must meet the full set of roughly 300 sub-requirements defined in the standard (organized under 12 high-level requirements). Businesses that never touch card data themselves, because a third party such as a payment gateway or tokenization provider captures and stores it on their behalf, have a much smaller set of applicable requirements, since the sensitive data never enters their own systems.

How to become PCI Compliant?

To become PCI compliant, you must meet the 12 high-level PCI DSS requirements, which break down into roughly 300 sub-requirements. They cover security systems, organizational processes, testing and policies that protect cardholder data; the checklist further down lists the 12 high-level requirements.

PCI Compliance Audit

A PCI compliance audit is a periodic assessment of a merchant or service provider that handles payment card transactions, confirming that it meets the Payment Card Industry Data Security Standard (PCI DSS) set up by the card brands. Audits run on a regular cycle (annually for entities whose level requires a Report on Compliance), and a suspected breach or violation can trigger an additional, targeted audit.

See how VGS can help you with audits.

PCI DSS compliance checklist

PCI DSS defines a baseline of twelve (12) technical and operational requirements that form the backbone of an organization's validation during a compliance assessment:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and keep antivirus software up to date
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

See the official quick reference guide for PCI DSS v3.2.1. Note that v3.2.1 was retired on 31 March 2024 and superseded by PCI DSS v4.0; the 12 high-level requirements are preserved in v4.0 (some are reworded, for example Requirement 1 now covers "network security controls" rather than only firewalls), but the sub-requirements were restructured, so check the current version before planning an assessment.

What happens if you fail PCI Compliance?

When a merchant signs a contract with an acquiring bank or payment processor, it agrees to penalties for failing to comply with the PCI DSS. The card brands impose these fines on the acquirer, not on the merchant directly, and the acquirer passes them on to the merchant under the terms of the merchant agreement. Penalties vary between acquirers and grow with payment volume; the figures commonly cited are in the range of $5,000 to $10,000 per month for ongoing non-compliance, on top of the costs of any breach investigation and the possibility of losing the ability to accept cards at all.

Who enforces PCI compliance?

The PCI SSC maintains the standard but does not enforce it. Enforcement comes from the card brands and the acquiring banks, which decide what form of validation each merchant or service provider must submit. Compliance validation is the evaluation and confirmation that the security controls and procedures required by the PCI DSS have actually been implemented; the testing procedures published alongside each requirement are the tool used for that validation. A PCI DSS assessment involves the following roles and artifacts:

  • Qualified Security Assessor (QSA): an independent assessor certified by the PCI SSC to perform on-site assessments
  • Internal Security Assessor (ISA): an employee of the assessed organization certified by the PCI SSC to perform internal assessments
  • Report on Compliance (ROC): the detailed assessment report produced after an on-site assessment
  • Self-Assessment Questionnaire (SAQ): the validation form completed by entities that are not required to undergo an on-site assessment

Who certifies PCI compliance?

Strictly speaking, the PCI SSC certifies assessors, not merchants: an organization's compliance is validated by a ROC or SAQ and accepted by its acquirer or the card brands. A Qualified Security Assessor (QSA) is an independent company, and the individual assessors it employs, certified by the PCI SSC to perform on-site assessments and produce the Report on Compliance. An Internal Security Assessor (ISA) is an employee of the assessed organization who has earned ISA certification from the PCI Security Standards Council through their sponsoring organization. A certified ISA can perform internal PCI assessments for that organization, recommend security controls and remediation for PCI DSS compliance, and coordinate with the external QSA during an on-site assessment. The ISA program was introduced to help Level 2 merchants meet Mastercard's compliance validation requirements, which require a Level 2 merchant's SAQ to be completed by an ISA or QSA.

PCI vulnerability scan

PCI scans are automated vulnerability scans of the systems and IT infrastructure of a merchant, service provider, payment gateway or third-party payment processor. The scanner probes networks, web applications, operating systems, services and devices to identify weaknesses (missing patches, exposed services, weak TLS configurations, default credentials) that an attacker could use to break into the cardholder data environment.

PCI DSS Requirement 11.2 mandates two separate kinds of vulnerability scanning, internal and external, run at least quarterly and after any significant change to the environment. Internal scans may be performed by qualified internal staff or a third party, but external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). Both produce a report of the vulnerabilities found, with references for further research and remediation guidance; a passing external scan requires that no vulnerability rated CVSS 4.0 or higher remains open, so findings must be fixed and rescanned, not just documented.

See how VGS can help you with PCI vulnerability scans.

PCI Compliance Levels

PCI Level 1 Compliance

Simply stated, PCI DSS Level 1 is the set of requirements that applies to the largest businesses that store, transmit or process credit card data, and it demands the most rigorous validation.

The highest compliance level, PCI DSS Level 1, covers any merchant that processes more than 6 million Visa transactions per year. Visa can also place a merchant at Level 1 at its own discretion, regardless of volume, to minimize risk to the payment system.

PCI Compliance Level 1 is one of four PCI merchant compliance levels and two service provider compliance levels established to protect the security of credit card and cardholder data in e-commerce and in-store transactions.

Merchant levels are defined by each card brand rather than by the PCI DSS itself: a "Level 1" merchant is one that processes at least 1 million, 2.5 million or 6 million transactions per year, depending on which card brand is setting the threshold. In every brand's program, Level 1 is the highest and most stringent level.

Merchants and service providers that suffer a breach or cyberattack compromising card or cardholder data can be escalated to Level 1 by the card brands, regardless of their transaction volume.

PCI Level 1 Requirements

PCI Merchant Level 1 criteria depend on the merchant’s accepted brands of payment or credit cards:

  • Visa, Mastercard and Discover classify as Level 1 any merchant that processes more than 6 million transactions per year.
  • American Express sets the Level 1 threshold at 2.5 million transactions per year.
  • JCB sets the Level 1 threshold at 1 million transactions per year.

Merchants aren't the only entities that need to be PCI compliant. Service providers such as payment gateways, processors and hosting providers that store, process or transmit cardholder data on a merchant's behalf must also validate their compliance and demonstrate ongoing protection of their cardholder data environments.

PCI Level 2 Compliance

Payment Card Industry Data Security Standard (PCI DSS) Level 2 merchants are those that process between 1 million and 6 million Visa, Mastercard or Discover transactions per year; between 50,000 and 2.5 million American Express transactions; or fewer than 1 million JCB International transactions.

Service providers (entities that process card payments for merchants and their acquiring banks, or that handle card and cardholder data in some other capacity, such as hosting or data destruction) qualify as PCI Compliance Level 2 if they process, store or transmit fewer than 300,000 card transactions annually; above that volume they are Level 1 and must undergo an on-site assessment.

PCI Level 2 Requirements

Compliance verification requirements for PCI DSS level 2 merchants are as follows:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly external network scan by a PCI SSC Approved Scanning Vendor (ASV)
  • Signed Attestation of Compliance (AOC)

A service provider qualifies as PCI DSS Level 2 if it processes, stores or transmits fewer than 300,000 card transactions per year. Compliance validation requirements for Level 2 service providers are as follows:

  • Annual Self-Assessment Questionnaire (SAQ D for service providers)
  • Quarterly external network scan by an Approved Scanning Vendor (ASV)
  • Annual penetration test
  • Quarterly internal vulnerability scanning
  • Signed Attestation of Compliance (AOC)

PCI Level 3 Compliance

PCI DSS compliance Level 3 applies to mid-sized merchants, generally those that process 20,000 to 1 million e-commerce transactions per year. As with all PCI compliance levels, the exact thresholds depend on which card brands the merchant accepts. For Level 3 in particular, the split between e-commerce and in-store transactions matters, because the level is defined by card-not-present volume.

PCI Level 3 Requirements

Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria:

  • Processes 20,000 to 1 million Visa e-commerce transactions per year
  • Processes more than 20,000 Mastercard e-commerce transactions per year but no more than 1 million total Mastercard transactions per year
  • Processes 20,000 to 1 million Discover card-not-present (e-commerce) transactions per year
  • Processes fewer than 50,000 American Express transactions per year

Note that JCB does not define a Level 3. All merchants that process fewer than 1 million JCB transactions per year are Level 2 merchants.

PCI Level 4 Compliance

PCI Compliance Level 4 is the lowest compliance level under the Payment Card Industry Data Security Standard (PCI DSS). It applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year and no more than 1 million total Visa or Mastercard transactions per year, and that have not suffered a breach compromising card or cardholder data.

American Express stops at Level 3 and JCB defines only two merchant levels, so neither has a Level 4 designation; Discover's merchant levels mirror those of Visa and Mastercard.

PCI Level 4 Requirements

Merchants that qualify as PCI Level 4 validate PCI DSS compliance according to their acquiring bank's requirements, since the card brands leave Level 4 validation to the acquirer. Typically this means:

  • Completing the appropriate Self-Assessment Questionnaire (SAQ) annually
  • Having an Approved Scanning Vendor (ASV) perform a quarterly external network scan

PCI Level 4 self assessment

As a business that accepts payment cards but is not required to undergo an on-site assessment, you validate compliance by completing a PCI DSS Self-Assessment Questionnaire (SAQ).

Completing the SAQ is part of your annual compliance process. The SAQ is a validation tool consisting of questions that map directly to the PCI DSS requirements. There are several SAQ types, chosen by how you handle card data: SAQ A, for example, applies to merchants that fully outsource card handling to a validated third party, while SAQ D is the full questionnaire for everyone who does not qualify for a shorter form. Using a tokenization or hosted-payment provider so that card data never touches your systems is what makes the shorter questionnaires available.

When filling out your SAQ, you answer a series of yes-or-no questions about each applicable PCI DSS requirement. If you answer "no" to a question, you must either document why the requirement is not applicable to your environment or describe the status of the remediation work in progress.

The SAQ is accompanied by an Attestation of Compliance (AOC), in which you declare your eligibility for that SAQ type and attest to the results. Every business demonstrating PCI DSS compliance must complete the appropriate Self-Assessment Questionnaire, unless it is at a higher compliance level that requires a Report on Compliance produced by a Qualified Security Assessor in an on-site assessment.

When do I need PCI compliance?

Is PCI compliance required by law?

PCI DSS is not itself a law. It is a contractual obligation imposed through the merchant agreement with your acquiring bank and, through the acquirer, the card brands, so non-compliance is enforced with fines and the loss of card acceptance rather than by regulators. A few jurisdictions have written parts of it into statute (the US state of Nevada, for example, requires businesses handling payment card data to comply with PCI DSS), and regulators and courts frequently treat it as the benchmark for reasonable security when a breach is litigated.

Is PCI compliance international?

The PCI DSS is a global standard: any business of any size, in any country, that accepts payment cards from the participating brands must adhere to it.

Who needs PCI compliance?

In general, PCI compliance is required by the card brands to secure card transactions and protect cardholders against fraud. According to the PCI Security Standards Council, any merchant or service provider that stores, processes or transmits cardholder data is required to comply with the PCI DSS.