PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is an initiative supported by credit card companies and merchants, which provides a unified strategy for the protection of credit card user information. The initiative aims to combat credit card fraud and related security breaches.
American Express, Discover Financial Services, JCB International, Mastercard and Visa—introduced PCI DSS 1.0 in December 2004.
Businesses that directly deal with credit card data must adhere to 300+ requirements defined in the PCI security standard (organized into 12 high level requirements). Businesses that do not directly deal with card data need to adhere to fewer security requirements, as sensitive data is handled by third parties and not stored by the business.
To become PCI compliant, you must meet the 12 PCI compliance requirements, which are split up into 300 sub-requirements. The following PCI compliance requirements include security systems, organizational processes, testing and policies that can help protect cardholder data.
A PCI compliance audit is a routine audit required of merchants that process credit card transactions to make sure that they are compliant with the Payment Card Industry Data Security Standard (PCI DSS) set up by various credit card companies. Merchants may undergo regular PCI compliance audits, or an alleged violation can trigger a particular audit.
See how VGS can help you with audits.
PCI DSS offers a baseline of twelve (12) technical and operational requirements to use as an essential part of an organization’s validation process during a compliance assessment.
See the official quick reference guide for PCI DSS v3.2.1
Merchants agree to pay fees if they fail to comply with the PCI DSS when they sign a contract with a payment processor. Penalties can vary from payment processor to payment processor and are more extensive for companies with higher payment volumes. There will be no fines imposed on your payment processors or credit card companies for working with an unsuitable business. These companies will almost certainly transfer fines to your business to compensate for losses from your negligence. You can expect financial penalties from these companies anywhere from $ 5,000 to $ 10,000 per month for violating PCI compliance guidelines.
Compliance validation involves the evaluation and confirmation that the security controls & procedures have been properly implemented as per the policies recommended by PCI DSS. In short, the PCI DSS, security validation/testing procedures are mutually a compliance validation tool. A PCI DSS assessment has the following entities.
An Internal Security Assessor is an individual who has earned a certificate from the PCI Security Standards Company for their sponsoring organization. This certified person has the ability to perform PCI self-assessments for their organization. This ISA program was designed to help Level 2 merchants meet the new Mastercard compliance validation requirements. ISA certification empowers a worker to do an inward appraisal of his/her association and propose security solutions/ controls for the PCI DSS compliance. As the ISAs are upheld by the organization for the PCI SSC affirmation, they are in charge of cooperation and participation with QSAs.
PCI Scans are scans run using an automated web security scanner to check the merchant/ service provider/ payment gateway/ third-party payment processor’s systems and IT infrastructure for vulnerabilities. The scanner will test networks, web applications, OS, services, devices and so on to identify gaps and loopholes that an attacker may leverage to infiltrate the systems and gain access to confidential information.
PCI Compliance mandates two independent methods of vulnerability scanning – internal and external. These scans generate an extensive report of the vulnerabilities present, providing references for further research and recommendations for remediation. PCI SSC Approved Scanning Vendor (ASV) must conduct scanning, especially external scanning.
See how VGS can help you with PCI vulnerability scans.
Stated, PCI DSS Level 1 is a set of requirements designed to ensure the highest level of security for businesses that store, transmit, or process credit card data.
The highest compliance level, PCI DSS Level 1, identifies any merchant who processes more than 6 million Visa transactions per year. This high level of verification is granted only if the merchant, at Visa’s discretion, meets level 1 requirements set to minimize risk to the system.
PCI Compliance Level 1 is one of four PCI merchant compliance levels and two service provider compliance levels established to protect the security of credit card and cardholder data in e-commerce and in-store transactions.
A “Level 1” merchant is defined by the Payment Card Industry Data Security Standard (PCI DSS) as someone who processes at least 1 million, 2.5 million, or 6 million transactions per year, depending on which credit cards the merchant accepts. Therefore, PCI Compliance Level 1 is the highest and most stringent PCI DSS level.
Merchants and service providers exposed to a breach or cyberattack resulting in the compromise of credit card or cardholder data must meet PCI Level 1 requirements, regardless of size, processing, storage, or transmission.
PCI Merchant Level 1 criteria depend on the merchant’s accepted brands of payment or credit cards:
Level 1 is the highest level of compliance and applies to merchants who process more than 6 million Visa e-commerce transactions per year, or any merchant that has suffered a data breach resulting in the compromise of cardholder data. To achieve PCI DSS Level 1 compliance, a company must meet all of the requirements for Level 2, 3, and 4 compliance, as well as the following additional requirements:
In addition to these requirements, Level 1 merchants are also required to undergo quarterly network scans by a PCI SSC-approved scanning vendor (ASV). These scans are designed to detect vulnerabilities in the merchant's network that could be exploited by attackers to gain access to cardholder data.
Merchants aren’t the only entities that need to be PCI compliant. For example, to accept payment cards, payment and internet service providers (ISPs) must also demonstrate ongoing and ongoing security of their cardholder environments against data breach and PCI compliance.
Payment Card Industry Data Security Standard (PCI DSS) Level 2 merchants are those that process between 1 and 6 million Visa, Mastercard, and Discover transactions per year; 50,000 to 2 million sales using American Express, and fewer than 1 million JCB International credit card transactions.
Service providers–entities that process credit card payments for merchants and their financial institutions (also known as “acquiring banks”) or that handle card and cardholder data in some other capacity, such as data destruction–qualify as PCI Compliance Level 2 if they process, store, or transmit fewer than 300,000 total card transactions annually.
Compliance verification requirements for PCI DSS level 2 merchants are as follows:
The compliance criteria for PCI DSS level 2 service providers are as follows:
Compliance verification requirements for PCI DSS level 2 service providers are as follows:
PCI DSS compliance Level 3 applies to mid-sized merchants, generally speaking, that process 20,000 to 1 million credit card transactions per year. However, as with all PCI compliance levels, the exact number of transactions that qualify a merchant for PCI Level 3 is highly dependent on which credit cards the merchant accepts. Also, for PCI Level 3, the number of e-commerce transactions versus in-store transactions is essential.
Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria:
Note that card provider JCB does not have Level 3. All sellers who process less than 1 million JCB transactions per year qualify as Level 2 merchants.
Level 3 is the second-highest level of compliance and applies to merchants who process between 20,000 and 1 million Visa e-commerce transactions per year. To achieve PCI DSS Level 3 compliance, a company must meet all of the requirements for Level 4 compliance, as well as the following additional requirements:
In addition to these requirements, Level 3 merchants are also required to undergo a quarterly network scan by a PCI SSC-approved scanning vendor (ASV). This scan is designed to detect vulnerabilities in the merchant's network that could be exploited by attackers to gain access to cardholder data.
It's important to note that these requirements are just the minimum required for PCI DSS Level 3 compliance. Depending on the specific nature of a company's business and the types of transactions it processes, additional security measures may be necessary.
PCI Compliance Level 4 is the lowest compliance level under the Payment Card Industry Data Security Standard (PCI DSS). PCI Level 4 applies to merchants who process fewer than 20,000 Visa or Mastercard e-commerce transactions per year or a total of up to 1 million Visa or Mastercard credit card transactions and are not subject to a data breach or hack that compromises card or cardholder data.
Discover, American Express or JCB neither have a PCI Level 4 designation. Instead, Discover and American Express stop at PCI Level 3; JCB, on the other hand, has only two trader levels.
Level 4 is the lowest level of compliance and applies to merchants who process fewer than 20,000 Visa e-commerce transactions per year. To achieve PCI DSS Level 4 compliance, a company must meet the following requirements:
It's important to note that these requirements are just the minimum required for PCI DSS Level 4 compliance. Depending on the specific nature of a company's business and the types of transactions it processes, additional security measures may be necessary.
As a business that accepts credit cards, you will be required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) to demonstrate that information security is a top priority.
To complete a PCI DSS Level 4 self assessment, your business will need to follow these steps:
It's important to note that self-assessment is just one step in the PCI DSS compliance process. Depending on the specific nature of your business and the types of transactions you process, you may also need to undergo a more formal assessment by a PCI SSC-approved Qualified Security Assessor (QSA).
There is not a regulatory mandate that requires PCI compliance, but it is regarded as mandatory through court precedent.
The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards.
In general, PCI compliance is required by credit card companies to make online transactions secure and protect them against identity theft. Any merchant that wants to process, store or transmit credit card data is required to be PCI compliant, according to the PCI Compliance Security Standard Council.