PCI Compliance

In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was created by major payment card brands to manage the continuing evolution of the Payment Card Industry’s security standards and address the threats to security in the transaction process. The PCI Data Security Standard (PCI DSS) is a set of requirements designed to ensure that any company processing, storing or transmitting credit card information maintains a secure environment. It is the payment brands and acquirers, however, that enforce compliance, not the PCI council. The same is also true for non-compliance penalties.


The cost of becoming PCI DSS Compliant depends on a number of factors. These include what type of business you run, the number of transactions processed annually, existing IT infrastructure, and current payment card processing and storage practice. But nothing is more important than keeping a customer’s payment card information safe. Just look at the class-action lawsuits cropping up against brands such as Marshalls for breaches.


In a snapshot, there are three main steps a merchant must take to adhere to the PCI DSS:

Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

Remediate: Fix vulnerabilities and do not store cardholder data unless necessary.

Report: Compile and submit required remediation validation records (if applicable), and submit compliance reports to the Acquiring Bank and any card brands with which you conduct business.


There are four different PCI “levels” that merchants fall into, depending on their businesses. The fourth level covers merchants with the fewest transactions, processing only up to $1M Visa transactions. You will have to refer to your merchant bank for its specific validation requirements and deadlines. PCI compliance is an ongoing effort for each merchant, and all deadline enforcement will come from your merchant bank. Validation of compliance, however, must be made annually. This is performed either by an external Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.