The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set of requirements that all businesses—regardless of size—must adhere to in order to accept payment cards. Its purpose is to ensure the security of cardholder data and to help prevent credit card fraud, hacking, and other security incidents. It is enforced by the major card brands that make up the PCI Security Standards Council: American Express, Discover, JCB, MasterCard and Visa. WMS's partners sit on the board of the PCI Security Standards Council and are equipped to help you understand and comply with PCI DSS, whether you are a software provider or a merchant.
The twelve PCI DSS requirements catalog the best practices businesses should follow when handling customers' payment cards or payment card information. They are grouped into six categories:

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.
Merchants fall into four levels of PCI compliance, depending on the number of transactions they process each year and on whether those transactions are performed from a brick-and-mortar location or over the Internet. All merchants that process credit cards—whether small or large—must be PCI compliant.

Which level are you on? (Brick & Mortar)

The PCI DSS level a merchant falls into depends both on the number of transactions it processes each year and on whether those transactions are performed from a "brick and mortar" location or over the Internet. A merchant that suffers a security breach compromising cardholder data can automatically be moved into a higher level. What PCI DSS means to merchants who perform transactions primarily from a physical location:
Level 1. Any merchant processing more than six million transactions per year.
Level 2. Any merchant processing between one million and six million transactions a year.
Level 3. Any merchant processing between 20,000 and one million transactions per year.
Level 4. Any other merchant who processes up to one million transactions per year.
Assessment Requirements: Level 1 merchants must undergo an annual on-site PCI security assessment conducted by a Qualified Security Assessor (QSA). (Some Level 1 merchants can perform a self-assessment instead, with the permission of their payment processor and their card brand.) They must also undergo a quarterly vulnerability scan of their network by an Approved Scanning Vendor (ASV).

Merchants in Levels 2, 3 and 4 must all complete an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan conducted by an Approved Scanning Vendor. While the same basic requirements apply, the nature of the questionnaire and the deadlines for reaching compliance vary among Levels 2, 3 and 4.
Penalties for Non-Compliance:
- Credit card associations may move merchants who have suffered a security breach up to Merchant Level 1, triggering more expensive compliance requirements.
- Acquirers (banks which issue credit cards) can impose fines on processors, who may then try to pass those fines on to merchants.
- Acquirers or processors may impose higher processing fees on merchants who have suffered an outage.
- Merchants who have suffered an outage may have to pay tens of thousands of dollars for forensic investigations, litigation or negotiation with acquirers and/or processing firms, in addition to the more expensive compliance requirements that follow.
- Merchants may lose the ability to accept payment cards, essentially crippling their business.