The Payment Card Industry Security Standards Council (PCI SSC, or just PCI) is an organization started by the five major credit card brands to develop an across-the-board standard for payment card security. The standard they developed will be put into force by these companies—American Express, JCB, VISA, MasterCard, Discover—in July of 2010. If you take credit cards online, you will need to be in compliance by then. Here is what you will need to know.
The Standards
Before you can be PCI compliant, you need to have a grasp of the standards you will have to meet.
PCI DSS: The Payment Card Industry Data Security Standard. This is the standard the industry put in place to fight data theft, and it is broken down into 12 main security requirements. To be truly PCI DSS compliant, you will have to adhere to all of them, but the depth of validation you will have to provide depends on how many transactions your company processes in a year. The twelve requirements, grouped into 6 areas, are:
- Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update anti-virus software
  - Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security
PA DSS: The Payment Application Data Security Standard. It applies specifically to companies that develop or operate the payment applications that online merchants (like yourself) use to process transactions, shopping carts for example. This standard makes sure that your shopping cart's payment application software processes your customers' credit cards according to the proper security specifications, to protect against fraud and theft.
Complying with the Standards
What is required by way of compliance depends on which of four merchant levels you fall into. These levels are based on the number of transactions you process each year. Compliance is validated through an auditing process that involves a Report on Compliance (written for you by an outside assessor) or a Self-Assessment Questionnaire, plus a procedure called PCI Scanning.
Report on Compliance. This report is submitted to your acquirer—the bank or processing company you contracted with to be able to process credit cards—and it demonstrates that you are, in fact, compliant. The scope of this report varies depending on the merchant level you fall into.
PCI Scanning. This is done quarterly and involves a third-party PCI ASV (Approved Scanning Vendor) scanning all of the publicly accessible IP addresses involved in the transaction process. That usually means your own IP address as well as the IP address of any third-party shopping cart hosted by your shopping cart provider during checkout, because the entire transaction needs to be conducted under the PCI DSS and PA DSS.
The Four Merchant Levels. To know what you will need to do to comply with the PCI standards, check which of the four merchant levels you fall into:
Level 1: Over 6,000,000 transactions a year.
- Use an onsite assessor called a QSA to evaluate your security and write an in-depth Report on Compliance for you.
- Quarterly PCI Scans.
Level 2: Between 1,000,000 and 6,000,000 transactions a year.
- Complete a Self-Assessment Questionnaire (SAQ).
- Quarterly PCI Scans.
- Credit card information report (a one-page form stating that you don't keep certain types of credit card information on file).
Level 3: Between 20,000 and 1,000,000 transactions a year.
- Complete a Self-Assessment Questionnaire (SAQ).
- Quarterly PCI Scans.
Level 4: Between 1 and 20,000 transactions a year.
- Complete a Self-Assessment Questionnaire (SAQ).
- Quarterly PCI Scans.
If you are wondering what the ROI on doing all of this will be, aside from being able to process credit and debit cards in a safe and secure way, it really boils down to public perception. When consumers see that your website is secure, they are more apt to trust doing business there and that translates into more sales for you. It is an investment you can’t afford to miss. For more information, visit PCI at www.pcisecuritystandards.org/