The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that store or process any of the following credit cards: American Express, Discover, JCB, MasterCard, and Visa. PCI DSS compliance is mandated by these card brands and steep fines can result for non-compliance. Depending on the circumstances, non-compliant merchants may have to pay anywhere from $5,000 to $100,000 every month until all compliance issues are addressed.

To achieve PCI DSS compliance, an organization must meet all applicable PCI DSS requirements. Technology and business operations inherently change over time. Thus, PCI DSS compliance is a continuous process. This process starts with assessing the current environment against the PCI DSS requirements. From the initial assessment, there will invariably be items needing to be added/changed/removed within the cardholder data environment (CDE) to enhance security and bring the organization closer into alignment with PCI DSS.

Before Partners in Regulatory Compliance (PIRC) performs an assessment with your organization, we’ll consult with you to determine which Self-Assessment Questionnaire (SAQ) type applies to you. The applicable SAQ type depends on your environment such as if you have a telephone-only point-of-sale terminal, if your CDE involves an IP-based network, if you have eCommerce as part of the mix, and so forth. The abbreviated table below illustrates this concept. “X” means “applies to”.

There are 12 main PCI requirements with sub-requirements in each section. The applicability of each main and sub-requirement will depend on the SAQ type your organization must fill out each year.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

In addition to the SAQ types, it is important to know what merchant level applies to your organization. There are four merchant levels. Each level has different requirements as defined below.

Level 1

Criteria:

  • Merchants processing more than 6 million Visa, Mastercard, or Discover transactions annually via any channel
  • Merchants processing more than 2.5 million American Express transactions annually
  • Merchants processing more than 1 million JCB transactions annually
  • Merchants that have suffered a data breach or cyberattack that resulted in cardholder data being compromised
  • Merchants that have been identified by another card issuer as Level 1

Validation Requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 2

Criteria:

  • Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
  • Merchants processing between 50,000 to 2.5 million American Express transactions annually
  • Merchants processing less than 1 million JCB transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 3

Criteria:

  • Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually
  • Merchants processing 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions annually
  • Merchants that process 20,000 to 1 million Discover card-not-present only transactions annually
  • Less than 50,000 American Express transactions

Validation Requirements:

  • SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4

Criteria:

  • Merchants processing less than 20,000 Visa or Mastercard e-commerce transactions annually
  • All other merchants processing up to 1 million Visa or Mastercard transactions annually

Validation Requirements:

  • These largely depend on the requirements of the merchant’s acquiring bank
  • Typically include an SAQ and Quarterly Network Scan by ASV