Understanding PCI Compliance
Understanding PCI compliance is essential for any business that accepts card payments, but what is PCI Compliance? PCI DSS (Payment Card Industry Data Security Standard) is a set of standards established by the PCI Security Standards Council with the aim of protecting credit card data and reducing the risk of fraud.
Any business that accepts card payments must comply with the guidelines and requirements set, which means handling and maintaining cardholders' information, including card details, in a way that keeps it secure.
PCI Compliance Covers 6 Main Areas:
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall
- Don’t use vendor defaults for passwords and security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program
- Protect against malware and regularly update anti-virus software
- Develop and maintain security systems and applications
Implement Strong Access Control Measures
- Restrict cardholder data on a need-to-know basis
- Identify and authenticate access to systems
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Who Is Subject to PCI Compliance?
The PCI council created PCI Self-Assessment Questionnaires to validate your compliance. There are four different levels of PCI compliance. Which level your organization must meet is based primarily on the volume of credit card transactions you process in a 12-month period.
Level 1
Organizations that process more than 6 million transactions via Visa or MasterCard, or more than 2.5 million via American Express; or that have experienced a data breach; or that are deemed Level 1 by a card association such as Visa, MasterCard or Amex.
Level 1 PCI DSS Requirements:
- Annual Report on Compliance by a Qualified Security Assessor (QSA), also known as an onsite assessment
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance for Onsite Assessments (AOC)
Level 2
Organizations that process between 1 million and 6 million transactions annually.
Level 2 PCI DSS Requirements:
- Annual PCI DSS Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance for Onsite Assessments (AOC)
Level 3
Organizations that process between 20,000 and 1 million online transactions annually; or organizations that process fewer than 1 million total transactions annually.
Level 3 PCI DSS Requirements:
- Annual PCI DSS Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance for Onsite Assessments (AOC)
Level 4
Organizations that process fewer than 20,000 online transactions annually; or organizations that process 1 million or fewer total transactions annually.
Level 4 PCI DSS Requirements:
- Annual PCI DSS Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance for Onsite Assessments (AOC)
Page 18 of the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire will help you choose the right SAQ and AOC for your organization.
PCI Compliance May Not Cover All Requirements
To find out more about what payment compliance means for your business, read Payment Processing Compliance Explained.