Businesses across the country take different types of payment options from customers when supplying services and products. During those early days of your operations, you may focus on strictly taking cash payments and personal checks. Yet there may come a time when you decide to expand the types of payment options that will be accepted at checkout.
Now you have entered the world of credit card payments and the security standards set forth in the Payment Card Industry Data Security Standard (PCI-DSS). To help you understand what exactly PCI-DSS is, what the newer version PCI-DSS v3.2 changes, and which misconceptions businesses commonly have about these credit card security standards, we have gathered the important information into this easy FAQ list.
What is PCI-DSS?
Major credit card companies such as MasterCard, Visa, Discover, American Express, and JCB International created the Payment Card Industry Security Standards Council (PCI SSC) to help companies worldwide secure their systems when transmitting, receiving, using, and storing cardholder information. To prevent security breaches and fraud, the PCI SSC maintains and promotes the Payment Card Industry Data Security Standard (PCI-DSS) as a way for businesses and merchants to improve their payment account security controls and network systems.
The PCI-DSS standard is based on 12 requirements that deal with network security and internal controls. With the introduction of PCI-DSS v3.2.1, several new requirements and changes have been added. The requirements are discussed further in the PCI-DSS v3.2.1 section below.
Fact: There Are Multiple Compliance Levels of PCI-DSS
Compliance levels for PCI-DSS are based on the volume of credit card transactions processed within a 12-month period. Visa defines 4 merchant compliance levels, and the same validation levels apply to the aggregated transaction counts of the other card brands and associations. These merchant levels apply to all forms of payment acceptance, including telephone transactions, point-of-sale transactions, mailed-in transactions, and e-commerce transactions.
Merchant Level 1
Any business that processes over 6 million Visa transactions per year, regardless of the payment acceptance channel. Visa can also designate certain businesses as Level 1 regardless of the number of transactions they process per year.
Merchant Level 2
Any business that processes 1 million to 6 million Visa transactions per year, regardless of the payment acceptance channel.
Merchant Level 3
Any business that processes 20,000 to 1 million Visa transactions per year via e-commerce channels.
Merchant Level 4
Any business that processes fewer than 20,000 e-commerce Visa transactions per year, and all other businesses that process up to 1 million Visa transactions per year, regardless of the payment acceptance channel.
Fact: There are Penalties for Non-Compliance
Yes. At the discretion of the credit card company, acquiring banks can be fined from $5,000 up to $100,000 per month. Banks may pass this fine on to the business or merchant, and may also increase the business's transaction fees or terminate the business relationship.
What is PCI-DSS v3.2.1?
PCI-DSS v3.2.1 is the newest version of the standard, released on May 31, 2018. It is a relatively minor release that essentially consists of clarification updates and a correction to previous requirements. It revised and changed several of the requirements that were part of the original PCI-DSS. You can view a summary of changes here.
What is the Prioritized Approach?
The Prioritized Approach groups the 12 PCI-DSS requirements into 6 milestones to provide a roadmap for developing, implementing, and monitoring security controls and policies. It also helps assessors evaluate security controls, so there is more consistency in their auditing methods.
What are the 6 milestones?
The 6 milestones for prioritizing PCI DSS compliance are:
- Removing sensitive authentication data from storage and limiting the amount of data that is retained
- Protecting points of access to systems and networks and responding to system breaches
- Securing payment card applications within application servers, processes, and controls
- Monitoring and controlling all authorized access to networks and systems
- Protecting stored data with key protection mechanisms
- Completing all remaining PCI DSS requirements and finalizing related processes, procedures, and policies
What are the 12 PCI-DSS standards?
The 12 requirements for PCI-DSS v3.2.1 are:
- Installing and maintaining a firewall configuration for networks and systems
- Avoiding the use of vendor-supplied defaults for passwords and other security parameters
- Protecting stored cardholder data
- Using encryption when transmitting cardholder data across open, public networks
- Using and regularly updating anti-virus software
- Developing and maintaining secure systems and applications
- Restricting access to cardholder data to those with a business need to know
- Assigning a unique ID to each user who needs to access cardholder data
- Restricting physical access to cardholder data
- Tracking and monitoring all access to network resources and cardholder data
- Regularly testing security systems and processes
- Maintaining an information security policy
Each requirement is further broken down into multiple sub-requirements that provide detailed guidance for improving your security systems and methods. By following them, you can mitigate risks to your systems and better protect cardholder data.
Misconceptions about PCI-DSS
Over the years, there have been many misconceptions regarding PCI-DSS compliance. Here are a few common myths about these security standards.
PCI-DSS is voluntary.
No. Any business that engages in credit card transactions must follow the PCI-DSS requirements to safeguard cardholder information.
PCI-DSS only applies to businesses that store credit card information.
No. Any business or merchant that accepts credit card payments, transmits cardholder data, processes transactions, and/or stores cardholder information falls under the PCI-DSS requirements, whether or not it stores the data.
My business can stay PCI-DSS compliant if I use a single vendor and product, or if I outsource the card processing tasks.
No single vendor or product covers all 12 PCI-DSS requirements, or even more than a subset of the underlying standards. Instead, you should create a comprehensive security strategy that achieves PCI compliance and then use products and vendors that complement your network security to provide additional protection.
If you decide to outsource your credit card transactions, you still need to meet PCI-DSS compliance when transmitting cardholder data to the outsourced provider. You also need to verify that the provider you use is itself PCI-DSS compliant.
Read about more misconceptions about PCI-DSS here.
Meet PCI-DSS Security Standards with Auditing Assessments
The PCI-DSS standard provides tools and training for businesses to assess their current security methods and institute procedures for greater payment account security. To help you comply with the standard, I.S. Partners has a team of Qualified Security Assessors certified by the PCI Security Standards Council to audit your security controls, systems, and policies. Send us a message or call us at 215-675-1400 today to find out how we can help you maintain PCI-DSS compliance.
Editor’s Note: This post was originally published in July 2017 and has been updated for accuracy and comprehensiveness.