
PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global standard established by the major card associations to ensure the protection of cardholder data.  Built around twelve requirements, the PCI DSS obliges merchants to secure both their physical and virtual environments so that cardholder data is protected.  As a merchant accepting credit cards as a form of payment, you are required by the card associations to adhere to the PCI DSS.  The PCI DSS consolidates the security programs of Visa and MasterCard, the Cardholder Information Security Program (CISP) and Site Data Protection (SDP), respectively.

The PCI DSS sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging.  It also includes procedural mandates, such as the need to implement formal, documented security policies and a vulnerability-management program.  These requirements were developed to ensure that cardholder data is protected throughout the transaction process.  Compliance with the standard applies to all types of merchants: retail, mail order/telephone order (MO/TO), and Internet.  All merchants need to follow best practices for the storage and destruction of all paper or electronic records containing account numbers or other cardholder data.  Additionally, merchant service providers that process credit cards on a merchant's behalf must themselves be PCI compliant.

Importance of PCI Data Security Standard Compliance and/or Certification

Ensuring the safety of your customers' cardholder information helps your business create and maintain a positive image, enhance customer confidence, and even improve your bottom line.  Additional benefits include:

  • By adhering to the data security standard, businesses can significantly reduce their exposure to fraud losses resulting from the theft of cardholder data.
  • Compliance with the programs can lead to enhanced consumer confidence, which can result in higher sales.
  • Compliance with the PCI DSS is mandatory.  If you or your service providers are not compliant with the PCI DSS, the card associations can levy fees and fines against you, and your credit card processing services can be terminated.

PCI Assessment Requirements

The more credit card transactions a merchant processes, the more stringent the compliance procedure.  For most merchants, compliance consists of passing quarterly or annual network vulnerability scans and completing an annual self-assessment questionnaire.  If you process more than 20,000 e-commerce transactions or 6 million total Visa/MasterCard (V/MC) transactions per DBA annually, you will need to provide evidence of certification from a V/MC certified vendor.


The PCI Data Security Standard

All merchants that accept credit cards are required to comply with the PCI DSS, including retail stores (card-present transactions) and Internet or mail order/telephone order businesses (card-not-present transactions).  The twelve requirements, as published by the PCI Security Standards Council, are grouped under six goals:

  • Build and Maintain a Secure Network
    - Install and maintain a firewall configuration to protect data
    - Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    - Protect stored cardholder data
    - Encrypt transmission of cardholder data and sensitive information across public networks
  • Maintain a Vulnerability Management Program
    - Use and regularly update anti-virus software
    - Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    - Restrict access to data by business need-to-know
    - Assign a unique ID to each person with computer access
    - Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    - Track and monitor all access to network resources and cardholder data
    - Regularly test security systems and processes
  • Maintain an Information Security Policy
    - Maintain a policy that addresses information security
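The "Protect stored cardholder data" and "Track and monitor all access" requirements are where merchants most often slip in practice: a full primary account number (PAN) ends up in an application or web-server log that was never meant to hold cardholder data.  The following is an added example, not part of the original page or of any PCI SSC material, showing one routine control for that failure mode: scan log lines for PAN-like digit runs, confirm them with the Luhn check digit test that every real PAN satisfies, and mask any hit down to the first six and last four digits (the most PCI DSS permits to be displayed).  The log lines, the regular expression, and the function names are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits (so a 20-digit ID is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every card PAN passes it, so it filters most noise."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (separators removed) found in one log line."""
    return [
        _strip_separators(m.group(0))
        for m in PAN_CANDIDATE.finditer(line)
        if luhn_valid(_strip_separators(m.group(0)))
    ]


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def repl(m):
        digits = _strip_separators(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines) -> list:
    """Return (line_number, scrubbed_line) for every line that carried a full PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            hits.append((n, scrub_line(line)))
    return hits


# Constructed sample log (hypothetical, not from any real system).
# Line 1 and line 4 leak a full PAN (well-known test card numbers);
# line 2 is already masked; line 3 is a Luhn-invalid decoy.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO checkout order=88213 card=4111-1111-1111-1111 amount=42.00",
    "2024-03-01T10:15:03Z INFO checkout order=88214 card=411111******1111 amount=19.99",
    "2024-03-01T10:15:04Z DEBUG session=4111111111111112 ua=curl",
    "2024-03-01T10:15:05Z INFO refund order=88213 card=5500 0000 0000 0004 amount=42.00",
]


if __name__ == "__main__":
    for line_no, scrubbed in scan_log(SAMPLE_LOG):
        print(f"PAN found on line {line_no}; scrubbed: {scrubbed}")
```

Run it against an application log and any hit is a finding in its own right: the fix is to stop the PAN reaching the log (or to truncate or tokenize it before logging), not merely to scrub after the fact, and a scan like this belongs in the periodic testing the standard already calls for.  The Luhn filter removes most false positives but not all, since unrelated numbers can also pass it, so review hits rather than treating the count as exact.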