PCI Data Security Standard

PCI DSS stands for Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

PCI DSS is maintained and evolved by the PCI Security Standards Council, which works to promote its broad industry adoption and provides the tools needed to comply with the standard. The Council was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

Any company that processes, stores, or transmits credit card numbers must be PCI DSS compliant, or it risks losing the ability to accept credit card payments.

PCI Requirements

The PCI DSS imposes requirements on merchants and service providers to safeguard consumers' credit card information from hackers and other identity thieves. The twelve requirements are grouped into six control objectives:

  • Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data and sensitive information across open, public networks
  • Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security

At a high level, these requirements appear straightforward. Note, however, that these 12 Payment Card Industry Data Security Standard (PCI DSS) requirements break down into over 200 detailed tasks that must be met.

The payment card industry is now enforcing PCI compliance. Non-compliance can result in fines, restrictions or possibly permanent expulsion from card acceptance programs. If your business depends on accepting credit cards, you have no choice but to become PCI compliant.
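The requirements above are stated at policy level; the detailed tasks behind them are concrete engineering work. One such task under "Protect stored cardholder data" is making sure full primary account numbers (PANs) do not end up in logs, and, where a PAN must be displayed, showing no more than the first six and last four digits, which is the masking rule PCI DSS sets. The following Python script is an added example written for this page; it is not Compliance Spectrum's code or part of Spectra. It scans constructed sample log lines for digit runs that look like card numbers, uses the Luhn check to discard lookalikes such as order references, and rewrites every real hit to first-six/last-four form. The card numbers in the sample lines are well-known published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits):
    """Luhn (mod 10) check. Every real card number passes it; most random digit runs do not,
    so it is the cheapest way to cut false positives from a PAN scanner."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the maximum PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Return (redacted_line, number_of_PANs_masked) for one log line."""
    hits = 0

    def repl(match):
        nonlocal hits
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw              # looks like a PAN but is not one: leave it alone
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), hits


def redact_log(lines):
    """Redact every Luhn-valid PAN in a sequence of log lines.
    Returns (redacted_lines, total_number_of_PANs_masked)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


# Constructed sample log lines (assumption: a payment application that wrongly logs the PAN).
# The order numbers are 16 digits long but fail Luhn; the last line carries a lookalike that
# also fails Luhn, to show that the scanner does not mask it.
LOG_LINES = [
    "2008-04-15 12:00:01 order=1234567890123456 pan=4111 1111 1111 1111 status=approved",
    "2008-04-15 12:00:02 order=1234567890123457 pan=378282246310005 status=approved",
    "2008-04-15 12:00:03 order=1234567890123458 ref=4111111111111112 status=declined",
]

if __name__ == "__main__":
    redacted, count = redact_log(LOG_LINES)
    for line in redacted:
        print(line)
    print("PANs masked:", count)
```

Run against the sample lines, the script masks the two genuine test PANs and leaves the order numbers and the Luhn-failing reference untouched. Two caveats a practitioner should keep in mind: the Luhn check only reduces false positives, it does not prove a string is a PAN, and redacting logs after the fact is a detective control; the preventive fix is to stop the application from writing the PAN in the first place.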

Merchant & Service Provider Levels and Validation Requirements

Merchant PCI levels are dependent on the number of transactions that take place annually. The levels are defined as follows:

Level 1 - More than 6 million transactions per year or merchants whose data has been compromised

Level 2 - 1 million to 6 million transactions per year

Level 3 - 20,000 to 1 million transactions per year

Level 4 - Less than 20,000 transactions per year

Service providers are organizations that process, store, or transmit cardholder data on behalf of the credit card company members, merchants, or other service providers. Service provider levels are defined as:

Level 1 - All processors and payment gateways

Level 2 - Any Service Provider not in Level 1 and stores, processes or transmits more than 1 million accounts or transactions annually

Level 3 - Any Service Provider not in Level 1 and stores, processes or transmits less than 1 million accounts or transactions annually

To validate compliance with the PCI DSS, all merchants, regardless of credit card transaction volume, must have their Internet-facing systems scanned quarterly by an Approved Scanning Vendor (ASV). In addition, all merchants except Level 1 are required to submit an annual Self-Assessment Questionnaire (SAQ). Level 1 merchants and Level 1 and 2 service providers are required to have an annual onsite security assessment by a Qualified Security Assessor (QSA).

PCI Security Vendor Alliance

The PCI Security Vendor Alliance was formed to provide products and services for the members of the payment card industry, including retailers, e-commerce companies, financial institutions, payment processors, POS vendors and any other organization that must achieve compliance with the PCI Data Security Standard.

The PCI Security Vendor Alliance complements the objectives of the major card payment brands by helping to educate the businesses affected by the PCI DSS about the requirements and business value of the Payment Card Industry (PCI) Data Security Standard, a global benchmark intended to improve security throughout the entire payment card transaction process.

The PCI Security Vendor Alliance is an independent group of vendors who see tremendous value in the standards managed by the Council; the PCI SVA is not formally a member of the PCI Security Standards Council™. Compliance Spectrum is proud to be a member of the PCI SVA. As a member, we are committed to education and to the delivery of solutions, including Spectra for PCI, that streamline the PCI DSS compliance lifecycle through automation.

©Compliance Spectrum 2007. All Rights Reserved.