
eCommerce and PCI DSS requirements

One of the most misunderstood requirements for a merchant offering any type of credit or debit card service is the new set of security standards released by the Payment Card Industry.

Essentially, the PCI DSS (Payment Card Industry Data Security Standard) must be met by every organization (merchant or service provider) that transmits, processes or stores credit card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law but a contractual obligation, applied and enforced (by means of fines or other restrictions) directly by the payment providers themselves (e.g., Visa and MasterCard). See a list of validated service providers here.

The PCI security standards are technical and operational requirements created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
The core of the PCI DSS is a group of principles, each with accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Compliance requirements depend on a merchant's activity level.

There are four activity levels, based on the annual number of credit/debit card transactions.

In general:

Level 1 criteria: merchants with over 6 million transactions a year, or merchants whose data has previously been compromised.
Level 1 validation requirements: annual onsite security audit (reviewed by a QSA, or by internal audit if signed by an officer of the merchant company and pre-approved by the acquirer) and a quarterly network security scan.

Level 2 criteria: merchants with 1,000,000 to 6 million transactions a year.
Level 2 validation requirements: annual Self-Assessment Questionnaire and a quarterly scan by an Approved Scanning Vendor (ASV).

Level 3 criteria: merchants with 20,000 to 1,000,000 transactions a year.
Level 3 validation requirements: quarterly scan by an Approved Scanning Vendor (ASV) and an annual Self-Assessment Questionnaire.

Level 4 criteria: merchants with fewer than 20,000 transactions a year.
Level 4 validation requirements: annual Self-Assessment Questionnaire, plus a quarterly scan by an Approved Scanning Vendor (recommended or required, depending on the acquirer's compliance criteria).

For further information

For comprehensive information about eCommerce and PCI DSS requirements, please visit the PCI Security Standards Council website.
