PCI Compliance 101 - About the Standards
What is Payment Card Industry (PCI) Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated security initiative which was created to offer merchants and service providers a complete, unified approach to safeguarding credit cardholder information for all card brands.
In September of 2006, a group of five leading payment brands including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced formation of the PCI Security Standards Council, an independent council established to manage ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.
What Are the PCI Compliance Standards?
The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data; every such entity must be PCI compliant. The requirements cover all payment channels, including retail (brick and mortar), mail/telephone order, and e-commerce organizations.
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
The updated version, version 1.1, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the PCI Security Standards Council.
The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The PCI Data Security Standard comprises 12 general requirements designed to:
- Build and maintain a secure network;
- Protect cardholder data;
- Ensure the maintenance of vulnerability management programs;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Ensure the maintenance of information security policies.
Validation Requirements
While the newly-established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by individual payment card brands. While requirements vary between card networks, MasterCard's Site Data Protection Plan and Visa's Cardholder Information Security Program are representative.
They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure, as outlined in Table A below.
Table A: PCI Data Security Standard Compliance for Merchants

| Merchant Level | Selection Criteria | Validation Actions | Validated By |
|---|---|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | Annual On-Site Security Audit and Quarterly Network Scan | Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor. Level 1 Merchants should have validated compliance by September 30, 2004 |
| 2 | 1 million – 6 million Visa or MasterCard transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor. Validation is required no later than June 30, 2005. *Merchants new to Level 2 as of 8/06 are required to validate by 9/30/07 |
| 3 | 20,000 – 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor. Validation is required no later than June 30, 2005 |
| 4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | Recommended Annual PCI Self-Assessment Questionnaire and Recommended Annual Network Scan | Merchant; Qualified Independent Scan Vendor. Note: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended |
What if the PCI Compliance scan result shows that my site has vulnerabilities?
Complete instructions for patching all vulnerabilities are available within your Vulnerability Management Portal. This information can be easily made available directly to your web host or IT staff using your ControlScan PCI Passport account.
What Happens If My Business Does Not Comply with PCI Compliance Regulations?
Visa has set strong incentives for acquiring banks to ensure their merchants and service providers achieve and maintain PCI compliance. In the event a breach of cardholder information occurs, any non-PCI compliant organization will suffer extremely damaging direct penalties handed down from these banks, including but not limited to:
- Fines up to $500,000 per incident
- Loss of the right to accept credit cards (oftentimes permanently)
- Responsibility for all financial losses that result from the breach; these can include theft, fraud, card replacement, etc.
Pricing Information
PCI Compliance 1-2-3 System Pricing

ControlScan's PCI Compliance 1-2-3 system provides merchants and consultants a fast, accurate, cost-effective and greatly simplified way to achieve PCI DSS compliance. Since there is no infrastructure to deploy or software to configure, the ControlScan PCI 1-2-3 system eliminates the capital expenditures and labor costs associated with traditional software-based solutions. With the ControlScan PCI 1-2-3 Compliance system there are no hidden costs.

Sentry PCI Pricing:
- 1 PCI IP Vulnerability Scan - $199
- 3 PCI IP Vulnerability Scans - $399