The Payment Card Industry Data Security Standards (PCI DSS) play a crucial role in safeguarding consumers against identity theft and credit card fraud. This overview provides insights into the PCI DSS framework, its levels, and the requirements for compliance.
PCI DSS Overview and Levels
PCI DSS was established by major credit card companies such as Visa, Mastercard, American Express, JCB, and Discover to ensure that merchants processing credit cards adhere to a comprehensive set of security standards. Noncompliance can result in penalties ranging from $5,000 to $100,000 per month, with fines as high as $500,000 per security breach.
There are four levels of PCI compliance based on the annual number of credit card transactions processed:
PCI Level 1: Over 6 million transactions per year
PCI Level 2: 1 million to 6 million transactions per year
PCI Level 3: 20,000 to 1 million transactions per year
PCI Level 4: Less than 20,000 transactions per year
Vendors can determine their PCI compliance level by coordinating with service providers or utilizing reporting tools specific to the credit card companies they work with.
Breakdown of PCI DSS Levels
Each PCI level has specific requirements for achieving compliance:
PCI Level 1 compliance (over 6 million transactions per year):
- Annual Report on Compliance (ROC) by a qualified security assessor (QSA) or internal security assessor (ISA)
- Quarterly network scan by an approved vendor
- Annual penetration test
- Submission of an Attestation of Compliance (AOC) form
PCI Level 2 compliance (1 million to 6 million transactions per year):
- Completion of a Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by an approved vendor
- Submission of an AOC form
- Annual penetration test
PCI Level 3 compliance (20,000 to 1 million transactions per year):
- Completion of an SAQ
- Quarterly network scan for vulnerabilities
- Submission of an attestation compliance form
PCI Level 4 compliance (less than 20,000 transactions per year):
- Absence of data breaches or cyberattacks
- Completion of an SAQ
- Quarterly network scan for vulnerabilities
- Submission of an attestation compliance form
Different SAQ Types
The PCI DSS framework includes eight different types of SAQs, catering to various merchant scenarios. The SAQ types range from card-not-present merchants to those using specific payment terminals or virtual terminal solutions. Each SAQ type addresses different security considerations and requirements.
|
SAQ |
Description |
|
A |
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. -Not applicable to face-to-face channels. Card-not-present merchants (e-commerce or mail/telephone-order) that have fully |
|
A-EP* |
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. -Applicable only to e-commerce channels. |
|
B |
Merchants using only: • Imprint machines with no electronic cardholder data storage; and/or • Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
|
B-IP* |
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
|
C-VT |
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
|
C |
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
|
P2PE-HW |
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
|
D |
SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types as well as service providers considered eligible to complete an SAQ. |
Control Breakdown of PCI DSS Requirements
PCI DSS consists of approximately 300 security controls. To maintain a secure system, protect cardholders, and manage vulnerabilities, merchants must fulfill 12 primary requirements. These include protecting cardholder data, implementing access controls, encryption, regular updates and patching, and maintaining strong information security policies.
| 1. Protect cardholder data by installing and maintaining firewalls | 7. Access to cardholder data should be on a need-to-know basis |
| 2. Change default passwords and other security settings upon receipt of your payment infrastructure from your vendor | 8. Establish appropriate authorization levels among personnel for better accountability |
| 3. Protect cardholder data by making it unreadable using encryption and other technologies | 9. Limit physical access to cardholder data |
| 4. Ensure that cardholder data is encrypted during transmission of data | 10. Closely monitor access to cardholder data and network resources |
| 5. Regularly update antivirus and antimalware software to protect all systems | 11. Regularly test security systems and processes |
| 6. Ensure software updates are promptly installed and all security vulnerabilities are patched | 12. Implement a policy that emphasizes information security to all personnel |
Validate PCI Secure Software Standards
The PCI Security Standards Council certifies independent Software Security Framework Assessors to validate the security of payment software. These assessors evaluate the software lifecycle and confirm its compliance with PCI standards. A list of qualified companies can be found on the PCI Security Standards Council's website.
Fines for Noncompliance
Noncompliance with PCI DSS can result in severe consequences, including substantial fines and penalties determined by the payment card brands. Failure to comply with the industry rules may also lead to reputational damage and the loss of the ability to process credit cards.
Please note that the content provided in this article is based on Carbide's understanding of the PCI DSS framework and information available on the official PCI Security Standards Council's website. PCI DSS 3.2 can be found here.