Is your company collecting, using, storing, processing, or transmitting payment cardholder data? If that's the case, you've probably heard of PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS is a standard, developed by major credit card companies, that establishes particular rules for merchants and service providers to follow in order to safeguard payment cardholder data.
This is a demanding standard to meet, and achieving PCI compliance is no easy task, especially as the framework applies to businesses of different sizes and processing volumes. Within the PCI DSS (Payment Card Industry Data Security Standard), there are four levels of PCI compliance.
In this article, we’ll break down how these four compliance levels work, who they apply to, and how to meet PCI compliance within your organization.
The Payment Card Industry Data Security Standard (also known as PCI DSS) is a collection of security requirements meant to ensure that all businesses that accept, handle, store, or transmit credit card data do so in a secure manner.
On September 7th, 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed to oversee the continued advancement of the Payment Card Industry (commonly known as PCI) security standards, with an emphasis on strengthening payment account security throughout the transaction process. The PCI DSS is overseen and controlled by the PCI SSC, a non-profit organization founded by major credit card companies such as Visa and MasterCard. It's vital to highlight that it's the payment brands and acquirers, not the PCI council, who are in charge of ensuring compliance.
PCI DSS applies to all enterprises that receive, transmit, or retain credit card data, regardless of company size. PCI compliance is divided into four tiers, and a merchant's tier is determined by the number of Visa transactions it processes within a given year:
Based on Visa transaction volume over a twelve-month period, every merchant is assigned to one of four merchant tiers. Transaction volume is calculated as the total number of Visa transactions, including credit, debit, and prepaid, from a merchant Doing Business As (also known as "DBA"). When a merchant company has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed, or transmitted by the corporate entity when determining the validation level. If data isn't aggregated, meaning the corporate entity doesn't store, process, or transmit cardholder data on behalf of several DBAs, acquirers will continue to base the validation level on each DBA's individual transaction volume.
Each compliance level has different requirements. Any company that falls under Level One must have an internal auditor conduct an annual on-site assessment and must have a network scan performed by an approved scanning provider. Businesses in Levels Two, Three, and Four must complete the PCI DSS Self-Assessment Questionnaire once a year and conduct quarterly network security scans with an approved scanning provider. The questionnaire is available on the PCI website.
Are you wondering how to meet compliance for the PCI DSS? If so, you have many options. We recommend implementing these tips and best practices into your existing compliance plan, regardless of the PCI DSS level your organization is at:
In general, we would recommend working with a risk and compliance company like Accountable HQ to streamline your compliance processes and ensure everything is done correctly. PCI DSS compliance can be complex, so it’s best to trust the professionals.