What is PCI compliance? I haven't come across this term before. And is it applicable to all countries?
One of the most misunderstood requirements for a merchant offering any type of credit or debit card service is the set of security standards released by the Payment Card Industry (PCI).
Essentially, the PCI DSS (Payment Card Industry Data Security Standard) must be met by all organizations (merchants and service providers) that transmit, process or store credit card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law; rather, it is a contractual obligation applied and enforced (by means of fines or other restrictions) directly by the payment brands (e.g., Visa and MasterCard) themselves.
PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Compliance validation requirements depend on a merchant's activity level.
There are four levels, based on the annual number of credit/debit card transactions. In general:
Level 1 Criteria: Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements: Annual onsite security audit (performed by a QSA, or an internal audit if signed by an officer of the merchant company and pre-approved by the acquirer) and a quarterly network security scan
Level 2 Criteria: Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements: Annual Self-Assessment Questionnaire and a quarterly scan by an Approved Scanning Vendor (ASV)
Level 3 Criteria: Merchants with 20,000 to 1,000,000 transactions a year
Level 3 Validation Requirements: Annual Self-Assessment Questionnaire and a quarterly scan by an Approved Scanning Vendor (ASV)
Level 4 Criteria: Merchants with fewer than 20,000 transactions a year
Level 4 Validation Requirements: Annual Self-Assessment Questionnaire and a quarterly scan by an Approved Scanning Vendor (may be recommended or required, depending on the acquirer's compliance criteria)
For further information:
For comprehensive information about eCommerce and PCI DSS requirements, please visit the PCI Security Standards Council website.