Each party related to processing, storing, or transmitting cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS) administered by the Payment Card Industry Security Standards Council. It offers merchants a comprehensive framework for identifying and effectively tackling payment card data security risks. The Standard makes merchants accountable for making their business environment secure as well as for business policies (or their absence) and any actions that can lead to a data breach.
While the PCI Council doesn’t check every business for PCI compliance, non-compliance can lead to severe consequences. In case a data breach happens, and it’s discovered that the company didn’t comply with the regulations at that moment, it will be liable for heavy fines and face reputational damage.
PCI DSS is a pack of requirements set to ensure that all organizations dealing with credit card data provide a secure environment. The PCI DSS came into action on 7 September 2006. It is managed by the PCI Security Standards Council (PCI SSC), an independent body founded by MasterCard, Visa, American Express, Discover, and JCB.
There are four PCI compliance levels based on the merchants’ annual card transaction volumes
In addition, if a merchant experiences a breach that leads to account data compromise, their business may be escalated to a higher compliance level. Merchants can identify their PCI compliance level and ensure compliance by partnering with PCI compliance providers.
Level 1 of PCI compliance applies to businesses processing more than 6M card transactions annually. While other levels only mandate filling out a Self-Assessment Questionnaire (SAQ), Level 1 of PCI compliance requires annual reports prepared by a qualified security assessor (QSA) or an internal security assessor (ISA). Merchants that have suffered a data breach compromising payment card data are also liable to an external audit, even if they don’t belong to Level 1 merchants.
Next, Level 1 businesses must have quarterly scans of their networks performed by an approved vendor, including servers, computers, cloud, etc. Moreover, they need to have a penetration test (also known as a pen test) performed at least once a year. This is a simulated cyber attack aimed at checking your systems for exploitable vulnerabilities.
For the Level 1 PCI audit, you’ll have to provide an Attestation of Compliance (AOC) form stating that you have complied with the PCI DSS requirements.
You’re a PCI Level 2 merchant if you process from 1M to 6M credit card transactions per year. Businesses classified as PCI Level 2 merchants are not subject to any audits, except in the event that they suffer from a data breach or your acquiring bank views it as necessary.
Level 2 merchants need to fill out a Self-Assessment Questionnaire, have a quarterly scan of their networks done by an approved vendor, and complete an Attestation of Compliance (AOC). In addition, PCI Level 2 merchants are obliged to do an annual penetration test. However, keep in mind that service providers are subject to biannual penetration tests (PCI Requirement 11.3.4.1).
Merchants processing 20K to 1M transactions annually belong to Level 3 of PCI compliance. Similar to Level 2 merchants, to stay PCI Level 3 compliant, you need to complete an SAQ, conduct network scans on a quarterly basis, and present an attestation compliance form. However, this level doesn’t require penetration tests.
This PCI compliance level applies to any merchant processing fewer than 20K eCommerce transactions annually and all other merchants, no matter the acceptance channel, processing up to 1M Visa transactions per year. PCI Level 4 merchants aren’t required to do audits, submit ROC, and may even not need AOC forms. Level 4 organizations are only subject to completing an annual Self Assessment Questionnaire (SAQ) and performing quarterly network scans.
A PCI SAQ, or Self-Assessment Questionnaire, is a merchant’s statement of PCI compliance, validating that the merchant is taking the necessary measures to secure cardholder data.
Filling out a PCI Self-Assessment Questionnaire is part of the compliance process. It involves answering several yes/no questions concerning PCI DSS requirements. There are different types of SAQ. The type you need to submit depends on your level and how you process payment card data.
Regardless of which PCI compliance level your organization falls into or what type of merchant you are, staying PCI compliant should be one of your major priorities. Secure systems translate into greater customer trust and improve your reputation with payment brands. More importantly, PCI compliance helps prevent data breaches and strengthens corporate security strategies.
Michael is a security enthusiast who has been in the pen testing space for over a decade. In his spare time he likes to stay abreast of new happenings in this ever-changing industry through reading and writing cyber security related articles.
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
latesthackingnews.com 2011 – 2022 All rights reserved
Social Media