PCI-DSS Overview

Improving security and cutting fraud

Card schemes – such as MasterCard and Visa – need to make sure merchants have protection in place to deter hackers and criminals. Cardholder data is a tempting target for fraudsters, and there has been a series of high-profile security breaches around the world in recent years.

What is PCI DSS?

The PCI Security Standards Council manages the security standards for the payment cards industry. The council was formed by Visa, MasterCard, American Express, JCB and Discover.

It works across five main areas:

  • Develop and maintain a global, industry-wide technical data security standard to protect cardholders’ account information

  • Reduce the cost and lead time of implementing the Data Security Standard. The council works to establish, and ensure compliance with, common technical standards and audit procedures

  • Provide a list of globally available, qualified security solution providers on its web site to help the industry become compliant

  • Lead training, education, and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). This provides a single source of approval recognised by all five founding members

  • Provide a transparent forum where all stakeholders can contribute to the ongoing development, enhancement and dissemination of data security standards

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Each compensating control must be documented (PCI DSS provides a compensating control worksheet for this purpose) and is reviewed by the assessor as part of the annual validation, so it is not a way to waive a requirement, only to meet its intent by other means.


Merchant levels and validation requirements

LEVEL 1

Any merchant processing over six million Visa or MasterCard transactions per year, plus any merchant compromised in the last year or otherwise identified by a card scheme as a Level 1 merchant.

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or

  • Annual Report on Compliance (ROC) by an Internal Security Assessor (ISA)

  • Quarterly external network scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance (AOC) form

LEVEL 2

Any merchant processing between one and six million Visa or MasterCard transactions per year.

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or

  • Annual Report on Compliance (ROC) by an Internal Security Assessor (ISA)

  • Quarterly external network scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance (AOC) form

LEVEL 3

Any merchant processing between 20,000 and one million Visa or MasterCard eCommerce transactions per year.

  • Annual Self-Assessment Questionnaire (SAQ)

  • Quarterly external network scan by an Approved Scanning Vendor (ASV), if applicable to the SAQ type

  • Attestation of Compliance (AOC), included with the SAQ

LEVEL 4

Any merchant processing fewer than 20,000 Visa or MasterCard eCommerce transactions per year, and all other merchants processing up to one million Visa or MasterCard transactions per year.

  • Annual Self-Assessment Questionnaire (SAQ)

  • Quarterly external network scan by an Approved Scanning Vendor (ASV), if applicable to the SAQ type

  • Attestation of Compliance (AOC), included with the SAQ

If you are not compliant with the Payment Card Industry Data Security Standard (PCI DSS), you will be held responsible for any losses arising from fraud and may also face considerable fines from the card schemes. Your customers will suffer if their card details are compromised, and your business reputation will suffer with them.

Taking responsibility for PCI DSS compliance forms part of your merchant Terms & Conditions.