PCI is not a regulation. The term PCI stands for Payment Card Industry. What people are referring to when they say PCI is actually the PCI Data Security Standard (DSS), currently at version 1.1.
PCI Co’s charter provides oversight to the development of PCI security standards on a global basis. It formalizes many processes that existed informally within the card brands. PCI Co published the updated DSS, now at version 1.1, which is accepted by all brands and international regions, and it refreshed most of the supporting documentation.
PCI Co is technically an independent industry standards body, and its exact organizational chart is published on its Web site. Yet it remains a relatively small organization, primarily comprised of the employees of the brand members. In fact, the role of answering e-mails sent to info@pcisecuritystandards.org rotates every month among the representatives of the card brands.
The industry immediately felt the positive impact of PCI Co. The merchants and service providers can now play a more active role in the compliance program and the evolution of the standard, while the Qualified Security Assessor Companies (QSACs) and Approved Scanning Vendors find it much easier to train their personnel.
Merchant Level Requirements
| Merchant Level | Description |
|---|---|
| Level 1 | Any merchant that processes more than 6 million Visa or MasterCard transactions annually. Any merchant that processes more than 2.5 million American Express transactions annually. |
| Level 2 | Any merchant that processes between 1 million and 6 million Visa transactions annually. Any merchant that processes more than 150 thousand MasterCard e-commerce transactions annually. Any merchant that processes between 50 thousand and 2.5 million American Express transactions annually. |
| Level 3 | Any merchant that processes between 20 thousand and 1 million Visa e-commerce transactions annually. Any merchant that processes more than 20 thousand MasterCard e-commerce transactions annually. Any merchant that processes less than 50 thousand American Express transactions annually. |
| Level 4 | All other Visa and MasterCard merchants. |
Service Provider Levels
| Level | MasterCard | Visa USA |
|---|---|---|
| Level 1 | All third-party providers (TPPs). All data storage entities (DSEs) that store, process, or transmit cardholder data for Level 1 and Level 2 merchants | Any VisaNet processor. All payment gateways |
| Level 2 | All DSEs that store, process, or transmit cardholder data for Level 3 merchants | Any service provider that stores, processes, or transmits one million or more Visa accounts or transactions annually |
| Level 3 | All other DSEs | Any service provider that stores, processes, or transmits less than one million Visa accounts or transactions annually |
Compliance Deadlines for Merchants
| Level | American Express | MasterCard | Visa USA |
|---|---|---|---|
| Level 1 | October 31, 2006 | June 30, 2005 | June 30, 2004 |
| Level 2 | March 31, 2007 | June 30, 2004 | June 30, 2007 |
| Level 3 | N/A | June 30, 2005 | June 30, 2005 |
| Level 4 | N/A | N/A | N/A |
Note: Visa USA’s target compliance date of June 30, 2007 is applicable to new Level 2 merchants only. If you have not changed levels, you probably do not qualify. Visa Canada, Discover, and JCB compliance dates for merchants are not well defined. Please check with your acquirer for more information.
Compliance Deadlines for Service Providers
| Level | MasterCard | Visa USA |
|---|---|---|
| Level 1 | June 30, 2005 | September 30, 2004 |
| Level 2 | June 30, 2005 | September 30, 2004 |
| Level 3 | June 30, 2005 | September 30, 2004 |
Compliance Validation for Merchants
| Level | American Express | MasterCard | Visa USA |
|---|---|---|---|
| Level 1 | Annual on-site review by QSA (or internal auditor if signed by officer of merchant company); quarterly scan by ASV | Annual on-site review by QSA; quarterly scan by ASV | Annual on-site review by QSA (or internal auditor if signed by officer of merchant company); quarterly scan by ASV |
| Level 2 | Quarterly scan by ASV | Annual Self-Assessment Questionnaire (SAQ); quarterly scan by ASV | Annual SAQ; quarterly scan by ASV |
| Level 3 | Quarterly scan by ASV (recommended) | Annual SAQ; quarterly scan by ASV | Annual SAQ; quarterly scan by ASV |
| Level 4 | N/A | Annual SAQ (recommended); quarterly scan by ASV (recommended) | Annual SAQ (recommended); quarterly scan by ASV (recommended) |
Compliance Validation for Service Providers
| Level | American Express | MasterCard | Visa USA |
|---|---|---|---|
| Level 1 | Annual on-site review by QSA (or internal auditor if signed by officer of service provider company); quarterly scan by ASV | Annual on-site review by QSA; quarterly scan by ASV | Annual on-site review by QSA; quarterly scan by ASV |
| Level 2 | N/A | Annual on-site review by QSA; quarterly scan by ASV | Annual on-site review by QSA; quarterly scan by ASV |
| Level 3 | N/A | Annual SAQ; quarterly scan by ASV | Annual SAQ; quarterly scan by ASV |
Brand Security Programs
| Card Brand | Additional Program Information |
|---|---|
| American Express | Web: www.americanexpress.com/datasecurity; E-mail: American.Express.Data.Security@aexp.com |
| Discover | Web: www.discovernetwork.com/resources/data/data_security.html; E-mail: askdatasecurity@discoverfinancial.com |
| JCB | Web: www.jcb-global.com/english/pci/index.html; E-mail: riskmanagement@jcbati.com |
| MasterCard | Web: www.mastercard.com/sdp; E-mail: sdp@mastercard.com |
| Visa USA | Web: www.visa.com/cisp; E-mail: cisp@visa.com |
| Visa Canada | Web: www.visa.ca/ais |
Solutions Fast Track
PCI
* PCI is used synonymously with PCI DSS.
* If you are not compliant already, you are late. Most compliance deadlines have already passed.
* PCI is not perfect, so be prepared for bumps in the road.
* PCI compliance cannot be a project—it is a process. Keep each project at a manageable size, perhaps one project for each DSS requirement.
Get Advice From Someone Who Knows
* Seek the help of a trusted advisor who can help steer your compliance efforts.
* PCI DSS requirements are often misinterpreted. Validate what you believe to be true or what you are being told.
* When selecting a trusted advisor, look for the reputation and stability before you look at cost. The two of you might have to team up in the courtroom, so build a relationship.
Get the Facts
* Get an assessment by a QSAC. If your company is close to being compliant, it will take very little additional effort to turn an assessment report into a Report on Compliance (ROC).
* Contract the services of an ASV to perform the quarterly perimeter scans and penetration tests.
* Consider using the same company for both assessments and scans. That way you have better communication.
* Deal directly with a QSAC, not with a middle man.
Start at the Top
* Get an endorsement from the company’s senior management and business stakeholders.
* Start your remediation efforts with higher level concepts: first the policy, then the process, then standards and procedures.
* Don’t forget to document everything!
January 13, 2009 at 8:52 pm
Great info on PCI. PCI compliance is super important for online businesses as well. Not only are you protecting your customers’ information, which results in return customers and more sales, but you are protecting your business from liability. Thanks for the post.