
PCI What is it? Who needs to Comply, Dates and Validation

January 13, 2009

PCI is not a regulation. The term PCI stands for Payment Card Industry. What people are referring to when they say PCI is actually the PCI Data Security Standard (DSS), currently at version 1.1.

PCI Co’s charter provides oversight of the development of PCI security standards on a global basis. It formalizes many processes that existed informally within the card brands. PCI Co published the updated DSS, now at version 1.1, which is accepted by all brands and international regions, and it refreshed most of the supporting documentation.

PCI Co is technically an independent industry standards body, and its exact organizational chart is published on its Web site. Yet it remains a relatively small organization, primarily composed of employees of the brand members. In fact, the role of answering e-mails sent to info@pcisecuritystandards.org rotates every month among the representatives of the card brands.

The industry immediately felt the positive impact of PCI Co. The merchants and service providers can now play a more active role in the compliance program and the evolution of the standard, while the Qualified Security Assessor Companies (QSACs) and Approved Scanning Vendors find it much easier to train their personnel.

Merchant Level Requirements

Level 1
* Any merchant that processes more than 6 million Visa or MasterCard transactions annually.
* Any merchant that processes more than 2.5 million American Express transactions annually.

Level 2
* Any merchant that processes between 1 million and 6 million Visa transactions annually.
* Any merchant that processes more than 150 thousand MasterCard e-commerce transactions annually.
* Any merchant that processes between 50 thousand and 2.5 million American Express transactions annually.

Level 3
* Any merchant that processes between 20 thousand and 1 million Visa e-commerce transactions annually.
* Any merchant that processes more than 20 thousand MasterCard e-commerce transactions annually.
* Any merchant that processes less than 50 thousand American Express transactions annually.

Level 4
* All other Visa and MasterCard merchants.

Service Provider Levels

Level 1
* MasterCard: All third-party providers (TPPs); all data storage entities (DSEs) that store, process, or transmit cardholder data for Level 1 and Level 2 merchants.
* Visa USA: Any VisaNet processor; all payment gateways.

Level 2
* MasterCard: All DSEs that store, process, or transmit cardholder data for Level 3 merchants.
* Visa USA: Any service provider that stores, processes, or transmits one million or more Visa accounts or transactions annually.

Level 3
* MasterCard: All other DSEs.
* Visa USA: Any service provider that stores, processes, or transmits less than one million Visa accounts or transactions annually.
Compliance Dates for Merchants

Level 1
* American Express: October 31, 2006
* MasterCard: June 30, 2005
* Visa USA: June 30, 2004

Level 2
* American Express: March 31, 2007
* MasterCard: June 30, 2004
* Visa USA: June 30, 2007

Level 3
* American Express: N/A
* MasterCard: June 30, 2005
* Visa USA: June 30, 2005

Level 4
* American Express: N/A
* MasterCard: N/A
* Visa USA: N/A

Note: Visa USA’s target compliance date of June 30, 2007 applies to new Level 2 merchants only. If you have not changed levels, you probably do not qualify. Visa Canada, Discover, and JCB compliance dates for merchants are not well defined. Please check with your acquirer for more information.

Compliance Dates for Service Providers

Level 1
* MasterCard: June 30, 2005
* Visa USA: September 30, 2004

Level 2
* MasterCard: June 30, 2005
* Visa USA: September 30, 2004

Level 3
* MasterCard: June 30, 2005
* Visa USA: September 30, 2004

Compliance Validation for Merchants

Level 1
* American Express: Annual on-site review by QSA (or internal auditor if signed by officer of merchant company); quarterly scan by ASV.
* MasterCard: Annual on-site review by QSA; quarterly scan by ASV.
* Visa USA: Annual on-site review by QSA (or internal auditor if signed by officer of merchant company); quarterly scan by ASV.

Level 2
* American Express: Quarterly scan by ASV.
* MasterCard: Annual Self-Assessment Questionnaire (SAQ); quarterly scan by ASV.
* Visa USA: Annual SAQ; quarterly scan by ASV.

Level 3
* American Express: Quarterly scan by ASV (recommended).
* MasterCard: Annual SAQ; quarterly scan by ASV.
* Visa USA: Annual SAQ; quarterly scan by ASV.

Level 4
* American Express: N/A.
* MasterCard: Annual SAQ (recommended); quarterly scan by ASV (recommended).
* Visa USA: Annual SAQ (recommended); quarterly scan by ASV (recommended).

Compliance Validation for Service Providers

Level 1
* American Express: Annual on-site review by QSA (or internal auditor if signed by officer of service provider company); quarterly scan by ASV.
* MasterCard: Annual on-site review by QSA; quarterly scan by ASV.
* Visa USA: Annual on-site review by QSA; quarterly scan by ASV.

Level 2
* American Express: N/A.
* MasterCard: Annual on-site review by QSA; quarterly scan by ASV.
* Visa USA: Annual on-site review by QSA; quarterly scan by ASV.

Level 3
* American Express: N/A.
* MasterCard: Annual SAQ; quarterly scan by ASV.
* Visa USA: Annual SAQ; quarterly scan by ASV.

Brand Security Programs

American Express
* Web: www.americanexpress.com/datasecurity
* E-mail: American.Express.Data.Security@aexp.com

Discover
* Web: www.discovernetwork.com/resources/data/data_security.html
* E-mail: askdatasecurity@discoverfinancial.com

JCB
* Web: www.jcb-global.com/english/pci/index.html
* E-mail: riskmanagement@jcbati.com

MasterCard
* Web: www.mastercard.com/sdp
* E-mail: sdp@mastercard.com

Visa USA
* Web: www.visa.com/cisp
* E-mail: cisp@visa.com

Visa Canada
* Web: www.visa.ca/ais

Solutions Fast Track
PCI

* PCI is used synonymously with PCI DSS.
* If you are not compliant already, you are late. Most compliance deadlines have already passed.
* PCI is not perfect, so be prepared for bumps in the road.
* PCI compliance cannot be a project—it is a process. Keep your project on a more manageable level, perhaps one for each DSS requirement.

Get Advice From Someone Who Knows

* Seek the help of a trusted advisor who can help steer your compliance efforts.
* PCI DSS requirements are often misinterpreted. Validate what you believe to be true or what you are being told.
* When selecting a trusted advisor, look for the reputation and stability before you look at cost. The two of you might have to team up in the courtroom, so build a relationship.

Get the Facts

* Get an assessment by a QSAC. If your company is close to being compliant, it will take very little additional effort to turn an assessment report into a ROC.
* Contract the services of an ASV to perform the quarterly perimeter scans and penetration tests.
* Consider using the same company for both assessments and scans. That way you have better communication.
* Deal directly with a QSAC, not with a middle man.

Start at the Top

* Get an endorsement from the company’s senior management and business stakeholders.
* Start your remediation efforts with higher level concepts: first the policy, then the process, then standards and procedures.
* Don’t forget to document everything!

One Comment

  1. websiteverification
    January 13, 2009 8:52 pm

    Great info on PCI. PCI compliance is super important for online businesses as well. Not only are you protecting your customers information, which results in return customers and more sales, but you are protecting your business from liability. Thanks for the post.
