For those of you that don’t know, PCI DSS is the Payment Card Industry’s (PCI) Data Security Standard, which is essentially the standard created by the credit card industry to protect consumers against credit card fraud and identity theft. I think we can all universally agree that creating a standard for managing and securing customer data is a great idea, so I’m not going to get into the pros and cons of the concept of PCI, but I do have a beef with the way compliance is currently being done. Before I get into that, let me give you the 30-second history of PCI DSS.
The beginnings of the program can be traced back to completely separate security standards created by VISA, MasterCard, American Express and Discover. Each program had its own set of rules and regulations that merchants had to adhere to. The Payment Card Industry Security Standards Council (PCI SSC) was formed with the intent of creating a universal standard for securing data, and on December 15th, 2004 the newly formed entity released its uniform set of standards, which became what we now know as PCI DSS.
Without getting into too much detail there are essentially 4 different levels of PCI compliance, with most merchants falling into level 4.
Here’s the breakout:
Level 1 – Any merchant – regardless of acceptance channel – processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1.
Level 2 – Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
Level 3 – Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
Level 4 – Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.
The current version of the standard specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives.” You can verify these requirements by doing a “self-assessment” or through one of many Qualified Security Assessors (QSAs). The good news is these QSAs will walk you through the compliance process, step-by-step. I’ve personally gone through the compliance process with two rather large QSAs, Control Scan and Scan Alert, for a couple of reasons. For starters, I wanted our company to be better educated on the process so we could answer any questions that our customers may have as they become compliant, but I also wanted to better understand the dreaded “false positive” syndrome surrounding compliance.
Stay tuned for my experiences in PCI Compliance part II!