PCI-DSS Compliance: Protecting Merchants and Their Customers.
When we talk about PCI-DSS compliance (sometimes shortened simply to PCI compliance), the conversation usually centers on the need for merchants to be “up to code.” In other words, merchants must meet all the mandated requirements and comply with a set of standardized data protection protocols.
That sounds simple enough…at least at first glance. There’s a lot more to the equation than one or two rules, though. In this article, we’ll take a detailed look at PCI-DSS, where it came from, and what it means to be PCI compliant.
What Is PCI-DSS?
Collectively called the Payment Card Industry Data Security Standard, the PCI-DSS is an information security standard used by organizations that handle branded payment cards. PCI-DSS sets standards for how to securely store and transmit cardholder data to prevent loss or fraud.
Concerns about the security and integrity of cardholders’ personal data arose as credit card use increased in popularity. Card networks individually recognized the need for greater protection. In response, many enacted network-wide security measures, including:
- Cardholder Information Security Program (Visa)
- Site Data Protection (MasterCard)
- Data Security Operating Policy (American Express)
- Information Security and Compliance (Discover)
- Data Security Program (Japan Credit Bureau)
Since the programs obviously had similar intents, it made sense for the individual networks to combine their efforts and create a standardized system. PCI-DSS 1.0 was released in 2004; by 2006, the Payment Card Industry Council was formed to administer and govern the continued development of PCI standards.
The Council still exists and remains the controlling body over PCI-DSS regulations. They have the power to update, override, or change PCI standards at any time.
The overall goal of PCI-DSS is to create and maintain standardized security regulations. There are currently 12 compliance requirements, broken up into six control objectives:
| Control Objective | Compliance Requirement |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| Build and maintain a secure network | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| Protect cardholder data | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software or programs |
| Maintain a vulnerability management program | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know |
| Implement strong access control measures | 8. Assign a unique ID to each person with computer access |
| Implement strong access control measures | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| Regularly monitor and test networks | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel |
Understanding the Levels of Compliance
PCI-DSS implementation is required for any organization that accepts, transmits, or stores any cardholder data. This is true regardless of the organization’s size or the number of transactions. That said, the required level of implementation will vary for different parties, based on factors such as the number of transactions.
Which compliance level a merchant falls under is important, as it dictates the actions needed to remain compliant. Unfortunately, these levels are not standardized across the industry. Each credit card brand has its own specific compliance requirements, based on transactions for that particular card brand.
This is further complicated by the fact that each network also defines its levels and compliance validation requirements differently. We can see from the following chart, for example, that what Visa calls a Level 2 merchant differs dramatically from a Level 2 merchant as defined by American Express.
| Classification Level | Merchant Characteristics | Compliance Requirements |
|---|---|---|
| Level 1 | Merchants who process more than 6 million Visa, MasterCard, or Discover transactions, or more than 2.5 million American Express transactions annually | An annual onsite assessment conducted by a third-party vendor; quarterly scans |
| Level 2 | Merchants who process between 1 and 6 million Visa, MasterCard, or Discover transactions, or between 50,000 and 2.5 million American Express transactions annually | Annual self-assessment; quarterly scans |
| Level 3 | Merchants who process between 20,000 and 1 million Visa, MasterCard, or Discover transactions, or less than 50,000 American Express transactions annually | Annual self-assessment; quarterly scans |
| Level 4 | Merchants who process less than 20,000 Visa, MasterCard, or Discover transactions annually | Annual self-assessment; annual scans |
Merchants can consult the specific card network in question for general compliance information. Note, however, that acquiring banks have the final say concerning their merchants’ levels, which will likely change as the business grows and expands. To ensure strict PCI compliance, it’s best to verify level status with the acquirer.
PCI-DSS Compliance and Service Providers
Outsourcing tasks to service providers, vendors, and other third parties can help merchants operate more efficiently, saving them time and money. However, they must also ensure that those providers don’t jeopardize the merchant’s compliance efforts.
Under card network regulations, a service provider is any group that stores, processes, or transmits cardholder data on a merchant’s behalf. PCI-DSS compliance is mandatory for all organizations, but PCI validation of compliance may or may not be. Service providers may only be compliant with certain aspects of the regulations, while some may not be PCI-DSS compliant at all.
The end result is a potential vulnerability to the merchant. Many data breaches originate with a service provider, rather than the merchant. Regardless of where the breach happens, though, the merchant will still be held responsible. Merchants will also take the bulk of the blame from customers if such a breach occurs.
This is why PCI standards require merchants to monitor not only their own compliance but that of their service providers as well. This includes web hosting services, shopping cart platforms, anti-fraud tools, and more. That sounds fairly straightforward, but the situation is often complicated by the fact that service providers themselves may outsource to other service providers, much like a sub-contractor.
Merchants and their service providers can follow all regulations internally. But, if even one provider in the chain is not compliant, none of the businesses in that chain are compliant, either. Merchants, unfortunately, frequently don’t know about PCI security issues until it’s too late.
Compliance Levels for Service Providers
As with merchants, PCI compliance for service providers is split into different levels. Many service providers are Level 2 compliant, giving them limited authorization to handle sensitive customer data. Level 1 compliance, however, demands much stricter security standards and is far less common.
Level 1 involves on-site audits by a Qualified Security Assessor—expert security professionals trained in complex PCI-DSS regulations. Auditing by a QSA is a lengthy, complicated, and expensive process, but it’s necessary to ensure total compliance with the highest security standards. Without this in-depth verification, merchants’ customer data is at risk of being compromised by a service provider’s inadequate security protocols.
To ensure compliance on all fronts, merchants should maintain a current list of all the service providers they use. This information must also be sent to the acquiring bank, which then registers each service provider with Visa and Mastercard.
Beyond keeping up-to-date on all service providers, the key to ensuring PCI-DSS security on the merchant’s end is an Attestation of Compliance (AOC). The AOC is a form used by merchants and service providers to corroborate the results of a PCI-DSS assessment.
Merchants can request an AOC from their service providers at any time. As mentioned above, validation is not always mandatory, so service providers may respond that they are not required to verify compliance. In these situations, merchants may request an AOC from that business’s relevant service providers.
It takes a bit of effort on the part of the merchant. But, if a validated and registered service provider is used, the merchant won’t be liable for breaches involving that business. The merchant would be absolved by the PCI Security Standards Council and not fined for failing standards. That said, the merchant would still need to reimburse victims of fraud, which could be many millions—or even billions—of dollars, depending on the scale of the incident.
Is Chargebacks911® PCI Compliant?
Chargebacks911 is entirely PCI-DSS Level 1-compliant.
We consider the security of our clients to be one of our highest priorities. To protect our customers—and their customers—our facilities undergo a regular, meticulous audit process designed to ensure consistent compliance with PCI standards. All employees receive training in proper data security behaviors and are required to adhere to security best practices.
Our servers, software, and internal practices are designed to meet or exceed PCI-DSS compliance. The use of our turnkey solution means that merchants never need to worry about PCI-DSS regulations impacting their approach to chargeback mitigation.
Don’t take responsibility for your service provider’s missteps. Chargebacks911—along with all the services and industry integrations we contract—is your resource for PCI-compliant chargeback mitigation. Contact us to learn more about protecting your business and your customers.