Author
Andrea Tappe
The Payment Card Industry Data Security Standard (PCI DSS) is possibly one of the most critical, but also least publicised and least understood, industry standards in existence. The purpose of this article is to give a brief overview of PCI DSS and explain how it applies to your organisation.
A short history
The major card brands (Visa, Mastercard, American Express, Discover and JCB) have always had security programmes which they expected their merchants to adhere to. In 2004, the five brands combined their separate programmes into a single, international standard which applies to every organisation that accepts card payments, and to the service providers that handle card data on their behalf. That includes your organisation!
The standard is administered by the PCI Security Standards Council (PCI SSC), which was formed by the five brands in 2006. Other organisations can register as Participating Organizations, which gives them input into the development and evolution of the standard, including through Special Interest Groups.
The first version of the PCI DSS was released in 2004. Since then there have been seven updates to the standard, each reflecting changes in security best practice. Originally, updates were released every two years, but more recently the PCI SSC has released updates more frequently, reflecting the rapidly changing threat landscape.
The purpose of PCI DSS is to protect cardholders' account data by setting a baseline of security controls that every merchant must meet or exceed. The standard is maintained by the PCI SSC with input from its Participating Organizations, and is designed to minimise the risk of data theft in most scenarios. It is a floor, not a ceiling: meeting it does not guarantee that an environment is secure.
What is in the standard?
The PCI DSS sets out the security requirements that merchants, and the service providers that handle card data for them, must comply with to protect cardholder data. The standard has evolved over the years, but the same six goals have applied across all versions:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy.
Under these six goals the standard sets out 12 numbered requirements, each broken into sub-requirements with testing procedures, to guide merchants' compliance activities.
How is compliance assessed?
The card brands allow lower-risk merchants to assess their own compliance, and require higher-risk merchants to arrange an on-site assessment by a Qualified Security Assessor (QSA) each year. Compliance is enforced through the merchant's acquiring bank (acquirer), not by the PCI SSC itself.
The type of assessment to be completed is determined by:
- The number of transactions the merchant processes each year. This places the merchant in one of four levels and determines whether it may self-assess or must engage a QSA.
- The way the merchant accepts card payments. This determines which Self-Assessment Questionnaire (SAQ) the merchant is eligible to complete.
Levels
Merchants are classified into levels based on their annual transaction volume. Each card brand defines its own levels; the Mastercard definitions are given below, and the Visa thresholds are broadly aligned with them.
- Level 1: more than six million combined Mastercard and Maestro transactions annually, or meets the Visa Level 1 criteria, or has been identified by Mastercard as required to meet Level 1 requirements. A merchant that has suffered a breach of account data is also classified as Level 1.
- Level 2: between one million and six million combined Mastercard and Maestro transactions annually, or meets the Visa Level 2 criteria.
- Level 3: between 20,000 and one million combined Mastercard and Maestro e-commerce transactions annually, or meets the Visa Level 3 criteria.
- Level 4: all other merchants.
Level 1 merchants must have an on-site assessment every year, performed by a Qualified Security Assessor (QSA), which is documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC).
Level 2 merchants may arrange a QSA assessment or may self-assess. Level 3 and 4 merchants may self-assess. Whichever route is taken, the result is reported to the merchant's acquirer.
Merchants whose in-scope environment includes Internet-facing systems (those completing SAQ A-EP, B-IP, C or D) must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV); merchants completing SAQ A, B, C-VT or P2PE are not required to. The ASV scans the merchant's public-facing IP addresses from the Internet and issues a report of any vulnerabilities found. Under the ASV Program Guide a scan passes only if no vulnerability with a CVSS base score of 4.0 or higher remains unresolved, so findings must be fixed and rescanned until a clean report is obtained.
Self-Assessment Questionnaires
In recognition of the fact that different ways of accepting payments carry different levels of risk, the PCI DSS requirements are packaged into a family of Self-Assessment Questionnaires (SAQs), each containing only the requirements relevant to a particular payment channel. Broadly:
- SAQ D is the most extensive SAQ and includes all the PCI DSS requirements and sub-requirements.
- SAQ A is the simplest SAQ. It includes four of the 12 requirements and 25 sub-requirements.
Merchants must complete the SAQ that matches how they accept payments; the eligibility criteria are listed at the front of each SAQ.
- Merchants who have fully outsourced all handling of cardholder data to PCI DSS compliant third parties, and who do not store, process or transmit cardholder data electronically on their own systems or premises, may complete SAQ A. For e-commerce this covers sites that hand the customer to the payment provider through a full redirect or a provider-hosted iframe. E-commerce merchants whose own website affects the security of the payment (for example, a payment page or script served from the merchant's server that collects card data and posts it directly to the processor) must instead complete SAQ A-EP.
- Card-present merchants using only imprint machines or standalone dial-out terminals may complete SAQ B; those using standalone PTS-approved terminals that connect to the processor over IP may complete SAQ B-IP. Both require that no cardholder data is stored electronically. A merchant using a P2PE solution listed by the PCI SSC may complete SAQ P2PE.
- Merchants who key transactions in one at a time through a virtual terminal hosted by a PCI DSS compliant third party, from a workstation that does not store card data, may complete SAQ C-VT. Merchants whose payment application system is connected to the Internet but does not store cardholder data electronically may complete SAQ C.
- Merchants who do not fit any of the above, including any who store cardholder data electronically on their own systems, must complete SAQ D. A separate version, SAQ D for Service Providers, applies to service providers that are eligible to self-assess.
How does this affect me?
If you accept card payments, you must complete the appropriate SAQ (or undergo a QSA assessment) and meet every requirement that applies to you. If your organisation does not meet a requirement, your acquirer will usually give you some time to remediate it.
However, if your organisation continues to fall short of the PCI DSS requirements, your acquirer may decide that your organisation is too high a risk. It may pass on fines from the card brands, or terminate your merchant agreement, effectively preventing you from accepting card payments.