Demystifying PCI DSS standards: Myths and merchant responsibilities
If you accept credit cards, you should be familiar with PCI DSS. For the uninitiated, "PCI DSS" stands for the Payment Card Industry Data Security Standard, and it's important for business owners to understand what the standard requires of them.
Merchants are prime targets for fraud and data compromise, and PCI DSS exists to ensure merchants are doing everything they can to protect cardholder data and reduce the risk of fraudulent payments. You might have questions about the standard, including what it covers and how to remain compliant.
Let's get to it.
What is PCI DSS?
PCI DSS is a set of security requirements for any organization that stores, processes or transmits cardholder data, with the aim of protecting that data and reducing credit card fraud. It applies to merchants and to the service providers that handle card data on their behalf; the PCI SSC maintains separate, related standards for payment software and payment devices.
What are the requirements?
There are 12 requirements, each broken down into detailed sub-requirements, grouped under the following 6 goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What is the PCI SSC?
This refers to the PCI Security Standards Council, the organization that develops and maintains PCI DSS. The council itself does not enforce the standard; enforcement falls to the card brands that founded it (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.), working through the acquiring banks that hold merchant accounts.
How do I become compliant?
According to the PCI SSC, becoming compliant is a three-step process:
Step 1: Assessment. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
Step 2: Remediation. Fixing vulnerabilities and eliminating the storage of unprotected cardholder data.
Step 3: Reporting. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
How do I know if I'm compliant?
There are a few ways to confirm compliance. The first is to engage a Qualified Security Assessor (QSA), who audits your environment and procedures against the standard, or an Approved Scanning Vendor (ASV), which runs the quarterly external vulnerability scans the standard requires against your internet-facing systems. The PCI SSC publishes lists of approved QSAs and ASVs to get you started.
Another option is to perform a self-evaluation. The PCI SSC offers Self-Assessment Questionnaires (SAQs), with different versions depending on how you accept cards (for example, whether all card handling is outsourced to a third party or you run your own e-commerce checkout), to help you understand where you're compliant and where you might need additional support.
Do I have to validate my compliance?
While every merchant that processes, stores or transmits cardholder data must comply with PCI DSS, not every merchant has to validate compliance in the same way. The card brands set their own rules about which "level" a merchant falls into, based mainly on the number of transactions the merchant processes per year (a merchant that has suffered a breach can also be assigned to a higher level). The highest level requires an annual on-site assessment by a QSA and a formal Report on Compliance, while lower levels can usually validate with a self-assessment questionnaire. You can find more information on validation requirements with the following card brands:
What if I don't comply?
PCI DSS compliance isn't required by federal law, but some states have laws on the books that refer to the standard, and the merchant agreement with your acquiring bank will require it contractually. Merchants that do not comply can face fines from the card brands (passed down through the acquirer), higher transaction fees or even loss of the ability to accept cards, and can be held liable for the resulting costs if their cardholder data is compromised.
If you still have questions about PCI DSS requirements, be sure to check out the council's PCI DSS Quick Reference Guide for more information.