Learn about PCI Compliance

What is PCI Compliance?

PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is a standard, administered by the PCI Security Standards Council (PCI SSC) and backed by the major card brands, that gives merchants and service providers a single set of requirements for protecting cardholder data. Its purpose is to reduce payment card fraud and the data breaches that feed it.

When did PCI compliance start?

The five major card brands (American Express, Discover Financial Services, JCB International, Mastercard and Visa) introduced PCI DSS 1.0 in December 2004, replacing their separate brand-specific security programs, and founded the PCI Security Standards Council in 2006 to maintain the standard.

Who is subject to PCI compliance?

Any business that stores, processes or transmits cardholder data must meet the PCI DSS, which is organized into 12 high-level requirements broken down into several hundred detailed sub-requirements (the exact count varies by version). A business that never touches card data itself, for example because a hosted payment page or a tokenization provider handles it, has a much smaller scope: fewer requirements apply and it can usually validate with a shorter Self-Assessment Questionnaire such as SAQ A.

How to become PCI Compliant?

To become PCI compliant, you must meet the 12 PCI DSS requirements, each of which is broken down into detailed sub-requirements, and then validate that fact every year, either by self-assessment or by an assessment performed by a Qualified Security Assessor, depending on your merchant level. The requirements cover technical controls, organizational processes, testing and policies that together protect cardholder data.

PCI Compliance Audit

A PCI compliance audit (formally, an assessment) is the periodic review required of merchants that process payment card transactions to confirm that they comply with the Payment Card Industry Data Security Standard (PCI DSS) set up by the card brands. Large merchants undergo an annual on-site assessment by a Qualified Security Assessor; smaller ones self-assess. A suspected compromise of cardholder data can additionally trigger a forensic investigation by a PCI Forensic Investigator (PFI) and a more stringent assessment afterwards.

See how VGS can help you with audits.

PCI DSS compliance checklist

PCI DSS sets out a baseline of twelve (12) technical and operational requirements; every compliance assessment, whether a self-assessment or a QSA-led one, validates an organization against them.

  1. Protect cardholder data with a firewall
  2. Change vendor-supplied default passwords and parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
  5. Defend against malware and keep antivirus up-to-date
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Monitor access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain an information security policy for all personnel

See the official quick reference guide for PCI DSS v3.2.1. Note that v3.2.1 was retired on 31 March 2024 and superseded by PCI DSS v4.0, which keeps the same 12 high-level requirements but reorganizes and adds to the sub-requirements beneath them.
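The checklist above names requirement 3 (protect stored cardholder data) and requirement 10 (monitor access to cardholder data) without showing what they look like in code. The following is an added example, not code from the original page or from VGS, of three controls a payment service typically implements for them: masking a PAN for display (PCI DSS v3.2.1 requirement 3.3 allows at most the first six and last four digits to be shown), stripping sensitive authentication data (CVV/CVC, track data, PIN) and replacing the PAN with a masked form plus a keyed hash before a record is persisted (requirement 3.2 and 3.4), and scanning application logs for unmasked PANs with the Luhn check so that a debug statement leaking card numbers is caught. The log lines, the payment record and the HMAC key are constructed for the example; in production the key comes from a key-management system, never from source code.

```python
"""Added example of PCI DSS requirement 3 controls in code (not from the original page).
All data below (log lines, record, key) is constructed for illustration."""
import hashlib
import hmac
import re

# Hypothetical key for the example only; a real deployment fetches it from a KMS/HSM.
EXAMPLE_HMAC_KEY = b"example-key-do-not-hardcode-in-production"

# Field names that hold sensitive authentication data (SAD); PCI DSS forbids
# storing any of these after authorization, even encrypted.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn mod-10 check used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep first six and last four, replace the rest (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict, hmac_key: bytes) -> dict:
    """Return the only form of a payment record that may be persisted.

    Drops SAD fields, replaces the full PAN with a masked copy for display and a
    keyed hash for lookups. A keyed hash (HMAC) rather than a plain SHA-256 is used
    because a truncated PAN plus an unkeyed hash can be brute-forced back to the
    full PAN, which PCI DSS 3.4 explicitly warns against.
    """
    safe = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    digits = re.sub(r"\D", "", str(record["pan"]))
    safe["pan_masked"] = mask_pan(digits)
    safe["pan_hmac"] = hmac.new(hmac_key, digits.encode(), hashlib.sha256).hexdigest()
    del safe["pan"]
    return safe


def find_unmasked_pans(log_lines):
    """Return (line_number, pan) pairs for every Luhn-valid 13-19 digit run in the logs.

    The Luhn filter keeps ordinary 16-digit identifiers (order numbers, timestamps)
    from being reported; masked PANs never contain a 13-digit run, so they pass.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((n, digits))
    return hits


# Constructed log lines for the example; line 2 and line 4 leak real-looking PANs.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z INFO  checkout order=1234567890123456 amount=19.99",
    "2024-05-01T10:00:02Z DEBUG gateway request pan=4111111111111111 exp=12/29",
    "2024-05-01T10:00:03Z INFO  stored pan_masked=411111******1111",
    "2024-05-01T10:00:04Z DEBUG retry card 5555 5555 5555 4444 declined",
]

if __name__ == "__main__":
    record = {"pan": "4111 1111 1111 1111", "cvv": "123", "exp": "12/29", "amount": 1999}
    print(sanitize_for_storage(record, EXAMPLE_HMAC_KEY))
    for n, pan in find_unmasked_pans(SAMPLE_LOG_LINES):
        print(f"line {n}: unmasked PAN found, should have been {mask_pan(pan)}")
```

The two test card numbers used in the constructed data are the well-known Visa and Mastercard test PANs; the order number on line 1 fails the Luhn check and is therefore not reported, which is the point of filtering rather than matching on digit count alone. In a real deployment the log scan runs over log shipping output or a SIEM search rather than an in-memory list, but the detection logic is the same.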

What happens if you fail PCI Compliance?

When a merchant signs an agreement with an acquiring bank or payment processor, it agrees to comply with the PCI DSS and to bear the consequences of failing to do so. The card brands levy non-compliance fines on the acquirer, not on the merchant directly, and the acquirer passes those fines through to the merchant under the merchant agreement; the acquirer and the card brands will not absorb the cost of a merchant's negligence. Penalties vary by acquirer and are larger for merchants with higher payment volumes. Commonly quoted figures run from $5,000 to $10,000 per month for ongoing non-compliance, and the acquirer can also raise transaction fees or terminate the merchant's ability to accept cards.

Who enforces PCI compliance?

PCI compliance is enforced by the card brands and by acquiring banks through their merchant agreements, not by the PCI SSC, which maintains the standard and qualifies assessors and scanning vendors. Compliance validation is the process of confirming that the controls and procedures required by PCI DSS have actually been implemented. The main roles and documents in a PCI DSS assessment are:

  • Qualified Security Assessor (QSA): an independent company, qualified by the PCI SSC, that performs on-site assessments
  • Internal Security Assessor (ISA): an employee trained and qualified by the PCI SSC to assess their own organization
  • Report on Compliance (ROC): the detailed assessment report produced for entities that are not eligible to self-assess
  • Self-Assessment Questionnaire (SAQ): the validation form for entities that are eligible to assess themselves
  • Attestation of Compliance (AOC): the signed summary that accompanies a ROC or SAQ and is what the acquirer actually receives

Who certifies PCI compliance?

Strictly speaking, nobody "certifies" PCI compliance: an assessor validates it and the acquiring bank accepts the result. For large merchants and service providers the validation is done by a Qualified Security Assessor (QSA), an independent company qualified by the PCI SSC, which produces the Report on Compliance. An Internal Security Assessor (ISA) is an employee who has completed the PCI SSC's ISA training and qualification on behalf of a sponsoring organization. An ISA may perform internal assessments of that organization and complete its self-assessment; the ISA program was created to help Level 2 merchants meet Mastercard's compliance validation requirements, which call for the annual SAQ to be completed by ISA-trained staff or a QSA. Because the sponsoring organization backs the ISA's qualification, ISAs are also expected to cooperate with and support QSAs during external assessments.

PCI vulnerability scan

PCI scans are automated vulnerability scans run against the systems and IT infrastructure of a merchant, service provider, payment gateway or third-party payment processor. The scanner probes networks, web applications, operating systems, services and devices to identify weaknesses, such as missing patches, weak TLS configurations or exposed services, that an attacker could leverage to get into the cardholder data environment.

PCI DSS (requirement 11.2 in v3.2.1) mandates two kinds of vulnerability scanning, each run at least quarterly and again after any significant change: internal scans of the cardholder data environment, which qualified staff may run with any suitable scanner, and external scans of internet-facing systems, which must be performed by a PCI SSC Approved Scanning Vendor (ASV). Both produce a report of the vulnerabilities found, with references for further research and remediation guidance. An external ASV scan only passes when no vulnerability with a CVSS base score of 4.0 or higher remains, so findings must be fixed and rescanned until a clean quarterly report is obtained.

See how VGS can help you with PCI vulnerability scans.

PCI Compliance Levels

PCI Level 1 Compliance

Simply stated, PCI DSS Level 1 is the tier of merchants and service providers that must validate compliance in the most rigorous way, because their volume makes them the most attractive targets.

The highest compliance level, PCI DSS Level 1, covers any merchant that processes more than 6 million Visa transactions per year across all channels. Visa may also, at its discretion, designate any merchant as Level 1 to minimize risk to the payment system.

PCI Compliance Level 1 is one of four merchant compliance levels and two service provider compliance levels established to protect credit card and cardholder data in e-commerce and in-store transactions.

A "Level 1" merchant is one that processes at least 1 million, 2.5 million or 6 million transactions per year, depending on which card brands it accepts. These levels are defined by the individual card brands, not by the PCI DSS document itself, and Level 1 is the highest and most stringent.

Merchants and service providers that suffer a breach or cyberattack resulting in the compromise of cardholder data can be escalated to Level 1 by the card brands, regardless of their transaction volume.

PCI Level 1 Requirements

PCI Merchant Level 1 criteria depend on the merchant’s accepted brands of payment or credit cards:

  • Visa, Mastercard and Discover classify as Level 1 any merchant that processes more than 6 million transactions per year.
  • Level 1 requires at least 2.5 million transactions per year from American Express.
  • Level 1 of JCB starts with 1 million credit card transactions per year.

Level 1 is the highest level of compliance and applies to merchants that process more than 6 million Visa transactions per year (all channels combined), or any merchant that has suffered a data breach resulting in the compromise of cardholder data. The 12 PCI DSS requirements are the same at every level; what distinguishes Level 1 is how compliance must be validated. A Level 1 merchant must:

  • Undergo an annual on-site assessment by a PCI SSC-qualified Qualified Security Assessor (QSA) instead of self-assessing.
  • Submit the resulting Report on Compliance (ROC) and signed Attestation of Compliance to its acquiring bank, which reports to the card brands.
  • Maintain a formal, tested incident response plan (requirement 12.10, which in fact applies at every level).
  • Conduct annual and post-change penetration tests of the cardholder data environment (requirement 11.3, which also applies at every level).

In addition, Level 1 merchants, like merchants at every other level, must pass quarterly external network scans by a PCI SSC Approved Scanning Vendor (ASV). These scans are designed to detect vulnerabilities in the merchant's internet-facing systems that could be exploited by attackers to gain access to cardholder data.

Merchants aren't the only entities that need to be PCI compliant. Service providers, meaning payment gateways, processors, hosting providers and anyone else that stores, processes or transmits cardholder data on a merchant's behalf or can affect its security, must also demonstrate ongoing compliance and protect their cardholder data environments against breach.

PCI Level 2 Compliance

Payment Card Industry Data Security Standard (PCI DSS) Level 2 merchants are those that process between 1 and 6 million Visa, Mastercard or Discover transactions per year; 50,000 to 2.5 million American Express transactions; or fewer than 1 million JCB International transactions.

Service providers, meaning entities that process card payments for merchants and their financial institutions (the "acquiring banks") or that handle card and cardholder data in some other capacity, such as hosting or data destruction, qualify as PCI Compliance Level 2 if they process, store or transmit fewer than 300,000 card transactions annually.

PCI Level 2 Requirements

Compliance verification requirements for PCI DSS level 2 merchants are as follows:

  • Annual Self-Assessment Questionnaire (Mastercard requires it to be completed by ISA-trained staff or a QSA)
  • Quarterly external network scan by a PCI SSC Approved Scanning Vendor
  • Signed Attestation of Compliance (AOC) submitted to the acquiring bank

The compliance criteria for PCI DSS level 2 service providers are as follows:

  • Process, store, or transmit less than 300,000 credit card transactions per year

Compliance verification requirements for PCI DSS level 2 service providers are as follows:

  • Annual Self-Assessment Questionnaire (SAQ D for service providers)
  • Quarterly external network scan by a PCI SSC Approved Scanning Vendor
  • Annual penetration test of the cardholder data environment
  • Quarterly internal vulnerability scanning
  • Signed Attestation of Compliance (AOC) submitted to the acquiring bank or the card brands

PCI Level 3 Compliance

PCI DSS compliance Level 3 applies to mid-sized merchants, generally speaking, that process 20,000 to 1 million credit card transactions per year. However, as with all PCI compliance levels, the exact number of transactions that qualify a merchant for PCI Level 3 is highly dependent on which credit cards the merchant accepts. Also, for PCI Level 3, the number of e-commerce transactions versus in-store transactions is essential.

PCI Level 3 Requirements

Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria:

  • Processes 20,000 to 1 million Visa e-commerce transactions per year
  • Processes 20,000 or more Mastercard e-commerce transactions per year but no more than 1 million total Mastercard transactions per year
  • Processes 20,000 to 1 million Discover card-not-present (e-commerce) transactions per year
  • Processes fewer than 50,000 American Express transactions per year

Note that card provider JCB does not have Level 3. All sellers who process less than 1 million JCB transactions per year qualify as Level 2 merchants.

Level 3 is the second-lowest of the four merchant levels (only Level 4 is lower) and applies to merchants that process between 20,000 and 1 million Visa e-commerce transactions per year. The 12 PCI DSS requirements themselves are the same at every level; what changes is how compliance is validated. A Level 3 merchant validates the same way a Level 2 merchant does:

  • Complete the annual Self-Assessment Questionnaire that matches how cards are accepted (for example SAQ A for a fully outsourced e-commerce checkout, SAQ D when cardholder data is stored).
  • Pass quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV).
  • Submit the signed Attestation of Compliance (AOC) to the acquiring bank.

Because Level 3 is defined by e-commerce volume, requirement 4 (encrypt transmission of cardholder data across open, public networks) deserves particular attention:

  • Use strong cryptography, meaning current TLS with SSL and early TLS disabled, for any transmission of cardholder data over the internet.
  • Wireless networks that carry cardholder data or connect to the cardholder data environment must use strong encryption for authentication and transmission, for example WPA2; WEP is explicitly prohibited.

The quarterly ASV scans are designed to detect vulnerabilities in the merchant's internet-facing systems that could be exploited by attackers to gain access to cardholder data.

It's important to note that these validation steps are the minimum. Depending on the specific nature of a company's business and the types of transactions it processes, the acquiring bank may require additional security measures or a QSA-led assessment.

PCI Level 4 Compliance

PCI Compliance Level 4 is the lowest compliance level under the Payment Card Industry Data Security Standard (PCI DSS). PCI Level 4 applies to merchants who process fewer than 20,000 Visa or Mastercard e-commerce transactions per year or a total of up to 1 million Visa or Mastercard credit card transactions and are not subject to a data breach or hack that compromises card or cardholder data.

Neither Discover, American Express nor JCB has a PCI Level 4 designation. Discover and American Express stop at Level 3; JCB has only two merchant levels.

PCI Level 4 Requirements

Level 4 is the lowest level of compliance and applies to merchants that process fewer than 20,000 Visa e-commerce transactions per year and up to 1 million Visa transactions in total. Validation requirements for Level 4 merchants are set by the merchant's acquiring bank, typically an annual SAQ and quarterly ASV scans where internet-facing systems are in scope. The controls a Level 4 merchant must have in place are the same 12 requirements that apply at every level:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security for all personnel.

It's important to note that these requirements are just the minimum required for PCI DSS Level 4 compliance. Depending on the specific nature of a company's business and the types of transactions it processes, additional security measures may be necessary.

PCI Level 4 self assessment

As a business that accepts payment cards and is eligible to self-assess, you will be required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) each year to validate your compliance. Which SAQ you fill in depends on how you accept cards: for example SAQ A for merchants whose e-commerce checkout is fully outsourced to a validated third party, SAQ B for imprint-only or standalone dial-out terminals, SAQ C for payment applications connected to the internet, and SAQ D for everyone else, including any merchant that stores cardholder data electronically.

To complete a PCI DSS Level 4 self assessment, your business will need to follow these steps:

  • Review the PCI DSS requirements: Identify the SAQ type you are eligible for and familiarize yourself with the requirements it covers. The SAQ instructions and the full PCI DSS are published on the PCI Security Standards Council website.
  • Gather documentation: You will need evidence that your business meets each applicable requirement. This typically includes network and data-flow diagrams showing where cardholder data travels, written policies and procedures, and documentation of controls such as firewall rule sets, anti-malware deployment and access control lists.
  • Complete the self-assessment questionnaire: Answer each SAQ question ("in place", "not in place", or "not applicable" with a justification) for your cardholder data environment. The SAQ forms are available on the PCI Security Standards Council website.
  • Review the results of the self-assessment: Once you have completed the SAQ, review any "not in place" answers to determine what your business must change. Every gap has to be remediated and the answer updated before you can attest; there is no partial compliance.
  • Attest to your compliance: Once the SAQ is complete and all gaps are closed, an officer of the business signs the Attestation of Compliance (AOC) that accompanies the SAQ and submits it, together with passing ASV scan reports where required, to your acquiring bank.

It's important to note that self-assessment is just one step in the PCI DSS compliance process. Depending on the specific nature of your business and the types of transactions you process, you may also need to undergo a more formal assessment by a PCI SSC-approved Qualified Security Assessor (QSA).

When do I need PCI compliance?

Is PCI compliance required by law?

There is no general statutory mandate that requires PCI compliance. The obligation is contractual: the card brands impose it on acquiring banks, which pass it on to merchants and service providers in their agreements, and fines, higher fees or loss of the ability to accept cards follow non-compliance. A few US states (for example Nevada and Minnesota) have nonetheless written parts of the standard, or its rules on retaining sensitive authentication data, into law.

Is PCI compliance international?

The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards.

Who needs PCI compliance?

In general, PCI compliance is required by the card brands and acquiring banks to protect cardholder data and reduce card fraud. Any merchant or service provider that processes, stores or transmits cardholder data is required to be PCI compliant, according to the PCI Security Standards Council.