While data breaches did not always receive the level of attention they garner today, they presented pressing problems to both businesses and credit card companies as far back as the 1990s.
Although the card providers had made attempts to resolve these issues on their own, it was not until December of 2004 that industry leaders released a cooperative assessment tool. Known as the Payment Card Industry Data Security Standard (PCI DSS), it is now globally recognized. Compliance with its provisions is required for all entities that process electronic payments.
PCI DSS Requirements
PCI standards apply to all users and system elements involved in the cardholder data environment (CDE). There are 12 main compliance requirements that every business must meet:
- Protect cardholder data with a firewall that you regularly maintain.
- Change system defaults for all software and security systems.
- Implement procedures to safeguard the cardholder data you store.
- When transmitting data across open, public networks, have mechanisms in place to encrypt it.
- Protect your systems against malware and viruses with appropriate, effective software and security strategies.
- Develop and implement systems and applications that are secure.
- Restrict access to cardholder data on a need-to-know basis.
- Implement measures to authenticate the identities of all users accessing your systems and information.
- Put physical mechanisms in place to restrict unauthorized access to data.
- Monitor and log all access to systems and data.
- Conduct regular tests of your security processes and systems.
- Write and maintain a comprehensive information security policy.
During the compliance process, each of these requirements must be described in terms of how it is defined, how it will be tested and its objectives.
PCI Compliance Levels
Complying with PCI DSS is not a one-size-fits-all proposition. There are four different compliance levels, each with its own set of conditions. They include the following:
- Level 1. Businesses that process over 6 million transactions annually. Because of their size and volume of transactions, organizations in this category must meet additional security requirements, e.g., a full on-site assessment by a Qualified Security Assessor and the completion of a Report on Compliance showing that they are adhering to credit card security measures.
- Level 2. Medium to large organizations that process between 1 and 6 million payments. They must conduct an annual PCI self-assessment.
- Level 3. Medium to small businesses that process between 20,000 and 1 million transactions. A PCI self-assessment must be conducted annually, and a quarterly scan must be performed by a Qualified Scanning Vendor.
- Level 4. Smaller entities that process fewer than 20,000 payments. While these companies must remain PCI compliant at all times, they are not required to file reports.
Clearly, the large corporations that qualify as level 1 entities possess systems environments and protective measures that are infinitely more complex than those of their smaller counterparts. As a result, it stands to reason that a PCI DSS compliance assessment for a level 1 firm would take much longer than would a much simpler compliance evaluation for a level 3 or 4 company.
Adhering to the many requirements of PCI DSS is a complex process that means different things to different companies. In all cases, however, one fact remains true: avoiding the assessment is a bad idea that can lead to heavy fines and could even cause your company to be barred from accepting electronic payments. In terms of time, the PCI compliance process can last anywhere from one day to two weeks depending on the complexity of your systems, the size of your company, and how long you take to complete the self-assessment.
Once you have done so, you will go through a PCI compliance scan and send the results to your merchant bank, which passes them on to the Payment Card Industry. While compliance may seem like just one more unnecessary bureaucratic ordeal, the data protection and assurance it provides to you and your customers are worth their weight in gold.