The Payment Card Industry Data Security Standard (PCI DSS) is designed to help organizations protect their customer’s credit and debit card data. Businesses are held accountable for PCI compliance and must pay heavy fines if they don't meet the standards. This article offers basic PCI DSS information to help you answer the question, "Do I have to be PCI compliant?".
The PCI DSS is a standard developed and maintained by the PCI Security Standards Council. PCI DSS specifies the security controls that an organization needs to implement to protect cardholder data.
The PCI DSS standard is designed to protect the account information of credit and debit card users. For this reason, the standard applies to any organization that processes, stores, or transmits cardholder data and to any organization that can affect the security of that data.
If your organization accepts cardholder data, you are responsible for ensuring that the data is protected by the necessary security controls throughout its entire lifecycle.
This includes ensuring that any vendors that process, store, or transmit data collected by you or vendors that can affect the security of that data are doing so in compliance with the PCI DSS standards.
Related Reading: Remaining PCI Compliant While Reopening Following COVID-19
There are four merchant levels of PCI compliance as mandated by the payment card brands largely based on credit card processing volume. They are as follows:
Merchants accepting mostly EMV chip-enabled payment cards may be assigned a special merchant level.
Service Providers are organizations that process, store or transmit cardholder data on behalf of a merchant or that can affect the security of the merchant’s handling of cardholder data. Service providers are also categorized into one of two compliance levels.
Special Note: Payment brands may require that a merchant or service provider report as level 1, especially if a breach has previously occurred.
We cannot stress enough: A company’s compliance level significantly affects how its security must be accessed. If you are unsure how your company should be assessed, you can contact Avertium for guidance.
PCI compliance reports come in two different types. The type of reports that your organization must complete is generally based upon the ways your organization processes cardholder data and the volume of card transactions processed each year.
However, this is at your merchant bank’s discretion and can change depending on several factors, including a company’s history of reporting compliance and the status of that reporting.
If your organization handles any payment card data or can affect the security of such handling (i.e. is subject to PCI DSS), then as a minimum you are required to complete an SAQ. The PCI Security Standards Council provides SAQs to help organizations determine the PCI DSS security controls with which they need to comply.
There are several different levels of SAQ labeled A through P2PE. SAQ A requires the fewest security controls to be implemented and SAQ D is the most stringent. An Attested SAQ requires a qualified security assessor to be involved.
The determination of which SAQ applies to your organization can be found here.
If your organization is a Level 1 merchant or service provider, you are required to complete a PCI DSS Report on Compliance (ROC). A payment card brand or your acquiring bank may instruct you to complete a ROC.
The reporting template for a ROC assessment is provided by the PCI Council and is a good starting point for determining the security controls required for your organization.
Qualified Security Assessor (QSA) is a designation conferred by the PCI Security Standards Council to professionals it deems qualified to perform PCI assessments and consulting services.
A person must meet specific information security education and experience requirements, have taken the appropriate training from the PCI Security Standards Council, and is an employee of a Qualified Security Assessor Company (QSA company) in order to perform PCI compliance assessments.
QSA training and certification are rigorous, designed by the PCI council to ensure deep knowledge and understanding of PCI compliance requirements to be able to carry these standards forward. QSAs must invest a significant number of training/learning hours each year and are tested annually by the Council to requalify as a QSA.
The PCI Council has also created the designation of Associate QSA (AQSA) to help meet the demand for PCI compliance professionals and to provide a path to enable QSA companies to develop new resources into fully qualified QSA employees. AQSAs are qualified by the Council to support QSA employees on PCI DSS assessments.
After determining that your organization is subject to the PCI DSS standard, the next step is determining the appropriate reporting type. The requirements vary between an SAQ and a ROC report and between the varying levels of SAQs. Understanding the exact requirements that your organization needs to meet to achieve PCI compliance is important for appropriate allocation of time and resources.
Avertium offers PCI compliance services to either assess your company or to help you determine, develop, and deploy the controls to keep your company secure and compliant. Our QSAs and AQSAs can assist you throughout the compliance process using their knowledge of PCI standards to apply controls to your business.