What Merchants Need to Know

The Payment Card Industry (PCI) Data Security Standard (DSS) is an important standard that all merchants who process, store, or transmit credit card information must achieve. Any merchant who has been issued a Merchant ID (MID) must become PCI compliant. Being PCI compliant ensures that the merchant is taking all the right measures to protect their clients’ credit card information by maintaining a secure environment.

PCI DSS requirements are managed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body created by the major credit card brands. The PCI SSC does not itself enforce PCI compliance; card acquirers and payment brands are responsible for enforcing data security compliance.

There are six core principles of PCI DSS:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Test and Monitor Networks
  • Maintain an Information Security Policy

Any merchant processing, storing, or transmitting credit card information must be PCI DSS compliant now. Ongoing PCI compliance validation is required for level 1-3 merchants, and may be required for some level 4 merchants. The total number of Visa transactions per year determines a merchant's level. Validation requirements include annual self-assessment questionnaires (SAQ), quarterly network scans by an approved scanning vendor (ASV), and attestation of compliance forms. A copy of the PCI self-assessment questionnaire and letter of attestation can be found at: https://www.pcisecuritystandards.org/saq/index.shtml

In addition to PCI DSS compliance validation, acquirers must ensure that their merchants, VNPs, and agents are compliant with the Payment Application Data Security Standard (PA-DSS). PA-DSS ensures that vendors are supplying software systems that are PCI DSS compliant and do not store sensitive cardholder data. PA-DSS was formerly known as Visa's Payment Application Best Practices (PABP).

Beginning July 1, 2010, merchants (new and existing) are required to use validated third-party payment applications. Failure to comply could result in fines from credit card associations, acquirers, or banks; it could also lead to merchant account termination and the inability to process credit cards. A list of PCI Security Standards Council validated payment applications can be found at: https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml.

PCI compliance requirements and validation are helping to keep consumers' personal credit card information secure. Merchants, payment application developers, acquirers, and banks are creating and maintaining secure environments, protecting their customers from data breaches and potential fraud.