The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network setup, software design, and other protective measures.The PCI Security Standards Council (PCI SSC) is a forum comprised of members from each of the card companies. The PCI DSS provides a common standard with which the payment industry must adhere.
Merchants Choice LLC. would like to remind our customers, you must meet the requirements of PCI DSS by properly safeguarding cardholder data. It is critical your business adheres to the security requirements to ensure the highest standard of care to help keep sensitive cardholder data from hackers and fraudsters. The following highlights the 12 main standards (please refer to the PCI SSC for complete requirements):
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software`
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
All businesses will fall into one of four levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa, MasterCard and Discover transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA). In cases where a corporation has more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity will be used to determine the validation level. Other restrictions and conditions may apply. Merchant levels are defined as:
Any business-regardless of acceptance channel-processing over 6,000,000 Visa© or MasterCard© transactions per year.
Any business, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
Any business processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year.
Any business processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other businesses, regardless of acceptance channel, processing up to 1,000,000 Visa or MasterCard transactions per year.
*Subject to change at any time by the card associations or PCI DSS council.
**Any business involved in an account-data compromise breach may be escalated to a higher validation level
Compliance Documentation Defined
QSA - Qualified Security Assessor. QSAs are certified by the PCI SSC. A QSA serves as an advisor to businesses seeking or maintaining compliance with the PCI DSS. Merchants Choice LLC. customers can work with Trustwave. Approved QSAs are listed on the PCI SSC web site.
ASV - Approved Scanning Vendor. ASVs are certified by the PCI SSC. ASVs complete the required quarterly network scans and serve as advisors on achieving compliance. Approved ASVs are listed on the PCI SSC web site.
ROC - Report on Compliance. Level 1 businesses must submit a ROC annually completed by a QSA.
SAQ - Self-Assessment Questionnaire. Annual SAQs must be submitted by businesses not required to submit a ROC.
Quarterly Vulnerability Scans - Scans must be done quarterly by either a QSA or ASV.
CORA - Confirmation of Report Accuracy. Required annually for Level 1, 2 and 3 businesses.
Businesses using a vendor, payment application or third party software and/or hardware are required to use only compliant payment applications. For a list of compliant service providers visit the PCI DSS council web site.
Each card association and the PCI DSS provide educational programs including brochures and webinars on their web sites and lists of compliant service providers.
Additional information is available at:
In the event of a security incident, please contact Merchants Choice LLC. immediately. Members, businesses and service providers must take immediate action to investigate the incident, limit the exposure of cardholder data, and notify the card associations to report investigation findings. Guides are available to assist in the event of a breach at the web sites listed above.
Disclaimer: This document contains a compilation of information received from various sources. This information is presented solely for the convenience of the reader and should not be used as a substitute for your own research and reference to actual regulations and/or other official documents, or as a substitute for consulting your legal advisor. Merchants Choice LLC. and its parents and affiliates are not responsible for inaccurate, outdated, or incomplete information. All information contained herein is subject to change.
Learn about the Payment Card Industry Data Security Standard (PCI DSS), a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The speaker is Ward Spangenberg, Delivery Director at IOActive.
A former waiter at a Country Club Plaza restaurant has been indicted on charges of credit card fraud and identity theft. more info