The Payments 101 series explores PCI compliance, its overall requirements and what developers and their merchant customers should be aware of when choosing to accept card payments.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements for enhancing payment account data security. Developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the standard was designed to foster the broad adoption of consistent data security measures among organizations in the payments ecosystem, including merchants, service providers, financial institutions and payment application developers.
PCI Requirements
The PCI-DSS includes a combination of base principles and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures that apply to all entities that store, process, and/or transmit cardholder data.
The standard consists of twelve specific requirements organized into six groups called "control objectives": build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. For the authoritative text of the requirements, we encourage everyone to consult the PCI-SSC site directly.
Depending on its annual transaction volume, a merchant falls into one of four merchant levels (service providers fall into one of two service provider levels), and that level determines the type of validation required to demonstrate PCI compliance. The largest entities need an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), while smaller businesses may only need to complete an annual Self-Assessment Questionnaire (SAQ); depending on the SAQ type, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required. In either case, validation is a recurring annual obligation, not a one-time event. Be wary of potential partners who over-promise or whose programs do not reflect competency in PCI requirements.
It is important to note that the PCI-SSC does not itself enforce or certify PCI compliance. Merchants and service providers submit their validation (the ROC or SAQ, together with an Attestation of Compliance) to the acquiring bank and the card payment brands they do business with. A merchant that successfully demonstrates it meets all applicable requirements for the processing, storage, and transmission of cardholder data is deemed PCI compliant.
PCI compliance is not mandated by federal law, but several states have passed legislation that incorporates elements of the PCI-DSS, and compliance is a contractual obligation under the merchant agreement with the acquirer. If an entity fails to meet the requirements and cardholder data is compromised, it is subject to sizable fines from the payment brands, which are assessed on the acquiring bank and typically passed down to the merchant.
As you might suspect, how the software application a merchant uses to facilitate card transactions handles card data has a significant impact on which PCI requirements apply to the merchant and how much of its environment is in scope. With proper guidance and foresight, many requirements can be addressed within the application itself, for example by ensuring the full primary account number never touches systems the merchant operates. More on this when we explore the Payment Application Data Security Standard (PA-DSS). Readers should note that PA-DSS was retired in October 2022 and replaced by the PCI Software Security Framework.
If you have any questions about this Payments 101 topic or have a specific question, you can reach us by completing our Contact Us form.
Stay up to date with the conversation and sign up to follow the Payments 101 series and PaymentsAPI.com via Twitter, RSS or bookmark us. We look forward to hearing your thoughts.