PCI Compliance: To Whom Are You Compliant?
by Sean Kramer, President and CEO of Element Payment Services
A few years ago, in response to a growing number of data security breaches, the major credit card brands formed the Payment Card Industry Security Standards Council (PCI SSC). Since then the PCI SSC has developed a set of security requirements for all businesses that handle payment cards.
The three major standards are the Payment Card Industry Data Security Standard (PCI DSS), for merchants and processors, the Payment Application Data Security Standard (PA-DSS), for software developers and integrators, and PIN Transaction Security (PTS), for manufacturers.
One of the most frequent points of confusion around PCI compliance is to whom merchants, software developers and manufacturers are actually compliant. And while the answer is simple, the process can feel quite complex.
Even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by each individual payment card brand - Visa, MasterCard, American Express, Discover and JCB International. Each card brand has its own cardholder data security program and its own deadlines for validating compliance:
- Visa Cardholder Information Security Program (CISP)
- Mastercard Site Data Protection (SDP) Program
- American Express Data Security
- Discover Information Security & Compliance (DISC)
- JCB International
To become compliant, first become familiar with the standard that applies to you, whether it is the PCI DSS, PA-DSS or PTS, on the PCI SSC Web site. Next, visit each payment card brand's site and determine which compliance level you fall under. Each brand defines its own levels and its own criteria for each level. For instance, American Express has three merchant compliance levels, while Discover, Visa and MasterCard each have four.
Depending on your level, the data security program requirements you will need to fulfill for each payment card brand may differ. To give you a general idea of what you would need to do as a merchant to comply with Visa's CISP program, here are Visa's PCI requirements for merchants:
- Level 1 Merchants
  - Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  - Quarterly network scan by an Approved Scanning Vendor (ASV)
  - Attestation of Compliance Form
- Level 2 and 3 Merchants
  - Annual Self-Assessment Questionnaire (SAQ)
  - Quarterly network scan by an ASV
  - Attestation of Compliance Form
- Level 4 Merchants
  - Annual SAQ recommended
  - Quarterly network scan by an ASV, if applicable
  - Compliance validation requirements set by the acquirer
Read the steps to validation for each card brand carefully. In most cases, and almost always for merchants, validation documents go to your acquirer; in other cases they must be sent directly to the payment card brand.
Stick to this process — of really drilling down into each payment card brand's data security program and the requirements of each — and the path to compliance will become a little clearer.
Sean Kramer is the President and CEO of Element Payment Services and has years of experience in the payment processing industry. Element Payment Services provides secure, reliable and innovative payment processing solutions directly to merchants through partnership with leading business management software providers.