Demystifying Credit Card Security for
Merchants (PCI Compliance)
Livermore, CA - January 21, 2010 - Credit card security is a never-ending battle. The number of hackers and thieves continues to increase each year. In order to battle the threats and reduce fraud, payment card companies continue to raise their security requirements. This is good news for those of us who use payment cards. The downside is that it is becoming more difficult for merchants to support the required security.
The PCI requirements provide "good business practices" for securing sensitive card information
when it is stored, processed and transmitted. There is no discrimination. The PCI requirements are
the same for merchants and the companies which provide hardware and software associated with
payment cards.
The PCI requirements are the same for everyone, but the required steps for validating PCI compliance differ between merchants, service providers, and vendors that license or sell hardware or software. This article covers the merchant requirements, and we will keep that focus.
The validation requirements for merchants are determined by the "Level" into which a merchant falls. In the eyes of the payment card industry there are four merchant levels. Visa, MasterCard, Amex and JPA have slight variations in determining a merchant level, so checking with your card provider is recommended.
To determine which merchant level you fall into, you need to know:
- The volume of transactions processed by each card, annually.
- The dollar amount of the transactions processed by each card, annually.
- The number of transactions processed through ecommerce, annually.
- The dollar amount of transactions processed through ecommerce, annually.
Once those factors are known you can determine the "level" and the respective validation requirements that apply to your business.
Level / VISA Annual Criteria / Validation Requirements (Validation Cost)

Level 1
  VISA Annual Criteria: Merchants processing over 6 million Visa transactions (all channels)
  Validation Requirements:
    * Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) -- $12,500 - $100k+
    * Quarterly network scan by an Approved Scanning Vendor (ASV) -- Free to $300 +++
    * Attestation of Compliance Form -- Free

Level 2
  VISA Annual Criteria: Merchants processing 1 million to 6 million Visa transactions (all channels)
  Validation Requirements:
    * Annual Self-Assessment Questionnaire (SAQ) -- Free
    * Quarterly network scan by ASV -- Free to $300 +++
    * Attestation of Compliance Form -- Free

Level 3
  VISA Annual Criteria: Merchants processing 20k to 1 million ecommerce transactions
  Validation Requirements:
    * Annual Self-Assessment Questionnaire (SAQ) -- Free
    * Quarterly network scan by ASV -- Free to $300 +++
    * Attestation of Compliance Form -- Free

Level 4
  VISA Annual Criteria: Merchants processing less than 20k Visa ecommerce transactions
  Validation Requirements:
    * Annual Self-Assessment Questionnaire (SAQ) (recommended) -- Free
    * Quarterly network scan by ASV, if applicable -- Free to $300 +++
Note: A merchant qualifying in the Level 4 category may be escalated to submit quarterly security scans if they
experience a breach that resulted in an account data compromise, even if they do not meet the annual volume of
required transactions.
It is worth repeating that we are all required to meet the PCI Security Requirements.
It is the "required validation" requirements that vary. Most merchants qualify as Level 4 (see the chart above).
Level 4 merchants need to do four things to validate their PCI compliance:
- Meet the PCI requirements (the same rules apply to everyone)
- Sign up for quarterly network scans
- Confirm the validation of all third-party service providers, software and hardware vendors:
a. Show proof that the software/hardware and network vendors are PA-DSS certified (no exceptions). All vendors selling or licensing software are required to complete the extended validation called PA-DSS.
b. Show proof that service providers are PCI compliant to the level required of the respective service provider.
Merchants using purchased or licensed solutions that store, process or transmit cardholder information need to check with the software/hardware provider to confirm that the application or device has passed the PA-DSS process. The providers/developers of cash register systems (aka "Point of Sale" or POS), club and shopping cart solutions which are sold or licensed are required to pass the PA-DSS annually.
Service providers fall into the category of either PCI-DSS or PCI-DASS validation depending on the volume of transactions processed annually.
Why Bother with PCI? Payment card companies and processors are requiring proof of compliance. Failure to show compliance results in processors denying a merchant's ability to accept payment cards. Additionally, if a breach occurs, the penalty for non-compliance could be the loss of the ability to accept payment cards, six- and seven-digit fines, or both. Companies with security breaches also face embarrassment and a loss of trust from customers. If clients do not trust a merchant to protect their card information, many will find other places to do business.
Understanding the PCI requirements and validation process requires reading. The PCI document boils down to 70+ pages of details. It addresses the concerns of merchants of all levels, software, hardware, wireless, etc. The lingo is also full of acronyms that can make the process of understanding the requirements murky. (A quick reference list of the common acronyms is provided at the end of this document.) But if you buckle down and read through the requirements, you may find that the requirements are basic practices of good business. Many companies will find that they already have most, if not all, of the requirements met, or can meet the requirements with a few minimal changes.
BEWARE! PCI compliance has become an industry of sharks which are happy to charge tens of thousands of dollars for their services to help you comply. Taking the time to read the information provided at www.pcisecuritystandards.org, which is available for FREE, can save you thousands of dollars and several headaches. If you need help from an outside source, take heed that the price variations between companies are significant and some vendors are more than happy to sell you more than what the PCI validation process actually requires. A small investment of time in the PCI requirements can save a company tens, even hundreds, of thousands of dollars.
The requirements are not outlandish by any means. They are standards for good business practices and security. The high-level PCI DSS requirements are detailed at the PCI website and include securing networks, protecting cardholder information, having a vulnerability management program, controlling access to data on a "need to know" basis, monitoring and testing, and maintaining a security policy.
PCI Acronym Reference
- PCI: Payment Card Industry
- DSS: Data Security Standards
- PA-DSS: Payment Applications - Data Security Standards (for payment applications that are sold or licensed to third parties and which store, process or transmit cardholder information, i.e. Point of Sale, club and shopping cart solutions)
- ASV: Approved Scanning Vendors (for the PCI-DSS required scans)
- QSA: Qualified Security Assessors (for the PA-DSS security audits)
- PA-QSA: Payment Application Qualified Security Assessors
- PTS: PIN Transaction Security (required for payment security devices; testing is performed at PCI-recognized laboratories)
- ROC: Annual Report On Compliance
- SAQ: Self-Assessment Questionnaire