October 11th, 2021
What is PCI Compliance and who does it apply to?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores or transmits payment card data maintains a secure environment.
The PCI DSS applies to every organization that accepts, transmits or stores cardholder data, irrespective of its size or the number of transactions it handles.
The 4 Merchant Compliance Levels
Merchants are sorted into four compliance levels on the basis of Visa transaction volume over a 12-month period. The level determines how compliance is validated: a Level 1 merchant needs an annual on-site assessment and Report on Compliance, while lower levels validate with a Self-Assessment Questionnaire. Every level still has to meet the same 12 requirements.
Merchant levels are defined as:
1. Level 1: any merchant, irrespective of acceptance channel, processing over 6 million Visa transactions per year.
2. Level 2: any merchant, irrespective of acceptance channel, processing between 1 million and 6 million Visa transactions per year.
3. Level 3: any merchant processing between 20,000 and 1 million Visa e-commerce transactions per year.
4. Level 4: any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.
The 12 requirements for PCI DSS Compliance
1. Installing and Maintaining Firewalls
Firewall and router configurations control which traffic may enter or leave the cardholder data environment. Connections from untrusted networks, including the internet, to systems that hold cardholder data must be blocked, and the rule sets must be reviewed regularly.
2. Not Using Vendor-Supplied Defaults
Vendor-supplied default passwords and settings must be changed before a system goes into production. An inventory of all in-scope systems and documented configuration and hardening standards are mandatory.
3. Protection of Stored Cardholder Data
Stored primary account numbers (PANs) must be rendered unreadable, using strong encryption with industry-accepted algorithms, a one-way hash of the full PAN, truncation, or tokenization. Encryption in turn requires a documented key-management process covering generation, distribution, storage, rotation and retirement of keys. Sensitive authentication data (CVV/CVC, full track data, PIN blocks) must never be stored after authorization, and a displayed PAN must be masked so that at most the first six and last four digits are visible.
4. Encryption of Transmitted Cardholder Data
Cardholder data must be protected with strong cryptography, such as TLS, whenever it is transmitted over an open or public network, and the PAN must never be sent unprotected over end-user messaging such as e-mail or chat.
5. Using and Updating Anti-Virus Software
Anti-malware software must be deployed on all systems commonly affected by malware, kept current with signature and engine updates, set to run periodic scans and generate audit logs, and protected from being disabled by users.
6. Maintaining Secure Systems and Applications
All system components and software must be protected from known vulnerabilities by installing vendor security patches; critical patches must be applied within one month of release. Software developed in-house must follow secure coding practices and be tested for common vulnerabilities before release.
7. Restricting Access to Cardholder Data
Access to cardholder data must be limited to the individuals, including third-party staff, whose job requires it (need-to-know). Access rights are denied by default and granted explicitly.
8. Unique Access IDs
Every person with access to system components or cardholder data must have a unique user ID, so that every action can be traced to an individual. Shared or group accounts are not allowed, and remote access into the network requires multi-factor authentication.
9. Physical Restrictions on Cardholder Data
Systems and media holding cardholder data must be kept in physically secured locations. Entry controls, visitor logs and video surveillance are needed to record who had physical access, and media must be securely destroyed when it is no longer needed.
10. Maintaining Access Logs to Cardholder Data
Audit logs must record all access to cardholder data and PANs, all administrative actions and all authentication attempts, using synchronized clocks. Logs must be protected from tampering, reviewed at least daily, and retained for at least one year, with the most recent three months immediately available.
11. Regularly Testing Security Systems and Processes
Internal and external vulnerability scans must run at least quarterly and after any significant change, with external scans performed by a PCI SSC Approved Scanning Vendor; penetration tests must be performed at least annually. Intrusion detection and change-detection (file integrity monitoring) mechanisms must alert on unauthorized changes.
12. Maintaining an Information Security Policy
A documented information security policy covering all personnel ties the requirements above together: written procedures, from access-log review to hardening standards, are the evidence that each control is actually in place. The policy must be reviewed at least annually and communicated to staff.
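As an added example (not part of the original article), the following Python shows what the stored-data controls of Requirement 3 look like in code: a Luhn check before a value is treated as a PAN, display masking limited to the first six and last four digits, a keyed one-way hash (HMAC-SHA256) tagged with a key identifier so a lookup token can be stored instead of the PAN, and a record builder that discards the CVV. The key material, key identifier and `store_card` record layout are constructed placeholders standing in for a real HSM/KMS and database schema, and the card number used is a well-known test number, not a real account.

```python
"""PAN handling helpers illustrating PCI DSS Requirement 3 controls:
Luhn validation, display masking (first six / last four), a keyed one-way
hash so a lookup token is stored instead of the PAN, and a persistence
record that never contains sensitive authentication data (CVV)."""
import hashlib
import hmac
import re
from typing import Optional

# Assumed key-management stand-in: in a real deployment the key lives in an
# HSM or KMS and is rotated under the documented key-management process.
_KEY_ID = "pan-hmac-key-v1"                       # hypothetical identifier
_KEYS = {_KEY_ID: bytes.fromhex("00" * 32)}      # constructed test key only

# PANs are 13 to 19 digits; anything else is rejected before it is processed.
_PAN_DIGITS = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not _PAN_DIGITS.fullmatch(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits visible,
    every other digit replaced by '*'."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key_id: str = _KEY_ID) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, prefixed with the key
    id so tokens stay resolvable across key rotation. The plaintext PAN is
    neither returned nor stored; only this token is persisted."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    mac = hmac.new(_KEYS[key_id], pan.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def store_card(pan: str, expiry: str, cvv: Optional[str] = None) -> dict:
    """Build the record that may be persisted after authorization.
    Sensitive authentication data (CVV/CVC, full track data, PIN) is never
    kept, so the cvv argument is accepted only to be dropped on the floor."""
    del cvv  # intentionally discarded: it must not outlive authorization
    return {
        "pan_token": pan_token(pan),
        "pan_masked": mask_pan(pan),
        "expiry": expiry,
    }


if __name__ == "__main__":
    # Constructed input: a standard Visa test number, not a real card.
    sample = "4111111111111111"
    print(mask_pan(sample))                       # 411111******1111
    print(store_card(sample, "12/26", cvv="123"))
```

The HMAC key is fixed to zeros only so the block runs offline; the point of the `key_id` prefix is that when the key is rotated, tokens produced under the old key can still be recognised and re-tokenized rather than becoming orphaned.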
PCI compliance is not optional: it is mandatory for anyone who processes payment cards or obtains or stores cardholder data. Agreeing to comply with PCI DSS is normally written into the merchant agreement signed with a payment processor or acquiring bank, so signing up to accept cards is also a commitment to adhere to the standard.