What is PCI-DSS Compliance?
Payment Card Industry Data Security Standards
PCI-DSS Compliance is the common shorthand for adherence to the Payment Card Industry Data Security Standards. These standards are set by the Payment Card Industry Security Standards Council, which is made up of representatives from MasterCard, Discover, Visa, JCB, and American Express. Together with registered participating organizations, the council develops and publishes a set of data security guidelines for any service that handles payment information or customer PII (Personally Identifiable Information). You can find more information at the council's site, PCI Security Standards Org.
The PCI-DSS security standard was created by the original council to address the problem of credit card fraud. Major card issuers had developed their own proprietary standards to ensure cardholder data was safely stored, transmitted, and processed, but the differing standards were not always compatible. The council merged the existing standards into a single, maintainable set of compliance requirements, allowing any site to secure payment transactions with all major credit cards.
Who benefits from PCI-DSS compliance?
Everyone! Consumers benefit from compliance because they can trust that their payment and personal information are protected. Merchants and service providers benefit from the legal protections of validated compliance in case of a security breach. Finally, payment card issuers themselves benefit from PCI-DSS compliance, as it reduces cases of payment fraud and the amount of work required if one of their customers is a victim of fraud. Compliance ensures all parties are working to minimize fraud by ensuring a safe way to do business online.
When do PCI-DSS controls apply?
Any time a merchant or service provider accepts, transfers, or processes credit card payment information for customer transactions. While this obviously includes all eCommerce stores, it also covers physical stores that accept credit card payments and any service that processes or transmits payment information. Everything from point-of-sale devices to banks is subject to these standards, because banking information is processed over the web even for in-store purchases.
The number of payment card transactions processed annually determines the level of scrutiny applied. Merchants are divided by transaction volume into four levels with different validation requirements, while service providers have only two.
How are PCI-DSS controls validated?
PCI-DSS controls for Level 1 service providers, like Virid, are inspected and validated by compliance auditors who are qualified directly by the PCI-DSS council. Merchants can complete a PCI SAQ, or self-assessment questionnaire, to determine whether they meet the PCI standards, but the SAQ does not certify the merchant. To be PCI-DSS validated, a qualified auditor must review the site's security measures.
Compliance auditors maintain their qualification through training, continuing education, and extensive audit records. A qualified auditor works with an internal PCI-DSS owner who gathers proof of compliance with over 300 individual controls throughout the year. While a major audit happens yearly, controls may be checked as often as daily to ensure compliance is ongoing.
Where can PCI-DSS compliance be confirmed?
Major payment processors like Visa and MasterCard keep searchable lists of validated compliant service providers. However, listing carries an additional cost per list for a service provider, and many choose to forgo it. The best way to confirm validated compliance is to ask the service provider for its Attestation of Compliance. This document contains details such as the qualifications of the auditor, any exceptions to the standards applied, and any remediation actions the service provider needed to take to become compliant.