Industry Standard Resources
What is the Payment Card Industry Data Security Standard (PCI DSS)?
PCI DSS (or just PCI, for short) was established in 2004 by the five founding brands of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The objective of PCI is to increase controls on payment (debit/credit) card data to reduce organizations’ exposure to payment card theft.
The process of validating PCI compliance varies based on an organization’s annual payment card transaction volume. Merchants that process more than 6 million Visa and/or MasterCard transactions or more than 2.5 million American Express transactions annually (categorized as level 1 merchants) must hire a PCI Security Standards Council-approved qualified security assessor (QSA) to conduct an annual assessment, which results in a Report On Compliance (ROC). Merchants that process fewer payment card transactions annually (level 2, 3 and 4 merchants) may validate compliance by completing a Self-Assessment Questionnaire (SAQ).
Whether self-assessing or submitting to a QSA-driven assessment, an organization whose payment systems are networked must submit quarterly vulnerability scans of its Internet-facing systems, performed by an Approved Scanning Vendor (ASV). To determine whether a vendor is an ASV, see: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php.
Although PCI isn’t law, payment card companies enforce compliance by providing more-favorable exchange rates and/or imposing contractual penalties and sanctions, including revocation of a merchant’s right to accept their brand of payment cards.