PCI Data Security Standards

In 2004 the Payment Card Industry Security Standards Council, a regulatory body for the credit card industry, launched a new security initiative referred to as the Payment Card Industry (PCI) Data Security Standards (DSS). The PCI Data Security Standards were developed by the major card brands – Visa, MasterCard, American Express and Discover – in an effort to address the rising number of identity theft cases and to ensure the protection of your customers’ personally identifiable information.

The standards set forth by the council require ALL businesses operating in the U.S. that accept Visa, MasterCard, American Express or Discover achieve annual compliance through a certified PCI audit program. To assist our Merchants with attaining compliance, Merchant Services has partnered with an industry leader to provide a comprehensive program.

As your service provider, we take the protection of your customer and payment data very seriously because we understand the risks and financial costs that a compromise poses to your business. A data breach can result in a massive loss of revenue, impacts the confidence of your customers, and can result in substantial fines for failure to protect confidential credit card data.

In addition to providing our merchants with access to a certified PCI audit program, our comprehensive Data Protection Program covers all three critical areas of data protection: 1) Annual PCI Audit 2) Data Breach Coverage 3) Data Breach Reporting Assistance.

According to data provided in a 2011 Data Breach Investigations Report – an annual study conducted by the Verizon Business RISK Team:

  • IN 2010, 4 MILLION RECORDS WERE COMPROMISED – 96% of those breaches were avoidable through simple or intermediate controls.
  • 64% of breaches occurred at businesses with 100 or fewer employees
  • 89% of breach victims were not PCI compliant – The typical breached business met less than a third of the PCI Requirements.
  • 40 % of breaches were in the Hospitality Industry, 25% of breaches were in Retail Industries, and 22% were in the Financial Services Industry.
  • 17% of breaches were caused by ‘internal’ sources – 85% of those were caused by a non-management level employee and 93% of those breaches were deliberate.
  • 92% of ‘attacks’ were committed by attackers that were considered to have a low or nonexistent set of special computer knowledge or skills.
  • 33% of breaches occurred in only ‘minutes’ - 41% of breaches took more than a month to be ‘discovered’

Think data leaks only happen to the big guys? Think again:

May 2011 - bankinfosecurity.com - "Second Suit Filed Against Michaels"  Full Story

September 2007 - Wall Street Journal -“In Data Leaks, Culprits Often Are Mom, Pop…” Full Story

September 2007 - ABC News Pittsburgh -“Call 4 Action: Greensburg Gander Mountain Announces Theft Of Customer Info” Full Story

April 2005 - San Francisco Chronicle - “Data Theft Reported at Park Service Outlet” Full Story

The Basics on Protecting Your Business

PCI – Payment Card Industry
DSS – Data Security Standards

PCI compliance regulations and standards have been in place for quite some time, however, recent security breaches have necessitated more aggressive actions to ensure data security.

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program.

Each company’s intentions were similar: to create an additional level of protection for card issuers by ensuring that Merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on December 15th, 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standards (PCI DSS).

Visa and MasterCard have outlined specific regulations concerning how businesses handle card holder data. These regulations apply to all businesses within the U.S. who accept credit cards as a form of payment.

PCI Data Security Standards

The primary mission of the PCI Security Standards Council is to develop, maintain, enhance and disseminate security standards for payment card data protection. The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The PCI Data Security Standard (PCI DSS),provides an actionable framework for developing a robust payment card data security process –one that includes prevention, detection and appropriate reaction to security incidents.

Getting Started with the PCI Data Security Standards

PCI security for merchants and payment card processors is the result of applying the information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence can be laid out in three steps:

1. Assess

2. Remediate

3. Report

To Assess is to take an inventory of your business processes and IT assets for payment card processing and analyze them for vulnerabilities that could expose cardholder data. The Remediate step is the process of fixing those vulnerabilities. The Report step entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands that issue and support your customers’ credit cards. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also help to ensure payment card data safety.

PCI DSS version 2.0 is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1 – Assess

The primary goal of an assessment is to identify the weaknesses within your operation, its policies and procedures and all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored by your business. Study the Payment Card Industry Data Security Standard (PCI DSS) for a detailed explanation of all the requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process – including PCs and laptops that access critical systems, storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

Note: your liability for PCI compliance also extends to third parties involved with your business operations, so you must also confirm that they are compliant. A comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploits and where to direct remediation.

Self-Assessment Questionnaire (SAQ).The SAQ is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. Four SAQs have been developed – your PCI auditor will help you determine which SAQ best fits your business model.

Qualified Assessors.The Council provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessors (QSA)and Approved Scanning Vendors (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Click here for details and links to qualified assessors.

Step 2 – Remediate

Remediation is the process of fixing vulnerabilities – including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

  • Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities
  • Review and remediation of vulnerabilities found in on-site assessments (if applicable) or through the Self-Assessment Questionnaire process
  • Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious
  • Applying patches, fixes, workarounds, and changes to unsafe processes and workflow
  • Re-scanning to verify that remediation actually occurred

Step 3 – Report

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI Security Standards Council is not responsible for PCI compliance. Some merchants and processors, including those with a web presence, must submit a quarterly scan report, which must be completed by a PCI Security Standards Council-approved Scanning Vendor (ASV). Businesses with a high volume of credit card transactions must do an annual on-site assessment completed by a PCI Security Standards Council-approved Qualified Security Assessors (QSA) and submit the findings to each acquirer. Businesses with a low volume of credit card transactions may be required to submit an annual report within the Self-Assessment Questionnaire (SAQ). For more details, talk to your acquirer.

PCI Data Security Standard Requirements

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Card Issuer Requirements:

Merchant Definition


Onsite Assessment

Self Assessment

Network Security Scan

Level 1

Any merchant that has experienced an account data compromise

Any merchant having greater than 6 million Visa, MasterCard or Discover transactions or more than 2.5 million American Express transactions per year

Any merchant that Visa or MasterCard, in their sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system

Required Annually

Not Required

Required Quarterly1

Level 2

Any merchant with 1 to 6 million Visa, MasterCard or Discover transactions or 50,000 to 2.5 million American Express transactions per year

At Merchant Discretion

Required Quarterly1

Level 3

Any merchant processing 20,000 to 1 million Visa, MasterCard or Discover e-commerce transactions per year

Not Required

Required Quarterly1

Level 4

Any merchant processing fewer than 20,000 Visa, MasterCard or Discover e-commerce transactions per year, and all other merchants up to 1 million Visa, MasterCard or Discover transactions per year

Not Required

Required Quarterly1

Quarterly Network Scans must be conducted by a PCI Security Standards Council (SSC) Approved Scanning Vendor (ASV)

For more information on PCI compliance and the security standards all U. S. businesses accepting credit cards are required to meet, please visit the Payment Card Industry Security Standards Council website at www.pcisecuritystandards.org.


Please complete the form below