
PCI DSS: A quick guide to its levels

Jan 21, 2021

PCI DSS stands for Payment Card Industry Data Security Standard. It was launched in 2004 as a collaboration between the major credit card brands: American Express, Discover, JCB, Mastercard, and Visa. Any organization that stores, processes, or transmits cardholder data, whether in clear text or in encrypted form, must comply with the PCI regulations.

A short survey showed that most people give the above description when quizzed about PCI DSS. When we probed further about the levels defined by the standard, the answers came up short. So we put together this quick read on the PCI DSS compliance levels.

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the number of credit or debit card transactions a business processes annually. The level determines what an enterprise must do to remain compliant.

Level 1:

Applies to merchants who process more than six million real-world credit or debit card transactions annually. An authorized PCI Qualified Security Assessor (QSA) conducts an annual internal audit and an on-site evaluation of the organization to:

· Authenticate the assessment’s scope;

· Evaluate technical information and documentation;

· Verify whether the PCI DSS requirements are being met;

· Assist and guide the compliance process; and

· Evaluate any compensating controls.

On successful evaluation, the QSA presents a Report on Compliance (RoC) to the organization’s acquiring bank, thereby demonstrating its compliance.

Level 2:

Applies to merchants who process between one and six million real-world credit or debit card transactions annually. Security testing reports on network hosts and applications must be completed at a defined frequency. The RoC also applies to level 2 organizations.

Level 3:

Applies to merchants who process between 20,000 and one million e-commerce transactions annually. A yearly assessment must be completed using the relevant SAQ (Self-Assessment Questionnaire), along with a quarterly PCI scan.

Level 4:

Applies to merchants who process fewer than 20,000 e-commerce transactions annually, or up to one million real-world transactions. They must complete a yearly assessment using the SAQ and a quarterly PCI scan.

What is the Self-Assessment Questionnaire?

PCI DSS defines several kinds of SAQ for each level; which one applies also depends on how the merchant processes card information. Below are some of the SAQ types applicable to levels 2–4:

SAQ A: Merchants who outsource their entire card data processing to certified third parties. This includes e-commerce transactions.

SAQ A-EP: E-commerce merchants who outsource their payment processing but not the administration of the site.

SAQ B: E-commerce merchants who do not receive cardholder data but control the process through which data is redirected to a third-party payment processor.

SAQ B-IP: Merchants who do not store cardholder data electronically but use IP-connected point-of-interaction devices. These merchants may handle either card-present or card-not-present transactions.

SAQ C-VT: Merchants who process cardholder data via a virtual payment terminal.

Selecting the right SAQ matters, because each level carries compliance requirements that depend on how payment card data is processed.

How to become PCI DSS compliant

The PCI DSS specifies six control objectives an organization must meet to achieve compliance:

1. Build and maintain a secure network

2. Protect cardholder data

3. Maintain a vulnerability management program

4. Implement strong access control measures

5. Regularly monitor and test networks

6. Maintain an information security policy

The penalties of non-compliance

Because cardholder data is considered personal data, a PCI DSS breach can also be treated as a GDPR breach. Organizations that fail to adhere to PCI regulations face severe financial penalties, or may even lose their ability to accept card payments.

In short, PCI DSS is a standard that underpins trust, business continuity, and the safety of cardholder data.
