PCI Compliance 101 – We, in information security, toss around a lot of terms and acronyms. It becomes clear to me when I’m around non-security folks (like when I’m with family over the holidays), that sometimes we need to put our work into plain-speak. So, here’s how I would explain PCI to my mom.
Prior to coming to work for an information security services company, did I ever think twice about whipping out my credit card to pay for a purchase? Not really.
I was more concerned that my credit cards may be physically stolen, and the thieves could run up false charges. Nowadays, electronic theft is much more likely, which is why the PCI Data Security Standard was created.
The Payment Card Industry Data Security Standard (PCI DSS) is a very detailed set of information security requirements that the card issuers require any merchant or service provider to adhere to if they accept, store, or transmit cardholder data. Merchants and service providers are ranked by levels according to their annual volume of credit card transactions. That is the number of transactions, not the dollar volume.
Depending on the level of the merchant or service provider (levels 1-4 for merchants, levels 1-2 for service providers), they may or may not need an annual on-site validation by a Qualified Security Assessor (QSA). This is a validation that the merchant is compliant with the PCI DSS.
The QSA has been trained and certified on their knowledge of the PCI Data Security Standard, and is equipped to verify whether or not the merchant is indeed compliant with the Data Security Standard. It’s pretty straightforward: the merchant has to meet ALL of the requirements that apply to them. Not just some of them. All of them.
All levels of merchants are expected to be compliant with every part of the Data Security Standard that is applicable to them. The only difference between the various levels of merchants is how they validate their compliance.
The card issuers enforce compliance with the standard via the acquiring banks. The merchant gets their merchant number through their acquiring bank, so it’s the acquiring bank’s job to make sure that all of their merchants are compliant. There are fines for non-compliance. And, if a breach occurs, a forensic investigation is triggered, along with possible fines.
When you’re shopping, it’s tempting to ask if the merchant is PCI compliant. Some internet sites post something to show they’re compliant. It’s a smart marketing move, I think. In a brick & mortar store, the store clerk may not know for sure if their company is PCI compliant, but they should be familiar with credit card security. One of the requirements of the PCI DSS is to implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Nancy Sykora
Sr. Account Executive