So what's all this talk about data security?
The Payment Card Industry (PCI) Data Security Standard
(DSS) is a set of requirements for enhancing payment
account data security. These standards were developed
by the PCI Security Standards Council, which was founded
by American Express, Discover Financial Services, JCB
International, MasterCard Worldwide and Visa, Inc. to
facilitate industry-wide adoption of consistent data
security measures on a global basis.
I have never heard of PCI Compliance before. Is this
No. The framework of the PCI DSS has existed in different
forms for some time now, and the standard continues
to evolve. You may be more familiar with the following
programs, which promote the implementation of the PCI
MasterCard: Site Data Protection (SDP) program
Visa: Cardholder Information Security Program (CISP)
Discover Network: Discover Information Security &
American Express: Data Security Operating Policy
Do the card associations require merchants to be
Simply put, Visa, MasterCard and other major card associations
require all entities that store, process or transmit
cardholder data to comply with the PCI DSS. The standard
exists to protect businesses and consumers. When merchants
certify their compliance with the PCI DSS, they demonstrate
their commitment to data security, in addition to reducing
exposure to fraud and the costs associated with it.
Compliance is a priority for the card associations and
The Visa Web site (www.visa.com/cisp) states:
PCI DSS compliance is required of all merchants and
service providers that store, process, or transmit Visa
cardholder data and applies to all payment channels,
including retail (brick-and-mortar), mail/telephone-order,
In addition, the Visa site explains:
If a member, merchant or service provider does not comply
with the security requirements or fails to rectify a
security issue, Visa may fine the responsible member
or Impose restrictions on the merchant or its agent.
Visa may waive fines in the event of a data compromise
if there is no evidence of non-compliance with PCI DSS
and Visa rules. To prevent fines, a member, merchant,
or service provider must maintain full compliance at
all times, including at the time of breach as demonstrated
during a forensic investigation. Additionally, a member
must demonstrate that prior to the compromise the compromised
entity had already met the compliance validation requirements,
demonstrating full compliance.
The following information is posted on the MasterCard
Web site (www.mastercard.com/sdp):
While all merchants are required to comply with the
Payment Card Industry Data Security Standard, merchants
that store, process or transmit MasterCard account data
may also be required to validate compliance with their
The MasterCard site also states:
If a merchant does not meet the applicable compliance
requirements of the SDP Program, then MasterCard may
levy a non-compliance assessment on the responsible
What do my merchants have to do to become PCI compliant?
Typically, a merchant must complete at minimum a PCI
DSS self-assessment questionnaire annually. If the merchant
electronically stores cardholder information, or if
his or her processing systems have any Internet connectivity,
a quarterly scan by an approved scanning vendor is also
What about merchants who are not processing? Why
do they have to be PCI compliant?
All merchants, whether small or large, need to be PCI
compliant. The payment brands have collectively adopted
PCI DSS as the requirement for organizations that process,
store or transmit cardholder data.
Why do merchants using "PCI compliant" terminals/gateways
have to certify their PCI compliance?
The PCI Security Standards Council has various requirement
programs. The Payment Application Data Security Standard
(PA-DSS) is a set of requirements that helps software
vendors and others develop PCI DSS-compliant applications
that do not store prohibited data, such as full magnetic
stripe, CVV2 or PIN data.
Use of a terminal/gateway that runs PA-DSS certified
software is one of many components that are evaluated
in the assessment of a merchant's PCI DSS compliance.
What is an approved scanning vendor?
An approved scanning vendor is an organization that
validates adherence to certain PCI DSS requirements
by performing vulnerability scans of a merchant's Internet-facing
Check with your Merchant Account Provider to make sure
you have taken the proper course of action to be in
compliance. This avoids monthly "non-compliance fees".