Payment Card Industry Data Security Standard (PCI DSS)

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.


The PCI DSS is managed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) and launched in September 2006.


To whom does the PCI DSS apply and what are the various compliance levels?

The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. All merchants fall into one of the four merchant compliance levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of transactions (including credit, debit and prepaid) from a merchant Doing Business As (DBA). Merchant corporations with more than one DBA must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level.


If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level. Each level entails specific compliance validation requirements and it’s critical that merchants understand that level classifications under one card brand may differ from those under other card brands. The four merchant compliance levels defined by Visa, for example, range from level 4 for merchants processing fewer than 20,000 Visa transactions per year to level 1 for merchants processing more than 6 million transactions per year.


How should merchants that take credit cards by telephone comply with PCI DSS?

There are three ways in which companies can address card security risk in telephone transactions. First, a merchant can reduce people risk by creating a culture of security in its organization. This primarily consists of offering security awareness training for all users who come into contact with cardholder data, or sensitive data in general. Second, a merchant should ensure the process is documented, so that representatives know how to handle data securely and that the people responsible for the technology over which the data traverses have secured that technology appropriately. Lastly, it’s important to secure the equipment itself through access control, patching, network controls, anti-virus and security testing (all of which are requirements found in PCI DSS).



Do organizations using third-party processors have to be PCI DSS compliant?

Yes. Using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on a company’s risk exposure and consequently reduce the effort to validate compliance. However, it does not mean it can ignore the PCI DSS.


Does having a Secure Socket Layer (SSL) Certificate make a merchant PCI compliant?

No. SSL certificates, which keep an Internet connection secure and safeguard any sensitive data being sent between two systems, do not secure a web server from malicious attacks or intrusions. High-assurance SSL certificates provide only the first tier of customer security and reassurance; there are many other steps required to achieve PCI compliance.


If a company wants to store credit card data, which methods should it use?

Most merchants that need to store credit card data do so for recurring billing. The best way to store credit card data for recurring billing is by using a third-party credit card vault and tokenization provider. Use of a vault removes the card data from the merchant’s possession in exchange for a “token” that can be used for the purpose of recurring billing. By using a third party, a company moves the risk of storing card data to someone who specializes in doing that and has all of the security controls in place to keep the card data safe.
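To make the vault-and-token pattern concrete, the following is an added example (not code from the page or from any real tokenization provider). It models a toy vault that exchanges a primary account number (PAN) for a random token, a merchant billing system that keeps only the token and last four digits, and a check that confirms no PAN appears in what the merchant stores. The `CardVault`, `MerchantBilling` and `record_is_pan_free` names, and the test card number, are assumptions constructed for the example.

```python
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers (standard algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Toy tokenization vault (constructed for this example).

    The vault is the only party that ever holds the PAN. It hands the
    merchant an unguessable random token plus the last four digits; a
    real provider would also encrypt storage, log access and be audited
    under PCI DSS as a service provider.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        # 128 bits of randomness: the token carries no information about the PAN
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Simulated authorization; the PAN never leaves the vault."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantBilling:
    """Merchant side for recurring billing: stores tokens, never PANs."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.customers: dict[str, dict] = {}

    def enroll(self, customer_id: str, pan: str) -> dict:
        record = self.vault.tokenize(pan)   # PAN is passed through, not retained
        self.customers[customer_id] = record
        return record

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        token = self.customers[customer_id]["token"]
        return self.vault.charge(token, amount_cents)


# Any 13-19 digit run that passes Luhn is treated as a possible PAN.
_PAN_RUN = re.compile(r"\d{13,19}")


def record_is_pan_free(record: dict) -> bool:
    """Scan a merchant record for anything that looks like a stored PAN."""
    blob = json.dumps(record)
    return not any(luhn_valid(m) for m in _PAN_RUN.findall(blob))


def demo() -> dict:
    """Enroll one customer with a constructed test card number and bill twice."""
    billing = MerchantBilling(CardVault())
    stored = billing.enroll("cust-001", "4111 1111 1111 1111")  # constructed test PAN
    first = billing.bill("cust-001", 1999)
    second = billing.bill("cust-001", 1999)
    return {
        "stored_fields": sorted(stored.keys()),
        "pan_free": record_is_pan_free(billing.customers["cust-001"]),
        "approved": first["approved"] and second["approved"],
        "last4": stored["last4"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the check makes is the one the text makes: after enrollment the merchant's database holds a token and a display-only last-four, so a compromise of the merchant system yields nothing a thief can charge, and the scope of the merchant's PCI DSS validation shrinks accordingly.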


If a company needs to store the card data itself, the bar for self-assessment is very high and may require that a Qualified Security Assessor come onsite and perform an audit to ensure the company has all of the controls in place necessary to meet the PCI DSS specifications.

GRC Announcements Blog

New solution helps companies reclaim lost data

GRC Announcements | June 17, 2016

Ground Labs, a global security software company, announced the release of Enterprise Recon 2.0. The solution scans for 100 different data points and personally identifiable information, allowing organizations to protect critical information at every endpoint without relying on antiquated perimeter security methods.

News Article

Latest PCI Standard Pushes Toward Risk Management

Joe Mont | January 13, 2015

Version 3.0 of the PCI Data Security Standard goes into effect this month—and maybe, just possibly, it will strengthen companies’ discipline against credit card data theft. The new standard prods companies to approach security as a continuous risk monitoring duty. “You can’t have smooth implementation until you start to think about this more broadly, like you would any other business problem,” says Christopher Avery of the law firm Davis Wright Tremaine.

News Article

PCI Guidance Provides Clarity to Payment Card Industry

Jaclyn Jaeger | August 26, 2014

Companies that rely on third-party service providers to handle their customers’ credit card data can rest a little easier. Um, assuming those providers play by the rules, that is. The Payment Card Industry Security Standards Council has issued new guidance on how to ensure that payment card data entrusted to third parties is securely maintained. It walks companies through the steps to verify that security measures are in place.