PCI DSS Standards

FAQs


When the credit card brands American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc. established the Payment Card Industry (PCI) Data Security Council (PCI SSC), they wanted to protect credit card information from data breaches. As such, they created the Payment Card Industry Data Security Standard (PCI DSS).

The standard established four levels of PCI compliance surrounding information security. Each of the PCI compliance levels is based on the amount of card transactions per year. Level 1 is for merchants processing over 6 million Visa and/or Mastercard transactions per year. Level 2 is for merchants processing between 1 million and 6 million Visa and/or Mastercard transactions per year. Level 3 is for merchants processing between 20,000 and 1 million Mastercard and/or Visa transactions per year. Level 4 is for merchants processing less than 20,000 Visa and/or Mastercard transactions per year. Thus, the first step when completing the self-assessment questionnaire (SAQ) is for companies to determine their merchant levels.

PCI compliance requires companies who accept, process, store or transmit credit card information to create a secure environment. Cardholder data must be stored on a network with no access to the public internet.

Additionally, PCI DSS compliance requires merchants to hire a qualified security assessor (QSA) whose independent attestation of compliance ensures that the merchant is PCI compliant. This report on compliance incorporates a review of the merchant’s security controls across the twelve requirements, including vulnerability management. Some merchants or service providers use approved scanning vendors (ASV) to manage their vulnerability scans since it can seem an overwhelming task.

PCI noncompliance can lead to card data theft, fines or the refusal of acquiring banks to allow a merchant or service provider to accept payments.