
What is the PCI DSS compliance standard?
The PCI Data Security Standard (PCI DSS) is a set of technical and operational security requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment.
The standard is administered by the PCI Security Standards Council, an independent body created by the main payment card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.). The council oversees the administration and management of the standard, which can be found on the PCI SSC’s website: www.pcisecuritystandards.org.
A U.S. or Canadian company that processes, stores, or transmits card numbers MUST be PCI DSS compliant, or it risks losing the ability to accept credit card payments. Merchants and service providers must also validate their compliance each year: the largest (Level 1) through an on-site assessment by a PCI Qualified Security Assessor (QSA) company, and the rest through a Self-Assessment Questionnaire, in both cases normally accompanied by quarterly external vulnerability scans from an Approved Scanning Vendor (ASV).
What are PCI compliance “levels” and how are they determined?
Each type of organization has its own level requirements: merchants are tiered by annual transaction volume, and service providers have separate levels of their own. Visa's merchant levels tend to be the most restrictive and are therefore often used as the de facto levels for merchants. The Visa merchant levels are:
| Merchant Level | Description |
| 1 | Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year. |
What do I need to do to comply?
A Self-Assessment Questionnaire (SAQ) must be completed each year and submitted to your processor. The questionnaire covers the standard's 12 security requirements; the number of questions depends on which SAQ applies to the way you accept cards (the version this page describes has 75). Every question must be answered honestly, and to pass you must be able to answer YES to each one, even questions that seem to have no bearing on your business (a requirement that genuinely does not apply to your environment may be marked not applicable with an explanation). A NO on any question means you are not compliant until the gap is fixed.
To comply with PCI DSS, you must possess a series of written security policies, procedures, employee handouts, and training aids all related to the secure handling and processing of credit card data. You must also enforce those policies with procedures in your organization and prove that you do so with proper logging and security trails.
I’m a small, Level 4 merchant. Must I comply?
Yes. All merchants, regardless of size, must implement PCI-compliant security controls and document their adherence each year. To accept and process credit card payments, most merchants run some type of POS system and hold a merchant account with a bank, but the store network those systems sit on is often not adequately protected from attackers. That network is usually the point of attack for credit card and identity theft, and the most devastating one.
If I only accept credit cards over the phone – or debit cards only -- does PCI still apply to me?
Yes. All businesses that store, process, or transmit cardholder payment data MUST be PCI compliant. This includes any debit, credit, and pre-paid card branded with one of the five associations that participate in the PCI SSC: American Express, Discover, JCB, MasterCard and Visa.
Am I compliant if I hold an SSL certificate?
No. An SSL certificate encrypts the connection between a customer's browser and your web server and identifies your site to the customer; it does nothing to harden the server itself or to protect card data once it arrives. It is only the first tier of customer security, and PCI DSS covers far more than transport encryption.
How tough are the penalties if we don’t comply?
They’re very tough. Failure to comply with PCI DSS requirements can result in stiff contractual penalties or sanctions from members of the payment card industry, including:
- Fines of $500,000 per data security incident
- Fines of $50,000 per day for non-compliance with published standards
- Liability for all fraud losses incurred from compromised account numbers
- Liability for the cost of reissuing cards associated with the compromise
- Suspension of merchant accounts
Are there other dangers of noncompliance?
Yes. One restaurant franchise incurred fines and charges of $500K from Visa and $200K from MasterCard in addition to the scheduled fines and penalties. The negative publicity resulting from a data breach usually results in lost customers and prospects.
In addition, you will be subject to a mandatory, expensive, and time-consuming forensic investigation. For at least several days your business will be disrupted as examiners go through your policies, records, systems, and employees, and you will pay for the forensic examination whether or not a breach is confirmed.
Any Level 4 merchant that suffers a breach can be escalated to Level 1 at the card brand's discretion. From that point forward, an annual on-site PCI compliance assessment by a Qualified Security Assessor will be required, at an annual cost of $15,000 to $25,000. The costs are high enough to put many small merchants out of business.
What happens if I am breached?
Currently, 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California’s original law, enacted in 2002.
Companies that are breached must disclose the breach to affected customers promptly, usually in writing. They must also notify their processor, which in turn notifies the acquiring bank. The processor or bank will then initiate a forensic investigation of the merchant to determine whether it was, in fact, PCI DSS compliant at the time of the breach.
A merchant that fails to disclose a known breach creates the appearance of complicity in it, potentially exposing itself to criminal liability. At present, there are no known cases of a merchant that was fully PCI DSS compliant at the time of the breach actually being breached.
So how can Compliance Services help us with this complex PCI compliance?
We offer a number of customized solutions through our proven PCI Compliance Program, including an affordable fixed-fee monthly PCI compliance intrusion scan that is quick and easy to implement. Through our services you reduce the chance of becoming the victim of a devastating data breach that can result in millions of dollars in fines as well as exorbitantly expensive civil litigation.

