PCI Compliance

What is PCI Compliance?

PCI stands for Payment Card Industry. The PCI standard is controlled by the Security Standards Council, an organization established by the five major credit card companies (American Express, Discover, JCB, MasterCard, and Visa). The organization was formed to facilitate the broad adoption of consistent data security measures on a global basis.

This council in turn publishes the PCI DSS (Payment Card Industry Data Security Standard), which is then used to create, monitor and report on compliance with this security standard. Included are requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The PCI Security Standards Council maintains a quick reference guide, see Understanding the Payment Card Industry Data Security Standard for more information.

Is there an easy way for me to become PCI Compliant and move on with running my business?

For most website owners, the answer is 'yes'. Here's a quick, painless way to get through it.

  1. Confirm you process under 20,000 Visa e-commerce transactions annually
  2. Sign up for a PCI Compliance assessment
  3. Fix any issues the PCI Compliance assessment requires. Re-scans are free for 30 days.
  4. Done! We will send you a PCI Compliance certificate that you may show to any entity requiring proof.

You may be asked by your Merchant provider to provide an SAQ (Self-Assessment Questionnaire); they will either provide this or refer you to the PCI DSS Self-Assessment Questionnaire.

Who needs to be PCI Compliant?

In many cases website owners first hear about PCI Compliance from their credit card Merchant provider, who has informed them that they must become compliant. More specifically, see the chart of Merchant levels below for more information.

What are the PCI Compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

The PCI DSS requires that all merchants with externally-facing IP addresses perform quarterly external network scans to achieve compliance. Acquirers may require submission of the quarterly scan reports and/or questionnaires by Level 4 merchants.

Merchant Level / Description

Level 1: Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

Note: Any merchant that has suffered an attack that resulted in an account data compromise may be escalated to a higher validation level.

What are some of the basic rules established by PCI Compliance?

The PCI DSS version 1.2 provides the following common-sense steps to promote a secure website.

Control Objective: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Control Objective: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Control Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Control Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Control Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

How are the PCI Compliant tests conducted?

ScanSafeguard works with several leading Approved Scanning Vendors (ASVs) to provide PCI Compliance scanning, and certification if the site passes.

Unlike most ASVs, our model allows us to provide you with guidance on how to address any issues flagged by the certification process.

How much does PCI Compliance scanning cost?

ScanSafeguard offers PCI Compliance scanning, with a free certificate for sites that pass, for only $25 per quarter.

This is less expensive, and in some cases a lot less expensive, than practically any other PCI Compliance certificate. We are happy to offer this service at this price because we would like you to consider ScanSafeguard for all of your website security needs.