March 21, 2009

The PCI DSS and What It Means to Small Businesses

Overview of the PCI DSS (Payment Card Industry Data Security Standard)
-The PCI DSS is a standard set of controls established by the major issuers of credit cards, including Visa and Mastercard, Amex, Discover, and others.
-The standard applies to any business that accepts credit card payments.
-The current version is 1.2, effective October, 2008.
-The standard is broken down into 12 requirements, grouped into 6 areas
– The standard was created and is maintained by PCI Security Standard Council. This body does not enforce the standard and does not impose any consequences for non-compliance. This function is performed by the card brands.
– There are 4 levels of compliance criteria. Merchants at levels 1-3 are required to have quarterly vulnerability scans. These scans are performed by a Authorized Scanning Vendor.
– Most small business will be Level 4 merchants (merchants that process less than 20.000 transactions per year). Level four merchants are not required by the PCI DSS to have quarterly scans, but scans may be recommended or required by processing providers.
– The compliance of Level 4 merchants is determined by using a self-assessment questionnaire. There are four questionnaires. The questionnaire which applies is determined by the methods that hte merchant uses to process payments. Merchants that store credit card data on their systems are subject to a much larger number of requirements.
– There are 4 types of questionnaires – A,B,C, and D.
– The Type A and B questionnaires are for merchants that do not store any cardholder data on their systems, use only dial-in processing terminals which are not connected to the internet or any other network, or use only manual imprint machines. Most small businesses will use these self-assessment questionnaires. Even these small merchants are subject to some of the PCI DSS requirements:
— Requirement 3-Protect cardholder data: Certain card information should never be stored in any form. This includes the full magnetic track data, the three or four-digit card validation (also called CVV) codes, and PIN data. The full card number should also not be displayed on receipts or in any place where it can be viewed by anyone who does not have a legitimate business need to view it.
— Requirement 4-Encrypt the transmission of cardholder data across open, public networks: POLICIES, practices, and procedures must be in place to preclude the sending of unencrypted credit card numbers through EMAIL.
— Requirement 7-Restrict access to cardholder data by business need-to-know.
— Requirement 9-Restrict physical access to cardholder data: Access to data must be strictly controlled, cardholder data must be marked as confidential, and data must be destroyed when it is no longer needed for business purposes (paper copies must be crosscut shredded, incinerated, or pulped)
— Requirement 12-Maintain a policy that addresses information security for employees and contractors: This means WRITTEN policies, security awareness training, incident reporting procedures, and contractual agreements with service providers
Note that this is one more reason that EVERY business needs to have some sort of WRITTEN security policies in place.
At this point there is no PCI compliance police force that visits every merchant that processes credit card payments. Compliance enforcement is the responsibility of the card brands, and this responsibility gets passed down the chain through the payment processors. Eventually, merchants will be expected to comply and compliance will be enforced.
In the meantime, the PCI DSS provides a standard for data security. ANY merchant, no matter how small, has a responsibility to protect cardholder data and can be held liable if they fail to do so. In the past, we have discussed DUE DILIGENCE and its importance in limiting liability. ANY small business that does not take the steps to comply with the PCI DSS standard is subjecting itself to greater levels of risk and liability.
If you want more information about the PCI DSS, here are a few websites to get you started:,289483,sid14_gci1293836,00.html

Dennis H in West Virginia, US

Homepage: Nerds On Site

Blog Home: Blog

Artile: The PCI DSS and What It Means to Small Businesses

Sort By Category