The credit card and debit card data that power global transactions are a prime target for hackers. To ensure merchants and organizations protect this sensitive information, the Payment Card Brands (Visa, Mastercard etc.) established the Payment Card Industry Data Security Standard (PCI DSS). Organizations and merchants that utilize payment cards must comply. This FAQ explains the basics of obtaining PCI DSS Certification.

What is the PCI-DSS certification?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures designed to ensure that all organizations and merchants that accept, process, store and/or transmit credit card information maintain a safe and secure environment, especially in the context of protecting payment card information. Any organization, regardless of size or number of transactions, that handles any kind of payment card processing, must be PCI-DSS certified.

What is required to obtain PCI-DSS Certification?

The PCI DSS includes a total of 12 requirements and roughly 251 sub-requirements that must be implemented to fully address the growing cybersecurity threats to payment card information.  The path to a PCI-DSS certification includes incorporating a number of commonly known best practices including but not limited to:

• Installing and maintaining a robust firewall
• Protecting stored cardholder data using strong encryption
• Using a robust anti-virus software
• And other such best practices

What are the benefits of PCI-DSS certification?

PCI-DSS certification provides customers with confidence that an organization has the necessary cybersecurity controls in place for protection of payment card data, as stipulated by the PCI DSS. It  helps assure the organization has a mature and reasonable cybersecurity foundation in place.

Who created the PCI DSS standard?

In 2004, when incidents of payment card fraud began to rise, credit card industry leaders including Visa, MasterCard, Discover and American Express, convened to develop a common set of security standards to protect the payment card industry and its customers from fraud, both online and offline. They introduced the first version of PCI DSS in in December 2004.

In 2006, as cybercrime started to evolve, they formed the independent Payment Card Industry Security Standards Council (PCI SSC) to upgrade the PCI-DSS standard and to oversee implementation. The latest version of PCI DSS is v3.2.1. The PCI Council is currently working on Version 4.0.

Is PCI Certification required by law?

PCI DSS is a standard, not a law. But if your organization does not comply with the standard, the Payment Brands won’t allow you to process payment cards.

How do I know if my organization needs PCI-DSS certification?

If you process, store or transmit any payment card data, you need to get the PCI-DSS certification. It does not matter how many transactions you process in a year, or how big or small your organization is – you must be PCI DSS certified.

What are the risks of not adequately securing credit-card data?

Payment card merchants can lose their ability to process credit cards. If a data breach occurs, they may be subject to regulatory fines,  expensive forensic audits, brand damage, loss of customers, etc.

What are the benefits of PCI certification?

PCI DSS certification includes benefits that extend beyond the ability to process credit cards. The PCI DSS ensures that you continually identify vulnerabilities and threats that could potentially impact your organization.

Here are some of the benefits of having a PCI DSS certification beyond the compliance imperative:

• Ensures robust cybersecurity foundation for your organization
• Assures customers they can trust you with their sensitive data
• Assures potential customers and partners that you prioritize data security
• Helps avoid fines charged for non-compliance
• Improves brand reputation and aids business sustainability
• Establishes groundwork for compliance with other relevant regulations

What are the PCI compliance “levels” and how are they determined?

Merchants must validate (demonstrate) their compliance in different ways based on volume of transactions. The higher the volume of transactions, the more stringent the controls. Generally speaking, smaller merchants can self-assess their compliance with PCI DSS, while larger merchants must hire professionals to conduct formal compliance audits. Here the compliance levels:

• Level 1: Transactions per year > 6 Million
• Level 2: Transactions per year: 1 Million – 6 Million
• Level 3: Transactions per year: 20,000 – 1 Million
• Level 4: Transactions per year < 20,000

How does PCI-DSS compliance differ for small vs. larger merchants?

• Smaller organizations and merchants who fall under levels 2, 3 and 4 need only fill out a Self-Assessment Questionnaire (SAQ) to attest that the organization has implemented all the cybersecurity measures required by the PCI DSS. Organizations under these PCI compliance levels may hire a PCI DSS expert to complete the SAQ, although this is not mandatory.
• Large organizations and merchants (Level One) must hire a Payment Card Industry Qualified Security Assessor (PCI QSA) to conduct a security audit attesting that the organization meets the PCI security standards. These organizations need to complete an annual Report on Compliance (ROC) as well.

What else must merchants do to become PCI-DSS certified?

Generally speaking, smaller merchants (Levels 2,3 & 4) fill out the Self-Assessment Questionnaire attesting to their compliance and submit it to their acquiring bank and/or Payment Brands. Additionally, they must pass a Vulnerability Scan of their external networks every 90 days. The scan, which identifies vulnerabilities that could expose credit card data, is conducted by an Approved Scanning Vendor (ASV), a company approved for such work by the PCI Council.

Level 1 merchants must additionally undergo a formal security audit once a year to ensure they comply with the PCI standards and sub requirements. This audit is conducted by a Qualified Security Assessor (QSA) credentialed by the PCI Council.

For more information, see our blog post on “The Four Steps to Achieve PCI DSS certification.”

Do Service Providers need PCI DSS certification?

Service providers are entities that process, store or transmit cardholder data on behalf of other businesses. Typically, these include payment processers,  payment gateways, managed services providers, hosting providers etc. All of them could impact the security of cardholder data, so they are subject to PCI DSS.

What are the validation requirements for Service Providers?

Payment brand criteria can vary, but generally, they are:

• Level 1 service providers that store, process or transmit more than 300,000 credit card transactions annually have the following requirements:
  • Annual Report on Compliance by a Qualified Security Assessor
  • Quarterly network scan by an Approved Scanning Vendor
  • Submission of an Attestation of Compliance

• Level 2 service providers that store, process or transmit fewer than 300,000 credit card transactions a year have the following requirements:
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an Approved Scanning Vendor
  • Submission of an Attestation of Compliance

Does PCI DSS certification guarantee my business won’t be breached?

The one-word answer to this question is ‘No.’ The answer is the same for all compliance rules, regulations, laws and standards. But the PCI DSS does provide your organization with a very robust cybersecurity foundation that can be continuously built upon. Remember that your goal is good cybersecurity, not just compliance.

Are companies outside the U.S. required to get PCI-DSS certification?

The PCI DSS requirements apply to all organizations handling payment card data worldwide. These standards were designed to safeguard payment card data, regardless of the location. Payment card leaders such as MasterCard and Visa have their merchants spread all over the world, and the standards enforced by the PCI SSC apply to all organizations using their brand to process payment card data.

How has PCI-DSS certification evolved?

Compliance initiatives in the payment card industry started in 2004 when incidents of payment card fraud began to rise. The payment brands introduced the PCI DSS 1.0 in December 2004. Since then all merchants, service providers, and organizations accepting, transmitting or processing credit card data have been required to comply with the new standard. The latest version, Version 3.2.1, was released in May 2018. The PCI Council is now developing Version 4.0.

Each time the PCI Security Standards Council releases a new version of PCI-DSS, the control requirements undergo an upgrade with an increased focus on good payment card cybersecurity in the context of the most current risks, threats, and countermeasures.

These have included an increased emphasis on security education and awareness among all employees of organizations that handle payment cards, enhanced authentication methods, and a renewed focus on the security of third-party service providers.