PCI DSS Compliance: The Basics
What is PCI DSS Compliance?
Over the years, retailers have lost millions of dollars to fines and in compensation to customers as a result of compromised credit cards and personal information. These losses, moreover, do not take into account the hidden costs of lost sales and damage to merchant brands. In response to this increase of credit card hackers and thieves, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc came together in 2006 to launch a global forum called the PCI Security Standards Council. Together they developed the Payment Card Industry Data Security Standard (PCI DSS) requirements.
According to the PCI Security Standards Council website, “The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.”
PCI DSS compliance is not an option but a requirement for all merchants — whether small or large — that process credit cards. In other words, if your organization plans to accept credit card payments prior to and/or at your event auction – e.g. for online ticket sales, online cash donations, as payment for items won in an online auction, and as payment for items won at your event auction – then it must be PCI DSS compliant.
What is required for PCI DSS compliance?
Your organization’s “Merchant Level” determines your requirements for PCI DSS compliance. The number of transactions your organization processes each year and whether those transactions are performed from a brick and mortar location or via the Internet help determine which of four merchant levels it falls under.
Keep in mind, even though the PCI Security Standards Council developed the PCI DSS standards, compliance is actually mandated separately by the individual payment card brands (Visa, MasterCard, etc.). Accordingly, each payment card brand determines its own definitions of Merchant Levels and has its own set of compliance requirements.
To give you a general idea of how to determine your PCI compliance level, here are Visa’s PCI compliance merchant level definitions:
- PCI Compliance Level 1 — Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
- PCI Compliance Level 2 — Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- PCI Compliance Level 3 — Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- PCI Compliance Level 4 — Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
In a future article, I will discuss the 12 PCI DSS requirements for becoming PCI DSS compliant and the importance of two technologies – end-to-end encryption and Tokenization – that help your organization achieve compliance.
As a merchant who accepts credit cards, it is your responsibility to ensure the security of your customers’ credit card and personal information. Therefore, you should evaluate your level of PCI DSS compliance, determine if you are meeting all requirements, and if not, what you need to do to become PCI DSS compliant. Your merchant processor is a great resource. They should help you determine which merchant level your organization belongs to and how to achieve PCI DSS compliance.