In the first part of this article, we looked at the 6 control objectives and the 12 requirements of the PCI DSS guidelines. In the second part, we will delve upon the different PCI compliance levels, the validation requirements and the risks of not maintaining PCI compliance.
Today, all credit card brands use the Payment Card Industry Data Security Standard (PCI DSS) and hence all the merchants, irrespective of whether big or small, are required to follow the security measures and the auditing procedures specified in PCI DSS. Though the security measures are same for all types of merchants, the auditing procedures vary depending on the number and type of transactions the merchant processes in a year. Hence, there are different PCI compliance levels or merchant categories.
PCI Compliance Levels
There are four levels or categories of PCI compliance namely:
Merchants who process more than 6 million credit card transactions per year belong to this category. It includes those merchants as well identified by any card company as Level 1. Even those merchants who have suffered an attack leading to account data compromise belong to this category.
Level 2 comprises of those merchants who process 1 million to 6 million credit card transactions per year.
It includes those merchants who process anywhere between 20,000 and 1 million eCommerce transactions each year.
Those merchants who process less than 20,000 eCommerce transactions and up to 1 million credit card transactions per year belong to this category.
PCI Validation Requirements
The validation requirements vary depending upon the level to which the merchants belong. As per the validation requirements, an independent security assessor must perform annual on-site security audit while a qualified independent scan vendor must do quarterly network security scans. In the case of audits, internal audit will do if and only if signed by an officer of the company.
1. Level 1 merchant must undergo annual on-site security audit and perform quarterly network security scans.
2. Level 2 and Level 3 merchants must complete an annual PCI Self-Assessment questionnaire and perform quarterly network security scans.
3. Level 4 merchants must complete an annual PCI Self-Assessment questionnaire. In addition,they are recommended to perform quarterly network security scans.
Since credit card fraud is a multi-billion dollar industry, non-compliance with PCI guidelines are strictly dealt with. Penalties include fines and account termination. The card associations punish the non-compliant merchant directly or indirectly. The card associations fine the acquirer under which the merchant processes transactions, who then passes the fine on to the merchant. Moreover, those merchants whose accounts have been terminated would find it difficult to get a new account, as their names would be put on MATCH, a blacklist in the credit card processing industry.
As we come to the end of the second and final part of this article, we understand that achieving PCI compliance is not as easy as it sounds,since PCI DSS comprises of 200-plus sub policies, procedures and technical nuances. Hence, what is needed is an effective PCI compliance and vulnerability management solution that helps small, medium and large businesses to be PCI DSS compliant.