There is no PCI DSS certificate, per se, because credit card and cardholder data security—the focus of the Payment Card Industry Data Security Standard—is an ongoing process, not a one-and-done deal.
Larger merchants, however, must obtain a yearly Report on Compliance (ROC) from a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Under PCI DSS requirements, merchants processing 1 million to 6 million or more credit card transactions per year, and therefore qualifying as Level 1 or 2 with major credit card brands such as American Express, Visa, Mastercard, JCB and Discover, must attain this proof of PCI DSS compliance.
Passing a yearly audit for PCI compliance is a must for any organization that processes large amounts of credit card data. Smaller merchants do not need a full-blown audit, but can answer a self-assessment questionnaire.
Service providers to merchants and banks (known as “acquiring banks”) also need to comply with PCI DSS. A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business, or that provides services that could affect cardholder data security. Examples include businesses providing managed firewalls, intrusion detection systems, intrusion prevention systems, data destruction services, and web hosting.
The compliance levels for service providers differ from the merchant levels established by PCI DSS: the framework requires a Report on Compliance only from service providers processing 300,000 or more credit card transactions annually.
The rules differ from level to level: there are four levels for merchants and two for service providers. But the PCI Security Standards Council (PCI SSC), which represents financial institutions, merchants, processors, software developers, and point-of-sale vendors, requires that all merchants and service providers be PCI compliant. The penalties for noncompliance can be stiff: hefty fines each month until compliance is reached or, possibly worse, the loss of credit card transaction privileges.
It’s all about information security
An increase in the size and scope of payment cardholder data breaches was the impetus for the PCI Data Security Standard. It stipulates the precise steps you must take to protect payment card transactions in your cardholder data environment (CDE). The CDE includes:
- Point-of-sale devices
- Mobile devices, personal computers, and servers
- Wireless hotspots
- Ecommerce applications
- Paper-based storage systems
- The transmission of cardholder data to service providers
- Remote-access connections
PCI DSS’s 281 requirements in 12 categories can make for an intimidating list, but remember: not every organization needs to comply with every mandate. Determining your organization’s scope is the first, crucial step you’ll want to take to prepare for your audit or self-assessment. Other steps you can take include:
- Adjusting your firewall configuration to isolate your CDE from the rest of your networks, especially public networks
- Ensuring that you have anti-virus software and that it is up to date
- Restricting physical access as well as digital access to cardholder data so that only those who need it can see it
- Ensuring that accepted system passwords meet the PCI DSS minimum requirements for complexity
- Ensuring that you use only PCI SSC-approved secure systems and applications throughout your cardholder environment
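Of the steps above, isolating the CDE with firewall configuration is the one that benefits most from a concrete illustration. The nftables ruleset below is an added example written for this article, not configuration from the page or from any vendor or assessor. The subnets, management hosts and processor address range are assumed placeholders (the external range uses RFC 5737 documentation space), and the policy is deliberately narrow: default-deny for everything crossing the CDE boundary, administrative SSH allowed only from designated jump hosts, HTTPS allowed only from the CDE to the payment processor, and every denied cross-boundary attempt logged so that segmentation can be evidenced during an audit or self-assessment.

```nftables
#!/usr/sbin/nft -f
# Added illustration: default-deny segmentation for a firewall that sits between the
# cardholder data environment (CDE) and all other networks. All addresses below are
# assumed placeholders, not values from the article.

flush ruleset

define CDE_NET    = 10.10.0.0/24                 # assumed: CDE segment (POS, payment servers)
define CORP_NET   = 10.20.0.0/16                 # assumed: general corporate network
define MGMT_HOSTS = { 10.20.5.10, 10.20.5.11 }   # assumed: jump hosts permitted to administer the CDE
define PROCESSOR  = 203.0.113.0/24               # assumed (documentation range): payment processor

table inet cde_segmentation {
    # Traffic forwarded through this firewall: drop anything not explicitly allowed.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that an allowed rule below already admitted.
        ct state established,related accept
        ct state invalid drop

        # Anything from outside both internal ranges (i.e. public networks) heading for the
        # CDE is logged and dropped; the CDE never accepts inbound connections from the internet.
        ip saddr != { $CDE_NET, $CORP_NET } ip daddr $CDE_NET \
            log prefix "CDE-INBOUND-PUBLIC " drop

        # Only the designated jump hosts may open administrative sessions into the CDE.
        ip saddr $MGMT_HOSTS ip daddr $CDE_NET tcp dport 22 accept

        # The rest of the corporate network gets no path into the CDE at all.
        ip saddr $CORP_NET ip daddr $CDE_NET log prefix "CDE-INBOUND-CORP " drop

        # CDE hosts may reach outbound only the payment processor, and only over TLS.
        ip saddr $CDE_NET ip daddr $PROCESSOR tcp dport 443 accept

        # Every other flow leaving the CDE is logged and dropped (catches misconfigured
        # hosts and unexpected egress, both of which an assessor will ask about).
        ip saddr $CDE_NET log prefix "CDE-OUTBOUND-DENY " drop
    }
}
```

Validate the file with `nft -c -f cde-segmentation.nft` before loading it with `nft -f cde-segmentation.nft`. The distinct log prefixes let you pull denied cross-boundary attempts out of the kernel log when reviewing segmentation controls, and the explicit `policy drop` on the forward chain means that any new service needed inside the CDE has to be added as a documented rule rather than slipping through by default.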
Preparing for a PCI DSS audit can be time-consuming and expensive, especially if you’re using spreadsheets. Fortunately, we have a great tool available to do much of the work for you, walk you through the rest, and help you stay on top of PCI DSS compliance continuously until the next audit. Worry-free, hassle-free compliance: That’s the Zen way.