Originally, the five main payment card brands, Visa, MasterCard, American Express, Discover, and JCB, each had their own security program.
All five brands shared the same goal: to create an additional layer of security for their customers and so limit their liability
for credit card data theft. Over time, the brands recognized that this should be a collaborative effort, and together they formed
the PCI Security Standards Council (SSC). The council then created the PCI Data Security Standard (DSS), which
was based on the requirements and security programs of the five major brands. The first published version of the PCI DSS was issued on September 15, 2004. Three updated versions followed: version 1.1, released in September 2006; version 1.2, released in October 2008; and version 2.0, released in October 2010. This brings us to the second part of the question posed above: why do I need it?
There are several reasons why there is a need for compliance with PCI DSS.
The first reason is because credit card companies mandate it, and your business could be placed in jeopardy if compliance is not met.
The second reason is that PCI compliance is now considered a business enabler.
A business that does not meet these standards is increasingly seen as a less viable partner. As business continues, it will become progressively more difficult to operate without PCI compliance. The final reason for PCI compliance is to have protections in place for your business and your customers.
Businesses that do not protect their customers’ financial data are not viewed as legitimate and are considered careless.
A business can hire any consultant or professional they choose to help with PCI DSS preparation.
There are numerous domestic and international firms that provide services including gap analysis, PCI preparation, audit preparation, firewall compliance, policy compliance, and more.
It is necessary to choose a company that is considered to be a Qualified Security Assessor (QSA) when undergoing a certified PCI DSS audit.
A company that is certified as an Approved Scanning Vendor (ASV) must be used when undergoing quarterly network scans.
GRSee Consulting is proud to be a Qualified Security Assessor providing a wide range of services such as gap analysis, PCI preparation projects and PCI audits. As part of our full-service PCI packages, we also provide network scans that are conducted by an ASV.
Merchant levels are the categories defined by the payment brands for all businesses accepting credit cards.
There are four main levels:
Merchant Level 1
This level applies to:
- Any merchant who processes more than 6,000,000 Visa transactions per year.
- Any merchant who has suffered a hack or an attack which resulted in a compromise of account data.
- Any merchant who the payment card brands, at their sole discretion, determine should fall into Level 1 merchant status in order to minimize the risk to the payment card brands.
Merchant Level 2
This level applies to any merchant processing 1,000,000 to 6,000,000 credit card transactions per year.
Merchant Level 3
This level applies to any merchant processing 20,000 to 1,000,000 credit card e-commerce transactions per year.
Merchant Level 4
This level applies to any merchant processing fewer than 20,000 credit card e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Disclaimer – Merchant levels may change at the sole discretion of the payment brands.
To learn more about merchant levels please check with the payment brands.
The payment card brands have set forth the following requirements for merchants:
Merchant Level 1
- An annual on-site security audit conducted by a Qualified Security Assessor (QSA).
- A quarterly network scan conducted by an Approved Scanning Vendor (ASV).
Merchant Level 2
- An annual on-site security audit conducted by a Qualified Security Assessor (QSA), or an internal audit signed by an internal officer who is qualified as an Internal Security Assessor (ISA).
- A quarterly network scan conducted by an Approved Scanning Vendor (ASV).
Merchant Level 3
- An annual PCI Self-Assessment Questionnaire that is validated by the merchant.
- A quarterly network scan conducted by an Approved Scanning Vendor (ASV).
Merchant Level 4
- A recommended annual PCI Self-Assessment Questionnaire that is validated by the merchant.
- A recommended quarterly network scan conducted by an Approved Scanning Vendor (ASV).