Payment Card Industry Data Security Standards (PCI DSS) for Merchants

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a common set of industry standards and best practices that help ensure the safe handling of sensitive cardholder information. These standards were established by the five global payment brands: American Express®, Discover®, MasterCard®, JCB® and Visa®. PCI DSS consists of 12 requirements: common-sense steps that mirror security best practices and provide a framework for a secure payment environment. PCI DSS compliance validation is required for all merchants that process, store or transmit payment card data, regardless of size or point-of-sale (POS) solution. A merchant’s processing volume, card-handling processes and processing environment determine which PCI DSS requirements apply to their business.

PCI DSS Merchant Categories

Level 1

Any merchant (regardless of acceptance channel) processing over 6,000,000 Visa or MasterCard transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that either Visa or MasterCard, in their sole discretion, determine should meet the Level 1 merchant requirements to minimize risk to the system.

Level 2

Any merchant (regardless of acceptance channel) processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.

Level 3

Any merchant processing 20,000 to 1,000,000 Visa or MasterCard ecommerce transactions per year.

Level 4

Any merchant processing fewer than 20,000 Visa or MasterCard ecommerce transactions per year, and all other merchants (regardless of acceptance channel) processing up to 1,000,000 Visa or MasterCard transactions per year.

PCI DSS Compliance Requirements


Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Card Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Why Comply

PCI DSS is a critical component in securing your customers’ payment card data and safeguarding your business. Compliance helps you create and maintain a positive image and enhance consumer confidence. Failure to comply can result in fines, cancelled accounts and reputational damage to your business.

How to Comply

To begin the compliance process you will need to engage the services of a Qualified Security Assessor (QSA). A QSA is a data security firm that has been trained and certified by the PCI Security Standards Council to assess compliance with the PCI DSS. To further assist you, Global Payments has partnered with SecurityMetrics to provide PCI compliance services. SecurityMetrics has extensive PCI experience: since 2001, they have helped over one million merchants and have developed methods and expert tools that simplify PCI compliance. As a QSA and Approved Scanning Vendor (ASV), SecurityMetrics assists merchants in validating compliance and implementing the PCI Data Security Standard. SecurityMetrics is certified to perform PCI scans, onsite PCI audits, payment application software audits, point-of-sale terminal security audits, penetration tests and forensic analysis to help prevent and assess card data compromises. As technology and card processing situations change, SecurityMetrics can help merchants achieve and maintain PCI compliance.

Questions?

Should you have any questions regarding the PCI DSS requirements or compliance process, please contact a Global Payments representative at 1-800-361-8170, a member of Global Payments’ Canadian compliance department at cdn.pcicompliance@globalpay.com, or SecurityMetrics at 1-877-364-9172.

For additional information on PCI DSS, you may wish to refer to the following resources:

PCI Security Standards Council (PCI SSC)

PCI Quick Reference Guide

Approved Companies and Providers