The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies that process, store or transmit sensitive credit and debit card information maintain a secure environment. The standard is administered and managed by an independent Security Standards Council (PCI SSC) created by the major credit and debit card brands: American Express, Discover, JCB, MasterCard and Visa. It is the responsibility of merchants and processing companies to maintain these standards continuously by scanning for threats, failures and security risks.
PCI applies to any company, organization or merchant that accepts, transmits or stores credit card data for the purpose of commercial transaction regardless of company size or number of transactions.
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
The PCI SSC categorizes Merchants and Service Providers according to the number of credit card transactions they process per year.
- Level 1 Merchants process more than 6,000,000 credit card transactions per year
- Level 2 Merchants process 1,000,000 to 6,000,000 credit card transactions per year
- Level 3 Merchants process 20,000 to 1,000,000 credit card transactions per year
- Level 4 Merchants process less than 20,000 credit card transactions per year
Yes, every Merchant and Service Provider needs to complete a Self-Assessment Questionnaire (SAQ). The table below outlines which SAQ needs to be completed depending on the Merchant Description.
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, we recommend that you contact your acquirer.
Every Merchant or Service Provider needs to complete a SAQ and undergo quarterly (every 90 days) PCI scans by an Approved Scanning Vendor (ASV). Clone Systems is an ASV approved by the PCI Security Standards Council to provide certified quarterly PCI scans. Level 1 Merchants are also required to undergo an onsite assessment by a Qualified Security Assessor (QSA), who then produces a Report on Compliance (ROC) for submission to the acquiring bank. You can save 25% by subscribing to our Annual PCI Compliance Scanning Service. Larger companies can benefit from our flat-rate PCI Network Scan.
A PCI scan checks a merchant's or service provider's systems for security risks. The tool conducts a non-intrusive scan that remotely reviews networks and Web applications at the Internet Protocol (IP) addresses provided. The scan identifies potential threats to the operating system, services and devices used for financial transactions. A PCI scan performed with an advanced scanning engine generates a detailed report listing server and network vulnerabilities. The merchant or processor can then resolve those vulnerabilities to protect against external attackers and other threats.
Clone Systems PCI scans discover potential threats to your public facing network. If left undiscovered, such threats may be exploited by hackers who can damage and disrupt a payment system regardless of the size of a company or number of transactions being executed. It's important to protect against these and other risks to maintain a safe environment for customers and to operate in compliance with PCI guidelines set forth by major credit and debit card partners.
Companies that process, store and transmit sensitive credit and debit card information are required to conduct a Quarterly PCI Scan (every 90 days) by a PCI SSC Approved Scanning Vendor (ASV). The Executive Summary Report from the scan should then be submitted to the acquiring bank.
Payment brands may, at their discretion, fine non-compliant parties for every month the merchant or processor is in violation of the standard. A merchant or processor that is fined may also have its relationship terminated by its acquiring bank.
Security breaches can be detected in several ways:
- monitor for unknown or unexpected outgoing network traffic
- look for unknown IP addresses on the network
- look for unknown services and applications
- sweep for unknown files, software and devices on the system
- determine whether anti-virus programs are malfunctioning or disabled
- monitor failed log-in attempts and suspicious after-hours activity
- check for unexplained system reboots and shutdowns
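Three of the indicators above (unknown IP addresses, failed log-in attempts and after-hours activity) can be checked mechanically over authentication logs. The script below is an added example, not Clone Systems' code or a PCI DSS requirement: it runs over constructed syslog-style lines, and the allowlist of known addresses, the business-hours window and the failure threshold are assumptions chosen for the illustration.

```python
"""Flag breach indicators over constructed sample authentication log lines:
failed log-in bursts, after-hours activity and source IPs not on the allowlist.
Added example; not Clone Systems' own tooling."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-like, documentation IP ranges, not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:01 sshd: Accepted password for alice from 192.0.2.10
2024-03-04T09:40:17 sshd: Failed password for bob from 192.0.2.11
2024-03-04T23:05:02 sshd: Failed password for admin from 203.0.113.9
2024-03-04T23:05:04 sshd: Failed password for admin from 203.0.113.9
2024-03-04T23:05:07 sshd: Failed password for admin from 203.0.113.9
2024-03-04T23:05:09 sshd: Failed password for root from 203.0.113.9
2024-03-05T02:30:44 sshd: Accepted password for backup from 198.51.100.7
"""

# Assumed allowlist of internal source addresses (constructed for the example).
KNOWN_IPS = {"192.0.2.10", "192.0.2.11"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<status>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for lines this parser ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_indicators(log_text, known_ips=KNOWN_IPS,
                      business_hours=(8, 18), fail_threshold=3):
    """Return a sorted list of (indicator, detail) tuples.

    business_hours is the [start, end) hour range treated as normal activity;
    fail_threshold is the number of failures from one IP that counts as a burst.
    Both values are assumptions for this example, not PCI DSS requirements.
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    findings = set()
    failures = defaultdict(int)
    start, end = business_hours
    for e in events:
        if e["ip"] not in known_ips:
            findings.add(("unknown_ip", e["ip"]))
        if not (start <= e["ts"].hour < end):
            findings.add(("after_hours", f'{e["user"]}@{e["ip"]}'))
        if e["status"] == "Failed":
            failures[e["ip"]] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.add(("failed_login_burst", f"{ip} x{n}"))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, detail in detect_indicators(SAMPLE_LOG):
        print(f"{indicator:20s} {detail}")
```

Findings are de-duplicated as (indicator, detail) pairs so that a single noisy source produces one line per indicator rather than one per log entry; in practice the allowlist and the hours window would come from the environment's own inventory rather than constants.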
Take immediate action: investigate the incident, limit the exposure of cardholder data and report the investigative findings to the credit and debit card partners. Do not access or alter the compromised system. Instead, isolate the breached system and preserve any logs that may be required for forensic review.
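Preserving logs for forensic review means taking read-only copies and recording their hashes so that any later change to the evidence is detectable. The script below is an added example, not Clone Systems' code or a mandated PCI procedure: it writes constructed sample log files into a temporary directory standing in for the compromised host's log location, copies them into an evidence directory with a SHA-256 manifest, and then shows that verification catches a modified copy. File names, paths and log contents are all assumptions.

```python
"""Preserve log evidence without altering the source files: copy each log to an
evidence directory, record its SHA-256 in a manifest, verify later.
Added example; not Clone Systems' own tooling."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths, evidence_dir):
    """Copy logs into evidence_dir as read-only files and write manifest.json.

    Returns the manifest dict {file name: sha256}. Source files are only read,
    never modified, in line with the 'do not alter the compromised system' rule.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for src in log_paths:
        name = os.path.basename(src)
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)        # copy2 keeps the mtime, useful for timelines
        os.chmod(dst, stat.S_IRUSR)   # owner read-only: discourages accidental edits
        manifest[name] = sha256_file(dst)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_evidence(evidence_dir):
    """Return {name: bool} stating whether each preserved file still matches the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return {name: sha256_file(os.path.join(evidence_dir, name)) == digest
            for name, digest in manifest.items()}


def run_demo():
    """Build constructed sample logs, preserve them, then tamper with one copy.

    Returns (manifest, verification_before, verification_after). Everything is
    created under a temporary directory (assumed layout) and removed afterwards.
    """
    work = tempfile.mkdtemp(prefix="pci-ir-")
    src_dir = os.path.join(work, "var_log")   # stands in for /var/log on the host
    os.makedirs(src_dir)
    samples = {  # constructed sample log contents, not real data
        "auth.log": "2024-03-04T23:05:02 sshd: Failed password for admin from 203.0.113.9\n",
        "access.log": '203.0.113.9 - - [04/Mar/2024:23:07:41 +0000] "GET /admin HTTP/1.1" 401 0\n',
    }
    paths = []
    for name, text in samples.items():
        p = os.path.join(src_dir, name)
        with open(p, "w") as f:
            f.write(text)
        paths.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(paths, evidence)
    before = verify_evidence(evidence)
    # Simulate tampering with one preserved copy (chmod back so the append succeeds).
    target = os.path.join(evidence, "auth.log")
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    with open(target, "a") as f:
        f.write("tampered\n")
    after = verify_evidence(evidence)
    shutil.rmtree(work)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = run_demo()
    print(json.dumps(m, indent=2))
    print("before tamper:", before)
    print("after tamper: ", after)
```

In a real engagement the manifest itself would be copied off-host (and ideally its hash recorded with a timestamp by a second party) so that the integrity record does not live next to the evidence it protects.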
Review the Clone Systems PCI Compliance Guide for additional PCI information, or visit the official website of the PCI Security Standards Council.
A few notable examples are:
- Bank of America announced that more than 1.2 million customer records had been lost.
- CardSystems was sued in a series of class actions that claimed it had failed to protect the personal information of more than 40 million customers. Visa and American Express subsequently ended their business relationships with the company, which effectively brought its business to a halt.
- The Boston Globe and The Worcester Telegram and Gazette exposed 240,000 credit and debit card records and routing information for personal checks. The information was disseminated on recycled paper used for wrapping newspapers for distribution.
- It was reported that nearly 200,000 debit card accounts had been disclosed by unidentified retailers, including accounts held at such large institutions as Wells Fargo and Citibank.
- MoneyGram confirmed that a company server had been unlawfully accessed, exposing personal information for 79,000 customers.
- TJX Companies Inc. acknowledged that one of its systems had been unlawfully accessed and that at least 45.7 million credit and debit card numbers had been exposed, leading to more than 20 class action lawsuits.