A guide to The Payment Card Industry Data Security Standard

FLAME:Media, Oak House, Groes Lwyd, Abergele, Conwy, LL22 7SU
01978 354316


The Payment Card Industry Data Security Standard (The PCI DSS)

This set of comprehensive requirements for enhancing payment account data security was developed to help facilitate the broad adoption of consistent data security measures on a global basis. The Payment Card Industry Data Security Standard is not a law. It is a contractual obligation applied and enforced directly by the payment providers themselves, by means of fines or other restrictions.

The Payment Card Industry Data Security Standard (The PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures; this comprehensive standard is intended to help businesses proactively protect customer account data.

If you accept online or telephone payments, then you must comply with the PCI DSS or risk losing your facility for taking payments online.

Principles and Requirements

The PCI DSS lays out a group of requirements which relate to how you handle payment details. The main obligations are that businesses should:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

If you do not comply with the PCI DSS, your right to accept online, telephone and mail order payments may well be revoked.

Compliance requirements depend on your business's transaction volume. There are four levels, based on the annual number of credit / debit card transactions processed, listed here from the highest level to the lowest:

  • Merchants with over 6 million transactions a year, or whose data has previously been compromised
  • Merchants with 150,000 to 6 million transactions a year
  • Merchants with 20,000 to 150,000 transactions a year
  • Merchants with less than 20,000 transactions a year


Further information

Further information about the PCI DSS can be found at www.pcisecuritystandards.org.