Payment Card Industry Data Security Standard (PCI DSS)

Customers worry about theft of their data.
You should worry about business fallout.

More than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005.1 Now criminals are shifting sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants. If you are at fault for a security breach, business fallout can be severe:

Fallout from a data breach

As a small merchant, you face the potential of many negative forces from a breach of cardholder data:

  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost confidence, so customers go to other merchants
  • Lost sales
  • Cost of reissuing new payment cards
  • Legal costs, settlements and judgments
  • Fraud losses
  • Higher subsequent costs of compliance
  • Going out of business

What data thieves are after

The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.

Sensitive cardholder data can be stolen from many places:

  • Compromised card reader
  • Paper stored in a filing cabinet
  • Data in a payment system database
  • Hidden camera recording entry of authentication data
  • Secret tap into your store’s wireless or wired network

Defining “sensitive cardholder data”

Everything at the end of a red arrow is sensitive cardholder data. Anything on the back side and CID must never be stored. Everything else you store must be for a good business reason, and that data must be protected. PCI DSS explains how. Read more.

Types of Data on a Payment Card

Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.  Essentially any merchant that has a Merchant ID (MID).

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: What are the PCI compliance ‘levels’ and how are they determined?
A: All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:

Merchant Level Description
1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

 * Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.


What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

A: To satisfy the requirements of PCI, a merchant must complete the following steps:

  • Identify your Validation Type as defined by PCI DSS – see below .  This is used to determine which Self Assessment Questionnaire is appropriate for your business.
  • Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).  Note scanning does not apply to all merchants.  It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses.  Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
  • I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?

All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance.  However, it does not mean they can ignore PCI.

Q: My business has multiple locations, is each location required to validate PCI Payment Card Industry Data Security Standard Compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable.

Q: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.

Q: Am I PCI compliant if I have an SSL certificate?
A: No.  SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance. 

  • A secure connection between the customer’s browser and the web server
  • Validation that the Website operators are a legitimate, legally accountable organization

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.  Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.


Evaluate with a Self-Assessment Questionnaire

Most small merchants can use a self-validation tool to assess their security for cardholder data. The tool includes a short list of yes-or-no questions for compliance. Click on the Self-Assessment Questionnaire number that best describes how you accept payment cards.

SAQ How do you accept payment cards?
A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.




Get a Quick Quote:



Mobile Payments Surging in 2012

More than one-third of consumers used a mobile phone to make a purchase in 2012, up from less than 20 percent a year ago, according to a new report from Massachusetts-based consultancy IDC Financial Insights. In its eighth annual Consumer mobile paymentsPayments Survey, IDC identified PayPal Mobile, Amazon Payments and iTunes as the most popular mobile payment services.

IDC found mobile payments are spread essentially evenly among payments made via smartphone apps, mobile browser, contactless payments and text message. At least 30 percent of respondents reported being interested in making payments through each of the four methods. So, while the report says that statistic “bodes well for the growth of the various digital and mobile wallets that have been introduced last year…it appears that consumers have not decided on a favorite mode, so scheme operators will have to continue supporting a variety of modes and platforms.”

Contrary to its expectations, IDC also found that more consumers used mobile devices to purchase physical goods (about 72 percent) than digital goods (65 percent) or online services (61 percent). The report says “this is good news for companies that are focused on working with brick-and-mortar merchants, such as LevelUp, PayPal, and Square.”


firearms payment processing