The Fundamentals of PCI Compliance
AMG is dedicated to ensuring that you are fully apprised of data security requirements and the actions you are required to take for compliance. As a PCI compliant merchant services provider, AMG urges all of our valued customers to carefully review the information below to ensure your organization is in compliance with the established security mandates.

PCI Overview

Every consumer wants to know that their credit card account information is secure. Offering your customers a safe and secure payment method is no longer just good business practice; it is a requirement of doing business. As a business accepting credit cards as payment for goods or services, you are responsible for safeguarding cardholder information, and, ultimately, you can be held liable for any breach in security. Fines for non-compliance can cost a business thousands of dollars.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the founding payment brands of the Payment Card Industry Security Standards Council (PCI SSC): American Express®, Discover® Financial Services, JCB International, MasterCard® Worldwide and Visa™ Inc. The PCI DSS is a set of comprehensive requirements designed to help organizations proactively protect customer account data.

Does this apply to every business?

PCI compliance mandates apply to ALL organizations that store, process or transmit cardholder data (i.e. Visa™, MasterCard®, American Express®, Discover®), regardless of the payment channel: in person, online, by mail or by telephone. The degree of proof of compliance required is determined by your organization's merchant level (see the merchant level information below).

What are the requirements of PCI DSS?

There are 6 objectives and 12 requirements, categorized as follows:
Objective: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across open, public networks

Objective: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Validation of Compliance

The mandate to comply with the PCI DSS requires each entity to verify and demonstrate its compliance status. Validation of compliance identifies and corrects vulnerabilities, and further protects customers by ensuring that appropriate levels of cardholder information security are maintained.

Merchant Levels of Compliance

Merchant validation levels vary by processing volume, and it is important for you to know what actions you need to take to validate your compliance. Visa™ and MasterCard® have both imposed severe fines on merchants found to be PCI DSS non-compliant at the time of a data breach involving cardholder information. Avoiding these fines is easy to do. AMG has entered into an agreement with Security Metrics to implement the appropriate actions. There is an annual $79 fee to work with Security Metrics, which will be billed directly to your merchant account.

What Merchant Level is my business?
Merchant Level *   Description
1                  Merchants, regardless of acceptance channel, processing over 6,000,000 Visa™ transactions annually, or global merchants identified as Level 1 by any Visa™ region
1                  Any merchant that Visa™, at its sole discretion, determines must meet the Level 1 merchant requirements to mitigate risk to the Visa™ system
2                  Merchants, regardless of acceptance channel, processing 1,000,001 to 6,000,000 Visa™ transactions annually
3                  Merchants processing 20,000 to 1,000,000 Visa™ e-commerce transactions annually
4                  Merchants processing fewer than 20,000 Visa™ e-commerce transactions annually, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa™ transactions annually

* Any merchant that has suffered a hack resulting in an account data breach may be escalated to a higher merchant level.
What level of action do I need to take?

Merchant Level   Action Required                              Validated by
1                Annual on-site PCI data security assessment  Qualified security assessor, or internal audit if signed by an officer of the company
                 Quarterly network scan                       Approved scanning vendor
2                Annual PCI self-assessment questionnaire     Merchant
                 Quarterly network scan                       Approved scanning vendor
3                Annual PCI self-assessment questionnaire     Merchant
                 Quarterly network scan                       Approved scanning vendor
4 **             Annual PCI self-assessment questionnaire     Merchant
                 Quarterly network scan (if applicable)       Approved scanning vendor

** The PCI DSS requires that all merchants with externally facing IP addresses perform external network scanning to achieve compliance. Submission of scan reports and/or questionnaires by Level 4 merchants may be required.

As always, if you have any additional questions about PCI compliance, please call our customer support department.

Additional Resources
www.pcisecuritystandards.org
usa.visa.com/merchants/risk_management/cisp.html
www.mastercard.com/us/merchant/support/merchant_education.html