Payment Card Industry Data Security Standards Explained
The phrase PCI Compliance gets used a lot in the payment processing industry. This article explains what PCI Compliance is, where the PCI Compliance Fee comes from and how both relate to your business.
PCI DSS stands for Payment Card Industry Data Security Standard. PCI Compliance is the process of adhering to that standard, which is published and maintained by the PCI Security Standards Council (PCI SSC); the full text of the standard is available from the Council. The standard is a set of requirements designed to ensure that every company that processes, stores or transmits cardholder data maintains a secure environment.
The Payment Card Industry Security Standards Council was formed September 7, 2006 to manage the ongoing evolution of the PCI security standards, with a focus on improving payment account security throughout the transaction process. PCI DSS is administered and managed by the Council, an independent body founded by the major payment card brands: Visa, MasterCard, American Express, Discover and JCB. It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the Council.
Sometimes referred to as a PCI DSS Compliance Fee, the PCI Compliance Fee is a charge that appears on a merchant's processing statement. It is not imposed by the PCI Security Standards Council, which neither enforces compliance nor bills merchants. It is set by the merchant account provider (the acquirer or processor) to cover the cost of its own compliance program: typically the self-assessment questionnaire portal, support for merchants going through validation and, in many cases, quarterly external vulnerability scanning by an Approved Scanning Vendor. Many providers also charge a separate non-compliance fee for each month a merchant has not completed its validation. Paying the fee does not by itself make a business compliant; compliance means meeting the requirements of the standard and validating that fact with the provider.
PCI DSS applies to every organization or merchant, regardless of size or number of transactions, that accepts, transmits or stores cardholder data. Cardholder data means the primary account number (PAN), and, when stored together with the PAN, the cardholder name, expiration date and service code. The standard also covers sensitive authentication data, such as full magnetic stripe or chip data, the card verification code (CVV2, CVC2, CID) and PINs, which must never be stored after authorization. A social security number, address or other personal information is not cardholder data under PCI DSS, although it may be regulated by other laws. In short, an organization must maintain PCI DSS Compliance if any of its customers ever pays it with a credit or debit card.
The PCI Compliance Fee is charged by the merchant account provider each year (or, with some providers, each month), and the money stays with the provider; the PCI Security Standards Council is funded by its participating organizations and its assessor and training programs, not by merchant fees. What does flow up the chain are fines: the card brands levy non-compliance fines and breach assessments on acquirers, who pass them on to the merchants responsible. Merchant account providers typically pass their program costs (or part of them) on to the business owner as the compliance fee.
For compliance validation, Visa groups all merchants into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is the aggregate number of Visa transactions (including credit, debit and prepaid card transactions) from a merchant; the other card brands publish their own, broadly similar, tiers. The merchant levels as defined by Visa are:
It is important to note that any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level, regardless of its transaction volume.
Continue Reading – PCI Security Standards, Part 2