PCI Compliance Is "Industry Self-Regulation"
The major credit card companies, Visa, MasterCard, Discover and American Express, have collaborated on minimum payment-processing security requirements. These requirements make up the Payment Card Industry Data Security Standard (PCI DSS). Merchants and merchant account providers who work with any of those four credit card companies must follow these standards. In that sense, PCI DSS is not law but industry self-regulation that the credit card companies have adopted and enforce through their own contracts.
We asked a PCI compliance expert, Sweta Duseja, to explain these standards to us. Duseja is Product Marketing Manager for nCircle, a security risk and compliance management firm.
PeC: PCI compliance is not a law, but self-regulation by the credit card industry. Can you explain?
DUSEJA: Many different industries have requirements that dictate security and privacy. Some of these are laws and regulations – mandates passed by the federal government and by individual state governments – and others are self-regulatory standards. For example, the medical industry has the Health Insurance Portability and Accountability Act, or HIPAA, which is a law that governs the transmission and storage of medical records. Public companies are governed by the Sarbanes-Oxley Act, which is a law that governs financial reporting issues. The PCI Data Security Standard is not a law or regulation. It’s a standard that the four major credit card companies have adopted that tells merchants, essentially, if you want to collect payments from customers using credit and debit cards you must adhere to the PCI standard.
PeC: How do the credit card companies enforce these standards on merchants?
DUSEJA: The credit card companies rely on merchant banks to enforce the standards on their merchants. If a network breach is discovered, a merchant may be fined heavily by one of the credit card companies. This has been sporadic at best because network breaches, unless they are high profile, are usually not publicized. The real driver here is the loss of customers’ trust in a merchant. The fear that their credit or debit card data may be stolen and used without their authorization is a far greater incentive for customers to do business only with trusted merchants. On the other hand, Visa has rewarded merchant banks that have proven high or complete compliance among their merchants with lower interchange fees (fees paid to Visa to use its network to process customer payments).
PeC: Summarize for us what is required of merchants to meet the standards.
DUSEJA: For a general understanding, merchants should always follow four basic rules:
- Collect only data that is needed for a transaction or order;
- Store only that customer card data that does not violate the requirements stated very specifically in the PCI standard;
- Make sure that all customer card data is stored securely;
- Make sure that card data is securely transmitted from a customer to a merchant via the merchant payment gateway.
PeC: How can a merchant prove compliance with these standards?
DUSEJA: The PCI standard categorizes merchants into four different levels based on the number of payment transactions they generate. All merchants, regardless of size, must retain an Approved Scanning Vendor, certified by the PCI Security Standards Council, the body that governs the PCI standard, to perform and submit a quarterly scan of their externally facing payment network. In addition, the very largest of the merchants, Level 1 merchants, must submit to an annual onsite audit performed by a Qualified Security Assessor, also certified by the Council. Level 2, 3 and 4 merchants are required to fill out and submit an annual self-assessment questionnaire, which is no less thorough than an onsite audit. All of this, and more, is explained at the PCI website, pcisecuritystandards.org.