- February 7, 2007: New Techniques for Guarding Financial Data
- February 6, 2007: Increased Scrutiny From Card Associations in 2007
- January 28, 2007: The State of PCI Compliance 2007
- January 23, 2007: Background Checks on IT Personnel
- January 5, 2007: 100 Million Notifications of Data Breaches in US
- December 17, 2006: Inside Jobs: The Risk of Data Breach From Insider Threats
- December 12, 2006: Card Associations Step Up PCI Enforcement
- December 1, 2006: CompTIA Survey Emphasizes Importance of Security Training
- November 16, 2006: Average data breach costs $5 million
PCI Compliance for Merchants FAQ
We are a small company or organization with a fairly low volume of transactions. Do we have to comply with PCI?
Yes. The card companies have made it clear that any entity that stores, processes, or transmits cardholder data must comply with the PCI requirements, and the merchant agreement typically contains language that binds the merchant to comply. What varies with transaction volume is not whether a merchant must comply but how it must validate compliance: each card brand assigns a merchant level based on volume, and the level determines the validation method.
While the validation requirements are lighter for smaller merchants, there are still complexities that even a small merchant should consider, and I will mention only three major ones here. First, every merchant must comply with each card company's own program requirements (see this post for more detail), so someone in the organization must invest time in understanding and navigating that maze. Second, every merchant must validate compliance: depending on merchant level this means completing a Self-Assessment Questionnaire, passing quarterly external network scans by an Approved Scanning Vendor for any Internet-facing systems, or, for the largest merchants, undergoing an on-site assessment. Scanning vendors charge widely ranging fees, many merchants find it necessary to hire a security consultant to complete the assessment, and on top of that come the costs of the hardware, software, or consulting needed to actually meet the standard. Third, every merchant is subject to the data breach notification law of any state whose residents' information it has collected. Clearly, the costs of PCI compliance should be weighed before a merchant undertakes any project involving cardholder data.
Is there any way for a merchant to avoid complying with PCI?
Not entirely. Visa and the other card companies make it clear, both on their websites and in their merchant agreements, that the merchant retains primary responsibility for complying with the PCI requirements; outsourcing does not transfer that responsibility. What a merchant can do is shrink the problem: outsource all handling of cardholder data to a Service Provider that has itself validated PCI compliance, so that card data never touches the merchant's own systems and the merchant's own scope is reduced to whatever remains in its environment. The best way to find such a company is the List of Compliant Service Providers published by Visa; check that the specific service you intend to use is the one the provider validated.
We already use a service provider for accepting online payments. Does this ensure that we are PCI compliant?
It depends. Unfortunately, many service providers do not fully understand PCI compliance, and some that claim to be PCI compliant have never completed the validation and registration requirements. Using a provider does not make you compliant by itself. The first thing to verify is that the provider appears on the List of Compliant Service Providers on Visa's website, and that the service you use is the one it validated. Even then, the parts of the payment flow that remain in your hands (for example, the web pages that send the customer to the provider) are still your responsibility.
We already use SSL on our website pages that transmit cardholder data. Does this make us PCI compliant?
No. The Payment Card Industry (PCI) Data Security Standard (DSS) consists of twelve general requirements. SSL encryption of the pages that transmit cardholder data is essential, but it satisfies only a small part of one of the twelve (Requirement 4, encrypting transmission of cardholder data across open, public networks). It says nothing about how the data is handled once it reaches your server, who can access it, how the systems are patched, or whether access is logged, all of which are covered by the other eleven requirements.
We do not store any cardholder data. Does this make us PCI compliant?
No. Even if you do not store cardholder data, you must still comply with all of the PCI DSS requirements that apply to the systems that process or transmit it. Visa states this directly in its Frequently Asked Questions (see question 3).
We process credit cards on a server that is behind a firewall on our in-house network. Does this make us PCI compliant?
No. A firewall is certainly required for PCI compliance, but it addresses only one of the twelve general requirements. The PCI DSS also places rigorous requirements on the functionality of the payment application itself and on the configuration and management of the server that runs it. Visa does publish a List of Validated Payment Applications, but that document carries a blatant disclaimer that using a listed application does not by itself make a merchant PCI compliant. Although running payment applications on an in-house server may offer business advantages, it can substantially increase the complexity of compliance: every system on the same network as that server, or able to reach it without network segmentation, is in scope for the full standard, not just the server itself.
What advantages does a merchant gain by using a validated PCI-compliant Service Provider?
To be clear, any service provider that has completed the PCI validation process is named on Visa's List of Compliant Service Providers. Using one of these Service Providers does not, by itself, make a merchant PCI compliant: the merchant remains responsible for whatever cardholder data handling stays in its own environment and must still validate at its merchant level. What the merchant gains is a much smaller scope, and a stronger position if a compromise occurs: Visa's safe harbor provision protects a merchant that was compliant at the time of a compromise from Visa's non-compliance fines, although it does not eliminate liability under state breach laws or to other parties.