PCI Compliance Guide
PCI/DSS Security Overview
What is the PCI Data Security Standard (PCI DSS)?
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with credit card account data. This comprehensive standard is intended to help organizations proactively protect customer credit card account data that is either stored, processed, or transmitted.
All merchants, regardless of the annual transaction volume (merchant level assigned) are required by the various card brands (Visa, MasterCard, American Express, Discover, JCB) to follow the standard. Merchants not adhering to the standard are subject to substantial fines levied by the card associations.
What are CISP and SDP?
Compliance with the PCI DSS is in addition to the requirements specified by each card association’s “validation” program (Visa’s CISP and MasterCard’s SDP). CISP stands for “Cardholder Information Security Program,” and SDP stands for “Site Data Protection.”
Therefore, PCI DSS refers to “compliance,” while CISP and SDP refer to “validation” of that compliance. The requirements for validating compliance are those of CISP and SDP, which are incorporated into the card associations’ rules. Merchants are contractually required to adhere to all card association rules.
What are Merchant Levels?
In accordance with Visa’s CISP and MasterCard’s SDP, each merchant is assigned a “merchant level” to help an acquirer determine what procedures the merchant must follow to demonstrate “validation” of its compliance with the PCI DSS. The level assigned to a merchant is based primarily upon the merchant’s annual transaction volume, counting either e-commerce transactions only or all transactions regardless of acceptance channel, depending on the level.
What is a level 1 merchant?
Level 1 is the most stringent level and is assigned to a merchant with all Visa transactions exceeding 6 million annually, or with all MasterCard transactions exceeding 6 million annually, or to any merchant that has experienced a security breach that resulted in an account compromise. A level 1 merchant is required to have an on-site PCI security audit performed annually, while the other three levels do not require such an annual on-site audit. Currently, no government agency in North Carolina has a volume high enough to be considered a level 1 merchant.
What is a level 2 merchant?
A level 2 merchant is one, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year. Level 2 merchants are required to complete an annual self-assessment questionnaire, and to perform a vulnerability network scan at least quarterly (for external-facing IP addresses).
The NC DMV is the only government agency in North Carolina considered a level 2 merchant, by virtue of exceeding one million transactions annually.
What is a level 3 merchant?
A level 3 merchant is one processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year. Level 3 merchants are required to complete an annual self-assessment questionnaire, and to perform a vulnerability network scan at least quarterly (for external-facing IP addresses).
No date has yet been established for a level 3 merchant to provide an attestation to Visa of its compliance.
What is a level 4 merchant?
A level 4 merchant is one that has either fewer than 20,000 Visa or MasterCard e-commerce transactions annually, or, regardless of acceptance channel, fewer than one million Visa or MasterCard transactions annually.
Completing the annual self-assessment questionnaire and conducting a quarterly vulnerability network scan (the same requirements as for level 2 and 3 merchants) are recommended by Visa and MasterCard, but may be required by the merchant’s acquirer (STMS or other processor).
No date has yet been established for a level 4 merchant to provide an attestation to Visa of its compliance.