Can you imagine doing business without credit, debit, and gift cards?
If you offer your customers the convenience of using a payment card whether it is a credit card, debit card, gift card, or a special card with your logo on it, you need to comply with the Payment Card Industry Data Security Standards (PCI DSS).
What is PCI DSS?
PCI is an industry group created by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International. To protect their cardholders from the increasing number of incidents of identity theft and security breaches, they have developed Data Security Standards (DSS) by which all organizations, small and large, that accept, process, transmit, or store credit card data must comply.
Who needs to comply?
Or put simply, if you accept any kind of payment card, PCI DSS compliance is required. To date, the Payment Card Industry has focused compliance on larger merchants. However, due to recent increases in identity theft incidents, the card issuers are moving toward enforcing full PCI DSS compliance by all affected organizations.
PCI DSS compliance levels
(# of transactions per annum)
Self Assessment Questionnaire
Network Security Scan by an ASV
On-Site Audit by a QSA
|1 More than 6 million
||Required Annually |
|2 1 to 6 million
|3 20,000 to 1 million
|4 All others
* This is Visa, Inc.'s standard
Penalties for noncompliance are steep
Penalties for noncompliance with PCI DSS requirements include a hold on your ability to accept payment card payments; increased scrutiny for the next year; and fines which can be as high as $500,000 or more per incident. Plus you open yourself up to potential legal liability from effected card holders due to lack of compliance with required payment card data handling security standards.
How can Plante & Moran help?
We are a PCI Approved Scanning Vendor (ASV) and a PCI Qualified Security Assessor (QSA). Our PCI specialists can help determine your PCI DSS compliance level, walk you through the self-assessment questionnaire, and/or complete the quarterly network security scans. Our services include:
A glossary of terms:
- PCI DSS health check, including determining the level of compliance
- Network security scans (external, internal, wireless, etc.)
- Penetration testing (external and internal)
- Web application testing
- Annual compliance certification
- PCI: Payment Card Industry
- DSS: Data Security Standards
- QSA: Qualified Security Assessor
- ASV: Approved Scanning Vendor
- SAQ: Self Assessment Questionnaire