Can you imagine doing business without payment cards?
If you are a merchant, auto dealer, healthcare provider, educational institution, online store, or an organization that depends on the convenience of payment cards including debit cards, credit cards, gift cards, or any payment card with a merchant logo, you need to comply with the Payment Card Industry Data Security Standards (PCI DSS).
What is PCI DSS?
The PCI Security Standards Council is an industry body founded by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International. To protect their cardholders from the growing number of identity-theft incidents and security breaches, the card brands maintain the Data Security Standard (DSS), with which every organization, small or large, that accepts, processes, transmits, or stores cardholder data must comply.
Who needs to comply?
Put simply, if you accept payments directly via payment cards, PCI DSS compliance is required. To date, the Payment Card Industry has focused its enforcement on larger merchants. However, because of recent increases in identity-theft incidents, the card brands are moving toward enforcing full PCI DSS compliance by all affected organizations.
PCI DSS compliance levels*

| Merchant level (# of transactions per annum) | Self Assessment Questionnaire | Network Security Scan by an ASV | On-Site Audit by a QSA |
|---|---|---|---|
| Level 1: more than 6 million | Not required (on-site audit instead) | Required quarterly | Required annually |
| Level 2: 1 to 6 million | Required annually | Required quarterly | Not required |
| Level 3: 20,000 to 1 million | Required annually | Required quarterly | Not required |

*This is Visa, Inc.'s standard; the other card brands publish their own level definitions.
Penalties for noncompliance are steep
Penalties for noncompliance with PCI DSS requirements include a hold on your ability to accept payment card payments, increased scrutiny for the following year, and fines of up to $500,000 per incident. In addition, you open yourself up to potential legal liability from affected cardholders because you failed to comply with the required standards for handling cardholder data.
How can Plante Moran help?
We are a PCI Qualified Security Assessor (QSA) and a PCI Approved Scanning Vendor (ASV). Our team can help you determine your PCI DSS compliance level, walk you through the self-assessment questionnaire, and/or complete the quarterly network security scans. Our services include:
- PCI DSS health check, including determining your compliance level
- Network security scans (external, internal, wireless, etc.)
- Penetration testing (external and internal)
- Web application testing
- Annual compliance certification

A glossary of terms:

- PCI: Payment Card Industry
- DSS: Data Security Standard
- QSA: Qualified Security Assessor
- ASV: Approved Scanning Vendor
- SAQ: Self Assessment Questionnaire