PCI Compliance 101: Everything You Need to Know about PCI DSS Audits
You hear a lot about PCI compliance and data breaches in the news, but do you have what you need to pass a PCI DSS audit? And more importantly, do you actually have the technology in place to protect your organization and your customers’ data?
Here’s everything you need to know about PCI compliance levels and how you can safeguard your data against potential threats.
What is the PCI SSC?
The Payment Card Industry Security Standards Council, or PCI SSC, is the organization that manages and decides the rules that govern payment security standards. These include the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
What is a PCI compliance audit?
The PCI auditing process determines whether a business is compliant with PCI DSS. For larger merchants, audits must be performed by a qualified security assessor, or QSA. All other merchants are eligible to demonstrate their PCI DSS compliance by completing a self-assessment questionnaire.
What are PCI compliance levels and what do they mean?
The amount of credit card transactions an organization processes each year determines its PCI Merchant Level:
Level 1 – Over 6 million transactions per year
Level 2 – 1 to 6 million transactions per year
Level 3 – 20,000 to 1 million transactions per year
Level 4 – Fewer than 20,000 transactions per year
Level 1 Merchants are required to pass a yearly on-site audit by a QSA, as well as a network scan by an approved scanning vendor, or ASV. Level 2, 3 and 4 Merchants can instead complete a PCI DSS Self-Assessment Questionnaire and perform quarterly network security scans with an ASV.
The PCI SSC publishes a full list of approved scanning vendors.
Who needs to have a PCI Audit?
The PCI DSS is intended for all organizations that process payments. Each of the PCI SSC’s founding payment brands (American Express, Discover, JCB International, MasterCard and Visa) determines its own PCI compliance program, which must be followed by its affiliates.
Ultimately, the payment brand your organization does business with determines what you must do to achieve PCI compliance. A smaller business with smaller amounts of cardholder data and fewer payment systems will likely require less effort to achieve PCI DSS compliance than a large corporation with a variety of sales channels and systems.
What happens to organizations that don’t comply with the PCI DSS?
If a business fails to comply with PCI DSS, a payment brand may fine the company anywhere from $5,000 to $100,000 per month. It is also likely that your affiliated bank will raise transaction fees or even terminate your relationship altogether.
Does PCI compliance mean that my organization’s data is secure?
You can pass a PCI audit and still suffer a data breach. So, what’s the answer? Replacing credit card information with tokens, or surrogate values, so that the real cardholder data is never exposed in your own systems.
That’s where Paymetric’s XiIntercept™ solution comes in. With our data intercept solution, you can:
- Capture card data as soon as possible in the workflow
- Prevent exposure of unsecured cardholder data within your enterprise systems
- Replace credit card numbers with tokens, rendering the data useless to thieves
- Mitigate the risk of fees, fines, and legal costs associated with a data breach
Contact a Paymetric representative today to find out how our payment solutions can help keep your data safe from hackers.