By: Juliana Cipolla

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global card brand requirement designed to prevent fraud through the increased control of credit card data. While the PCI DSS has no legal authority to compel compliance, it becomes binding when inserted into merchant card processing contracts used by Visa, Mastercard, Discover Financial Services, JCB International, and American Express.

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes, determining what an enterprise requires to remain compliant.

Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Level 1 merchants must conduct an internal audit one a year and submit to a PCI scan by an Approved Scanning Vendor one a quarter.

Level 2: Applies to merchants processing one to six million real-world credit or debit card transactions annually. Level 2 merchants are required to complete an assessment one a year using a Self-Assessment Questionnaire and may be required to conduct a quarterly PCI scan.

Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. Level 3 merchants are required to complete a yearly assessment using the relevant Self-Assessment Questionnaire and may require a quarterly PCI scan.

Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. Level 4 merchants are required to complete the Self-Assessment Questionnaire and may be required to complete a quarterly PCI scan.

Additionally, it is necessary for compliance across all enterprises handling cardholder data and maintaining a secure network to have: a secure network, secure cardholder data, vulnerability management, access control, network monitoring and testing, and information security, among other nuanced requirements. In some instances, businesses and organizations may leverage third-party service providers to achieve their objectives. However, leveraging a third-party does not relieve an entity of its responsibility for PCI DSS compliance, nor exempt the entity from accountability and obligation from ensuring cardholder data and the components of the cardholder data environment are secure. Ultimate responsibility for compliance with the entity, regardless of how specific responsibilities may be allocated.

It is essential for merchants and financial institutions will handle this data securely to prevent theft and help make the cardholder data environment both safe and secure. Merchants and other financial solutions should be aware of the PCI DSS requirements to help store and safeguard collected data. At The Beckage Firm, we have a team of technologists and seasoned attorneys who can help your organization meet the compliance standards required by the PCI DSS.