Friday 14 April 2017

How to become PCI DSS compliant


In this blog we are going to talk about what PCI DSS is, to whom the standard applies and how an organization can become PCI DSS compliant.

Let’s see what we understand by PCI DSS.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is managed by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC was launched on 7th September 2006 to improve the security of payment account data throughout the transaction process. PCI DSS helps build and maintain a secure environment for all companies that accept, process, store or transmit credit or debit card information.

PCI DSS applies to any organization that accepts, processes, stores or transmits cardholder data (CHD), regardless of the number of people working in that organization. Even a single transaction that involves transmitting CHD means the organization has to be PCI DSS compliant.

PCI DSS compliance: Merchants are categorized into 4 different compliance levels as defined by Visa. Placing a merchant in the correct level is not straightforward and can raise many questions. To avoid this, Visa recommends that merchants contact their acquiring bank; with the bank's help, merchants can complete the following steps:

  • Determine the Merchant Level based on the most recent annual Visa transaction volume
  • Understand the requirements that are necessary for PCI compliance
  • If needed, hire an Approved Scanning Vendor (ASV), who will guide the merchant in meeting the validation requirements of PCI DSS

PCI compliance levels and requirements: There are 4 different levels of PCI compliance defined by Visa. Every merchant falls under one of the four Merchant Levels based on the volume of its annual financial transactions. The following table gives a brief description of each Merchant Level:
    *Note: Compliance validation requirements are set by the acquirer.

Understanding the validation requirements:
  • On-site Assessment: An on-site assessment is also known as a Report on Compliance (ROC). This assessment is usually performed by a PCI SSC certified Qualified Security Assessor (QSA) or by a certified Internal Security Assessor (ISA). The acquiring bank can treat this assessment as validation that the organization or merchant is handling card data as required by PCI DSS. This applies to Level 1 and 2 merchants.
  • Self-Assessment Questionnaire (SAQ): This self-evaluation tool is used by merchants and service providers to assess their compliance with PCI DSS. It applies to Level 2, 3 and 4 merchants. The following chart helps the organization or merchant understand their compliance with PCI DSS.
    (Note: The above chart is available at pcicomplianceguide.org)
  • External Vulnerability Scan: A PCI SSC Approved Scanning Vendor (ASV) performs vulnerability scanning of all system components that are part of, or provide a path to, the Cardholder Data Environment (CDE). This applies to all merchants.

Once verified as compliant, the merchant must submit the validation documentation to its acquiring bank. The acquiring bank then reports the merchant's compliance status to Visa.

Conclusion:
This blog has outlined the different requirements a merchant must meet to be PCI DSS compliant. Once a merchant meets all the requirements and the acquiring bank submits the details to Visa, the merchant can be termed PCI DSS compliant.

About Author:
Akash Poojary is a consultant at Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at akash.poojary@spluspl.com

8 comments:

  1. THANK YOU FOR THE INFORMATION
    PLEASE VISIT US
    Seo Services in Bangalore

  2. Very nice information about PCI DSS Certification. Thank you so much
    PCI QSA in USA

  3. Enthusiastic words written in this blog helped me to enhance my skills as well as helped me to know how I can help myself on my own. I am really glad to come at this platform. bioresonantie friesland

  4. Very fantastic and well-written post. It's extremely good, very helpful for me. Thank you for sharing.

    Best ERP Software

  5. If you are looking for the company that validates PCI DSS Compliance Company in Abu Dhabi, then you can totally count on Securium Solutions for such accountancy.