Payment Card Industry - Data Security Standard FAQs

What is PCI DSS?

It is a set of best practices used to protect cardholder data. There are 12 core requirements, each with many sub-items. Smaller merchants (generally called Level 4 merchants, with a transaction volume between 20,000 and 1,000,000) are required to answer roughly 75 questions in a self-assessment, while Level 1 merchants and processors with more than 6 million transactions must undergo a yearly on-site audit by a Qualified Security Assessor and perform quarterly scans.

Who created and monitors this standard?

Prior to September 2006, the different credit card brands each had their own versions of security standards to protect cardholder data. In September 2006, however, they formed an organization called the PCI Security Standards Council that combined all of these best practices into one standard. The organization was founded by American Express Financial Services®, Discover Financial Services®, JCB, MasterCard Worldwide®, and Visa International®. The PCI Security Standards Council's mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards.

Why do the ARA and CTDRA include references to credit card data security?

PCI auditors have recommended that ARC add language that makes agents aware of their responsibility to protect cardholder data. This is no different from the guidelines ARC has provided in the past for securing paper tickets. Because e-tickets purchased with credit cards have seen an increase in identity theft and other credit card fraud, the payment card industry is asking everyone in the payment chain to follow best practices to protect consumer data.

Is this one-size-fits-all or are there differences between small and large merchants?

Currently there are 4 levels of merchants, based on the total number of credit card transactions per year, as defined by VISA® and MasterCard®.

For example, according to VISA (see linked chart below), if you are a merchant processing fewer than 20,000 e-commerce (internet-based) transactions per year, or a merchant processing up to 1,000,000 VISA transactions per year regardless of acceptance channel, you are considered a Level 4 merchant.

If you have a credit card merchant account with an acquiring bank, the bank will determine your compliance validation requirements.

Please click on the individual links below for definitions of merchant levels:

As a travel professional issuing and selling airline tickets, am I considered a merchant?

For all airline transactions processed through a GDS and ARC, the airline is considered the merchant, not the travel agent.

Is there a deadline for Level 4 to be PCI compliant?

If you have a credit card merchant account with an acquiring bank, the bank will determine your compliance validation requirements.

Where can I find more information related to PCI?