In previous articles we examined government legislation aimed at protecting the data privacy rights of consumers in the European Union and in the state of California, namely the GDPR and the CCPA, respectively. We also examined another key piece of legislation, the CMMC, under which defense contractors must be certified by the Department of Defense (DoD) before they can handle classified information.
In this article, we turn to the private sector and yet another crucial piece of legislation in the US: the Payment Card Industry Data Security Standard (PCI DSS).
The Background of the PCI DSS
The Payment Card Industry Data Security Standard was set forth by the major credit card companies Visa, Mastercard, American Express, and Discover to create and enforce a common set of standards and best practices that businesses of all sizes can use to secure the credit card processing they perform on behalf of their customers. The first version was passed on December 15th, 2004, and the most recent version was released in May 2018.
Although the major credit card companies enforce the PCI DSS, it is administered centrally by an organization known as the Payment Card Industry Security Standards Council.
The Compliance Levels of the PCI DSS
At the present time, there are four levels of compliance, depending upon the volume of credit card transactions that a business processes annually. The levels can be described as follows:
- Level 1:
This level applies to organizations that process 6 million or more transactions per year. The business must be audited by an officer of the Council at least once per year. The business must also pass a test known as a “PCI Scan,” administered by an Approved Scanning Vendor (also known as an “ASV”), on a quarterly basis.
- Level 2:
Level 2 is designed for businesses that conduct between 1 million and 6 million credit card transactions per year. Rather than undergo a comprehensive audit, these organizations simply have to submit a Self-Assessment Questionnaire (also known as the “SAQ”). Additionally, they may be selected for a PCI Scan on a random basis.
- Level 3:
This level of compliance targets entities that process between 20,000 and 1 million credit card transactions per year. They are not required to undergo an audit, but they submit a lighter version of the SAQ, which is simply an assessment of the controls they have implemented to secure credit card information and processing details. They may also be subject to a PCI Scan.
- Level 4:
This level applies only to businesses that process fewer than 20,000 credit card transactions per year. The compliance requirements are the same as for Level 3.
These compliance levels are illustrated in the diagram below:
In our next article, we will outline the security requirements set forth by the PCI DSS.