The Green Sheet Online Edition

July 26, 2010  •  Issue 10:07:02


The importance of PCI DSS compliance

By Nicholas Cucci

If you're new to the payments industry, you might wonder what the fuss over the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards is all about.

The PCI DSS was developed by the five major card companies (Visa Inc., MasterCard Worldwide, American Express Co., JCB International Co. Ltd. and Discover Financial Services) to establish a single, unified set of standards for preventing credit card fraud and addressing other security vulnerabilities. All merchants who process, store or transmit card data must comply with the PCI DSS. Failure to comply can result in expensive fees, including fees imposed by merchant banks, as well as the loss of the ability to process bankcards. The risks of remaining noncompliant can be devastating to any business.

All merchants must comply

It is each merchant's responsibility to find service providers that are and will remain PCI DSS compliant. And service providers must offer their merchants safe, reliable PCI-compliant solutions.

Merchants classified under PCI as Level 1 (all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach) must adhere to the strictest level of PCI standards. But those at Levels 2 through 4 are also under scrutiny and must adhere to the standards that apply to them.

Merchants must also realize that PCI compliance is more than simply partnering with a compliant service provider. It may also require a change in the way merchants operate their businesses. Failure to fully adapt can be very costly.

Precautions can prevent theft

Some precautions merchants must have in place under the PCI DSS include:

The PCI DSS is crucial in protecting consumers from theft by fraudsters. It focuses on protecting cardholder data when it is transmitted, as well as stored. Business owners who must store cardholder information have an obligation to protect that data.

Any business that stores card details must store them encrypted and masked, so that even if fraudsters gain access to the database, they will not be able to use the data because they will not have the means to decrypt it.
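As an added illustration of the paragraph above (example code written for this edit, not from the article or from Network Merchants Inc.), the Go program below stores a card number the way the text describes: the full PAN is kept only as AES-256-GCM ciphertext, a masked copy showing the first six and last four digits is kept for display, and sensitive authentication data such as the CVV is refused outright rather than stored. Assumptions: the 32-byte key is generated in memory for the demo (a real deployment keeps it in an HSM or key management service, separate from the cardholder database), the PAN is the constructed test number 4111111111111111, and the type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the only card record this example persists: a masked PAN for
// display plus the full PAN as ciphertext. CVV, PIN and track data never appear here.
type StoredCard struct {
	MaskedPAN  string
	Nonce      []byte
	Ciphertext []byte
}

// luhnValid is a plausibility check on the PAN before it is encrypted.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// MaskPAN keeps the first six and last four digits and hides everything else.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard refuses sensitive authentication data, validates the PAN and returns a
// record holding only the masked PAN and authenticated ciphertext. The masked PAN is
// bound to the ciphertext as associated data, so swapping ciphertexts between records fails.
func StoreCard(key []byte, pan, cvv string) (*StoredCard, error) {
	if cvv != "" {
		return nil, errors.New("refusing to store sensitive authentication data (CVV)")
	}
	if !luhnValid(pan) {
		return nil, errors.New("PAN failed Luhn check")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	masked := MaskPAN(pan)
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(masked))
	return &StoredCard{MaskedPAN: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// RecoverPAN is the only path that yields the full PAN; any tampering makes it fail.
func RecoverPAN(key []byte, rec *StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.MaskedPAN))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // assumption: demo key; production keys live in an HSM or KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := StoreCard(key, "4111111111111111", "") // constructed test PAN
	if err != nil {
		panic(err)
	}
	pan, _ := RecoverPAN(key, rec)
	fmt.Println("stored as", rec.MaskedPAN, "- recovered by entitled caller:", pan)
}
```

The point of the design is that a copy of the database table is useless without the key, the masked value is the only thing ordinary screens and logs ever see, and the CVV never reaches storage at all; the GCM tag also turns a tampered row into a decryption error rather than a wrong card number.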

Proper management is essential

Maintaining a vulnerability management program is another important aspect of PCI. It is fairly straightforward: keep anti-virus software up to date and run frequent scans. Encourage your merchant customers to ensure their software is always the latest version and to conduct regular vulnerability scans to maintain network security.

Control measures are one of the most important parts of maintaining a secure business. The human element is the hardest part to protect. PCI limits access to cardholder data to minimize the risk of sensitive data being stolen.

Access to sensitive data should be granted only to people who have a business case for it. Not only should a limited number of people be allowed to view sensitive information, but each authorized person must be required to log in with a unique ID to view the information, and a full audit trail must be kept for each user granted access.
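The access rule in the two paragraphs above, as an added example (code written for this edit, not the article's or NMI's): a small store that releases a cardholder record only to an individually identified user with a documented business need, rejects shared or generic account names, and writes an audit entry for every attempt, denials included. Assumptions: the list of generic account names, the user IDs, the record ID and the masked PAN are all constructed sample values, and the type and function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuditEntry records every attempt to view cardholder data, allowed or denied.
type AuditEntry struct {
	UserID, RecordID, Reason string
	Allowed                  bool
	At                       time.Time
}

// genericIDs are account names that cannot be tied to one person and so must
// never be used to reach cardholder data (illustrative list, an assumption).
var genericIDs = map[string]bool{"admin": true, "root": true, "shared": true, "guest": true}

// CardholderStore holds the protected records by ID, the user IDs with a
// documented business need, and the audit trail.
type CardholderStore struct {
	records  map[string]string
	entitled map[string]bool
	audit    []AuditEntry
}

func NewCardholderStore(entitled []string, records map[string]string) *CardholderStore {
	s := &CardholderStore{records: records, entitled: map[string]bool{}}
	for _, id := range entitled {
		s.entitled[id] = true
	}
	return s
}

func (s *CardholderStore) log(userID, recordID string, allowed bool, reason string) {
	s.audit = append(s.audit, AuditEntry{userID, recordID, reason, allowed, time.Now()})
}

// View returns the record only when the caller is an individually identified
// user with a business need; every decision, denials included, is logged.
func (s *CardholderStore) View(userID, recordID string) (string, error) {
	var reason string
	switch {
	case userID == "":
		reason = "missing user ID"
	case genericIDs[userID]:
		reason = "shared or generic account not permitted"
	case !s.entitled[userID]:
		reason = "no documented business need"
	}
	if _, ok := s.records[recordID]; reason == "" && !ok {
		reason = "unknown record"
	}
	if reason != "" {
		s.log(userID, recordID, false, reason)
		return "", errors.New(reason)
	}
	s.log(userID, recordID, true, "view")
	return s.records[recordID], nil
}

// AuditTrail returns the entries for one user, the query an assessor asks for.
func (s *CardholderStore) AuditTrail(userID string) []AuditEntry {
	var out []AuditEntry
	for _, e := range s.audit {
		if e.UserID == userID {
			out = append(out, e)
		}
	}
	return out
}

// Denials counts refused attempts; a spike here is worth an alert.
func (s *CardholderStore) Denials() int {
	n := 0
	for _, e := range s.audit {
		if !e.Allowed {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample data: one entitled user and one masked record.
	store := NewCardholderStore([]string{"jsmith"}, map[string]string{"rec-1": "411111******1111"})
	for _, u := range []string{"jsmith", "admin", "bjones", ""} {
		if v, err := store.View(u, "rec-1"); err != nil {
			fmt.Printf("%q denied: %v\n", u, err)
		} else {
			fmt.Printf("%q viewed %s\n", u, v)
		}
	}
	for _, e := range store.AuditTrail("jsmith") {
		fmt.Println(e.At.Format(time.RFC3339), e.UserID, e.RecordID, e.Allowed, e.Reason)
	}
	fmt.Println("denials:", store.Denials())
}
```

Logging the denials is as important as logging the successful views: the trail then answers both "who saw this record" and "who tried to", which is what an assessor or an incident responder will ask for.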

Resources are available

I've just given the first steps in becoming PCI DSS compliant. Following are six required actions excerpted from Milestones for Prioritizing PCI DSS Compliance Efforts authored by the PCI Security Standards Council.

  1. Remove sensitive authentication data and limit data retention.
  2. Protect the perimeter, internal and wireless networks.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

The full document, as well as updated information pertaining to all of the industry's data security standards, is at

Nicholas Cucci is the Marketing Director for Network Merchants Inc. He is a graduate of Benedictine University. Prior to joining NMI, Mr. Cucci worked in the payment processing division for a Fortune 500 company and has advised several large retailers on credit card fraud protection, screening and risk assessment. He can be reached at or 800-617-4850.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
