The Green Sheet Online Edition

October 22, 2007  •  Issue 07:10:02


PCI DSS implementation: A concise review

By Robert Heinrich

The dramatic increase in credit and debit card usage has been accompanied by an exponential rise in bankcard fraud. The well-publicized March 2007 TJX Companies Inc. disclosure that debit and credit card data from at least 45.6 million of its customers were stolen by hackers is an example of the damage a breach in just one network can cause.

All businesses handling credit and debit card data now must comply with strict security guidelines known as the Payment Card Industry (PCI) Data Security Standard (DSS).

The PCI DSS was developed by Visa Inc., MasterCard Worldwide, American Express Co., Discover Financial Services LLC, and JCB International Credit Card Co. to protect cardholders by ensuring that merchants meet minimum levels of security when they store, process or transmit primary account numbers (PANs).

A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks fines, liability and losing the ability to process credit card transactions in the event of a data breach.

The accompanying table illustrates commonly used elements of cardholder data, whether storage of each is permitted and if each data element must be protected. The minimum account information that must be unreadable is the PAN. Any of these methods may be used: one-way hash functions (hashed indexes); truncation; index tokens and pads; and cryptography with associated management processes and procedures.

[Table: commonly used cardholder data elements, whether storage of each is permitted, and whether each must be protected. The table image is not included in this archived copy; only its footnotes survive.]
* Data elements must be protected if stored with the PAN. The protection must meet PCI DSS requirements.
** Sensitive authentication data can't be stored subsequent to authorization, even if it is encrypted.
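The paragraph above names four ways of rendering the stored PAN unreadable, and the table's second footnote says sensitive authentication data may not be kept at all once a transaction is authorized. The following is an added example, not code from the article or from Alpha Card Services, showing three of those methods (truncation, a keyed one-way hashed index, and index tokens held in a separate vault) and a post-authorization scrub that applies them to a constructed sample record. The record field names, the "tok_" token format, the 6/4 truncation width and the 13-to-19-digit PAN screen are assumptions made for the example; the test PAN is a well-known sample number, not a real card.

```python
# Added example, not from the article: three of the four PAN-protection
# methods the article names (truncation, hashed index, index tokens), plus a
# post-authorization scrub that drops sensitive authentication data.
# Field names, the token format and the truncation width are assumptions.
import hashlib
import hmac
import re
import secrets

# Any run of 13 to 19 digits standing alone is treated as a candidate PAN
# (assumption: a simple screen for cleartext PANs in stored text).
PAN_RE = re.compile(r"\b\d{13,19}\b")

# Sensitive authentication data fields that may not be stored after
# authorization (assumed field names for the sample record).
SENSITIVE_AUTH_FIELDS = {"track_data", "card_verification_code", "pin_block"}


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six and last four digits and mask the rest
    (assumption: the common 6/4 truncation format)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """One-way hashed index: HMAC-SHA256 over the PAN digits under a secret key.
    A keyed hash is used rather than a bare SHA-256 because the space of
    valid PANs is small enough that an unkeyed hash can be brute-forced."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the PAN is replaced by a random token and the mapping is
    held in a separate, protected store (an in-memory dict in this example)."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        token = self._token_by_pan.get(digits)
        if token is None:
            # Random token; it is not derived from the PAN, so it reveals nothing.
            token = "tok_" + secrets.token_hex(8)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def contains_pan(text: str) -> bool:
    """Screen stored text (logs, database exports) for a cleartext PAN."""
    return PAN_RE.search(text) is not None


def scrub_post_auth(record: dict, vault: TokenVault) -> dict:
    """What may remain in storage once authorization completes: the PAN
    replaced by a vault token (plus a truncated copy for receipts or display)
    and the sensitive authentication data fields removed entirely."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    pan = kept.pop("pan")
    kept["pan_token"] = vault.tokenize(pan)
    kept["pan_display"] = truncate_pan(pan)
    return kept


if __name__ == "__main__":
    # Constructed sample authorization record (sample PAN, not a real card).
    auth = {"pan": "4111 1111 1111 1111", "expiry": "12/09",
            "card_verification_code": "123", "track_data": "<track data>",
            "amount": "19.95"}
    vault = TokenVault()
    stored = scrub_post_auth(auth, vault)
    print(stored)
    print("cleartext PAN left in stored record:", contains_pan(str(stored)))
```

Note that the fourth method, encryption with key management, is deliberately not shown: a proper example needs a vetted cipher library and a key-management process, which is a topic on its own. The hashed index is for lookups (matching a returning card without storing its number); the vault is what lets the business recover the PAN when it genuinely needs it, so the vault, not the merchant's transaction database, becomes the asset that must meet the standard's controls.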

Promoting PCI DSS

The PCI Security Standards Council was founded in June 2005 as an independent industry standards body providing management of the PCI DSS on a global basis.

The council is not a policing organization. It maintains and promotes the PCI DSS and publishes a list of certified assessors and vendors, to help assure customers that their credit card data is safe from hackers or any other malicious intrusion when it is given to a PCI compliant merchant.

PCI compliance requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, enact specific safeguards. If they are not compliant, they can face monetary penalties, be held liable for any data breach and have their card processing privileges terminated by the credit card issuers.

Drilling down

The main purpose of PCI is to force merchants and third-party service providers to embrace common security controls to protect credit card data and reduce fraud and theft. Following are the six primary control areas and 12 specific requirements of the PCI DSS. A single violation of any of the below requirements will result in a noncompliant status.

Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

Defining the levels

Following are descriptions of established merchant levels, along with their respective PCI compliance validation requirements:

Level 1 comprises all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach.

Level 2 comprises all merchants, regardless of acceptance channel, whose Visa and MasterCard transaction total is from 1 million to 6 million per year.

Level 3 comprises all merchants whose Visa and MasterCard e-commerce transaction total is from 20,000 to 1 million per year.

Level 4 comprises all merchants who do not fall into the other levels: merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, as well as all other merchants processing up to 1 million Visa or MasterCard transactions per year.

Compliance mandates have typically focused on level 1, 2 and 3 merchants since they clear the largest volume of transactions. However, level 4 merchants are now receiving more scrutiny in terms of PCI compliance because they are using POS terminals connected to high-speed Internet connections, which are vulnerable to hackers.

Level 4 merchants process fewer transactions than merchants at other levels, but they account for more than 99% of the merchants who accept Visa and MasterCard.

For the most part, level 4 merchants do not have the technical expertise to properly secure cardholder data. It is up to the acquirer to make sure that its level 4 merchants understand the need for being PCI compliant.

Minding the regs

In May 2007, Visa released a new level 4 merchant compliance program. It requires acquirers to develop and submit to Visa a formal written compliance plan, which will identify, prioritize and manage overall risk within their level 4 merchant portfolios.

Companies are constantly at risk of losing sensitive cardholder data. A breach, loss or theft can result in fines, legal action and bad publicity.

This will, in turn, lead to lost business. Achieving compliance with the PCI DSS needs to be high on the agenda for all merchants and service providers that handle, transmit, or store credit card data.

The following Web site contains pertinent reference material:

Robert Heinrich is President of Sales for Alpha Card Services Inc., a registered ISO of HSBC Bank, National Association. Named by Inc. magazine the 99th fastest growing privately held company in America, ACS has more than 30 years' experience providing expertise to ISOs and merchant level salespeople seeking to expand their portfolios. For more information, visit or e-mail
