GS Logo
The Green Sheet, Inc

Please Log in

A Thing

PCI is hot: Don't get burned

By W. Ross Federgreen

Everybody is talking about the Payment Card Industry Data Security Standard, better known as PCI. What is it and why should I care? you might ask. PCI is the uniform standard designed to improve the security of electronic transactions. It is accepted by Visa U.S.A., MasterCard International, American Express Co. and Discover Financial Services.

It is not restricted to e-commerce, and it does not apply only to large merchants. By definition, PCI applies to any U.S. merchant or service provider that stores, processes or transmits cardholder data. If a merchant is not based in the United States, the Visa International Account Information Security Standard applies.

Why you should care about PCI

If your merchants cannot process, you cannot make money. Further, if you want to differentiate yourself from other ISOs or merchant level salespeople in a highly competitive environment, knowledge of PCI is an important arrow in your quiver. Remember, the value of your portfolio is affected by the compliance level of the merchants it contains.

The safe-harbor concept is very important: As an agent of a processor or financial institution, you help protect the entity you serve from fines and, ultimately, from loss of program participation.

To obtain safe-harbor status a member, merchant or service provider must maintain full compliance at all times. To demonstrate full compliance, a member bank must show that before a data compromise, the merchant involved had already met the compliance validation requirements.

Acquirers must obtain the required PCI-validation requirements from their merchants. Merchant documentation must be available to each of the card Association brands, upon request.

Five questions to ask every merchant

Asking merchants these questions will help significantly with PCI compliance:

  1. How many transactions do you process per year?
  2. How many transactions are e-commerce?
  3. Do you have written policies, procedures and protocols?
  4. Have penetration scans been done?
  5. Have you completed the required PCI validation?

Following is a discussion of each question.

1. How many transactions do you process per year?

PCI compliance is divided into four major levels based upon the number of transactions a merchant processes in a given year. Transaction volume is based on the aggregate number of transactions from an entity doing business under an assumed business name or a chain of stores. If a corporation owns more than one chain of stores, each chain's volume is measured and categorized separately.

Level 1 merchants are defined as merchants, regardless of acceptance channel, processing over 6 million transactions per year; merchants who have suffered a hack or an attack that resulted in an account data compromise; merchants who Visa, at its sole discretion, determines should meet Level 1 merchant requirements to minimize risk to the Visa system; or merchants identified by any other payment card brand as Level 1.

Level 2 merchants process 150,000 to 6 million e-commerce transactions per year. Level 3 merchants process 20,000 to 150,000 e-commerce transactions annually. Level 4 merchants are those processing fewer than 20,000 e-commerce transactions per year and all other merchants processing up to 6 million total transactions annually.

2. How many transactions are e-commerce?

The number of e-commerce transactions processed per year determines Level 2, 3 and 4 merchant categories. However, it is important to remember that all merchants are affected by PCI. Therefore, if a business processes zero e-commerce transactions, it is a Level 4 merchant if the total number of transactions is fewer than 6 million. The business is a Level 1 merchant if the total number of transactions is 6 million or greater. Remember, any merchant can be designated Level 1 at the sole discretion of any card brand.

3. Do you have written policies, procedures and protocols?

PCI sets forth 12 requirements, all of which have multiple components. These 12 core requirements can be organized into six categories: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy. It's impossible for a merchant to fulfill PCI requirements without a codified set of policies, procedures and protocols to address them. There are a significant number of programs that can help merchants get through the process of creating them.

Details of these PCI documents can vary, depending on merchant requirements. But it's important to remember that they must be in place, and there is no such thing as too much when it comes to policies, procedures and protocols.

4. Have penetration scans been done?

Under PCI requirements, certain classes of merchants must obtain penetration scans from qualified independent scan vendors. A list of qualified scan vendors can be found at All Level 1, 2 and 3 merchants are required to have penetration scans quarterly. Level 4 merchants may be required by their acquirers to have quarterly penetration scans.

5. Have you completed the required PCI validation?

In addition to penetration scans, validation of compliance requires documentation. Although all companies can validate their own results through various mechanisms, outside experts should be brought in: The consequences of failing a self-reporting questionnaire or fabricating results can be fatal to a merchant.

Level 1 merchants are required to have annual, on-site PCI data security assessments. Either a qualified data security company must validate the assessment, or an officer of the company must sign an internal audit letter. This requirement has been in effect since Sept. 30, 2004.

Level 2 and 3 merchants must complete annual self-assessment PCI questionnaires. Merchants can validate these themselves. This requirement has been in effect since June 30, 2005. Level 4 merchants are required to do the same documentation as Level 2 and 3 merchants; however, the compliance due date is determined by the merchants' acquirers.

Knowledge is power. You can help merchants and distinguish yourself on sales calls by knowing the PCI basics. And by making sure that your merchants are PCI compliant, you will enhance the value of your portfolio.

W. Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 23 or

Article published in issue number 060701

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Back Next Index © 2006, The Green Sheet, Inc.