PCI DSS: A Concise Explanation

Visa, MasterCard, and other card schemes must ensure that merchants protect customers from criminals and hackers. Cardholder data is a frequent target of fraud, and several recent, high-profile breaches have taken place around the globe.

PCI DSS Explained

In the payment cards industry, security standards are managed by the PCI Security Standards Council created by American Express, Discover, JCB, MasterCard, and Visa.

The Council works within five major areas:

  • Developing and maintaining an industry-wide, global technical data security standard that protects cardholder account information
  • Reducing lead times and costs for Data Security Standard implementation. The council aims to create and ensure compliance with general technical standards and auditing procedures.
  • Publishing an online list of qualified and globally available providers of security solutions to assist with industry compliance
  • Leading education, training, and a streamlined certification process for Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs). This results in all five founding members recognizing the same source of approval.
  • Providing a transparent environment for the contribution of data security standard development, enhancement, and distribution on an ongoing basis

When a legitimate, documented business or technical constraint prevents an entity from explicitly meeting a stated requirement, but the entity has implemented other controls that mitigate the associated risk, compensating controls may be taken into consideration.

Level 1

A merchant with more than six million MasterCard or Visa transactions annually AND identified as a level 1 merchant by a card scheme or compromised within the past year.

  • Qualified Security Assessor (QSA) Annual Report on Compliance (ROC) or
  • Internal Security Assessor (ISA) Annual Report on Compliance (ROC)
  • Attestation of Compliance Form
  • Quarterly network scan conducted by an Approved Scan Vendor (ASV)

Level 2

A merchant processing one to six million MasterCard or Visa transactions annually.

  • Qualified Security Assessor (QSA) Annual Report on Compliance (ROC) or
  • Internal Security Assessor (ISA) Annual Report on Compliance (ROC)
  • Attestation of Compliance Form
  • Quarterly network scan conducted by an Approved Scan Vendor (ASV)

Level 3

A merchant processing 20,000 to one million MasterCard or Visa eCommerce transactions annually.

  • Annual Self Assessment Questionnaire (SAQ)
  • Attestation of Compliance Form (included in the SAQ)
  • If applicable: Quarterly network scan conducted by an Approved Scan Vendor (ASV)

Level 4

A merchant processing fewer than 20,000 MasterCard or Visa eCommerce transactions annually, and any other merchant processing a maximum of one million MasterCard or Visa transactions annually.

  • Annual Self Assessment Questionnaire (SAQ)
  • Attestation of Compliance Form (included in the SAQ)
  • If applicable: Quarterly network scan conducted by an Approved Scan Vendor (ASV)

If your business is not compliant with the Payment Card Industry Data Security Standard (PCI DSS), you will be responsible for fraud-related losses and may face substantial fines. Your customers will be affected if their card details are compromised.

As a result, the reputation of your business will suffer. Your Merchant Terms & Conditions place responsibility for PCI compliance on you.