
PCI-DSS Compliance: Part 1

The Payment Card Industry Data Security Standard (PCI-DSS) is a global information security standard that the Payment Card Industry Security Standards Council (PCI SSC) created to help thwart credit card fraud by requiring organizations that collect, process and store credit card data to deploy appropriate security measures. Of all the information security regulations that exist today, the PCI-DSS is on more organizations’ proverbial radar than any other compliance standard. This is not to say that HIPAA, SOX, Gramm-Leach-Bliley, NERC, and other standards are not important. It’s just that wherever credit card transactions occur, and they occur just about everywhere, PCI-DSS applies. This means that even institutions such as universities, with long-established reputations for being lax when it comes to information security, are now being held to the same data security standards as merchants that do the same volume of credit card processing. At the same time, the effort and resources needed to achieve PCI-DSS compliance depend on the volume of credit card transactions. Level 1 (high credit card volume) merchants are held to considerably higher compliance standards than are Level 4 merchants (see www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm). Level 1 merchants must achieve compliance by undergoing and passing an annual independent assessment of the security of their credit card data performed by a Qualified Security Assessor (QSA). Merchants with considerably smaller volumes of credit card processing need only complete a Self-Assessment Questionnaire (SAQ).

How compliance must be achieved depends on the volume of credit card transactions. Organizations that handle large volumes of transactions must have their compliance annually assessed by an independent assessor termed a “Qualified Security Assessor” (QSA), whereas companies that handle much smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ).

One would think that once a Level 1 merchant passed a QSA audit, the merchant’s compliance status would be good for one full year. Although this is normally true, glaring exceptions, one with WorldPay and another with Heartland Payment Systems, have recently surfaced. In both cases, the PCI-DSS powers-that-be declared these companies to be non-compliant after they experienced massive data security breaches. These powers-that-be have made outstanding decisions over the years, but revoking a merchant’s compliance status as the result of a data security breach is a pill that is a bit tough to swallow. WorldPay and Heartland Payment Systems ostensibly had good security in place at the time of their data security breaches. (The good news is that Heartland Payment Systems was declared compliant once again only a few weeks after it was ruled not compliant.)


There is no such thing as perfect security. As good as it is, the PCI-DSS standard does not require anything close to perfect data security, nor is any audit, even an audit performed by the most qualified QSA, anywhere near 100 percent comprehensive. Residual risk will always be present as long as computing systems are turned on, and this risk only escalates if they are connected to a network. Therefore, experiencing a data security breach should not in and of itself be the reason for revoking any merchant’s PCI-DSS compliance status.

