Payment Card Industry - PCI - Compliance

Payment Card Industry (PCI) Compliance is an initiative that is being strongly enforced by the four major credit card companies (Visa, Mastercard, Discover and American Express). Today, being PCI compliant means that your business meets the data security requirements of those four card brands. This page explains how the requirements came about and how you can become compliant.

The History of PCI Compliance

What is now a single program originally began as four separate programs.

We all know that data security is a good idea, and as with any good idea, unification isn't always the first step. Visa, American Express, Discover and Mastercard each went their own way and created their own security programs. Each of those programs still exists today, and technically you could become only "Discover DISC compliant" if your business processed only Discover cards, or only "AMEX DSS compliant" if you processed only American Express, and so on.

On December 15, 2004, the card associations created a single set of "Industry Security Requirements", referred to as PCI Compliance (Payment Card Industry Compliance). The agreement among the brands was that if a merchant is Visa CISP compliant, the other companies (Mastercard, AMEX and Discover) would honor that CISP compliance and consider the merchant PCI compliant.

How Does My Company Become PCI Compliant?

As with any new program, many companies emerge telling you different things and trying to sell you services. The program itself is fairly simple: as a merchant, you don't need to sign up with the first company that comes your way claiming that you need its services to become PCI compliant.

When PCI compliance became an issue, Solid Cactus did a lot of research. We wanted to find out, for our merchants: how can we help you become compliant? How expensive does this need to be for your company? What do you actually need to do?

We started by asking the new PCI compliance companies what their services are; basically, we had them sell themselves to us. Then we talked to different vendors, different processors, and the credit card companies themselves. Solid Cactus did the research for you. Our findings follow.

Determining your PCI Compliance Level

There are four levels of PCI compliance, determined mainly by annual transaction volume. The levels and thresholds below are Visa's CISP levels, which the other brands honor under the agreement described above. Note that a merchant that has suffered an account data compromise is placed in Level 1 regardless of volume. The chart below shows what each level requires.

Columns of the original chart: CISP level, qualification for the level, annual on-site security audit, quarterly system perimeter scan, annual compliance questionnaire, and deadline to comply.

Level 1
  Qualification: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; any merchant that has suffered a hack or attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system; any merchant identified by any other payment card brand as Level 1.
  Annual on-site security audit: Required
  Quarterly system perimeter scan: Required
  Annual compliance questionnaire: Required
  Deadline to comply: September 30, 2004

Level 2
  Qualification: Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
  Annual on-site security audit: Not required
  Quarterly system perimeter scan: Required
  Annual compliance questionnaire: Required
  Deadline to comply: June 30, 2004

Level 3
  Qualification: Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
  Annual on-site security audit: Not required
  Quarterly system perimeter scan: Required
  Annual compliance questionnaire: Required
  Deadline to comply: June 30, 2004

Level 4
  Qualification: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.
  Annual on-site security audit: Not required
  Quarterly system perimeter scan: Recommended
  Annual compliance questionnaire: Recommended
  Deadline to comply: None




© 2002 - 2009 Solid Cactus Web.com Inc. All Rights Reserved.