As ecommerce began to grow in popularity in the late 1990s, credit card companies quickly realized the need for a security standard that would protect both cardholders and the merchants running their cards. After a few years of trial and error, the Payment Card Industry Data Security Standards, or PCI-DSS, were created.
The PCI-DSS are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. They apply to all entities that store, process, and/or transmit cardholder data. So, if you are a card-accepting merchant – regardless of whether you are retail or ecommerce, Card Present or Card Not Present – you must complete the PCI Self-Assessment Questionnaire (SAQ) to verify your PCI-DSS compliance. The SAQ must be completed annually so that merchants stay up to date on the current security standards and know how best to implement these protections. Completing your questionnaire will also save you from getting hit with a non-compliance fee!
The Payment Card Industry has not always been unified in its attempts to combat fraud. In the late 1990s, VISA was the first credit card company to begin searching for a way to standardize security requirements for merchants, calling it the Cardholder Information Security Program. The other companies soon followed suit, each naming their program something different: MasterCard’s Site Data Protection, American Express’ Data Security Operating Policy, and Discover’s Information Security and Compliance. Since most merchants accept all of these cards, you would have needed to demonstrate compliance with each of these separate programs every year! Luckily, all of these companies joined together at the end of 2004 to present the PCI-DSS as we now know it, with a single compliance test that applies to all cards.
The PCI Security Standards Council also has additional fail-safes in place to make sure you are really following all of the security standards laid out in the SAQ. It requires that all businesses with more than 6 million credit card transactions per year undergo an annual PCI audit conducted by a qualified auditor. Small businesses – those that process fewer than 1 million credit card transactions annually – will most likely only receive a PCI audit if they have suffered a data breach, though an audit could be triggered for other reasons as well.
The team at eCMS has become proficient at helping merchants achieve PCI compliance through our many years in the credit card processing industry. If you have any questions about PCI compliance, please feel free to call us at 888.277.3332.