"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data." Bob Russo, General Manager of the PCI Security Standards Council

About the Payment Card Industry Data Security Standard

(Greenwich, CT) Will Morton has been in the restaurant business for almost five years and his restaurant was a victim of merchant credit card fraud. As a merchant processing credit and debit card transactions through Payment Alliance International, he was automatically participating in the PAI Secure program. Without the PAI Secure program, Will Morton's Rotisserie would have been liable for tens of thousands of dollars in fines and forensics investigations. In this video, Will shares what the restaurant experienced and how the PAI Secure program helped him through what could have been a very costly and stressful process.

(Fort Lauderdale, FL) An experienced restaurateur, Leone Padula, experienced a data security breach. A virus on his computer was used by hackers to steal credit card information from his point-of-sale card processing system. PAI Secure helped pay for the required investigations, fines, forensic audits and fees totaling over $50,000 (approximately $14,000 had been incurred at the time of this video). As a merchant processing credit and debit card transactions through Payment Alliance International, he was automatically participating in the PAI Secure program. "It saved me a lot of money, the fact that I had PAI Secure," Leone said. This video gives you a look into the seriousness of what Leone's restaurant experienced.

View the video above to see a merchants perspective on the importance of PCI DSS compliance.

12 key requirements for protecting cardholder data

While these minimum data management standards are mandatory and required of all card accepting merchant locations, simply fulfilling these requirements WILL NOT fully protect you from all fines and losses resulting from theft or loss of cardholder data (data breach). However, it is required that all businesses be able to provide evidence of their compliance with these twelve basic safeguards.

1. Firewall rules

PCI standards require that all systems coming in contact with cardholder data be protected by firewalls if those systems support e-commerce or some other use of the Internet such as e-mail.

2. Change system passwords from vendor-supplied defaults.

These passwords and settings are well-known in “hacker” communities. They need to be changed before you connect to your network.

3. If you store it, protect it.

Unless it’s absolutely necessary to retain cardholder data, don’t! And if you do, make sure controls are in place which will minimize the risk of cardholder information getting into the wrong hands.

4. Encrypt all numbers in transit.

When sending sensitive data (like card numbers) across public networks, encryption is a must. That goes for e-mail too. Unencrypted account numbers should never be sent by e-mail.

5. Use anti-virus software.

As anyone with an active e-mail account can attest, malicious viruses and other attacks can slip through firewalls and end up in your electronic in-basket. Not only do you need anti-virus software, but you must also update it regularly.

6. Keep up with security patches.

PCI standards require all systems that might come into contact with payment card data to have up-to-date software patches as long as they don't adversely affect existing security configurations. In-house developers need to be aware of and take PCI into consideration when creating patches for any of those systems.

7. Keep data away from wandering eyes.

There’s very little need for most personnel to see critical cardholder data. For any computing resources using that data, limit access to people whose jobs require access. Systems with multiple users may require special mechanisms that partition access on a need-to-know basis.

8. Require and assign unique user ID’s.

Unique ID’s ensure that you have a way to know who touches what data and when.

9. Keep a tight lock on card data

Physical access to cardholder data or the systems that house that data must be monitored and restricted. This includes any paper or electronic media containing cardholder data.

10. Keep tabs on everything and everyone.

Be aware and keep track of anyone who uses your systems or terminals.

11. Test all security regularly.

Systems and controls should be tested at least quarterly and following any upgrades or modifications by vendors qualified in PCI compliance.

12. Make security job one.

Every organization, large or small, needs a strong security policy in writing. "It sets the security tone for the entire company and informs employees on what is expected of them," states the PCI Security Standards Council.

For more information on the Payment Card Industry Data Security Standard Regulations click here.

The requirements for evidencing full compliance is determined by the category that your business falls into (outlined on chart below):

Note: Most of our customers will fall into the Level 3 and Level 4 categories

Merchant Definition	Criteria	Onsite Review	Self-Assessment Questionnaire	Network IP Scan
Level 1	Merchants processing over 6 million transactions annually (all payment types) or global merchants identified as Level 1	Required Annually¹	Not Required	Required Quarterly²
Level 2	Merchants processing 1 million to 6 million transactions annually (all payment types)	Not required	Required Annually	Required Quarterly²
Level 3	Merchants processing 20,000 to 1 million (any payment type) e-commerce transactions annually	Not Required	Required Annually	Required Quarterly²
Level 4	Merchants processing less than 20,000 (any payment type) e-commerce transactions annually and all other merchants processing up to 1 million (any channel) transactions annually	Not Required	Required Annually	Required Quarterly If Applicable²

1 For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a Qualified Security Assessor (QSA).
2 To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor (ASV).

The Visa, Inc. Card Information Security Program (CISP) Web site categorizes merchants in one of the four merchant levels based on Visa transaction volume (not dollar volume) over a 12-month period. MasterCard's Site Data Protection Program (SDP) mirrors Visa's CISP requirements.

The merchant's transaction volume is based on the aggregate number of Visa (or MasterCard) transactions. These include credit cards, debit cards and prepaid cards.

For merchants and/or merchant corporations who operate more than one DBA (Doing Business As), the aggregate volume of stored, processed or transmitted transactions by the corporate entity must be considered to determine the validation level and requirements associated.

If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, the DBA's individual transaction volume will be used to determine the validation level.