PCI Details
The Fundamentals of PCI Compliance

AMG is dedicated to ensuring that you are fully apprised of data security requirements and the actions you are required to take for compliance. As a PCI compliant merchant services provider, AMG urges all of our valued customers to carefully review the information below to ensure your organization is in compliance with the established security mandates.

PCI Overview

Every consumer wants to know their credit card account information is secure. Offering your customers a safe and secure payment method is no longer just good business practice; it is a requirement of doing business. As a business accepting credit cards as payment for goods or services, you are responsible for safeguarding cardholder information, and, ultimately, you can be held liable for any breaches in security. Fines for non-compliance can cost a business thousands of dollars.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the founding payment brands of the Payment Card Industry Security Standards Council (PCI SSC), including American Express®, Discover® Financial Services, JCB International, MasterCard® Worldwide and Visa™ Inc. International. The PCI DSS is a set of comprehensive requirements designed to help organizations proactively protect customer account data.

Does this apply to every business?

PCI compliance mandates apply to ALL organizations that store, transmit or process cardholder data (i.e. Visa™, MasterCard®, American Express®, Discover®), regardless of the payment channel: in person, online, by mail or by telephone. The degree of proof of compliance required is determined by your organization's merchant level (see the information below).

What are the requirements of PCI DSS?

There are 6 objectives and 12 requirements, which are categorized below.

Objective / Requirements

Build and Maintain a Secure Network
    01. Install and maintain a firewall configuration to protect cardholder data
    02. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    03. Protect stored cardholder data
    04. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
    05. Use and regularly update anti-virus software
    06. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    07. Restrict access to cardholder data by business need-to-know
    08. Assign a unique ID to each person with computer access
    09. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

Validation of Compliance

The mandate to comply with the PCI DSS requires each entity to verify and demonstrate their compliance status. Validation of compliance identifies and corrects vulnerabilities, and further protects customers by ensuring that appropriate levels of cardholder information security are maintained.

Merchant Levels of Compliance

Merchant validation levels vary by processing volume, and it's important for you to know what actions you need to take to validate your compliance. Visa™ and MasterCard® have both imposed severe fines on merchants who are found to be PCI DSS non-compliant at the time of a data breach concerning cardholder information. Avoiding these severe fines is easy to do. AMG has entered into an agreement with Security Metrics to implement the appropriate actions. There is an annual $79 fee to work with Security Metrics, which will be billed directly to your merchant account.

What Merchant Level is my business?
Merchant Level * / Description

Level 1
    Merchants, regardless of acceptance channel, processing over 6,000,000 Visa™ transactions annually, or global merchants identified as Level 1 by any Visa™ region.
    Also any merchant that Visa™, at its sole discretion, determines must meet the Level 1 merchant requirements to mitigate risk to the Visa™ system.

Level 2
    Merchants, regardless of acceptance channel, processing 1,000,001 to 6,000,000 Visa™ transactions annually.

Level 3
    Merchants processing 20,000 to 1,000,000 Visa™ e-commerce transactions annually.

Level 4
    Merchants processing fewer than 20,000 Visa™ e-commerce transactions annually, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa™ transactions annually.

* Any merchant that has suffered a hack that resulted in an account data breach may be escalated to a higher merchant level.
What level of action do I need to take?

Merchant Level / Action Required / Validated by

Level 1
    Annual on-site PCI data security assessment: validated by a Qualified Security Assessor, or by internal audit if signed by an officer of the company
    Quarterly network scan: validated by an Approved Scanning Vendor

Level 2
    Annual PCI self-assessment questionnaire: validated by the merchant
    Quarterly network scan: validated by an Approved Scanning Vendor

Level 3
    Annual PCI self-assessment questionnaire: validated by the merchant
    Quarterly network scan: validated by an Approved Scanning Vendor

Level 4 **
    Annual PCI self-assessment questionnaire: validated by the merchant
    Quarterly network scan (if applicable): validated by an Approved Scanning Vendor

** The PCI DSS requires that all merchants with externally facing IP addresses perform external network scanning to achieve compliance. Submission of scan reports and/or questionnaires by Level 4 merchants may be required.

As always, if you have any additional questions about PCI compliance, please call our customer support department.

Additional Resources
www.pcisecuritystandards.org
usa.visa.com/merchants/risk_management/cisp.html
www.mastercard.com/us/merchant/support/merchant_education.html