What is PCI Compliance?

Posted: Jan 08, 2023 9:20AM ET • 5 min read


Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandated by the major card brands, such as MasterCard, Visa, and American Express, to safeguard cardholder data against theft and misuse. PCI compliance, as it is generally known, refers to the technical and operational requirements that merchants (and the service providers handling card data on their behalf) must meet to reduce the likelihood of a data breach and to deter fraudulent use of cardholder data.

There are many requirements to consider when working toward PCI compliance, and the validation burden grows with a merchant's transaction volume. Below are answers to some of the most commonly asked questions about PCI compliance.

1. Is PCI Compliance a requirement for financial processing? 

PCI DSS is not itself a law, and it is not always enforceable by statute. It is a contractual obligation that the major card brands impose on merchants and service providers through their acquiring banks, chiefly to allocate liability in the event of a breach. Many jurisdictions have also crafted data-protection laws that either reference the PCI DSS requirements or align with them.

Some card brands, like Visa, will waive the annual compliance validation (the on-site assessment or SAQ submission) for merchants that demonstrate alternative safeguards against fraud of equal or greater strength, such as a high proportion of EMV chip transactions or a validated point-to-point encryption (P2PE) solution. Note that this waives only the validation step: the merchant is still required to comply with PCI DSS.

2. What are the different levels of PCI Compliance, and how do I achieve them? 

Merchant levels range from Level 1, the highest, to Level 4. Each card brand assigns the level based on a merchant's annual transaction volume; the thresholds below are Visa's, which the other brands broadly mirror. The following is a breakdown of the validation requirements for each level.

  • Level 4 PCI Compliance: Level 4 covers merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually across all channels. They must submit the relevant Self-Assessment Questionnaire (SAQ) every year and, where their SAQ calls for it, have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). The acquiring bank sets the exact validation requirements for Level 4 merchants.

  • Level 3 PCI Compliance: Level 3 covers merchants processing between 20,000 and 1 million e-commerce transactions annually. They, too, must submit the SAQ relevant to their environment yearly and, where applicable, pass quarterly ASV scans.

  • Level 2 PCI Compliance: Level 2 covers merchants processing between 1 and 6 million debit and credit card transactions annually across all channels. They must submit an annual SAQ relevant to their environment (MasterCard additionally requires that the SAQ be completed by ISA-certified staff or by a QSA) and, where applicable, pass quarterly ASV scans.

  • Level 1 PCI Compliance: Level 1 covers merchants processing more than 6 million debit and credit card transactions annually across all channels, as well as any merchant a card brand designates as Level 1, for example after a breach. They must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) where the brand permits, resulting in a Report on Compliance (ROC). In addition, they must pass quarterly external vulnerability scans performed by an ASV and carry out the penetration testing that PCI DSS itself requires at least annually and after significant changes.

3. What does the evaluation process consist of to achieve PCI Compliance?  

The Payment Card Industry Data Security Standard (PCI DSS) has six goals, supported by 12 core requirements. These, in turn, break down into 78 base requirements and are evaluated by over 400 test procedures. The following roles and documents are involved in the assessment process:

  • Qualified Security Assessor (QSA): A QSA is an independent security firm, qualified by the PCI Security Standards Council (PCI SSC), whose certified assessors perform on-site PCI DSS assessments and produce the Report on Compliance.

  • Internal Security Assessor (ISA): An ISA is an employee certified by the PCI SSC to perform PCI DSS self-assessments on behalf of their sponsoring organization. The certification qualifies the individual to conduct internal assessments of the organization's compliance and to recommend security controls needed to achieve or retain it. Part of the role is to liaise with QSAs and assist with their assessments as needed.

  • Report on Compliance (ROC): The ROC is the assessor's written report, required of all Level 1 merchants, documenting that the merchant's policies, procedures, and technical controls have been designed and implemented as PCI DSS requires to protect cardholder data.

  • Self-Assessment Questionnaire (SAQ): Which SAQ a merchant must complete depends on its merchant level and on how it accepts and handles cardholder data (the payment channels it uses and whether card data ever touches its own systems). The goal is the same in every case: to attest to the merchant's acquiring bank that it understands the requirements and is abiding by them. Any requirement answered "No" is a compliance gap that must be remediated, or covered by a documented compensating control, before the merchant can attest to compliance.

As a parking vendor or operator, you are encouraged to achieve and maintain PCI compliance at the validation level appropriate to your transaction volume. Following the most stringent security requirements in the industry positions you to scale to higher transaction volumes and to navigate existing and emerging payment security trends successfully.

References

Ritacca, J. (2021, April 6). A guide to PCI compliance levels. Parking Industry. Retrieved January 9, 2023, from https://www.parkingindustry.ca/parking-revenue/a-guide-to-pci-compliance-levels

Ritacca, J. (2021, March 15). PCI-DSS objectives and Requirements. Parking Industry. Retrieved January 9, 2023, from https://www.parkingindustry.ca/parking-revenue/pci-dss-objectives-and-requirements

Ritacca, J. (2021, March 24). PCI compliance: What it means and how it's evaluated. Parking Industry. Retrieved January 9, 2023, from https://www.parkingindustry.ca/parking-revenue/pci-compliance-what-it-means-and-how-its-evaluated

ABOUT THE AUTHOR


Joe Ritacca
Vice President, IT and Research & Development

As Vice President of Precise ParkLink’s Research and Development department and as the head of Precise ParkLink’s Project Management Office, Joe leads a team of systems engineers and software developers, guiding the development of creative solutions. The innovations and integrations he and his team develop let Precise ParkLink offer something truly unique in the Canadian marketplace — a fully turnkey parking technology and management solution. Having studied business administration and computer science at Ryerson University, and with over 25 years of parking industry experience, Joe is ideally suited to his role building teams that can conceptualize solutions and drive change on clients’ behalf.
