As a responsible citizen of the payments industry, and as the primary subject matter expert with whom our retailers interact, it is our role to provide the tools, encouragement and guidance needed for merchants to achieve compliance within their business.
We continue to stay on the leading edge of security and compliance initiatives. We provide innovative solutions to help minimize the burden of compliance for our partners and retailers. We offer technology, education, and even third-party compliance services to meet our customers and partners at their point of need.
Q: Are the PCI DSS standards and requirements a law?
A: Maybe. They are standards that were created and are enforced by the major payment card brands who established the PCI SSC: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Historically, enforcement has been contractual, with fees, fines and tort as the major points of liability for a merchant. However, recent legislation may make compliance legally mandated for some merchants. Nevada was the first state to pass legislation requiring that all merchants achieve and maintain compliance with PCI security standards.
Q: Where can I find the PCI Data Security Standards (PCI DSS)?
A: The Standard can be found on the PCI SSC's Website:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may reduce the company's risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean the company can ignore PCI.
Q: Are debit card transactions in scope for PCI?
A: Yes. In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International.
Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
Q: What if a merchant refuses to cooperate?
A: PCI is not, in itself, a law. The standard was created by the major card brands: Visa, MasterCard, Discover, AMEX, and JCB. At the discretion of their acquirers/service providers, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.
For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.
Resources
https://www.pcisecuritystandards.org/
http://www.pcicomplianceguide.org/