Who has to comply?
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Since the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards. However, according to the PCI DSS documentation, “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.” Credit card companies and acquirer banks can levy stiff fines and remove the merchant’s ability to process credit card transactions until the merchant is PCI compliant. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company’s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathwa
Network Security Scans apply to all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company’s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data regardless of their transaction volumn, are required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small, commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). All Acquiring Banks (merchant banks) are also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard. Acquiring Banks are required to have documented proof of compliance form these merchants, or be liable
