February 21 2008
WHAT DOES BEING PCI COMPLIANT MEAN?
In September 2006, the 5 major credit card companies in the world (MasterCard, Visa, American Express, Discover Financial Services and JCB) came together to form an organization that would create, disseminate and regulate the standards with which each member of the payment card industry would need to comply. The organization would be called the Payment Card Industry (PCI) Security Standards Council. The key theme behind the PCI council is the DSS, or Data Security Standard, a set of compliance requirements to be met by each entity in the credit card processing chain that maintains, processes or stores credit card information. The current version of the Data Security Standard is 1.1, adopted with effect from December 31, 2006.
The PCI consortium is aimed at providing security to customers in the e-commerce environment by ensuring that the merchant or acquirer handling the credit card information has sufficient security checks and facilities in place to prevent fraudulent activity. PCI compliance is a mandatory requirement for any merchant, third party credit card processor or acquirer that is storing, processing or receiving credit card information in any form. By the end of 2007, PCI compliance was made mandatory for any organization that accepts credit card payments. If such a merchant or acquirer is not PCI compliant, the PCI council is empowered to levy fines (up to $500,000) and take regulatory action, in some cases even permanently prohibiting the entity from credit card activity. However, it is important to note that PCI compliance is mandatory only for those parties who are in possession of the Primary Account Number (PAN), i.e. the full 16-19 digit credit card number. Technically, if the merchant or acquirer in question does not store, process or receive the PAN, then that party would not need to comply with PCI rules.
To be PCI compliant technically means that at the time an authorized PCI auditor audits a merchant or acquirer's systems, that party is in 100% compliance with the PCI rules. In practice this means that as long as the merchant can show compliance at the time the audit is conducted, he or she does not need to stay compliant throughout; this is obviously a regulatory issue which may need to be sorted out with time. In any event, being PCI compliant means that each of the 12 requirements of the PCI DSS 1.1 standard is met by the merchant or acquirer in question. Most of these requirements revolve around access control and network protection. In addition, proper monitoring and regular security checks are mandated. The PCI DSS can be divided into 6 basic sections to aid understanding:
1. Network security
2. Protection of credit card information
3. User and group level access control
4. Organizational level information security policy
5. Protection against vulnerabilities and business risks
6. Regular monitoring and maintenance of security infrastructure
The PCI council prescribes these rules in the context of merchant levels (1, 2, 3, 4), which have different levels of required compliance and corresponding fines and levies. Merchants are classified into levels 1, 2, 3 and 4 based on their volume of transactions and whether or not the merchant has had any data breaches in the past. For instance, Level 1 merchants are those with the highest volume of transactions, currently upwards of 6 million a year, as well as merchants who have experienced a breach of sensitive data in the past. It is important to note that the DSS 1.1 standard is more focused on Level 1 and Level 2 merchants, as they are more prone to credit card fraud than the other levels. Furthermore, MasterCard doesn't have any specific requirements for a merchant to fall under Level 4, whereas Visa has different categories in some geographic regions. While MasterCard suggests that Level 4 is for merchants who are not in Level 1, 2 or 3, Visa goes a step further and has Level 4a and Level 4b categories as well.
Becoming PCI compliant will not be free, as putting in place both organizational and technical measures will involve investment in terms of both time and money. It is estimated that a Level 1 merchant would need to spend nearly $700,000 in order to implement PCI compliance. The costs would be lower for lower level merchants; for instance, a Level 2 merchant may spend only half the amount of a Level 1 merchant. However, this does not take into account the fact that non-compliance could lead to huge fines and sometimes a revocation of the right to accept credit cards.
For more information on echeck processing, high risk merchant accounts and online credit card processing, please visit www.stradafee.com!