PCI Compliance


The rules for handling credit cards are beginning to be enforced by the credit card issuers (e.g., MasterCard). This post describes the compliance process for small businesses.

The Payment Card Industry (PCI) is a consortium of credit card issuers. PCI has developed a number of standards for handling and processing credit cards for the purpose of reducing fraud, theft, and misuse. These standards apply to various components of the card payment industry. One standard is applicable to businesses that accept credit cards. This standard is called the Data Security Standard (DSS). The current version is 1.2.

The DSS defines in detail the necessary levels of protection that all businesses must have when handling credit card data. There are four levels of handling based on the number of credit card transactions per year. Separately from the four levels, there are five types of merchants based on how they process their credit card transactions. Most small businesses dealing with on-line commerce are level 3 or 4 (less than 1,000,000 transactions per year) and type 1 or 5. Type 1 is for merchants who use third-party credit card systems (e.g., PayPal). Type 5 is for those that directly receive credit card information. The distinction between levels 3 and 4 is minor. There is a major distinction between types 1 and 5.

The intent of the DSS is to define the minimum level of security and protection applied to credit card information. The more information you collect and store, the higher the level of security that is needed. The DSS does not deal exclusively with technical computer matters (e.g., hardware, network, applications), but also with business policies and procedures. A type 1 merchant who outsources all credit card processing does not need the same level of protection as one who keeps a customer's credit card number on file for future purchases.

The details of how small businesses need to handle the Data Security Standard will be addressed in future posts.