The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements that helps organizations prevent payment data breaches and payment card fraud. It is published by the PCI SSC (PCI Security Standards Council), an independent body created to develop, improve, distribute and support the adoption of security standards for payment account security. The PCI SSC maintains and regularly updates technical, administrative and organizational security criteria for financial institutions, merchants, software and hardware manufacturers, and service providers. The standard was designed to tighten the safeguards around cardholder data in order to prevent card fraud. All five founding card brands (American Express, Discover Financial Services, JCB International, Mastercard and Visa) have incorporated PCI DSS into their own data security compliance programs and are responsible for enforcing compliance on every party involved in a card payment transaction.
Before going into detail, let's understand how a card payment works.
Paying in cash is simple; the process becomes more complicated when a consumer chooses a card instead, whether credit, debit or gift. To get paid, the merchant must have technology in place to accept the card, process the payment and obtain authorization for the transfer of funds.
Whether the payment is made online or in person, the following parties are involved in the processing of a credit or debit card (‘payment card’) transaction:
- Consumer
- Merchant
- Merchant processor
- Issuing bank
- Acquiring bank
- Card network
Each party plays a distinct role:
- Consumer: the person who chooses to spend money on an item or service and pays with a card.
- Merchant: after supplying the goods and/or services, the merchant starts the transaction by entering the consumer's card data into its point-of-sale (POS) terminal or online payment gateway.
- Merchant processor: the entity that routes the authorization request through the card network to the consumer's issuing bank and returns the approval (or decline) to the merchant.
- Issuing bank: the financial institution that issued the consumer's credit or debit card. It approves or declines the authorization and is responsible for paying the acquiring bank for approved transactions.
- Acquiring bank: the financial institution that holds the merchant's account, receives the settled funds via the processor and deposits them on the merchant's behalf.
- Card network: Visa®, Mastercard®, Discover® and American Express® in the United States, as well as JCB in Japan. The network is the link between the acquiring side and the issuing bank: it carries authorization messages between them and clears and settles the funds.
Who is required to comply with PCI DSS?
Any organization that stores, processes or transmits cardholder data belonging to one of the four main US credit card networks (Visa®, Mastercard®, Discover® and American Express®) or to JCB International must comply with PCI DSS. All parties involved in card payment processing (merchant, issuing bank, acquiring bank and processor) are contractually bound to follow it. PCI DSS compliance is not itself a legal obligation (although some US state laws reference it); it is a form of industry self-regulation, effectively compelled by a web of contractual responsibilities. The duties of each party are set out in the contracts between them. A merchant that wants to accept cards must enter into a merchant agreement with its acquiring bank; merchants do not contract directly with issuing banks or with the card networks. The merchant agreement requires the merchant to follow the card brand's operating rules (which also govern the relationship between the issuer and the brand), and through those rules it requires the merchant to comply with PCI DSS and to use validated payment applications in its point-of-sale environment. Historically this meant applications validated against the Payment Application Data Security Standard (PA-DSS); PA-DSS was retired in October 2022 and has been succeeded by the PCI Software Security Framework (the Secure Software Standard and the Secure SLC Standard). Compliance with PCI DSS must not only be maintained but also validated, as described below.
How can PCI DSS compliance be achieved?
Merchants are assigned one of four compliance levels, determined by the number of card transactions they process each year. The thresholds below are the ones used by Visa and Mastercard; the other brands publish their own (American Express, for example, starts Level 1 at 2.5 million transactions), a merchant that has suffered a breach can be placed in Level 1 at the brand's discretion, and service providers have a separate, two-level scheme.
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process 1 to 6 million transactions annually.
Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually.
Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions through any channel.
The goal is to ensure that card payments are protected by adequate safeguards. The first step is to complete the validation appropriate to your level: an assessment (whose form depends on the level), quarterly external vulnerability scans performed by an ASV (Approved Scanning Vendor), and an Attestation of Compliance (AOC). Level 1 organizations must undergo an annual on-site assessment by a QSA (Qualified Security Assessor) or, where the acquirer permits, by an ISA (Internal Security Assessor) employed by the organization itself. The assessor examines the company on site to validate the scope of the assessment (every system that stores, processes or transmits cardholder data, and every system that could affect the security of that data) and to test that each PCI DSS requirement is in place across the in-scope environment.
To document compliance, the assessor then produces a RoC (Report on Compliance), which the organization submits together with its AOC to its acquiring bank(s) and, where the brand requires it, to the card brands.
Instead of an on-site assessment, organizations in Levels 2-4 can complete the self-assessment questionnaire (SAQ) that matches the way they accept cards, again accompanied by the AOC and the quarterly ASV scans. Level 2 merchants may nevertheless be required by their acquirer or by the card brand (Mastercard, for example) to have the SAQ completed by a PCI-certified ISA, or to obtain a QSA-performed RoC instead.