PCI-DSS certification: Is it obligatory for your company?

The need for security standards

Security measures have always been important in the digital world, but how did it come to the need for obtaining a PCI-DSS certification?

When John Biggins introduced the credit card for the first time in 1946 for Flatbush National Bank of Brooklyn in New York, he probably didn't imagine the impact that his invention would have 71 years later. Nowadays, more than 40 billion transactions are produced with credit cards annually only in the United States, and there are more than 500 million MasterCard and Visa cards registered in the USA strictly regulated by the PCI-DSS security standards. However, the rising number of credit card transactions has stimulated the growth of risks associated with sensitive user information. Moreover, the world has entered in a high-tech era, increasing the trust and comfort of the consumer to use credit cards for payments not only online but offline as well.

As a response to the elevated risk associated with the use of credit cards, in 2006 Visa, MasterCard, Discover, American Express and JCB united their power and created PCI-DSS, or Payment Card Industry Data Security Standard, a security regulations standard that has the purpose of reducing credit card frauds.

Who has the obligation to meet the standards for PCI-DSS certification?

The obligation to comply with PCI-DSS does not apply to all companies. According to the regulations, all entities involved in the processing of payment cards are obligated to meet the requirements defined by the PCI Security Standards Council. They include the following categories:

Commerce

• Level 1 – merchants that process more than 6 million transactions per year. The requirements include an annual Auditory made by a Qualified Security Assessor, a network scanning every quarter by an Approved Scanning Vendor (ASV), an attestation of compliance, etc.

• Level 2 – merchants that process between 1 and 6 million transactions per year. The requirements include the completion of an auto evaluation SAQ form, vulnerability scanning with ASV, and an attestation of compliance.

• Level 3 – merchants that process between 20,000 and 1 million eCommerce transactions per year; this level implies the same requirements as Level 2, and it is designed especially for e-commerce transactions.

• Level 4 – merchants that process less than 20,000 eCommerce transactions. This level is the least restrictive, implying only the completion of a SAQ questionnaire, and an optional vulnerability scanning every quarter.

Service providers

This category is for organizations that provide services to third-parties and process transactions with payment cards during the service delivery. Financial entities that perform determined operations for other financial entities are also included in this category.

• Level 1 – service providers that process more than 300 thousand transactions with VISA and/or Master. An annual Auditory by QSA and a network scanning each quarter are required for this level.

• Level 2 – service providers that process less than 200 thousand transactions. This level requires the completion of an Annual Compliance Report (ROC) and a network scanning.

Acquiring Entities and Issuing Companies

All entities, whether they are acquiring or issuing companies, should comply with the security standard PCI-DSS.

As a general norm, any company, regardless of its size, that stores, processes, and transmits bank card information, is obligated to comply with the standards set by the PCI Security Standard Council.

If your company fits any of these categories, having a PCI-DSS certification is absolutely obligatory. However, fulfilling all the requirements can be extremely costly for some companies, with prices reaching more than $500, 000 for some. If this certification doesn´t fit your budget, but processing transactions with credit and debit cards is a fundamental part of your business, MYMOID offers you a fast and economic solution - an integration of our online payment services into your web or mobile platform via API-REST, allowing you to benefit from our PCI-DSS certification.