PCI Resource Center
In 2004, the PCI Security Standards Council issued the first unified standard, referred to as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS sets the criteria for assessing compliance with the card brands’ security requirements and focuses on information security policy, cardholder data security, access control, network security and monitoring, and the organizational vulnerability management program. Today, any entity that stores, processes or transmits cardholder data must comply with the PCI DSS.
While every organization must comply with the PCI DSS, the type of validation that is required depends on the type of organization and how many card numbers are being stored, processed, and/or transmitted. Ultimately, the type of validation an organization is required to undergo is set by the acquiring banks and card brands with which that organization has a contractual relationship. In addition, the standards and validation requirements change frequently.
In order to determine what your validation requirements are, merchants and service providers should evaluate:
- Where you sit in the cardholder “value chain” i.e. are you a Point of Sale (POS) application provider, merchant, service provider, or acquirer.
- What “level” you are at, which is often determined by transaction volume with discretion lying with the acquiring banks and/or card brands.
Once you determine what type and level you are, the card brands and/or your acquiring bank (if applicable) will prescribe what level of validation you are required to undergo. Specifically, you will either be required to complete a Self-Assessment Questionnaire (SAQ) or undergo onsite validation by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council. You may also be required to conduct quarterly scanning by an Approved Scanning Vendor (ASV).