Payment Card Industry (PCI)
The Payment Card Industry Data Security Standard (PCI DSS) is the data security requirement for merchants that store, process or transmit cardholder information, and has been endorsed by all the major card brands: Visa Inc., MasterCard Worldwide, Discover Network, American Express and JCB. The PCI DSS is a framework for the secure handling of cardholder data.
Our team can offer a comprehensive, phased approach to understanding, assessing, achieving, meeting, and maintaining PCI compliance. Since 2004, BEW Global has assisted Level 1, 2, 3 and 4 merchants in achieving PCI DSS compliance. Through strategic partnerships, BEW Global can also offer Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA) services.
The following table outlines the current PCI DSS version 2.0 requirements for merchants:
| Merchant Level | Selection Criteria | Validation Actions | Validated By |
|---|---|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | Annual On-Site Security Audit¹ and Quarterly Network Scan | Independent Security Assessor or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor |
| 2 | 1 million – 6 million Visa or MasterCard transactions per year | Visa; MasterCard | Merchant; Qualified Independent Scan Vendor |
| 3 | 20,000 – 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |
| 4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | Visa; MasterCard | Merchant; Qualified Independent Scan Vendor. Validation requirements and dates for Level 4 merchants are determined by the merchant's acquirer. Submission of scan reports and/or questionnaires by Level 4 merchants may be required. |

1. Effective 30 June 2011, MasterCard Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
2. Effective 30 June 2011, MasterCard Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
