All your PCI Scanning questions answered
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCIDSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
Specific requirements will depend on the card brand, however, all merchants will fall into one of the 4 merchant levels based on the number of transaction volume over a 12-month period. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.
|1||Merchants processing over 2.5 million American Express Card transactions annually.||Merchants processing over 6 million card transactions annually on the Discover network.||Merchants processing over 1 million JCBInternational transactions annually.||Merchants processing over 6 million total combined MasterCard and Maestro transactions annually.|
|2||Merchants processing 50,000 to 2.5 million American Express transactions annually.||Merchants processing 1 million to 6 million card transactions annually on the Discover network.||Merchants processing less than 1 million JCVinternational transactions annually.||Merchants with greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually.|
|Level||Visa Inc||Visa Europe|
|1||Merchants processing over 6 million Visa transactions annually (all channels). Or global merchants identified as Level 1 by any Visa region.||Merchants processing over 6 million Visa transactions annually (all channels). Or compromised merchants.|
|2||Merchants processing 1 million to 6 million Visa transactions annually (all channels).||Merchants processing 1 million to 6 million Visa transactions annually.|
|3||Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.||Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.|
|4||Merchants processing less than 20,000 Visa -ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.||Merchants processing less than 20,000 Visa -ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.|
The validation requirements for your merchant level depend on the card brand, however, the below offers a generalised description:
The key is demonstrating you are managing a route to compliance. Go to your acquirer with the evidence before they come looking for you. This will help if you have a breach or are threatened with fines. Be proactive and have a response plan beforehand, executing it will provide the acquirer with confidence that you are across the situation.
There are many benefits to becoming PCI certified, in becoming PCI Compliant you are protecting your website from potential security threats through undertaking quarterly PCI scans. The scanning must be undertaken by an Approved Scanning Vendor (ASV), and is an efficient method of checking your site for vulnerabilities that could potentially lead to your customer’s personal information to be stolen. Once alerted to these vulnerabilities it is then important to remediate against these issues to ensure that the information remains secure.
In becoming PCI Certified you will increase your customer’s trust, the perception being that you take IT Security seriously and, therefore, their cardholder data and personal information is secure.
The greatest benefit in becoming PCI certified, is avoiding the consequences that you would face if you don’t become PCI compliant. Merchants that do not become PCI Certified risk having to pay major fines, or not being able to handle credit card data on their website at all if they experience a breach.
Yes. Just using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, they cannot ignore PCI.
If your business locations process under the same Merchant ID, then typically you are only required to validate once annually for all locations. You must submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV).
Every 90 days/once per quarter you are required to submit a passing scan to your acquiring bank. Scans are also required following any major changes to the network. Merchants and service providers should submit the scanning Attestation of Compliance according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
You should receive 3 reports from your Approved Scanning Vendor
Any vulnerability detected during scanning is mapped to the CVSS Base score, the CVSS Base Score is determined by the National Institute of Standards and Technology (NIST) http://nvd.nist.gov/cvss.cfm:
It is quite unlikely for Low severity level vulnerabilities to be a PCI fail but there are certain exceptions to this. The CVSS Base score is not the only basis for whether a scan passes or fails. A scan can pass with a high and even fail with a low, depending on the type of exploit.
The criteria for PCI Pass/Fail compliance status implemented is calculated based on criteria listed below:
Compliance documentation must be submitted via email, fax, post or online (if the service chosen provides the facility to do so).
The payment brands may, at their discretion, fine an acquiring bank between £2,500 to £80,000 per month for PCI compliance violations. The bank will most likely pass this fine on to the merchant. If no progress is made after a period of fines being applied, the bank may either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicised, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.
We recommend following the procedures outlined in Visa’s What to Do If Compromised Visa Fraud Control and Investigations Procedures document.
All merchants, regardless of their level, must submit the certified reports generated using a certified PCI scan service from an Approved Scan Vendor every 90 days. Additionally, all Level 2, 3 and 4 merchants must also submit the Self-Assessment Questionnaire issued by the PCI Security Standards Council annually. Level 1 merchants are subject to an onsite audit of their payment network and do not need to submit the questionnaire.
All information about the PCI Data Security Standard may be found on the PCI Security Standards Council’s website.