PCI DSS Compliance
What is PCI DSS
The security of consumer credit card information has long been a concern for the payment processing industry. In December 2004 a consortium of credit card companies, including American Express, Discover Financial Services, JCB, VISA and MasterCard, adopted a common standard for this purpose: the "Payment Card Industry Data Security Standard (PCI DSS), Version 1.0". PCI DSS 1.1 was published in September 2006 and PCI DSS 1.2 in October 2008.
What is PCI Compliance
PCI DSS imposes 12 basic requirements, grouped under the following six topics:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
PCI compliance requires that a merchant follow these six principles and the 12 requirements specified under them. Read more about the requirements of PCI DSS 1.2 and the summary of changes introduced in PCI DSS 1.2.
Who Should Worry About PCI Compliance
A consumer who uses a debit or credit card to make a payment must ensure that the merchant accepting the card is PCI compliant.
If you are a merchant and accept (or are planning to accept) payment by debit or credit card, you must ensure that you are PCI compliant.
How to Ensure PCI Compliance
To ensure PCI compliance, a merchant must follow the PCI DSS requirements rigorously. The typical classification of merchants into levels, and the corresponding actions required to maintain PCI compliance, are shown in the table below. Transaction thresholds vary slightly between card brands; check the program of each brand you accept.

| Level | Criteria | A | B | C | Best practice |
|---|---|---|---|---|---|
| Level 1 | 1. Merchants with over 6 million transactions a year; 2. Merchants whose data has been compromised | Yes | No | Yes | Yes |
| Level 2 | Merchants with 100,000 to 6 million transactions a year | No | Yes | Yes | Yes |
| Level 3 | Merchants with 20,000 to 100,000 transactions a year | No | Yes | Yes | Yes |
| Level 4 | Merchants with fewer than 20,000 transactions a year | No | Yes | Yes | Yes |

Reporting requirements (columns A, B, C, as used in the card brands' merchant-level programs): A = annual on-site assessment of compliance; B = annual Self-Assessment Questionnaire (SAQ); C = quarterly network scan. Best practice = 24x7 scan of the wired and wireless LAN.
A merchant at Level 1, 2 or 3 must report its PCI compliance. The PCI scan report and the annual Self-Assessment Questionnaire are submitted to your merchant bank (acquirer), which in turn reports to the payment card brands that your company is PCI compliant.
How Often Should I Scan My Networks?
PCI compliance requires that merchants scan both their wired and wireless networks at least quarterly (see the table above). A merchant should perform the wireless scan even if no official wireless network is deployed, because unauthorized or rogue access points can appear on the wired network at any time.
Though PCI DSS requires only quarterly scans, a merchant can still be held liable if cardholder data is compromised between scans. Be aware that PCI compliance does not by itself ensure data security: a passed scan shows only that the required controls were in place at the time of the scan. Continuous (24x7) scanning of the wired and wireless environment is therefore an essential step in securing cardholder data and a recommended best practice. With continuous scanning you can detect a compromise quickly and take preventive action before the next scheduled scan.
To learn about how wireless impacts PCI compliance (even when wireless is not officially deployed), continue reading next section on PCI Compliance and Wireless.
- View Sample PCI DSS Wireless Compliance Report
- AirTight Networks is a member of the PCI Security Vendor Alliance
- PCI Compliance White Paper
- PCI Compliance Links