PCI DSS for merchants: the basics you should know

What is PCI DSS

Recently we at Maxpay have been talking a lot about payment safety, because when times are uncertain, fraudsters step up their scams even more.
So far we’ve discussed the ways you can avoid chargebacks using Ethoca Alerts and VMPI solutions, but there are other issues you should take care of, such as financial data security.

That’s where PCI DSS comes into play. The Payment Card Industry Data Security Standard is a set of requirements that every company and financial institution that processes, stores, and/or transmits credit card information must abide by.

PCI DSS was initiated in 2004 by major card companies Visa, Mastercard, American Express, Discover, and JCB International to better protect transactions from fraudsters and data theft.

PCI DSS compliance certification

If you are a merchant, getting the PCI DSS certification process out of the way is your priority: not only do you want to keep all your and your clients’ data safe, but you also want to take care of your reputation. Remember: information leaks and the subsequent lawsuits will cost you much more than getting the certification.

These are some of the objectives the PCI DSS entails: 

  • The cardholder’s data (such as card details, social security number, and even phone number and email) that is stored on the website must be protected properly and must be encrypted whenever it is transmitted;
  • A reliable firewall should be used to secure the network that handles transactions from data-stealing hackers. Other important means of taking a stand against hackers include anti-virus and anti-malware software;
  • Frequent testing of the network is a great way to keep the security systems in check. The merchant’s website should also be checked regularly for system vulnerabilities and bugs.

PCI DSS requirements list

There are 12 general data security requirements for merchants:

  1. Install and maintain a firewall configuration to protect cardholder data;
  2. Do not use vendor-supplied defaults for system passwords and other security parameters;
  3. Protect stored cardholder data;
  4. Encrypt transmission of cardholder data across open, public networks;
  5. Protect all systems against malware and regularly update anti-virus software or programs;
  6. Develop and maintain secure systems and applications;
  7. Restrict access to cardholder data by business need to know;
  8. Identify and authenticate access to system components;
  9. Restrict physical access to cardholder data;
  10. Track and monitor all access to network resources and cardholder data;
  11. Regularly test security systems and processes;
  12. Maintain a policy that addresses information security for all personnel.

PCI DSS merchant levels

The compliance requirements don’t apply equally to all types of merchants. That’s why there are four levels of PCI DSS compliance, which you can determine easily from the number of transactions processed per year.

  • Level 1 merchants process over 6 million transactions every year;
  • Level 2 merchants process from 1 million to 6 million transactions annually;
  • Level 3 merchants process from 20 thousand to 1 million transactions yearly;
  • Level 4 merchants process fewer than 20 thousand transactions in a year.

PCI DSS compliant payment gateway

It’s not enough for merchants to follow all the rules of PCI DSS themselves; they should also work with financial institutions that play by the same rules.

Maxpay is a payment gateway service provider that obtained its PCI DSS certification in 2015, before we started processing transactions.

Maxpay is fully PCI DSS Level 1 compliant, and we renew the certification every year. Find out how you can get a 50% discount on PCI DSS certification by contacting us at start@maxpay.com.