What is PCI and Why Is It Important?

The Payment Card Industry (PCI) Data Security Standard is a joint creation of Visa, MasterCard, Discover and American Express. In response to the growing severity of credit card theft, the PCI Standard was created with the goal of protecting cardholder data wherever it may reside. The PCI has developed industry wide standards for card data security to be followed by both merchants and providers alike.

If you sell online and accept credit cards, then you MUST be PCI compliant. The deadline of become compliant has passed and it’s not something you can claim ignorance toward.

Thill Logistics, Inc. has achieved and maintains the highest level of PCI compliance – Level 1 – and offers you the strictest level of technology development and online payment security available today. By choosing Thill Logistics, you can rest assured that you are safeguarding your online properties and brands.

Non-PCI Compliant Merchant Face:

• Losing the ability to process transactions altogether
• $500,000 in fines (per incident).
• Class-action lawsuits
• $10,000 in monthly fines

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa Inc. instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard (DSS) resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Visa Inc. maintains data security compliance programs endorsing the PCI DSS.

Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents. Visa Inc., however, continues to manage all data security compliance enforcement and validation initiatives. In addition, the former QDSC Program has also transitioned to the PCI SSC. Please refer to the Assessors page for more information.

If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

PCI DSS Compliance

PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Visa Inc.’s compliance programs manages compliance with the PCI Data Security Standard with the required program validation.

The PCI DSS offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI DSS within their respective programs. Using the PCI DSS as its framework, Visa’s compliance programs provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI DSS consists of twelve basic requirements categorized as follows:

PCI Data Security Standard

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

1. Protect stored data
2. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

1. Use and regularly update anti-virus software
2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

1. Restrict access to data by business need-to-know
2. Assign a unique ID to each person with computer access
3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

1. Track and monitor all access to network resources and cardholder data
2. Regularly test security systems and processes

Maintain an Information Security Policy

1. Maintain a policy that addresses information security

By complying with the PCI DSS, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone. Compliance validation

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

Visa regulations

The Visa Inc., Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

Members must comply with the PCI DSS and are responsible for ensuring the compliance of their merchants, service providers, and their merchants’ service providers. Acquirers must include a PCI DSS compliance provision in all contracts with merchants and agents. Specific compliance requirements and validation criteria are provided at: http://usa.visa.com/merchants/risk_management/cisp_overview.html

Compliance Fines

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

1. Fine the responsible member
2. Impose restrictions on the merchant or its agent

Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Thill Logistics is proud to participate in the CISP program. In addition, Thill fulfilling the mandate to comply with the validation of compliance. Within this compliance, we ensure that we identify and correct any vulnerabilities and protect customers by ensuring adequate levels of cardholder information security.

Protecting our client’s customers security and maintaining our reputation is key to both our business, our client’s business and maintaining the peace of mind of the consumer.

Visa’s Business Guide to Data Security

Top Five Data Security Vulnerabilities

CISP Overview