What are the 4 Levels of PCI Compliance?

PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for all companies that handle cardholder information for their merchant facilities, ecommerce environments or any other environment where this data could be stored. It was developed and created by the Payment Card Industry Security Standards Council (PCI SSC). To understand PCI compliance, you need to know there are four levels of compliance:

  1. Level 1 is the most stringent level. It applies to merchants processing more than 6 million transactions annually, to merchants maintaining a gateway under PCI DSS, and to companies with over 20,000 cardholders.
  2. Level 2 applies to companies processing between 1 and 6 million transactions annually, and to companies that take credit card data but do not store, process or transmit it.
  3. Level 3 applies to all other merchants not included in the previous levels, including those processing fewer than 1 million transactions annually and all ecommerce sites regardless of transaction volume.
  4. Finally, there is a fourth level for merchants who want to validate their compliance.

Each level has different requirements for securing information, but they all share the same basic elements: build and maintain a secure network, use firewalls and encryption, develop an incident response plan, implement strong access control measures, and many others. All four levels also require merchants to perform a self-assessment, which is exactly what it sounds like: you assess your own company's network and systems, using the PCI DSS as the guideline.

The standard is not self-enforced or enforced by law, but if a company stores credit card information and its systems fail an audit that checks for compliance with the standard, that company will be liable for fines and penalties, not to mention the damage this can cause to the business.

There is a good reason why all major credit card companies and banks make sure their clients comply with PCI security standards. The standard is complex and difficult to achieve because of its technical nature, and that is precisely why it is required of every company that stores, processes or transmits credit card information.