Welcome to PCIStandard.com
Auric Systems International created and sponsors this site as a source of information for merchants.
The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs.
Why is there a PCI standard?
The benefit of aligning all these programs under a single standard is a commonly accepted set of industry measurements and tools, and with it a single validation process that satisfies all the card associations. Having a single set of requirements to validate against makes compliance less complex for the merchant.
Why should you care?
Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs.
Your customers are depending on you to keep their sensitive payment card information safe. Just one incident can have widespread results, damaging your reputation and resulting in the loss of both sales and positive relationships with partners.
Who is required to meet the PCI security standard?
Size doesn't matter - PCI compliance applies to all organizations or merchants that collect, process or store credit card payment information, regardless of size or number of transactions.
All Acquiring Banks (merchant banks) were also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year by June 30, 2005. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard. Acquiring Banks are required to have documented proof of compliance from these merchants, or be liable to fines themselves. Many banks are already requiring all merchants, regardless of transaction volume, to produce this Certification of PCI Compliance.
What do I need to do to meet the PCI standards?
Validating against the PCI standard comprises two basic steps:
1. Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard "Qualified Independent Scan Vendor". PCI scans are required for all Internet connection points, whether they are office networks, home/office connections (dial-up, DSL, cable or wireless), or permanent Internet servers such as your web site and email server.
2. Successfully complete a security self-assessment questionnaire (SAQ). The self-assessment questionnaire asks specific questions about your internal security practices, both on your web site and in your office.
SAQ A v2.0: All cardholder data functions outsourced. No electronic storage, processing, or transmission of cardholder data.
SAQ B v2.0: Imprint machines or standalone dial-out terminals only. No electronic cardholder data storage.
SAQ C v2.0: Payment application connected to the Internet. No electronic cardholder data storage.
SAQ C-VT v2.0: Web-based virtual terminal. No electronic cardholder data storage.
SAQ D v2.0: All other SAQ-eligible merchants and service providers.
Each SAQ also has a corresponding Attestation of Compliance (AOC) that should also be completed.
To obtain your SAQ and AOC go to this link: security self-assessment questionnaire