The Payment Card Industry Data Security Standard (PCI DSS) sets out the data security requirements for merchants, issuers, and service providers that store, process, or transmit cardholder data (credit, debit, or prepaid card information). It is endorsed by all the major card brands: Visa Inc., MasterCard Worldwide, Discover Network, American Express, and JCB. In short, PCI DSS is a framework for the secure handling of cardholder data.
Non-compliance means that the payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it reaches the merchant, and will most likely raise the merchant's transaction fees as well. Penalties for a breach in which card data is lost or stolen have run into the millions of dollars (these events are generally not openly discussed or widely publicized), and they can be catastrophic to a small business.
For all organizations that use payment cards in their day-to-day activities, Bonadio's experience in guiding clients through the process of PCI DSS compliance is unmatched. We offer a wide variety of services, from initial scheduling of your review, to technical advice, to scanning and penetration testing, to the final preparation of documentation. For our clients, from small charitable organizations to large multinational online retailers, we offer a focused, tailored approach that provides an unmatched level of hands-on support, automated scanning, and testing to ensure that our clients become compliant and, year over year, maintain compliance with PCI DSS.
A Merchant – is defined as ANY entity that accepts payment cards bearing the logos of any of the five founding payment brands - American Express, Discover, JCB, MasterCard, or Visa - as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant when it accepts payment cards for monthly billing, but it is also a service provider if it hosts merchants as customers.
A Service Provider – is defined as a business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that supply managed firewalls, IDS, and other services, as well as hosting providers and other entities.
A Payment Application – is defined as a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Network Segmentation – isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. Segmentation only reduces scope if it is actually effective: any system that is not segmented from the cardholder data environment remains in scope, so the controls that separate the segments (firewall rules, ACLs, VLAN boundaries) should be documented and tested rather than assumed.
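The following is an added illustration of what "verifying segmentation" means in practice; it is example code written for this page, not a Bonadio tool or anything from the PCI DSS itself. It models a simplified first-match firewall policy between a hypothetical out-of-scope corporate LAN (10.20.0.0/24), a hypothetical cardholder data environment (10.10.0.0/24) and a hypothetical bastion and monitoring host, then probes every corporate address against every CDE listener to find paths that should not exist. The weak ruleset contains the classic mistake of writing an exception against a supernet (10.0.0.0/8) that happens to cover the out-of-scope LAN; the corrected ruleset pins the exception to the one host that needs it. All addresses, ports and rules are constructed for the example.

```python
"""Segmentation check: can any out-of-scope host reach a CDE listener?

Added example for illustration only; addresses, hosts and rules are
hypothetical and constructed, not taken from any real environment.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

CDE_NET = ip_network("10.10.0.0/24")   # hypothetical cardholder data environment
CORP_NET = ip_network("10.20.0.0/24")  # hypothetical out-of-scope corporate LAN


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), dport)


# Constructed first-match ruleset that looks segmented but is not: the
# "monitoring" exception is written against 10.0.0.0/8, which also covers CORP_NET.
WEAK_POLICY = [
    rule("allow", "10.30.0.5/32", "10.10.0.0/24", 22),   # bastion -> CDE SSH
    rule("allow", "10.0.0.0/8",   "10.10.0.0/24", 443),  # "monitoring": far too broad
    rule("deny",  "0.0.0.0/0",    "10.10.0.0/24"),       # everything else into the CDE
]

# Corrected ruleset: the exception is pinned to the single monitoring host.
HARDENED_POLICY = [
    rule("allow", "10.30.0.5/32", "10.10.0.0/24", 22),   # bastion -> CDE SSH
    rule("allow", "10.30.0.9/32", "10.10.0.0/24", 443),  # monitoring host only
    rule("deny",  "0.0.0.0/0",    "10.10.0.0/24"),
]

# Constructed inventory: CDE listeners, and the only sources approved to reach them.
CDE_SERVICES = [("10.10.0.10", 443), ("10.10.0.10", 22), ("10.10.0.20", 5432)]
APPROVED_SOURCES = {ip_address("10.30.0.5"), ip_address("10.30.0.9")}


def decide(policy: list, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit default deny applies."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def find_leaks(policy: list, probe_sources=None) -> list:
    """Return (src, dst, port) triples where a non-approved source is allowed into the CDE."""
    if probe_sources is None:
        probe_sources = [str(h) for h in CORP_NET.hosts()]  # every out-of-scope address
    leaks = []
    for src in probe_sources:
        if ip_address(src) in APPROVED_SOURCES:
            continue
        for dst, port in CDE_SERVICES:
            if decide(policy, src, dst, port) == "allow":
                leaks.append((src, dst, port))
    return leaks


def is_segmented(policy: list) -> bool:
    """True only if no probed out-of-scope source can reach any CDE listener."""
    return not find_leaks(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        leaks = find_leaks(policy)
        print(f"{name}: {'segmented' if not leaks else f'{len(leaks)} leak(s)'}")
        for src, dst, port in leaks[:3]:
            print(f"  {src} -> {dst}:{port} allowed")
```

Against the weak ruleset every one of the 254 corporate addresses can reach the CDE web listener on 443, so the corporate LAN would still be in scope; the hardened ruleset closes that path while keeping the bastion's SSH and the monitoring host's 443 access. A policy model like this only checks what the rules say; the actual segmentation verification that assessors expect is a penetration test from the out-of-scope segments against the CDE boundary, which also catches dual-homed hosts, stray routes and devices the ruleset does not govern.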