For most retailers the primary source of revenue comes from credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous sections, those agreements typically required that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS.
The PCI DSS is a standard that originally was established by the payment brands, and later transferred to the Payment Card Industry Security Standards Council (“PCI SSC”) for management and further development. The standard sets forth what the payment brands contend is a baseline of technical and operational requirements designed to protect cardholder data. Put differently, many consider the PCI DSS as the minimum requirements that a company must meet in order to accept and process credit cards.
The current version of the PCI DSS was published in April of 2016 and represents the sixth incarnation of the standard. The following provides a snapshot of information concerning the PCI DSS.
Number of security controls required under the current version of the PCI DSS.1
The frequency with which large retailers must audit and certify their compliance with the PCI DSS.2
Factors retailers should consider when evaluating your compliance with the 12 requirements of PCI DSS:
- Are there any deficiencies identified in your organization’s latest “Report on Compliance,” and are you remediating those issues?
- Are there any concerns about the scope of your organization’s latest “Report on Compliance?”
- If PCI non-compliance is identified, does this trigger contractual notification or remediation requirements?
- With new technologies, is your vendor contractually required to meet PCI standards?
- Do your device vendors and manufacturers meet requirements, such as PIN Transaction Security (PTS) standards?
- Is your Payment Application PA-DSS validated?
- Are you using a Point to Point Encryption (“P2PE”) Isolution?
- Does your Point-to-Point Encryption solution meet the PCI P2PE standard?
- Have the vendors that access, transmit or store you credit or debit card data provided you with appropriate indemnification in the event of a breach caused by the vendor or their equipment?