PCI Compliance Information

Payment Card Industry Data Security Standards (PCI DSS) are designed to provide merchants a single set of requirements for safeguarding sensitive data. These standards have been adopted by all the card brands in conjunction with the PCI DSS. The standards require that all merchants (regardless of their size or type of payment system) that store, process, transmit or have access to cardholder data must be in compliance to protect that data.

What are the requirements?

The PCI DSS is comprised of 12 requirements. These requirements cover a full spectrum of topics necessary for data security. They range from removing sensitive card data from your payment terminals to implementing data security policies for your employees to follow.

In conjunction with the 12 requirements, the PCI Security Council has developed the Prioritized Approach, which provides guidance for non-compliant merchants striving to achieve compliance.

Levels of Requirements

Level
Criteria
Requirements
 
1 Over 6 million Visa or MasterCard transactions in a 12 month period
  • Onsite Assessment performed by QSA
  • Quarterly network scans
 
2 Between 1 and 6 million Visa or MasterCard transactions in a 12 month period
  • Assessment Questionnaire performed by accredited internal staff or onsite assessment by QSA
  • Quarterly network scans
 
3 Between 20,000 and 1 million Visa or MasterCard ecommerce transactions in a 12 month period
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans
 
4 Less than 20,000 ecommerce or less than 1 million transactions with one card brand in a 12 month period
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans
  • Submission to acquirer not mandatory

Validation of Compliance

Your acquirer/ payment processor may require submission of documentation depending on your data security reporting level in order to validate PCI DSS compliance, such as:

  • Report on Compliance (ROC)
  • Self Assessment Questionnaire (SAQ) and Attestation of Compliance
  • "Clean" security vulnerability scan by an Approved Scanning Vendor (ASV)
  • Use of a Payment Application Data Security Standard (PA DSS) compliant payment application

Vulnerability Scans

Why is scanning important? The benefit of having a quarterly network scan is to ensure your payment environment is sealed off to individuals with malicious intent. In addition to safeguarding your customer's cardholder data, performing network scans is a requirement for ongoing PCI DSS compliance.

These scans are non-intrusive tests that involve probing external-facing systems and reporting on the services available through your Internet connection. For a complete list of Approved Scanning Vendors, visit the PCI Security Standards Council website.

For card association updates on data security, please visit Visa Canada or MasterCard Canada