What are the PCI DSS standards?

The Payment Card Industry (PCI) Data Security Standards (DSS) are a set of security rules and practices governing payment account data. They were established in 2006 by the major card brands (including MasterCard, Visa, and American Express) to protect cardholders’ payment data and prevent fraud.

PCI standards matter for two reasons: they are very effective at reducing payment fraud, and non-compliance with them can be very expensive. A payment processor may, at its discretion, fine a merchant between $5,000 and $100,000 per month while the merchant is in violation of the standards. It can also raise the merchant’s transaction fees or stop servicing a non-compliant merchant altogether.

Determining the Appropriate Level of Compliance

Under the PCI standards, each merchant is assigned a “level” that determines the set of PCI rules it must comply with. Each card brand assigns a level to a merchant based on its own criteria. As a result, a merchant may find that it is classified at different levels depending on which card brands it accepts.

Merchant Level | Visa | American Express
---|---|---
1 | Any merchant processing over 6 million Visa transactions annually, or specially identified global merchants | 2.5 million or more American Express Card transactions per year, or merchants identified as Level 1 by American Express
2 | 1 to 6 million Visa transactions annually across all channels | 50,000 to 2.5 million American Express Card transactions per year (service providers: fewer than 2.5 million transactions)
3 | 20,000 to 1 million Visa e-commerce transactions annually | 10,000 to 50,000 American Express Card transactions per year
4 | Fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Fewer than 10,000 American Express Card transactions per year*

* Qualifying transactions must be made by the Card Member with the physical Card present at a Point-of-Sale system compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards. Only Merchants who have not had a Data Incident within the previous 12 months can qualify.

Additional PCI Compliance Obligations

Depending on the merchant level, some card brands require periodic audits and documentation confirming continued compliance with PCI rules. Failure to comply can result in hefty fines. For example, American Express Level 1 merchants can be assessed up to $100,000 for failing to submit their audit forms on time.

PCI Liability Insurance

PCI DSS liability coverage is triggered to indemnify losses arising from any alleged or actual non-compliance with PCI standards. This coverage is extremely important given how much of merchants’ business is now conducted through electronic commerce and how expensive violations (including simply defending against alleged violations) can become.

Example PCI Claims

Negligence: Because of turnover in its finance department, the CFO of a company discovers that her VP of Finance failed to submit important annual audit forms to a credit card network before he left the firm. The network is now assessing a $35,000 fee for audit non-compliance. Luckily, the company has PCI DSS coverage in its cyber policy. The CFO submitted a claim, and the insurance carrier covered the cost after the $2,500 retention (deductible).

Violation: The fraud investigation team at a credit card network discovers that a set of cards used at a restaurant were all compromised. During its investigation, the team finds that the waiters were storing card data in plain text, a violation of PCI compliance. The card network assesses a $100,000 fine against the restaurant. Fortunately, the restaurant has PCI coverage in its cyber policy. After the policy’s $5,000 deductible, the insurance carrier covered the remaining $95,000.

Have any questions? Email us at support@getcyber.com. Otherwise, if you’re ready to get some quotes, click here to get started.