Jan 06, 2010

Now every Transaction is Protected with the PCI Compliance

in PCI Standards, PCI Security, PCI Compliance

The Payment Card Industry compliance protocol, better known as PCI compliance, aims to protect personal information and to secure the use of payment cards in an online environment. It is an important and significant move, and one with which the entire payment card industry will have to comply. For an industry moving to engage many more people in online transactions it is imperative, since credit cards remain the preferred choice for consumers. A failure to meet the standards may mean fines from banks and credit card companies, or even the loss of the ability to process credit cards.

Under the protocol, merchants are classified by transaction volume. There are a number of merchant levels, based to a large extent on Visa transaction volume over a span of 12 months. Transaction volume is the number of Visa transactions from the merchant on a Doing Business As (“DBA”) basis. The PCI compliance protocol proposes that where a merchant corporation has more than a single DBA, the aggregate volume of transactions stored, transmitted and processed by the entity is what Visa considers in setting the validation level.

Where the data are not aggregated, for example where a corporate entity does not process, store or transmit cardholder data on behalf of its different DBAs, the acquirer will continue to consider the individual transaction volume (per DBA) to determine the validation level.

Following are the 4 PCI compliance merchant levels classified by Visa:
  1. Any merchant, regardless of acceptance channel, processing more than 6M Visa transactions in a year.
  2. Any merchant, regardless of acceptance channel, processing between 1M and 6M Visa transactions in a single year.
  3. Any merchant that processes from 20,000 up to 1M Visa e-commerce transactions in any one year.
  4. Any merchant that processes fewer than 20,000 Visa e-commerce transactions in a given year, and any other merchant, regardless of acceptance channel, processing around 1M Visa transactions in a year.

The PCI compliance protocol recommends that whenever a cardholder's personal information is stored on a computer, that computer has in place measures designed to protect the network. Business owners who wish to store cardholder data and other information are given the task of protecting the data itself.

In this context “protecting” means that no one can access the information without authorised entry and access. Businesses that store credit card numbers need to store them in encrypted form, so that if someone were able to access the database, that person could never decode the information.

Furthermore, as part of the PCI compliance protocol, access to cardholder information is limited and restricted only to those people who need to use it. Business owners are also obliged to assign an identification particular to each person who has that access.
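The two rules just described (card numbers stored only in encrypted form, so that reaching the database is not enough to read them, and access limited to identified people who need it) can be seen together in a small program. The Go code below is an added example written for this page, not code from the original post or from any PCI standard. It assumes an AES-256 key that is supplied from outside the database (an HSM or key service in practice), a constructed user directory in which only the billing role may read card data, and a constructed customer ID and the well-known test card number 4111111111111111.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Role models the "only those who need to use it" rule: only billing staff may read a PAN.
type Role string

const (
	RoleBilling Role = "billing"
	RoleSupport Role = "support"
)

// stored is what a database row holds: nonce and ciphertext, never the card number.
type stored struct {
	nonce      []byte
	ciphertext []byte
}

// AccessEvent ties every read attempt to the identification of the person who made it.
type AccessEvent struct {
	UserID     string
	CustomerID string
	Allowed    bool
}

// Vault keeps the AES-256-GCM key outside the rows it protects. In a real deployment the
// key lives in an HSM or key management service; here it is passed in (assumption).
type Vault struct {
	aead  cipher.AEAD
	rows  map[string]stored
	users map[string]Role
	Audit []AccessEvent
}

func NewVault(key []byte, users map[string]Role) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, rows: map[string]stored{}, users: users}, nil
}

// StoreCard encrypts the PAN under a fresh random nonce and binds the ciphertext to the
// customer ID as GCM additional data, so a row cannot be silently moved to another customer.
func (v *Vault) StoreCard(customerID, pan string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.rows[customerID] = stored{nonce: nonce, ciphertext: v.aead.Seal(nil, nonce, []byte(pan), []byte(customerID))}
	return nil
}

// RetrieveCard checks the caller's identity and role before decrypting, and records the
// attempt, allowed or denied, against the caller's user ID.
func (v *Vault) RetrieveCard(userID, customerID string) (string, error) {
	role, known := v.users[userID]
	allowed := known && role == RoleBilling
	v.Audit = append(v.Audit, AccessEvent{UserID: userID, CustomerID: customerID, Allowed: allowed})
	if !allowed {
		return "", errors.New("access denied: caller has no need to use cardholder data")
	}
	row, ok := v.rows[customerID]
	if !ok {
		return "", errors.New("no card on file for customer")
	}
	pt, err := v.aead.Open(nil, row.nonce, row.ciphertext, []byte(customerID))
	if err != nil {
		return "", err // wrong key or tampered row
	}
	return string(pt), nil
}

// RawRow is the view of someone who reaches the database directly: hex of the stored
// bytes, which without the separately held key reveal nothing about the card number.
func (v *Vault) RawRow(customerID string) string {
	row := v.rows[customerID]
	return hex.EncodeToString(row.nonce) + ":" + hex.EncodeToString(row.ciphertext)
}

func main() {
	key := make([]byte, 32) // constructed here; in practice fetched from an HSM/KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key, map[string]Role{"u-1001": RoleBilling, "u-2002": RoleSupport})
	pan := "4111111111111111" // well-known test number, not a real card
	_ = v.StoreCard("cust-42", pan)
	fmt.Println("row as seen in the database:", v.RawRow("cust-42"))
	fmt.Println("row exposes the PAN:", strings.Contains(v.RawRow("cust-42"), pan))
	got, err := v.RetrieveCard("u-1001", "cust-42")
	fmt.Println("billing user read:", got, err)
	_, err = v.RetrieveCard("u-2002", "cust-42")
	fmt.Println("support user:", err)
	fmt.Printf("audit trail: %+v\n", v.Audit)
}
```

The points to take from it: the key is never in the table, so a copy of the database alone is useless; every read attempt is written against the user's own identification before the outcome is known; and a person outside the billing role is refused before any decryption takes place.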

In essence, a number of additional aspects are governed by the PCI compliance protocol, most of which can be classified as means to protect customer information, assuring customers of a hassle-free and safe transaction.

© 2009 ttalk.com.au