What you need to know about the PCI DSS and PII

Personally Identifiable Information (PII) can mean a number of things but is an important piece of any security or privacy-focused regulation, such as PCI DSS.


The Payment Card Industry Data Security Standard (PCI DSS) comprises a set of policies and procedures that aim to protect credit, debit, and cash card transactions and prevent the misuse of cardholders' PII. The PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), and its requirements apply to any and all organizations involved in payment card processing, from merchants to processors and third-party service providers: anyone who stores, processes or transmits cardholder data. So, what is cardholder data?

What is cardholder data?

Cardholder data refers to PII associated with a person who owns a credit, debit or cash card. This includes the cardholder's account number, name, card expiration date, and service code. This is the important PII covered under the PCI DSS. What the PCI DSS calls for is that cardholder data is kept secure and in compliance with the standard's requirements.

What are the requirements under PCI DSS?

The Payment Card Industry Data Security Standard lays out six goals and twelve basic requirements. Each goal is listed below with the PCI DSS requirements that fall under it:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

*This chart is taken from the PCI SSC, PCISecurityStandards.org

Under the Payment Card Industry Data Security Standard, merchants follow requirements based on their ‘level’. Levels are determined by an organization’s transaction volume. Visa defines the merchant levels as follows:

LEVEL 1: “Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.”

LEVEL 2: “Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.”

LEVEL 3: “Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.”

LEVEL 4: “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.”

So, for level 4 merchants (small-to-medium-sized businesses), a self-assessment questionnaire (SAQ) must be used to validate compliance. Then, they must pass a vulnerability scan with a PCI SSC approved scanning vendor. After that, they must complete the relevant attestation of compliance and submit the SAQ, evidence of passing a scan and the attestation of compliance to their acquirer. You can get more information for small merchants here.

What are the penalties under PCI DSS?

To best see the penalties under PCI DSS, let’s reference the PCI SSC’s FAQ sheet:

“The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.”

To see our security and compliance courses, go to https://www.cybertraining365.com/cybertraining/Courses


About CyberTraining 365

CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.
