For most retailers, the primary source of revenue is credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous articles, those agreements typically require that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS.
The PCI DSS is a standard that was originally established by the payment brands and later transferred to the Payment Card Industry Security Standards Council (“PCI SSC”) for management and further development. The standard sets forth what the payment brands contend is a baseline of technical and operational requirements designed to protect cardholder data. Put differently, many consider the PCI DSS to be the minimum set of requirements that a company must meet in order to accept and process credit cards.
The current version of the PCI DSS was published in April of 2016 and represents the sixth incarnation of the standard.
Number of security controls required under the current version of the PCI DSS.1
The frequency with which large retailers must audit and certify their compliance with the PCI DSS.2
Factors retailers should consider when evaluating their compliance with the 12 requirements of PCI DSS:
1. Payment Card Industry, Data Security Standard v 3.2, https://www.pcisecuritystandards.org/security_standards/documents.php (“PCI DSS 3.2”).
2. See, e.g., American Express Merchant Operating Guide (Oct. 2016).