May 1 2013
eNews #27
RSPA and PCI Compliance 

RSPA stands for Retail Solutions Providers Association. They are the only association dedicated to the retail technology industry. They've been around for over 60 years and are firm advocates of PCI Compliance. The Payment Card Industry Data Security Standard (or PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. To be PCI Compliant, there are many steps and precautions to take. This newsletter draws on a Q&A portion of RSPA's monthly magazine, a new feature called "PCI IQ." It tests readers' PCI knowledge and teaches them things they may not know about PCI Compliance.

 
The Basics

-What does PCI stand for?

 

Answer: Payment Card Industry. PCI denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.

 

-What are the two major causes of data breaches?

         

Answer: 1) Lack of good password administration. 2) Failure to secure remote access points.

 

-Who mandates and enforces PCI compliance?

 

Answer: PCI compliance is mandated by individual payment card companies: Visa, Mastercard, AMEX, Discover, and JCB International.

 

-Name the PCI Compliance Levels and how they are determined.

 

Answer: A qualified answer might state: Merchants are divided into four categories, and each credit card company may add their own stipulations to each. The retail vertical solution providers should understand the differences and must be prepared to help their clients' payment processes adhere to the variations.

 

-Does PCI compliance apply to debit card transactions? Why or why not?

 

Answer: Yes. PCI compliance applies to debit cards if they are branded with any of the five card brand logos that participate in the PCISSC (Payment Card Industry Security Standards Council).

 

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five association/brand logos that participate in the PCISSC - American Express, Discover, JCB, MasterCard, and Visa International.

 

-What does PCI DSS define as a "merchant?"

 

Answer: A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCISSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

 

 

Reprinted with permission.  Originally published in RSPA connect Magazine.  To read past connect articles, click here.  To learn more about RSPA, visit GoRSPA.org

If you have any suggestions for future newsletters and/or feedback, please feel free to email me. Your feedback is what helps us grow and assist you as your Point of Sale software provider!

Your TransActPOS Team

Profile Systems Design Group, Inc. | 270-821-0720 | http://www.transactpos.com/
47 West North Street
Madisonville, KY 42431
  
Copyright © 2013 Profile Systems Design Group, Inc. All Rights Reserved.