PAYMENT CARD INDUSTRY-DATA SECURITY STANDARDS
1) Understand Your Merchant Level. (Not to worry: as your provider, we will determine this for you.) Each card brand defines its own merchant levels. As an example, here are Visa's (the most widely used brand). Visa divides merchants into four levels based on the number of Visa transactions processed over a 12-month period. Your level determines how stringent your PCI compliance validation must be.
- Level 1 – Process over 6 million Visa transactions per year.
- Level 2 – Process between 1 million and 6 million Visa transactions per year.
- Level 3 – Process between 20,000 and 1 million Visa transactions per year.
- Level 4 – Process fewer than 20,000 Visa transactions per year.
(Note: these thresholds are transaction counts, not dollar amounts. Visa's Level 3 and Level 4 thresholds count e-commerce transactions specifically, and a merchant that suffers an account data compromise can be moved to Level 1 at the card brand's discretion regardless of volume.) Links to the card brands' merchant levels are listed here:
- American Express
Complete Self-Assessment Questionnaire (SAQ)
The SAQ is a set of documents containing questions based on the requirements of the PCI DSS. There are 12 requirements for compliance, organized into 6 groups (goals), and each requirement is broken down into sub-requirements. There are 9 variations of the SAQ, but you will only have to complete one: the one presented to you corresponds to how your business handles card data (for example, whether you store, process or transmit cardholder data yourself or fully outsource it to a validated third party).
Attestation of Compliance (AOC)
After the SAQ you will need to complete the AOC, which is attached to your SAQ. The AOC is the signed statement that you have complied with all of the applicable requirements. Like the SAQ, the AOC has 9 variations and you will only complete one, matching the SAQ you filled out.
Submitting the Documents
The final step is to submit your completed SAQ and AOC along with any other required documents, such as an ASV scan report. Validation of compliance is then repeated annually: organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC), while companies handling smaller volumes validate by completing the Self-Assessment Questionnaire (SAQ).
Compliance Process Recap
- Determine your merchant level.
- Complete the Self-Assessment Questionnaire (SAQ) that matches how you handle card data.
- Complete the Attestation of Compliance (AOC) form.
- If your SAQ requires it, obtain evidence of passing quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
- Submit all of the above.