PCI Compliance

On September 7, 2006 the major card brands such as Visa MasterCard and American Express collaborated to protect the consumer and merchant from the breaches that have taken place. The result was the formation of the Payment Card Industry Security Standards Council (PCI SSC) pcisecuritystandards.org . This council put forth in place the PCI DSS which is the proprietary information security standard for all organizations that store, process or transmit all major credit cards. It contains a set of security requirements that include everything from how your POS should be set up under your wireless WAN to eCommerce and more. To become compliant, a merchant would need to complete an annual self assessment questionnaire and a quarterly network scan.

PCI DSS

Merchant Levels

Understand Your Merchant Level

(Not to worry, as your provider, we will determine this.)

Each card brand has it’s own merchant level. To give you an example here is Visa’s (the most widely used card). Visa is divided into 4 categories based on Visa card transactions over 12 months. Your level will determine how stringent your PCI Compliance program must be.

Level 1 – Process over 6 million Visa transactions a year.
Level 2 – Process between 1-6 million Visa transactions per year.
Level 3 – Process between 20k-1 million Visa transactions per year.
Level 4 – Process under 20k Visa transactions per year.

(Note; these are transactions not dollar amount.)

Links to the card brands levels are listed here:

Complete Self Assessment Questionaire (SAQ)

This is a set of documents that contain a set of questions based on the requirements of the PCI DSS. There are 12 requirements for compliance that are organized into 6 groups. Each requirement has sub-groups and there are 9 variations of the SAQ. You will only have to complete one. The one that will be presented to you correlates to how your business handles credit cards.

Attestation Of Compliance (AOC)

After the SAQ you will need to complete the AOC, which is attached to your SAQ. This validates that you complied with all the applicable steps.

The AOC also has 9 variations. Like the SAQ, you will only complete one.

Submitting The Documents

Final step is to submit your filled SAQ and AOC along with any other documents such as an ASV scan reports.

Validation of compliance is then performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Compliance Process Recap

Determine your compliance level.
Complete Self Assessment Questionaire.
Complete Attestation of Compliance form.
If needed, complete and obtain evidence of passing the external vulnerability scans by an Approved Scanning Vendor (ASV).
Submit all the above.

Is It Mandatory?

By federal law, PCI Compliance is not required. However, some states like Nevada has put PCI Compliance into their state law.

Aside from that, businesses that are not PCI Compliant may be subject to fines, sanctions and loss of privileges from the clearinghouse that processes credit card payments. If the PCI failure results in the loss of data, the business could face fines, higher fees, and other sanctions from banks and other credit card processors. Businesses can also be subject to lawsuits and government prosecution for failing to protect customer data. If a data breach occurs, your business will be liable for all damages if not PCI Compliant.