Short for Payment Card Industry Data Security Standard, PCI DSS is a set of requirements designed to ensure that every company that handles customer credit card information maintains a secure environment. So if you have a Merchant ID (MID) and accept credit cards as a form of payment, this applies to you.
The PCI Security Standards Council (PCI SSC) was created in 2006 as an independent body by the major payment card brands: Visa, MasterCard, American Express, Discover and JCB. The mandate of the PCI SSC was to improve payment account security throughout the transaction process. The payment brands and acquirers (banks that process the transactions) – not the PCI SSC – are responsible for enforcing compliance.
Depending on the volume of transactions you process over a given 12-month period, you will be classified in one of 4 Merchant Levels, each with varying degrees of security. So for a merchant that processes fewer transactions, the compliance guidelines will not be as stringent as for a merchant processing a high volume of transactions. However, any merchant that has suffered a security breach that resulted in a compromise of account data may be escalated to a higher validation level.
Satisfying the Requirements of PCI
If you are a small-to-medium-sized business (SMB) processing fewer than 20,000 Visa ecommerce transactions per year, you will generally be classified as a Merchant Level 4. Since this applies to the vast majority of individuals likely to read this article, we’ll focus on the PCI requirements that apply to this category.
To satisfy the requirements of PCI, a Level 4 merchant must complete the following steps:
- Identify your Validation Type as defined by PCI DSS. This is used to determine which Self-Assessment Questionnaire (SAQ) is appropriate for your business.
- Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note that scanning does not apply to all merchants: it is required for Validation Types 4 and 5, i.e. those merchants with external-facing IP addresses. Basically, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
Even the smallest merchant with very few card transactions – even if credit card payments are only accepted over the phone – needs to be compliant with PCI DSS. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. If you use a third party processor, your risk exposure is reduced but not eliminated. You are still required to be PCI compliant, although the effort to validate compliance is certainly minimized.
SSL and PCI
If you accept credit card payments over your website, you need an SSL certificate (SSL is short for Secure Sockets Layer). But don’t confuse SSL with PCI compliance. High assurance SSL certificates provide the first tier of customer security, but they do not secure a web server from malicious attacks or intrusions. An SSL certificate communicates two important things to the user: 1) that there is a secure connection between the customer’s browser and the server, and 2) that the website operators have been validated as a legitimate, legally accountable organization.
Penalties for Noncompliance
You definitely want to familiarize yourself with your merchant account agreement, which outlines your exposure. If you have other questions, your acquiring bank or third-party processor can help you sort through the complexities.