What is PCI Compliance?

April 6, 2017 at 10:00 AM


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that any business that accepts, processes, stores or transmits payment card data, regardless of its size or transaction volume, maintains a secure environment for its customers' cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) (www.pcisecuritystandards.org) was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) and launched on September 7, 2006. It was formed to manage the ongoing development of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the entire transaction process.

Under these standards, every merchant, regardless of size, is assigned to one of four validation levels based on its annual transaction volume:

  1. Merchant Level 1
  2. Merchant Level 2
  3. Merchant Level 3
  4. Merchant Level 4

Let’s look at the breakdown of the different levels of merchants a little more closely:

  • Visa defines a business, regardless of its acceptance channel (how it accepts payment), as a level one merchant if it processes over 6M Visa transactions per year. Additionally, Visa can require, at its discretion, that any business meet level one requirements in order to minimize the risk to Visa's systems.
  • To be considered a level two merchant, a business must process between 1M and 6M Visa transactions per year, regardless of acceptance channel.
  • Level three merchants process between 20k and 1M Visa e-commerce transactions per year.
  • Lastly, a level four merchant is a business that processes fewer than 20k Visa e-commerce transactions per year, or any other merchant that, regardless of acceptance channel, processes no more than 1M Visa transactions per year. The other brands (MasterCard, American Express, Discover and JCB) publish their own level definitions with similar thresholds, so a merchant's level should be confirmed against each brand it accepts. Additionally, if a business has suffered a breach that resulted in a compromise of account data, it may be escalated to a higher validation level for a period of time, until compliance has been demonstrated.

Penalties

The penalties imposed by the payment brands for non-compliance with PCI DSS (while not openly discussed or widely publicized) can be harsh: brands can levy fines on the acquiring bank ranging from $5,000 to $100,000 per month. The acquiring bank will likely pass these fines along to the non-compliant business. Furthermore, the acquiring bank could increase transaction fees or terminate its relationship with the merchant altogether. To mitigate this risk, a business should be very familiar with its merchant account agreements, which should outline the merchant's PCI exposure.

Businesses can be proactive about their compliance obligations by understanding how cardholder data flows through their environment, since transaction volume determines the merchant level and the way card data is handled determines which validation method applies. A level one merchant must engage a Qualified Security Assessor (QSA) to complete an on-site assessment and produce a PCI Report on Compliance (ROC). Merchants below level one can instead complete a Self-Assessment Questionnaire (SAQ), either on their own or with the help of a QSA; the specific SAQ type depends on how the merchant accepts and handles card data (for example, whether payment processing is fully outsourced or card data touches the merchant's own systems). An SAQ that is counter-signed by a QSA is considered more credible because it carries the objective opinion of a trusted third party.

For any questions that you have on PCI Compliance, feel free to contact us. In the meantime, feel free to download a copy of our PCI Compliance Services brochure.
