PCI DSS compliance can be a difficult topic to understand, even for seasoned merchants who have been accepting credit and debit cards for years. Despite its complexity on the surface, it’s important for merchants to be fully aware of these requirements so that they can avoid costly data breaches or the loss of their merchant accounts.

In this article, we’ll fully explain what PCI DSS compliance is and the different ways you can make sure your business is compliant. We’ll also go over the steps needed to determine your level of compliance based on your business’s payment environment.

PCI DSS Basics

Becoming a merchant and accepting credit or debit cards involves learning a lot of new systems. This may include learning more about software such as virtual terminals or hardware like POS (point of sale) devices so that customers can swipe or tap their cards to pay your business.

If you’re a new merchant, you’ve likely already started investigating and researching these things to better prepare yourself to accept payments smoothly.

One thing you may have also come across is the topic of data security and the way customer billing information must be handled by businesses that accept credit cards.

These security rules regarding customer information storage and transmission are referred to as PCI DSS compliance. 

What Does PCI Mean?

Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines for merchants at the point of sale. It was designed by the PCI Security Standards Council (PCI SSC).

To maintain the integrity of the electronic payment and credit card processing system, customers need to trust the payment network as well as merchants when they share their billing information. One of the ways that banks and payment processors went about ensuring this integrity was to develop the PCI DSS protocols for security.

Initially created in 2004, these standards are part of a joint effort from Visa, Mastercard, Discover, American Express, and JCB International. The goal was to create a uniform security standard that all merchants and those involved in payment processing must adhere to.

The Security Standards Council is an industry group and does not have legal authority over any merchants or processors. Instead, they manage the standards and evaluate them at regular intervals to determine if they need to be adjusted or amended to deal with new technology or threats.

What Does PCI Compliance Mean?

It means your business and technology infrastructure are in compliance with the PCI DSS regulations required for your level of processing; in other words, you are adhering to their rules and guidelines. We’ll discuss the levels of PCI compliance in a later section, including PCI compliance for small businesses.

Is PCI Compliance Required By Law?

No. But payment providers may require it to maintain your merchant account and prevent termination. PCI standards are a voluntary set of standards. But if merchants choose not to maintain them, they may face unnecessary credit card processing fees and fraudulent transactions, which could lead to chargebacks.

What Happens If My Processor Or I Am Not PCI Compliant?

Those who follow the PCI DSS compliance guidelines do so voluntarily, although compliance is required to keep a merchant account in good standing and helps avoid unnecessary fees. Not complying with PCI DSS standards may cause your merchant account to be terminated.

Merchants evaluate their own systems through a provided questionnaire. This helps them determine the levels of PCI DSS guidelines they fall under and what measures they need to take to ensure customer data is safe.

A processor that is not PCI compliant will be at risk of losing their ability to process payments if they don’t fix the issues causing the non-compliance.

The Different PCI DSS Levels

Many new merchants ask, “How do I get PCI compliant?”

Not all merchants are required to follow the same guidelines. Much of the difference is based on a merchant’s processing volume as well as the type of transactions they handle.

There are four core levels of PCI DSS compliance, with PCI level 1 being the most involved and PCI level 4 being the lowest level.

Below is a list of the different PCI compliance levels for small businesses and enterprises, along with the thresholds that determine your PCI compliance tier:

  • PCI Level 1 Requirements – $6 million or more in transactions per year
  • PCI Level 2 Requirements – $1 million – $6 million in transactions per year
  • PCI Level 3 Requirements – $20,000 – $1 million in transactions per year
  • PCI Level 4 Requirements – $20,000 or less in transactions per year

All levels except level 1 require self-reporting to further determine what your requirements are within your PCI DSS level. Merchants can complete self-reporting via filling out a questionnaire. The answers then guide them on the rest of their compliance needs.

We’ll explain the self-reporting questionnaires in the next section.

PCI DSS Level 1 merchants do not use a questionnaire. Instead, to perform an audit, they must create a Report on Compliance (RoC) and use a third-party Qualified Security Assessor (QSA).

PCI DSS Self-Assessment Questionnaire

A PCI DSS self-assessment questionnaire (SAQ) is an annual requirement. It is used as a validation tool that asks the merchant various questions regarding their processing and private network. 

There are nine different SAQs and each one applies to different merchants depending on the nature of their processing. Below is an outline of the different questionnaires and the criteria for each one from the PCI Standards Council.

SAQ A 

  • Card-not-present only (eCommerce or MOTO)
  • Third-party PCI DSS service providers
  • No electronic processing or storage of card data on the merchant’s own systems and location

SAQ A-EP

  • Card-not-present only (eCommerce or MOTO)
  • Third-party PCI DSS service providers
  • No electronic processing or storage of card data on the merchant’s own systems and location
  • Has a website that could affect transaction security even though it does not receive card data directly.

SAQ B

  • No electronic cardholder data storage
  • Use of imprint machines only for transactions

SAQ B-IP

  • In-person payments at standalone terminals (PTS-approved, with an IP connection)
  • No electronic storage of card data

SAQ C-VT

  • Keyed transactions via a PCI DSS validated third-party online virtual terminal
  • No electronic storage of card data
  • Not for eCommerce

SAQ C

  • Internet-based payment application systems
  • No electronic storage of card data
  • Not for eCommerce

SAQ P2PE

  • In-person transactions taken on physical payment terminals that are managed by a PCI SSC-listed Point-to-Point Encryption (P2PE) solution
  • No electronic storage of card data
  • Not for eCommerce

SAQ D 

  • Any merchant that does not qualify for the above SAQ types

SAQ D For Service Providers

  • Any service provider that is eligible to complete an SAQ

Answering The PCI DSS SAQ

Once you’ve determined your appropriate SAQ, you will want to gather the appropriate employees who are responsible for these areas of your business. This can mean anyone involved in IT deployment or security as well as management that deals with payments or your financial systems and software.

If you run the business alone, then it will just be you answering the questions. If you need help with your PCI compliance situation, contact ECS Payments to speak with one of our merchant account experts.

Some of the questions in the SAQ may be involved, depending on your business, so you likely won’t be able to answer them all in one sitting. The goal is to examine each question thoroughly and provide the most accurate answers possible.

Answering the SAQ required for your business is based on a pass or fail grade. To pass, you must answer all questions positively stating you meet the requirement or answer “not applicable” to questions that don’t apply.

Any question that a merchant cannot answer in one of those two ways means a failure. The business must then resolve the issue and answer the questionnaire again once the problem has been fixed.

PCI Report on Compliance (RoC)

An RoC is required in lieu of an SAQ if your business falls into the level 1 category of DSS compliance as explained above.

The main difference between an RoC and an SAQ is that the business does not fill out an RoC. Instead, a Qualified Security Assessor (QSA) must conduct it.

A business can also use an internal employee known as an Internal Security Assessor (ISA) who has undergone the proper PCI training.

The RoC follows a template provided by the PCI SSC and once complete, the banks involved must approve it.

An RoC is typically required annually by merchants who fall into the level 1 category of DSS compliance.

Difference Between Merchants And Service Providers

When reading through the PCI requirements and the different SAQs, you’ll likely notice a distinction between merchants and service providers. While this is pretty simple, there can be some overlap between the two which can cause confusion.

A merchant is an entity that accepts credit cards bearing the logo of any of the PCI SSC members, such as Visa or Mastercard. This is straightforward to understand and is likely the category most merchant account holders fall into.

Service providers are those entities such as payment processors, payment gateways, and POS hardware suppliers who still come into contact with customer data even though they may not be processing it for their own business.

But there is overlap. For example, a merchant may take credit card payments from customers while also providing technical services to those customers that bring it into contact with customer data.

For example, an ISP (internet service provider) may qualify as both a merchant and a service provider. If they accept payments from customers via credit card but also host merchants who store customer information, then they qualify as both a merchant and service provider.

Using the information above should help you determine whether you are a merchant, service provider, or both as you work through your PCI compliance documents and procedures.

PCI Compliance Requirements

In this section, we’ll dive deeper into the specific requirements and how they are structured for every merchant accepting credit or debit cards.

There are 6 goals of PCI compliance, and these make up the core of the requirements. Within each goal is a subset of best practices to help achieve that goal. It’s a very logical structure, and once you see it you quickly understand how it works, despite it seeming somewhat complicated on the surface.

Below, we’ll outline the 6 goals and the related 12 requirements for PCI compliance.

Goal 1: Maintain a Secure System

Rules

  1. Implement and keep an up-to-date firewall.
  2. Change default passwords and other vendor-supplied security parameters.

Goal 2: Protect Card and Cardholder Information

Rules

  1. Secure stored cardholder data.
  2. Encrypt cardholder data transmissions across open and/or public networks.

Goal 3: Maintain an Active Vulnerability Management Program

Rules

  1. Safeguard systems with up-to-date anti-virus software to defend against malware.
  2. Build and sustain secure systems.

Goal 4: Execute Robust Access Controls

Rules

  1. Keep accessibility to cardholder information limited to only those who need to know for business purposes.
  2. Verify and authorize entry to system components.
  3. Limit physical admission to cardholder data.

Goal 5: Conduct Routine Monitoring and Testing of Networks

Rules

  1. Keep a record of all admission to cardholder information and network resources.
  2. Conduct routine security testing.

Goal 6: Regularly Review and Update the Information Security Policy

Rules

  1. Ensure there is a policy in place that covers information security for all staff.

ASV Scans and Penetration Testing

Depending on the number of transactions and your internal network, you may be required to perform quarterly network scans of your technology infrastructure. These scans are known as ASV (approved scanning vendor) scans. As the name suggests, they must be done by a qualified vendor.

These scans are also required after any significant changes to your network or system infrastructure. So if you modify or expand your internal network in a significant way, you will likely need to perform another scan.

The following are changes that may require an additional ASV scan.

  • Firewall rule changes
  • New system components
  • Changes to network topology
  • Product upgrades

Merchants are allowed to perform their own scans for internal security auditing. However, only a scan by an approved vendor will meet the requirements of PCI standards.

PCI DSS Penetration Testing

Part of the PCI DSS requirements is to ensure entities perform regular penetration testing (pen tests). These are tests performed by a third party to expose any possible vulnerabilities within a network or system. It’s important to note that not all entities or merchants will need these pen tests. As with the other PCI requirements, these are dependent on your unique situation.

Pen testing is for service providers that (a) store, process, or transmit cardholder data on behalf of someone else, and (b) use segmentation for PCI scope reduction.

So it’s very possible as a merchant you may not be required to perform these tests. But it’s important to understand your infrastructure to make the proper determination.

Penetration tests fall into two main categories: manual and automated. An automated test uses software and tools to look for vulnerabilities, while a manual test uses security experts to conduct the test and look for vulnerabilities.

Why PCI Compliance Is So Important

After learning about PCI compliance, it may seem like something that was put in place to punish businesses with undue regulations. However, that’s not the case at all.

The requirements promote the integrity and safety of the payment system. It’s this safety which helps keep costs and fees as low as possible. It also makes customers comfortable doing things like keeping their credit cards on file with various merchants.

Keeping cards on file helps businesses increase sales and increase repeat business. So these features directly help drive revenue for many different merchants. Without robust security requirements like PCI compliance, these features would not be possible.

Another reason for PCI compliance is to help alleviate the liability a business may be exposed to if there is a security breach.

A data breach can cost a business millions of dollars in both real dollars and reputational damage. Sometimes it can even cause a business to fail completely.

If a business was following all PCI compliance requirements, it may be exposed to less liability in such an event. Without these guidelines, businesses could be found to be grossly negligent, which may mean increased cases of credit card fraud and more severe legal penalties.

Finally, following network and security best practices is simply good business. Lax security can be a sign of a poorly run business, which likely means other aspects of the business may also be run poorly. So having tight security promotes a strong foundation for business and also shows respect for customers and their sensitive data.

So overall, PCI compliance is necessary to protect both businesses and customers. It also helps businesses limit damages while increasing revenue through additional billing features.

Additional Assistance With PCI Compliance

PCI compliance can be a difficult topic, especially for those new to merchant accounts and credit card processing.

Those who need help with PCI compliance also need a trusted partner to help them navigate this area to build a secure business.

ECS Payments is an industry-leading payment processor that works with merchants all around the country. Our in-house team has the expertise and knowledge to help you understand your processing needs and meet all your PCI compliance requirements.

Contact ECS Payments if you need a merchant account or require help with PCI compliance. We offer access to different payment gateways and also specialize in high-risk transactions for merchants of any size.