Do I Need To Be PCI-Compliant?

If yours is an organization that processes credit card or debit card payments, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance could result in heavy fines and loss of your ability to accept payment cards or to process credit card transactions — a death knell for almost any enterprise.

Created by the PCI Security Standards Council–a consortium of payment card brands including Visa, Mastercard, American Express, Discover, and JCB–the PCI Data Security Standard is designed to protect debit and credit card information from data breaches. 

To accept payments using cards from any of these credit card companies, you must be PCI compliant. Doing so entails conforming to the PCI standards applicable to your organization.

Credit card data, or cardholder data, comprises the primary account number (PAN) or card number in conjunction with cardholder name, expiration date, or service code. PCI compliance is also required to collect sensitive authentication data. This type of sensitive data includes card validation codes/values, magnetic stripe or card chip data, PINs, PIN blocks, or any other information used to authenticate cardholders or authorize payment card transactions.

The PCI SSC established four levels of compliance for merchants and two for service providers. Your organization’s level will determined whether you must undergo a PCI audit by a qualified security assessor (QSA) to establish your compliance or if you may simply complete a self-assessment questionnaire (SAQ). 

Either of these tasks is arduous and can take many months or even years to complete. For this reason, many enterprises use compliance software to help them manage workflows, conduct self-audits, and perform other complex PCI compliance tasks.

Your compliance level depends on how many debit and credit card transactions you process each year, what types of cards you accept, and whether you have suffered a breach or cyberattack resulting in compromise of credit card or cardholder data.

The levels are:

Merchant Level One

Criteria:  

•       Processes more than 6 million Visa, Mastercard, or Discover transactions annually OR
•       Processes more than 2.5 million American Express transactions annually OR
•       Processes more than 1 million JCB transactions annually OR
•       Has suffered a data breach or cyberattack that resulting in compromise of cardholder data OR
•       Has been identified by another card issuer as Level 1

Requirements:

•       Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor
•       Quarterly network scan by Approved Scan Vendor (ASV)
•       Submission of completed Attestation of Compliance (AOC) form

This highest and most stringent of the PCI DSS compliance levels is the only level to require a full, on-site audit every year. As a result, to become PCI compliant typically takes Level 1 merchants about two years.

In addition, merchants must report the results of their audit to their “acquiring bank,” defined by the SSC as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”

Merchant Level Two

Criteria:

• Processes 1 million to 6 million Mastercard, Discover, or Visa transactions per year OR
• Processes 50,000 to 2.5 million American Express transactions annually OR
• Processes fewer than 1 million JCB transactions annually AND
• Has not suffered a data breach or attack that compromised card or cardholder data

Validation Requirements:

• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by Approved Scan Vendor
• Attestation of Compliance Form

At Level 2, merchants do not necessarily need an on-site audit unless they have suffered a data breach or cyberattack that compromised credit card or cardholder data. Also, a Level 2 merchant’s acquiring bank may require an audit and ROC.

Otherwise, Level 2 merchants may self-report by filling out and submitting a Self-Assessment Questionnaire. They also need to have their networks scanned quarterly by an Approved Scan Vendor—because PCI DSS compliance, like data security, is not a one-and-done endeavor but a continual process.

Completing the SAQ can be a lengthy process in itself—a year or more—with as many as 281 PCI DSS directives to address. Most organizations work to narrow the scope of their audit or assessment to save time and expense.

Merchant Level 3

Criteria:

• Processes between 20,000 and 1 million Visa e-commerce transactions annually OR
• Processes 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions annually OR
• Processes between 20,000 and 1 million Discover “card-not-present” (e-commerce)  transactions annually OR
• Processes fewer than 50,000 American Express transactions annually AND
• Has not suffered a data breach or cyberattack that compromised card or cardholder data

Note that card provider JCB has no Level 3. All merchants processing fewer than 1 million JCB transactions per year qualify as Level 2 merchants.

Validation Requirements:

The validation requirements for a Level 3 merchant are the same as those for Level 2 merchants:

• Annual Self-Assessment Questionnaire
• Quarterly network scan by an Approved Scan Vendor
• Attestation of Compliance form

Although Level 2 and 3 merchants are not usually required to commission an on-site audit or obtain a ROC, some may choose to do so to boost their business profile or ensure that their cardholder data environment is completely secure.

Merchant Level 4

Level 4 is the lowest PCI merchant compliance level established by Visa and Mastercard.

Criteria:

•   Processes fewer than 20,000 Visa or Mastercard e-commerce transactions per year OR
•   Processes up to 1 million total Visa or Mastercard credit card transactions AND
•   Has not suffered a data breach or attack that compromised card or cardholder data.

Neither Discover, American Express, or JCB has a Level 4 designation. Discover and American Express stop at Level 3; JCB has just two merchant levels.

Validation Requirements:

Merchants that qualify as Level 4 must achieve PCI DSS compliance by meeting their acquiring bank’s requirements. Typically, banks require of Level 4 merchants:

•   Annual Self-Assessment Questionnaire (SAQ)
•   Quarterly network scan by an Approved Scan Vendor (ASV)

Service Provider Level 1

A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business, or that provides services that could affect cardholder data security. Those providing managed firewalls, intrusion detection systems, intrusion protection systems, data destruction services, and web hosting providers. Service providers must be PCI DSS compliant.

The criteria and validation requirements for Level 1 service providers are slightly different than for Level 1 merchants.

Criteria

•   Stores, processes, or transmits more than 300,000 credit card transactions annually

Requirements

•     Annual Report on Compliance by a Qualified Security Assessor
•     Quarterly network scan by an Approved Scanning Vendor
•     Penetration Test
•     Internal Scan
•     Submission of completed Attestation of Compliance Form

Service Provider Level 2

Criteria:

•     Process, store, or transmit fewer than 300,000 credit card transactions per year

Validation requirements:

•     Annual Self-Assessment Questionnaire
•     Quarterly network scan by an Approved Scan Vendor
•     Penetration test
•     Internal scan
•     Attestation of Compliance Form

Service providers who qualify as Level 2 may be asked by partners, clients, or other business partners to validate their PCI DSS compliance with an on-site audit by a Qualified Security Assessor or Internal Security Assessor and meet other, more stringent, Level 1 criteria. Also, they may opt to validate as a Level 1 provider to be included on Visa’s Global Registry of Approved Service Providers.

Other Compliance Considerations

Any point-of-sale technology (including websites), line-busting technology, or WLAN used to store, process, or transmit payment card data falls under the compliance requirement. If a business chooses to outsource its PCI DSS compliance to a third party, the merchant is responsible for oversight and vendor management to ensure continuous compliance with the standard.

Ecommerce merchants must use PCI DSS-validated third parties if they outsource payment processing. They must also ensure that no electronic storage, processing, or transmission of cardholder data remains on their systems or premises.

Merchants who only use imprint machines with no electronic cardholder data storage and/or who use standalone dial-out terminals with no electronic cardholder data storage should also consider PCI DSS compliance.

Merchants using standalone, PTS-approved terminals that connect to a payment processor using an IP address need to review their individual compliance requirements.

In cases where the merchant manually enters individual transactions on a keyboard into an internet-based terminal solution, the business needs to review the PCI DSS validated third-party for compliance.

If a merchant uses a payment system connected to the internet with no electronic cardholder data stored, they need to meet PCI standards.

Merchants using hardware payment terminals included in, and managed by, a validated PCI SSC-listed P2PE solution must be compliant and must ensure that their vendor is compliant.

Get Help if You Need It

If all this seems a bit overwhelming, it doesn’t have to be. Today, many organizations use software to manage their PCI DSS compliance with ease. ZenGRC takes the worry out of this complex task with color-coded dashboards, unlimited self-audits, audit-trail documentation, and more. Contact us today for your free demonstration.