04 June 2009

3 Important Steps a Merchant Needs to Take to Satisfy PCI Requirements

To satisfy the twelve PCI requirements, you need to identify your PCI compliance level and its requirement definition, perform the compliance tasks, and submit the needed documentation to your acquirer.

If you accept credit and debit cards in your store, you need to comply with the PCI standards and requirements regardless of the payment channels you use and the size of your business.  This helps protect the cardholder information that is collected and stored throughout payment card processing.  To satisfy these requirements, follow these steps:

Identify your PCI compliance level and your requirement definition

Merchants are classified into different compliance levels according to their volume of debit and credit card transactions per year and per card brand.  Visa and MasterCard have four compliance levels, American Express (AMEX) has three, JCB International has two, while Discover uses a risk-based approach instead of classifying merchants into levels.  Each level has a defined set of requirements that merchants must comply with to meet PCI standards.

  • Level one.  Level one merchants for Visa, MasterCard, AMEX, and JCB International are those with annual credit and debit card transactions of more than six million for Visa and MasterCard, over 2.5 million for AMEX, and over one million for JCB.  Merchants that have experienced a data compromise or hacking incident also belong to level one.  Merchants at this level are required to undergo an annual on-site review by a Qualified Security Assessor (QSA), as well as quarterly network scans by an Approved Scanning Vendor (ASV).
  • Level two.  These are merchants with annual payment card transactions between one and six million for Visa and MasterCard, between fifty thousand and 2.5 million for AMEX, and less than one million for JCB.  If you belong to this compliance level, you need to undergo a quarterly network scan by an ASV.  Level two merchants for Visa, MasterCard, and JCB also need to fill out an annual Self-Assessment Questionnaire (SAQ).
  • Level three.  Level three merchants are those with annual AMEX transactions of less than fifty thousand and those with Visa and MasterCard annual transactions between twenty thousand and one million.  At this level, you need to undergo a quarterly network scan for all three card brands, and Visa and MasterCard level three merchants must additionally complete an annual SAQ.
  • Level four.  Merchants at this level are those with fewer than twenty thousand yearly Visa and MasterCard transactions.  The requirements at this level are the same as those at level three: a quarterly network scan by an ASV and annual SAQ completion.
  • Discover.  Merchants accepting Discover payment cards are required to undergo a quarterly network scan by an ASV and, annually, either an on-site review by a QSA or completion of the SAQ.

Perform compliance tasks

Once you know which level you are in and what the PCI compliance requirements for that level are, you can start working on them.

  • Annual on-site review.  Annual on-site reviews are conducted for merchants with a higher risk of data exposure, namely those in PCI compliance level one.  If you belong to this category, you need to select a Qualified Security Assessor (QSA) to perform an audit of your systems.  You can find a list of QSAs on the websites of card companies like Visa and MasterCard.
  • Quarterly network scans.  Quarterly network scans are required of all merchants accepting debit and credit cards.  They are conducted by Approved Scanning Vendors (ASVs).  These vendors scan your systems, such as your virtual host, domain host, and mail server, and report any risks they find.  They also determine the level of risk associated with each finding and help you fix these vulnerabilities.
  • Self-Assessment Questionnaire.  This questionnaire applies to merchants in PCI compliance levels two, three, and four.  It has five validation types, which correspond to the different terminals or the nature of the payment card processing.  For example, SAQ type one applies to card-not-present transactions.  Each SAQ type uses a different form to assess compliance with the PCI DSS requirements.  You need to determine which type applies to your company and then fill out that form completely.

Submit needed documentation to your acquirer

Once all the requirements have been met and the SAQ has been completely filled out, you can submit your forms and reports to your acquirer, using a PDF file for your SAQ.  To be PCI compliant, you must pass the on-site review and the network scans.  Furthermore, every question in the SAQ must be answered "yes", or "not applicable" (N/A) for those that do not apply to your system.  A merchant is considered non-compliant if any question in the SAQ is answered "no", meaning there is a threat in your payment card processing system.  Such issues need to be resolved before compliance can be gained.

Gaining PCI compliance sounds difficult, but it is actually simple if you make sure that all the systems you use in your payment card processing keep the stored and processed data safe and secure.  Your merchant account provider can help you make sure of this, since providers also have a role in adhering to PCI standards.  Note that some providers include a PCI fee in their annual fee, while others do not.  Do not hesitate to ask your merchant account provider about PCI compliance.
