PCI Compliance is an often misunderstood topic. This is no surprise considering how complex and nuanced the standard is, the general lack of knowledge (even among those enforcing PCI compliance) and how little clear explanation is available for the topic. The following is our attempt to clarify this issue.
What is PCI Compliance?
As an eCommerce service provider, we find the most common misunderstanding our clients have is thinking that they can purchase PCI compliance from someone like us. Unfortunately, the PCI standard covers not only the technology which runs a website or shopping cart, but also the organization’s entire IT infrastructure and all policies and procedures which relate to payments and the storage of cardholder data. It’s worth reiterating this point:
PCI compliance requirements apply to an entire organization, not just to the technology behind a website.
A particular data center or piece of infrastructure provided by a third party may be audited and deemed PCI compliant. Many merchants believe that simply hosting an eCommerce website in a PCI compliant data center will mean that their organization is automatically PCI compliant. This is not the case, though it will make achieving compliance an easier task.
We also see a lot of misunderstanding around the enforcement of the PCI standards. The first thing to understand is that the PCI Council has no authority to enforce the PCI standards.
Each payment card brand has its own standards around compliance and enforcement. Furthermore, it is left up to individual merchant account providers to implement any measure of enforcement.
Q: What if a merchant refuses to cooperate?
A: PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.
For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.
Levels and Types, Oh My
Depending on the size of your business and the degree to which you store cardholder data, you may be subject to widely varying compliance requirements from your merchant account provider. These range from being required to fill out a questionnaire and run some scanning software against your network up to being required to hire an auditor who will come to your offices and spend days auditing processes, people, paperwork and computers.
A Self Assessment Questionnaire (SAQ) is required at all merchant levels and validation types, though the content varies. The minimum you will otherwise be required to provide is the results of a network vulnerability scan (for example from the McAfee Secure service).
It is important to understand which Merchant Level and which SAQ Validation Type your organization will fall under. The following tables outline the basics and give you an idea of what your merchant account provider will be requiring of you.
|Merchant Level||Description|
|1||Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.|
|2||Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.|
|3||Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.|
|SAQ Validation Type||Description||SAQ|
|1||Card-not-present (eCommerce or mail / telephone order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.||A|
|2||Imprint-only merchants with no cardholder data storage.||B|
|3||Stand-alone dial-up terminal merchants, no cardholder data storage.||B|
|4||Merchants with payment application systems connected to the Internet, no cardholder data storage.||C|
|5||All other merchants (not included in the descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ.||D|
Where does this leave us?
Most StoreFront Consulting clients fall into SAQ Validation Type 1 and Merchant Levels 3 or 4. This means that generally the compliance requirements you will see are all close to the minimum outlined above (fill out an SAQ-A and complete a vulnerability scan once per quarter).